BroadSoft is now part of Cisco.

Your Security is Our Priority

At BroadSoft, we value your trust and your security is our priority.

BroadSoft understands the challenges and criticality of having secure communications infrastructures and programs for service providers, channel partners, and your business customers. That is why we make it a top priority to offer you robust security while protecting your customers’ information assets.

The Risks Are Real

A security attack on your customer data and mission-critical systems can jeopardize every aspect of your business operations.

61% of data breach victims are businesses with fewer than 1000 employees, while 98% of all Distributed Denial of Service (DDoS) attacks are targeted at large organizations.

75% of all data breaches are perpetrated by individuals outside your organization. Half of all breaches involve malware, with ransomware rising through the ranks in 2017 to become one of the most common forms of malware.


Source: The 2017 Verizon Data Breach Report

What is bSecure?

bSecure is BroadSoft’s commitment to using secure business practices in every phase of the business.

It begins with software design and development practices and continues through deployment and customer support to ensure that we secure and protect customer data while delivering carrier-grade reliability.

bSecure is a comprehensive approach that includes our team of security experts, processes, data centers, platforms, operations, and architecture to enable the BroadSoft Business portfolio to operate flawlessly.


Reliability, Redundancy & Availability

The impact of a natural disaster or an unexpected outage on business operations can cause overwhelming downtime. This is where geographic redundancy becomes important, ensuring high availability of business-critical systems by mitigating the risk of unforeseen disruptions. Our cloud environment is highly available with data centers located around the globe.

Our data centers host geographically redundant deployments of our BroadCloud technology using a fault-tolerant architecture. Without a single point of failure, we can maintain service availability even in the event of a major disruption.

End-to-end monitoring of BroadCloud, our application delivery platform, and proactive reporting on its real-time status and scheduled maintenance notices allow us to deliver exceptional quality of service, bringing you business continuity and peace of mind.

"Our BroadWorks software application has been designed from the ground up for 5 9's availability and carrier-grade reliability. This is the application implemented in hundreds of carrier networks globally, and is the foundational building block of our SaaS-based BroadCloud UC-One offer."

Physical Security

The BroadSoft application delivery platform is deployed across SSAE 16 and ISO 27001-audited data centers and AWS/GCP public cloud infrastructures.

BroadSoft partners with Tier-4 data center operators with years of experience in the design, implementation, and operation of large-scale data center facilities that are armed with physical security measures, external and environmental threat management safeguards, and rigorous access control mechanisms.

Our data centers and cloud partners are evaluated annually for SOC2 attestation of compliance for physical, environmental, and access security parameters.


"BroadSoft leverages a shared security model where we inherit compliance frameworks, physical security and network security from our world-class infrastructure providers."

Communications Security

Maintaining and ensuring the protection of information interconnected through our network is essential to BroadSoft. Our network security best practices include:

  • Implementing a demilitarized zone (DMZ), firewalls, intrusion detection, and system authentication mechanisms
  • Encrypting data to protect it from threats, both at rest and in transit
  • Ensuring transmission security with Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) encryption across endpoints
  • Monitoring any unusual patterns to detect and mitigate fraudulent activity

BroadSoft systems are subject to evaluation consistent with applicable laws, regulations, agency policies, procedures, and practices. Reviews by independent agencies are conducted on a regular basis to ensure that our information security processes are adequate, complete, fit-for-purpose, and enforced.


Product Security & Privacy

BroadSoft’s approach to software development is grounded in the fundamentals of security and quality.

Our Secure Software Development Lifecycle (SSDL) uses the “Security by Design” and “Privacy by Design” approach to ensure that our applications have consistent security postures that minimize product security and privacy risks.

BroadSoft applications undergo rigorous security testing and scan validations for OWASP secure coding practices as part of their development lifecycle. Our recommended configurations deliver five-nines availability to attain software integrity, resiliency, scalability, and the highest reliability.

"As a technology company, BroadSoft understands that security and privacy need to be embedded throughout the entire software development lifecycle. Our SSDL is based on the BSIMM software security framework, ensuring BroadSoft’s security-by-design and privacy-by-design approach is consistent with industry best practices."

Fraud Detection

Protecting customers from fraud is vital to BroadSoft. Our real-time fraud detection application analyzes calling patterns to protect our customers from losses due to fraudulent call activity.

The application closely monitors call traffic for any suspect usage patterns for further investigation. When unusual activity is detected, a number of fraud mitigation actions are invoked that include blocking outgoing calling, checking if offending calls are still active and terminating them, and sending alerts and notifications to the operations team. A real-time monitoring dashboard provides insights per site and per enterprise.

As a member of CFCA, the premier international association for fraud risk management and prevention, BroadSoft uses an industry-supplied list as one basis for monitoring destinations that have had fraudulent activity reported to the organization.

"BroadCloud’s world-class fraud detection capabilities quickly identify calling anomalies, reducing actual fraud loss for our service provider customers."

Audit and Compliance



BroadSoft adheres to the most stringent security compliance, policy, and certification frameworks to protect your business communications.

As part of a continued commitment to industry best practices and benchmarks, BroadSoft has adopted ISO 27001:2013 as its security compliance framework and leverages NIST 800-53 for deployments in the US, European Union, and Australia.

With a recently attained FedRAMP “In Process” status, BroadSoft continues to work through the government FedRAMP Security Assessment Framework. BroadSoft also holds PCI-DSS level 1 compliance for our products that interact with end-user cardholder data.

"Performing external audits of our security posture against industry standards is how we attest our bSecure commitment to our customers."

 

 


Data Protection, Privacy & GDPR

Driven by core operating principles and priorities, a thorough adherence to legal, regulatory, and risk management frameworks, and industry best practices and expectations, BroadSoft’s data protection and privacy program is centered on achieving compliance with international regulatory organizations. 

BroadSoft also recognizes the importance of data privacy while adhering to valid law enforcement requests. Requests for information received from authorized law enforcement authorities will be responded to according to BroadSoft policies, terms, and applicable laws.

The General Data Protection Regulation (GDPR) is the most robust set of data protection requirements due to be enforced across the European Union in May 2018. BroadSoft embraces GDPR as an opportunity to enhance our corporate responsibilities to data protection obligations and privacy principles. With the adoption of this gold standard, our data protection and privacy program will be based on delivering the core requirements of GDPR.


"Our partnership with the major Tier 1 carriers in the EU puts us in a unique position to get direct input from them in the interpretation of the GDPR for their telecommunications and cloud UC deployments."

The BroadSoft bSecure Team

BroadSoft has a security team dedicated to your success. Led by Chief Information Security Officer Mark Kushnir, the team is responsible for creating and implementing our bSecure policies and practices.

The mission of Mark and his team is to:

  • Develop security and data privacy policies and strategies
  • Ensure our policies and practices are implemented throughout our product development processes
  • Establish customer trust in our security policies
  • Document and communicate these to BroadSoft staff and other parties


Report a Security Vulnerability

At BroadSoft, we are committed to providing a secure product and appreciate help from independent researchers, industry organizations, vendors, customers and other sources in identifying ways we can improve the security, integrity, and reliability of all BroadSoft products. 

However, there are some caveats to the above statement that we believe fall outside of what we consider responsible community help.

Permission is not granted and we ask that you refrain from any of the following actions:

  • Test our capacity, or run denial of service attacks or similar exploits
  • Run any automated exploit scanners without limiting scope
  • Conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure
  • Attack, in any way, our end users, or engage in trade of stolen user credentials or data
  • Perform automated/scripted testing of web forms
  • Continue a test if encountering misuse banners or login warnings

To report a suspected security vulnerability, email corporate security.


Have a General Security Inquiry?

Have a general security inquiry? Get in touch with us by completing this form.