SECURITY AND PRIVACY WHITE PAPER
Poly G7500, Poly Studio X50, and Poly Studio X30
Part 3725-86421-001
Version 03
August 2021
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
Introduction have not yet registered for access to the Poly Lens This white paper addresses security and privacy cloud service. For security and privacy details related information for the Poly G7500, Poly Studio related to Poly Lens, please refer to the Poly Lens X50, and Poly Studio X30 products. Security and Privacy White Paper located here.
This paper also describes the security features and For security and privacy details related to the Poly access controls in Poly’s processing of personally RealPresence Resource Manager System, please identifiable information or personal data (“personal refer to the Privacy section of the Operations Guide data”) and customer data in connection with the for Poly RealPresence Resource Manager System. delivery of G7500, Studio X50, and Studio X30 features, including the location and transfers of Security at Poly personal and other customer data. Poly will use such Security is always a critical consideration for Poly data in a manner consistent with the Poly Privacy products and services. Poly’s Information Security Policy, and this white paper which may be updated Management System (ISMS) has achieved ISO from time to time. This white paper is supplemental to 27001:2013 certification. ISO/IEC 27001 is the most the Poly Privacy Policy. The most current version of widely accepted international standard for information this white paper will be available on Poly’s website. security best practices.
G7500, Studio X50, and Studio X30 products provide Product security at Poly is managed through the video conferencing and content-sharing solutions for Poly Security Office (PSO), which oversees secure small, medium, and large conference rooms. They software development standards and guidelines. are deployed on-premises within the customer’s The Poly Product Security Standards align with NIST environment. As these systems are deployed in the Special Publication 800-53, ISO/IEC 27001:2013, customer’s environment, it is the responsibility of the and OWASP for application security. Guidelines, customer to protect data that resides on the systems. standards, and policies are implemented to provide our developers with industry approved methods for Optional Integrations Available adhering to the Poly Product Security Standards. Poly G7500, Poly Studio X50, and Poly Studio X30 products are capable of being configured Secure Software Development Life Cycle to integrate with the following optional Poly Poly follows a secure software development life cycle products: (S-SDLC) with an emphasis on security throughout the product development process. Every phase of the Optional Other Services Provisioning development process ensures security by configuration establishing security requirements alongside Poly Lens Yes Analysis & Reporting functional requirements as part of initial design. Architecture reviews, code reviews, internal penetration testing, and attack surface analysis are Poly Yes Device Management RealPresence & Monitoring performed to verify the implementation. Resource Manager System The S-SDLC implemented by Poly also includes a (on customer significant emphasis on risk analysis and vulnerability premises) management. To increase the security posture of Poly products, a defense-in-depth model is By default, certain personal data is sent to the Poly systematically incorporated through layered Cloud for use by the Poly Lens service even if you defenses. The principle of least privilege is always
2
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
followed. Access is disabled or restricted to system Android Security Practices services nonessential to standard operation. On all Poly video endpoints, the Android operating system is locked down. Android features and Standards-based Static Application Security Testing functions that are not necessary for standard (SAST) and patch management are cornerstones of operation of a given device are disabled. our S-SDLC. • Devices run a modified and restrictive implementation of Android which limits the Privacy by Design capabilities of the device as compared with Poly implements internal policies and measures commonly available Android phones and tablets. based on perceived risks which meet the principles • Poly removes the ability to side-load APKs or of data protection by design and data protection by access the Google Play store, and we formally default. Such measures consist of minimizing the test that these restrictions remain in place across processing of personal data, anonymizing personal product releases. data as soon as possible, transparently documenting • We follow Android recommended guidelines for the functions and processing of personal data, and signature verification of installed applications, providing features which enable the data subject to and all device software updates are restricted to exercise any rights they may have. Poly signed update packages. Ecosystem partner applications enabled on Poly devices may allow When developing, designing, selecting, and using over the air updates of the partner application, applications, services and products that are based on independent of the device firmware update. the processing of personal data or process personal • All devices are tested against known rooting and data to fulfill their task, Poly considers the right to jailbreaking methods and are hardened against data protection with due regard. architecture modification. • Physical ports are hardened to protect the device Security by Design from common Android attack vectors. Poly follows Security by Design principles • Endpoints are designed and tested to ensure that throughout our product creation and delivery a device administrator can configure the security lifecycle which includes considerations for posture according to local needs. Examples of confidentiality, integrity (data and systems), and configuration options available to a local availability. These extend to all systems that Poly administrator include configuration of password uses – both on-premises and in the cloud as well as policy, encryption strength, and responses to to the development, delivery and support of Poly failed login attempts. Logging, both internally and products, cloud services, and managed services. remotely, is also configurable.
The foundational principles which serve as the Partner APKs that are installed on Poly devices are basis of Poly’s security practices include: subjected to Poly security review and all installed 1. Security is required, not optional Poly and partner APKs are tested for common 2. Secure by default, Secure by design Android vulnerabilities including: 3. Defense-in-depth • Data leakage 4. Understand and assess vulnerabilities and • Sensitive data storage threats • Outside influence 5. Security testing and validation • Malicious modifications 6. Manage, monitor, and maintain security posture
7. End-to-end security: full lifecycle protection
3
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
Security Testing NOTE: After the installation to Poly devices of certain Both static and dynamic vulnerability scanning as 3rd party apps or services via the Poly software well as penetration testing are regularly performed for promotion process, please be aware that personal production releases and against our internal data may still be available to those apps or services corporate network by both internal and external test via the device APIs even if sending data to Poly has teams. been turned OFF. Please refer to the documentation of those 3rd party applications or services for details. Patches are evaluated and applied in a timely fashion based on perceived risk as indicated by CVSSv3 If someone is an individual user of G7500, Studio scores. X50, or Studio X30, and their employer has purchased and configured the system on their Change Management behalf, all the privacy information relating to A formal change management process is followed by personal data in this white paper is subject to all teams at Poly to minimize any impact on the their employer’s privacy policies as controller of services provided to the customers. All changes such personal data implemented to Poly G7500, Poly Studio X50, and Poly Studio X30 products and related Poly cloud Data Processing services go through vigorous quality assurance By default, the following information is testing where all functional and security requirements processed and stored locally on the Poly are verified. Once Quality Assurance approves the G7500, Poly Studio X50, and Poly Studio X30 changes, the changes are pushed to a staging devices: environment for UAT (User Acceptance Testing). • MAC address Only after final approval from stakeholders, changes • Serial number are implemented in production. While emergency • Display name changes are processed on a much faster timeline, • System name risk is evaluated, and approvals are obtained from • IPv4/v6 addresses stakeholders prior to applying any changes in • SIP username production. • SIP URI • Local contacts Data Collection • Admin ID and password By default, Poly G7500, Poly Studio X50 and Poly • Full Call detail record (CDR) Studio X30 devices automatically send product • System log files usage data, device data, call detail records and • Directory entries quality of service data to the Poly Cloud for use with the Poly Lens service. Data collected will be used • IP peripheral details for the purposes identified in the table below. For o MAC address of paired and unpaired details about this data processing, please refer to devices the Security and Privacy White Paper for Poly Lens o IP address located here. o Serial number o Encryption key (remote) To turn OFF data collection, please see the “Turn off o MAC address the System Usage Data Collection” section in the o Serial number G7500, Studio X50, and Studio X30 Administrator’s o Display name Guide in the product documentation. This information is used by the device to provide
4
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
basic functionality, device pairing operations, enable also maintain a local call detail record (CDR) which the REST API functionality, and to enhance the user contains call information such as local and remote experience by providing easy access to call history party identification, number dialed, time and date of and frequently used contacts. the call, and call duration. The CDR is enabled by default but can be disabled if required. If you elect to use the G7500, Studio X50, and Studio X30 products with the optional Poly The local CDR data is saved automatically to the RealPresence Resource Manager System, it will local database residing on the device file system. send information to that system for the purpose of Only the administrator has access to the device file provisioning and management. For details about this system based on the principles of “least privilege” data processing, please refer to the Privacy section and “need-to-know.” of the Operations Guide for Poly RealPresence Resource Manager System. If the device is configured to use an optional Poly RealPresence Resource Manager System as a As these devices and systems are deployed in the provisioning server, the local contacts file, the customer’s environment, it is the responsibility of the device logs and the CDR data will be securely customer to protect the data processing. sent to the solution for backup. There is also a configurable option for the user to stop uploading Purpose of Processing of the local contacts through a menu item accessible from the device’s administrative web Information that is processed is used for enhancing interface. the user experience, allowing configuration of settings required for proper delivery of services and For the set of usage data sent to Poly Lens, data is easy access to frequently used data. stored in a database server located in a data center
in the United States that is SSAE 16 Type II certified When configured to use an optional Poly device and runs dedicated databases and application management solution, the on-premises server or servers. When the Poly database server receives cloud service processes configuration files and their data from the customer, it is verified for integrity, overrides to aid the management of the devices in a given deployment. The server or cloud service may processed, and saved in the database. also process device network information, media statistics and device asset information to aid in Poly may change the location of the database server device analytics, which enables device performance and details of any such change shall be set forth in validation and visibility into customer quality of the latest copy of this white paper available on Poly’s experience and service performance. website.
How Customer Data is Stored and Protected The Poly database and application servers reside in The Poly G7500, Poly Studio X50, and Poly the Azure data center behind a fully patched firewall Studio X30 products save all local contacts to the that is also managed. Access for any services not local database residing on the device file system required by Poly is blocked. from which the .xml file is generated. When a user adds, deletes, or modifies contacts in the local contact directory, those details are stored in a local contact directory file.
The G7500, Studio X50, and Studio X30 products
5
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
Source from Where Business Purpose Disclosed to the following Categories of PI Collected PI Collected for Collection Service Providers Device Identifier • Device ID • Internal research (product Azure (used by Poly Lens) Information • Device display name improvement, development, and • IP address analytics) • MAC address • Activities to verify or maintain the (for both primary device quality (Product and Sales and paired/ unpaired IP Engineering Support) peripherals) • Serial number • Detecting security incidents • PCS Number • Debugging • PCS Account Code • System name • Device geolocation data including Time zone • Encryption key (remote) Device User • User ID • Internal research (product Azure (used by Poly Lens) Information • SIP username improvement, development and • SIP address analytics) • SIP alias name • Activities to verify or maintain the • Admin name and quality (Product and Sales password (hashed) Engineering Support) • Local contacts • Detecting security incidents • Log files • Debugging • Tenant ID • Short-term, transient use (login) • Email address • Organization name
Local and remote call • Full Call detail record • Internal research (product Azure (used by Poly Lens) participant Information (CDR) improvement, development and • Dial string number analytics) • Call ID • Activities to verify or maintain the • Participant names quality (Product and Sales (local and remote) Engineering Support) • Participant IP • Detecting security incidents addresses (local and • Debugging remote) • Short-term, transient use (login)
6
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
Data Deletion and Retention Please consult the G7500, Studio X50 and Studio For clearing of the contacts stored on your local X30 Administrator Guide for further details device, there is an option presented to the regarding deployment configurations and options. administrator through the web interface. An administrator can select this option to clear all the Server Access and Data Security local contacts. For clearing of local device call log All customer data sent to the Poly cloud is encrypted information, please refer to the Poly G7500, Poly both at rest and in transit using strong cryptography Studio X50, and Poly Studio X30 Administrator’s including AES-256 and TLS up to v1.2. Guide and Privacy Guide in the product documentation. All customer data sent to the Poly cloud is backed up daily in digital form using the Azure data factory. All contact and call log data are deleted (but not Normal access controls of authorized users and data overwritten) when the device is reset to factory security policies are followed for all backup data. No default settings. physical transport of backup media occurs. The backup data during rest and while in transit is For details related to clearing of G7500, Studio encrypted using AES-256. X50, and Studio X30 data stored in your organization’s RealPresence Resource Manager Servers are in a secure data center, with only System, please refer to the Privacy section of the authorized staff members having access. The servers Operations Guide for Poly RealPresence Resource are not directly accessible from outside the data Manager System. center.
For the set of usage data sent to the Poly Lens cloud Cryptographic Security service, Poly may retain customer data for as long as Poly G7500, Poly Studio X50, and Poly Studio needed to provide the customer with any Poly cloud X30 products use secure communication services for which they have subscribed and for channels for all connections with content-sharing product improvement purposes. When a customer devices and over data networks. G7500, Studio makes a request for deletion to [email protected], X50, and Studio X30 products implement Poly will delete the requested data within 30 days, cryptographic libraries on the system and will unless the data is required to provide the service to encrypt all data being transmitted. Data customer. transfers use HTTPS data stream over port 443, using TLS 1.2 and symmetric encryption Poly may “anonymize” personal data in lieu of algorithms AES-128 and AES-256. deletion. The anonymization process is irreversible and includes but is not limited to searching and The G7500, Studio X50, and Studio X30 sanitizing all customer-specific data (e.g., name, site products implement FIPS 140-2 certified information and IP address) with randomly generated cryptographic libraries on the system for all alphanumeric characters. data transmission and will encrypt all data being transmitted. Modules and TLS cipher Secure Deployment suites implemented in the G7500, Studio X50, Poly G7500, Poly Studio X50, and Poly Studio and Studio X30 products are open (i.e. publicly X30 products are deployed and administered on- disclosed) and have been peer reviewed. premises within the customer’s environment. Cryptographic libraries are regularly updated. Deployment options are available to support a variety of scenarios and work environments. Data sent to Poly, as well as data sent to the
7
SECURITY AND PRIVACY WHITE PAPER FOR POLY G7500, POLY STUDIO X50, AND POLY STUDIO X30
optional Poly RealPresence Resource Manager Subprocessors System, are protected with encryption as Poly uses certain subprocessors to assist in providing indicated. our products and services. A subprocessor is a third- party data processor who, on behalf of Poly, Authentication processes customer data. Prior to engaging a The customer’s administrator can access Poly subprocessor, Poly executes an agreement with the G7500, Poly Studio X50, and Poly Studio X30 subprocessor that is in accordance with applicable products for management and configuration by using data protection laws. the device’s web interface. Access to the device’s web interface requires administrator credentials to The subprocessor list here identifies Poly’s be entered via a web browser. authorized subprocessors and includes their name, purpose, location, and website. For questions, please Disaster Recovery and Business Continuity contact [email protected]. Poly G7500, Poly Studio X50, and Poly Studio X30 products are deployed on customer Prior to engagement, suppliers that may process data premises. Primary responsibility for Disaster on behalf of Poly must undergo a privacy and Recovery and Business Continuity resides with security assessment. The assessment process is the customer. designed to identify deficiencies in privacy practices
or security gaps and make recommendations for Additionally, the G7500, Studio X50, and Studio X30 reduction of risk. products are architected to provide high reliability, resiliency, and security. Suppliers that cannot meet the security requirements
are disqualified. Poly has a Business Continuity and Disaster
Recovery Plan reviewed and approved by Additional Resources management to ensure that we are appropriately To learn more about Poly G7500, Poly Studio X50, prepared to respond to an unexpected disaster and Poly Studio X30, visit our product website. event. Poly tests disaster recovery processes and procedures on an annual basis. We use the results of this testing process to evaluate our preparedness Disclaimer for disasters and to validate the completeness and This white paper is provided for informational accuracy of our policies and procedures. purposes only and does not convey any legal rights to any intellectual property in any Poly product. Security Incident Response You may copy and use this paper for your internal The Poly Security Office (PSO) promptly investigates reference purposes only. POLY MAKES NO reported anomalies and suspected security breaches WARRANTIES, EXPRESS OR IMPLIED OR on an enterprise-wide level. You may contact the STATUTORY AS TO THE INFORMATION IN THIS PSO directly at [email protected] WHITE PAPER. THIS WHITE PAPER IS PROVIDED “AS IS” AND MAY BE UPDATED BY POLY FROM The PSO team works proactively with customers, TIME TO TIME. To review the most current version independent security researchers, consultants, of this white paper, please visit our website. industry organizations, and other suppliers to identify possible security issues with Poly products and networks. Poly security advisories and bulletins can be found on the Poly Security Center.
© 2021 Plantronics, Inc. All rights reserved. Poly and the propeller design are trademarks of Plantronics, Inc. The Bluetooth trademark is owned by Bluetooth SIG, Inc. and any use of the mark by Plantronics, Inc. is under license. All other trademarks are the property of their respective owners.
8