| Html |
|---|
<div id="fb-root"></div>
<script>(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.11';
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script> |
| Html |
|---|
<div class="fblang-box-likepdf" data-href="https://confluence.wildix.com/x/QgBuAQ" data-layout="button_count" data-action="recommend" data-size="large" data-show-faces="true" data-share="true"></div> |
| Html |
<div class="lang-box-pdf"> <div> <div class="google-lang"> <div id="google_translate_element"> </div> <script type="text/javascript"> > <div> <div class="google-lang"> <div id="google_translate_element"> </div> <script type="text/javascript"> function googleTranslateElementInit() { new google.translate.TranslateElement({pageLanguage: 'en', includedLanguages: 'de,es,fr,it,nl', autoDisplay: false}, 'google_translate_element'); } </script> <script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script> </div> <div class="pdf-button"> <a href="https://confluence.wildix.com/spaces/flyingpdf/pdfpageexport.action?pageId=23986242" alt="Convert to .pdf" title="Convert to .pdf"><img src="https://confluence.wildix.com/download/attachments/14549012/pdf-button-download-wildix-documentation.png"></a> </div> </div> </div> |
...
| Info |
|---|
This document provides information on built-in security features of the Wildix system, ISO compliance and GDPR. Updated: October 2020August 2021 Permalink: https://confluence.wildix.com/x/QgBuAQ |
Security is a top priority for Wildix and all the security features are built-in inside the product, which means the Wildix System is Secure By Design and security is not delegated to third party devices.
...
I’m experiencing a security problem with my Wildix account
I want to report a technical security bug in a Wildix product (WMS, Collaboration, WMP, Kite, Wizyconf, WP, iOS / Android Wildix apps)
I have a privacy doubt or a privacy-related question about Wildix products and services
Wildix Cloud and ISO 27001
...
, 22301 compliance Anchor ISO27001 ISO27001
| ISO27001 | |
| ISO27001 |
Wildix Cloud services are located in data centers that undergo ISO 27001 and ISO 22301 audits. These data centers share hosted facilities space with the world’s largest Internet companies. The geographic diversity of these locations act as an additional safeguard which minimizes the risk of service interruption due to natural disasters.
...
| Questions | Answers |
|---|---|
What are the information flows within the system and between it and other services? |
|
What are the principle methods of transporting information? |
Note: 80 and 443 ports can be changed. |
Are the data shared with any other third parties? | No. |
What firewalls or network control measures are used to protect thesystem/data? | SIP firewall in PBX and high security by design withpasswords and 2factors protection. Data firewall remains important on remotesite. |
Is the system ISO 27001 compliant? | Yes. See this chapter. |
Access Control
What method is used to secure archive historic material and data?
Automatic backups configuration.
Note: Consult WMS Start Guide for details.
How the system is restored (either from backup or a rebuild from scratch) to a known working state?
- Possible restoration in other system with backup file
- Possible failover
| Questions | Answers |
|---|---|
Which access methods are available to access the system? |
Note: Details can be found in WMS Start Guide. |
What system enforced password settings are active for users?
|
|
What additional measures are in place to secure administrator accounts. (e.g. stronger passwords or crypto keys required to access systems) |
|
Is two-factor auth mandatory? | It can be mandatory, managed by ACL rules. |
How are security incidents managed and reported? | Wildix NOC Engineers perform continuous system monitoring 24/7, investigate crash reports, and intervene in case a problem with any client PBX has been revealed by the monitoring system. In case a problem has been revealed, the following actions are undertaken:
|
How does the system hand out the necessary privileges for users to gain the correct access to information? How does it prevent access to the wrong material? | Admin can limit/ allow access to certain PBX services and features by ACL rules. |
How can unauthorised access be detected? |
|
What logs are kept of successful/ unsuccessful usage attempts? | System logs (including all attempts). |
Disaster recovery, backups and data erasure
does the system hand out the necessary privileges for users to gain the correct access to information? How does it prevent access to the wrong material? | Admin can limit/ allow access to certain PBX services and features by ACL rules. |
How can unauthorised access be detected? |
|
What logs are kept of successful/ unsuccessful usage attempts? | System logs (including all attempts). |
Disaster recovery and backups
| Questions | Answers |
|---|---|
| What method is used to secure archive historic material and data? | Automatic backups configuration. Note: Consult WMS Start Guide for details. |
| How the system is restored (either from backup or a rebuild from scratch) to a known working state? |
|
| What is the backup retention period? | Two weeks for a snapshot, the snapshots are scheduled weekly on Sunday evenings. PBX configuration backups can be taken daily / weekly / monthly from the PBX’s WMS interface. |
Is there a testing processed for backups? How often do you test the restoration process? | Configuration backups can be restored through the WMS interface, these are tested regularly. A snapshot backup can also be restored through a request in critical instances via our SRE team. |
How do you secure against:
| Wildix advices to activate 5 years warranty. | How the data is destroyed when no longer needed and what data retention periods areobserved?Data can be destroyed whenneeded
System Web Security
Data Privacy
| Questions | Answers |
|---|---|
What data does the system store? | Chat history and calls stats inCDR-View. |
| What User Generated Content does the system collect and/ or host? |
Note: Chat, calls or phonebooksmodification can be forbidden by ACLrules. |
Are users required to login? Is this login over a secure link?
What are other data transfers/ connections between users' browsers and the system?
Check the doc Ports used by Wildix services.
From which solution stack does the system consist?
What is your approach for identifying applicable security patches and applying the system?
What processes do you have in place to minimise the risk of these issues according to OWASP list:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
The processes are present in Wildix Terms and Conditions.
Are any vulnerability scanning or penetration testing carried out?
Penetration tests are performed yearly and security reports summaries are released on request after signing an NDA to existing customers.
How have you ensured the data links to the web server are adequate for traffic volumes anticipated? Have you tested under anticipated load?
- Test with 5000 users / 600 concurrent calls
- Wildix recommend 100 kb symmetric per call
...
| What security measures are in place to protect the data? | Encryption at rest is implemented with a separate key for each single tenant. It encrypts Block Object Storage. This means data could not be used in the case of someone having access to the Storage with elevated permissions. |
| What are the data retention time limits implemented by Wildix with regards to personal data at stake? | The maximum retention period of any client system operational activity data that may contain personal information is 2 months. At the same time, we make every reasonable effort to clean up the data we are storing. An exception is financial/billing data stored in a period according to the legal issues of the company's residential country. |
| How is the data archived and where? | As the retention period of operational data is only 2 months, we don't archive it, using sharding to ensure integrity and fault tolerance. |
| How the data is destroyed when no longer needed and what data retention periods areobserved? |
|
| Do you have any modus operandi? | No, but we use OWASP procedures as an approach to describe threat agents in threat modeling and risk rating procedures. There are these procedures: |
System Web Security
| Questions | Answers |
|---|---|
Are users required to login? Is this login over a secure link? | Yes, users are required to login, login via HTTPS. |
What are other data transfers/ connections between users' browsers and the system? | Check the doc Ports used by Wildix services. |
From which solution stack does the system consist? | Check the doc Legal Notice PBX. |
What is your approach for identifying applicable security patches and applying the system? | Full security package with recurrent licences: Wildix Terms and Conditions. |
| Are contacts with relevant authorities (CNIL, CISA, NIST…) and special interest groups (OWASP, FIC, RSA, DEF CON…) maintained? | Wildix is in touch with OWASP Foundation and uses the OWASP SAMM in development. |
What processes do you have in place to minimise the risk of these issues according to OWASP list:
| The processes are present in Wildix Terms and Conditions. |
How are security incidents managed and reported? | Wildix SRE Engineers perform continuous system monitoring 24/7, investigate crash reports, and intervene in case a problem with any client PBX has been revealed by the monitoring system. In case a problem has been revealed, the following actions are undertaken:
|
| Is knowledge from previous incidents used to reduce the likelihood or impact of future incidents? | Yes, review of previous security incidents is the basement to improve procedures. |
Are any vulnerability scanning or penetration testing carried out? | Penetration tests are performed yearly and security reports summaries are released on request after signing an NDA to existing customers. |
| Do you implement daily Antivirus scans across all systems a patch management procedure to patch vulnerabilities with a CVSS3 score at 4 or above without undue delay? | We constantly apply security upgrades for all components within the Wildix PBX and components are very mature. By default, we do not allow elevated permissions on our PBXs and malicious software cannot be installed. Wildix PBXs are monitor 24/7 for malicious activity and are blocked by default through our inbuilt SBC and other security mechanisms. |
How have you ensured the data links to the web server are adequate for traffic volumes anticipated? Have you tested under anticipated load? |
|