In recent weeks, video conferencing has been embraced by people around the globe – businesses, schools, government agencies and our families. But more recently, security, data privacy and user safeguards have come to the forefront when it comes to video conferencing services.
In the spirit of transparency, we wanted to provide clarity to our customers – and potential customers – about our focus and commitment to privacy and security.
Our Approach to Security
RingCentral’s long-standing commitment to security is multidimensional. As a cloud company, we look at cyber security in four dimensions – Enterprise, Cloud, Product, and Customer Trust. We approach each as an essential priority to our business. We know that a strong company, and a strong service for our customers, requires commitment and discipline in each of these areas.
RingCentral applies an enterprise-grade, multi-layered security strategy. Led by our global security team, and encompassing many company-wide cross-functional efforts, we have implemented a series of organizational, technical, and operational cybersecurity measures. We continuously monitor several metrics to give us visibility into various dimensions of our cybersecurity efforts, perform proactive security assessments, and engage in cybersecurity governance and enterprise risk management activities. Throughout the year, we perform multiple security assessments of various types, cyber security governance activities, and enterprise risk management activities. Our senior management maintains an active involvement.
Cloud Security is the security of our infrastructure, back-end communications platform, service environments, and service operations. We employ a layered defense throughout our service cloud consisting of border defenses, multi-factor access controls, cloud security infrastructure, host-level defenses, security telemetry and monitoring. Our operational security practices include more than 300 controls that we audit annually. Our Security team has dedicated security engineering, security data analytics, and detection and response personnel. Our Network Operations Center monitors service availability [24/7] and initiates response for any service interruptions. We don’t host our services in China, nor route customer traffic to locations in China. We strive to remain transparent with our customers about where customer data is stored and processed.
Product security is the security measures we build into our product and services. We perform security testing on each release of our products using internal and external expertise. Our product security testing leverages both off-the-shelf and manual methods. Our Security team has dedicated application security personnel. We leverage multiple secure software development frameworks, and generate data throughout the software development cycle that we use to measure several security-specific software development metrics into our work, such as privacy-by-design and secure software development frameworks, and every year we undertake penetration testing and red team activities.
Trust security is our overall security framework and philosophy for providing transparency to our customers, embedding security principles into our product development activities, infrastructure and service operations, and engaging with independent third-party experts to test our security measures and recommend best practices. We believe that we have a strong vision when it comes to security, but we know that it’s important to include both inside and outside perspectives. This is valuable for us, and valuable to our customers. Independent perspectives allow us to provide transparency. We undergo frequent and proactive testing, assessments, and third-party security audits throughout the year to give our customers assurance that controls are operating effectively for various environments.
Some specifics include:
- Service border defenses at network and application layers such as firewalls, session border controllers, unified communications threat management, DDoS mitigation and multi-factor authentication measures.
- Service cloud security measures, including multiple types of security infrastructure devices, anti-malware, endpoint detection and response, configuration and vulnerability management, container scanning, security analytics for threat detection, and cloud threat monitoring.
- Application security which includes static application security testing, dynamic application security testing, runtime application security testing, penetration testing, code quality metrics, web application testing, mobile application testing, and API scanning.
- Encryption: We use standards-based encryption to protect data in-transit using TLS, SIP over TLS, SRTP and WebRTC, and at-rest using AES with 256-bit keys. We also encrypt desk phone provisioning, and support local data encryption in our softphone client.
- User policy settings: We empower our customers with several identity and access management features, including access verification, passwords, session timeout, waiting room, meeting lock, roles and permissions, account federation, data retention management, audit trail, developer API keys, OATH for Google, and support for SAML 2.0.
- Pre-built integrations that extend our customers’ security options and empower customers to expand the coverage of their existing security and compliance tools such as RingCentral for Smarsh, integration with Okta, and Theta Lake for RingCentral. We, our partners, and our customers are continually building more integrations for a variety of business use cases using our secure developer APIs.
- Privacy practices and disclosures that are clear and transparent. We never have sold and do not sell customer data. And we are compliant with the General Data Protection Rule (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act, (HIPAA). We strive for privacy practices and disclosures that are clear and transparent.
- SOC2 and SOC3 audits, which validate that service operations controls regarding security, availability, and confidentiality are operating effectively. Our SOC-2 report is available upon request, and our SOC-3 report is published on our website.
- HIPAA, FINRA and HITRUST audits ensure that our customers in highly regulated industries, such as healthcare and finance, know that we satisfy third-party verifications for exceeding the minimum standards for compliance. We have recently achieved the U.K. National Cyber Security Centre’s Cyber Essentials certification.
- This year we also intend to add ISO 27001 and ISO 270171 certification, and C5 audits to our trust program.
RingCentral Meetings Security
Since the RingCentral Meetings product is based on the Zoom platform, we want to provide clarity on several questions regarding privacy and security associated with RingCentral meetings.
There are areas that are top of mind for customers and are addressed below.
- Q: Was my meeting data routed through China?
A: RingCentral hosts and controls its own media servers that route RingCentral Meetings data. These servers do not reside in China, so this issue does not apply to RingCentral Meetings.
- Q: Was my user data shared with Facebook via an SDK?
A: This issue does not apply to RingCentral Meetings, as our product does not use the Facebook SDK.
- Q: Is the RingCentral Meetings MacOS client vulnerable to local privilege escalation and hijacking of the clients permissions to access a Mac user’s camera and microphone?
A: These vulnerabilities are listed as CVE-2020-11469 and CVE-2020-11470, respectively. They are not present in RingCentral Meetings’ MacOS client, nor are the script, entitlements and authentication tool described by the published security research as enabling factors of these exploits.
- Q: How can I keep uninvited participants from entering meetings and sharing content?A: We strongly recommend some effective measures and best practices when using RingCentral Meetings as these security capabilities are already available to you:
- Set passwords for all meetings to ensure that only those who have the password are able to attend.
- Only send meeting links to people you want to attend the meeting and do not publish meeting links on social media.
- Lock meetings after all participants have arrived to block unauthorized attendees.
RingCentral is actively working with Zoom to incorporate applicable security updates into RingCentral Meetings. Users can track updates related to specific security and privacy questions on our support website.
Keeping Customers Safe
These are unprecedented times for all of us. Helping our customers through these challenges is our priority. Security, privacy, transparency and reliability have been the foundational pillars for RingCentral since our inception. Our commitment to you is our continuing and unwavering focus on enabling safe and secure business communications.
Originally published 20 Apr, 2020