RingCentral recognizes that secure and reliable phone service is critical to business operations. As a cloud service provider, RingCentral offers robust multi-tenant cloud communications service with several layers of security built in. This paper explains the security model for RingCentral’s cloud services.
The security of RingCentral’s cloud services encompasses multiple layers and many components, from policies and methodologies to service architecture, the capability to detect potential toll fraud and service abuse, and user-controlled service administration. Security capabilities and settings reside in the application and infrastructure layers, within the service delivery and operations processes, and in the company’s security policies and governance practices.
The security of customer PBX services is shared between customers, who manage their PBX policies, user permissions, and login information, and RingCentral, which manages service delivery, architects and designs security into the product, and ensures physical and environmental security of the service. We employ a multi-layered security model, with security at the perimeter, at the service delivery layer, SSL on our web applications, tier 1 data centers, and settings in the interface that a customer controls.
In addition, RingCentral has a full-time security and fraud-prevention department with a security program that is based on industry best practices. The program also includes communications fraud monitoring, in which we monitor customers’ service for anomalous calling that may be toll fraud.
User Service Administration
RingCentral’s cloud services include front-end settings that customers control to manage their PBX policies and their users.
These settings include adding/removing extensions, setting user permission levels, managing extension PINs, enabling international calling, allowing specific international call destinations, and blocking inbound caller IDs. In addition, customer admins and individual users can review call history and upload and delete messages.
Customer PINs are stored as secure hashes. Customer data is logically segmented in application databases.
RingCentral utilizes SSLv3/TLSv1 to encrypt web session traffic.
Network and Infrastructure Security
RingCentral’s network and application perimeter is protected with firewalls and session border controllers. Administrative access requires authenticating through a production VPN gateway, then authenticating to local infrastructure systems. Only authorized personnel are given access to the production environment. Technology layers include intrusion-detection systems, system logs, and fraud analytics. Operational processes include system and service-level monitoring, system hardening, change management, and regular vulnerability scans.
Physical and Environmental Security
We host our services in data centers that undergo SSAE-16 and/or ISO 27001 audits.
Our data centers share hosted facilities space with some of the world’s largest Internet companies and financial institutions.
The geographic diversity of our locations acts as an additional safeguard, minimizing our risk of loss and service interruption due to natural disasters and other catastrophic situations.
The RingCentral service includes multiple layers to prevent and detect toll fraud, including access control, detection controls, usage throttling, and customer-controlled settings to enable/disable international calling to approved destinations. In addition, RingCentral’s security department performs active monitoring to detect and notify customers of anomalous calling patterns on their account.
The RingCentral service is architected to support failover conditions in case of emergency. Our service is built with geographically distributed redundancy. Primary and backup locations remain online simultaneously, with a primary pod in active mode, and the secondary pod in standby mode. Database replication between locations is in real time, with failover being built into the service. If a primary location is unavailable, the backup location will continue service. In addition to infrastructure and application redundancy, we also have geographically distributed operations such that service operations can also continue if one location is not available.
Checklist for Protecting Your RingCentral Service
- Use a strong PIN.
- Disable calling card feature if not needed.
- Disable international calling if not needed.
- If you use international calling, restrict call destinations to those needed for your company business.
- Restrict long-distance calling if not needed.
- Restrict call forward — don’t allow call forwarding to international or long-distance numbers.
- Restrict admin-level permissions. Limit the users to whom you give this level of permission.
- Block any numbers that you do not want to receive calls from.
- Only use email message forwarding for non-sensitive messages. Retrieve sensitive messages via an encrypted web session.
- Securely dispose of any physical copies of your call records and invoices.
- Change PIN codes often.