Security for 8x8's SMS API Platform

Product Security

Secure Standards

Transport Layer Security (TLS) version 1.2 is used on the API endpoints. The Short Message Peer-to-Peer (SMPP) protocol is also available over TLS, and access to the SMPP interface is restricted by an iptables firewall configuration. Strong encryption parameters are used for remote user access. 8x8’s SMS API encryption practices are underpinned by Federal Information Processing Standards (FIPS) 140-2 and National Institute of Standards and Technology (NIST) standards.
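One way to verify the first of these claims from the customer side, as an added example that is not 8x8's code: the script below offers the endpoint one TLS protocol version at a time and reports any legacy version (TLS 1.0 or 1.1) the server agrees to, which is the finding a reviewer would actually care about. The hostname and port are placeholders, not 8x8 endpoint names; substitute the endpoint from the developer documentation.

```python
"""Added example (not 8x8 code): probe which TLS protocol versions an
endpoint will negotiate, and flag any legacy version it accepts.

HOST and PORT are placeholders, not 8x8 endpoint names."""
import socket
import ssl

HOST = "sms-api.example.invalid"   # assumption: substitute the real endpoint
PORT = 443

# Protocol versions in age order; the policy draws its line inside this list.
VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
POLICY_MINIMUM = "TLSv1.2"   # the page says TLS 1.2 is used on the endpoints


def pinned_context(version):
    """Verifying client context (CERT_REQUIRED, hostname check) that offers
    exactly one protocol version, so the server cannot negotiate around it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiate(host, port, version, timeout=5.0):
    """Name of the protocol actually negotiated, or None if the handshake
    failed.  A failure can come from the server or from a local OpenSSL that
    no longer offers that version; see the caveat in the text."""
    try:
        ctx = pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe(host, port):
    """Try every version in VERSIONS against host:port."""
    return {name: negotiate(host, port, v) for name, v in VERSIONS.items()}


def evaluate(results, minimum=POLICY_MINIMUM):
    """Split probe results into (violations, accepted).

    results maps version name -> negotiated version or None.  violations are
    versions older than `minimum` that the server agreed to; accepted are the
    versions at or above `minimum` it agreed to.  Missing keys count as refused.
    """
    order = list(VERSIONS)
    cutoff = order.index(minimum)
    violations = [v for v in order[:cutoff] if results.get(v)]
    accepted = [v for v in order[cutoff:] if results.get(v)]
    return violations, accepted


def policy_met(results, minimum=POLICY_MINIMUM):
    """True only if at least one acceptable version works and no legacy one does."""
    violations, accepted = evaluate(results, minimum)
    return bool(accepted) and not violations


if __name__ == "__main__":
    res = probe(HOST, PORT)
    for name, got in res.items():
        print(f"{name:8s} {'negotiated ' + got if got else 'refused'}")
    bad, _ = evaluate(res)
    print("legacy versions accepted:", ", ".join(bad) or "none")
    print("policy met" if policy_met(res) else "policy NOT met")
```

Caveat: a current OpenSSL build may itself decline to offer TLS 1.0 or 1.1, in which case those rows read as "refused" without telling you what the server would have done. Before concluding that the server blocks them, confirm with a client that still supports them (for example `openssl s_client -tls1`).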

Secure Procedures

The Secure Software Development Life Cycle Policies and Procedures define the process to support the approval, planning, and lifecycle development of 8x8 information systems. During initial design, security is evaluated in terms of the overall functional design specification, and the information processed by the application is classified in accordance with the Data Classification Standard.

Additional procedures to enhance security include:

  • 8x8 has antivirus software installed on all devices and product infrastructure.
  • A customer’s API keys are managed in the customer portal; only the customer’s administrator can create or delete keys.
  • High availability is built into the products to ensure uptime.

Data Retention and Classification

Data is retained only as required to satisfy business, legal, and regulatory requirements. A data classification program is in place to identify and provide reasonable protections to confidential information. The Data Classification, Handling, and Disposal Policy requires data to be classified as restricted, confidential, internal, or public. Restricted data is limited to certain people, and an access granting policy is in place. Confidential data is highly sensitive and is protected by statutes, regulations, policies, and/or contracts.

Infrastructure Security

Server Controls

8x8 puts tight security controls in place on the infrastructure. The 8x8 SMS APIs run on Amazon Web Services (AWS). The architecture is segmented using virtual private clouds (VPCs), subnets, and security groups, with threat detection in place. Development, quality assurance (QA), and production environments are separated from one another, as are the voice, video, and SMS environments.

8x8 maintains an 8x8 Production Server Security and Configuration Management Policy that defines server configuration guidelines. The Information Security Team approves system configurations prior to implementation.

Change Management

8x8 adheres to Change Control Policies and Procedures, and these procedures define the process for implementing changes to infrastructure. All change requests are entered into a ticket, and the process for implementing the change is tracked on this ticket. Testing plans are developed to determine the success/failure of the change, and backout plans are developed in the event of unsuccessful changes. All changes are subject to peer review, and changes must be approved prior to implementation.

System Account Management

8x8 maintains policies and procedures that address how employee access requests and accounts are managed. The Identity and Access Management Policies and Procedures document requires all identifiers to be unique to each user, and the user IDs cannot be reused. Access is assigned to personnel based on the principle of least privilege, and prior to granting access, the data owner must approve the request.

Monitoring and Vulnerability Management

Finding Vulnerabilities

8x8 maintains a formally documented risk assessment methodology covering the identification and evaluation of security vulnerabilities that affect confidentiality, integrity, and availability. The assessment is based on NIST SP 800-30 and is performed annually and after significant changes to the environment. In addition, Incident Response Policies and Procedures define the processes for identifying, reporting, containing, and remediating incidents.

8x8 uses vulnerability scanners and performs internal penetration testing to find vulnerabilities. 8x8 also runs a responsible disclosure program through HackerOne so that anyone can report a vulnerability.

New application features must undergo security review, and all source code is subject to static analysis security testing at least weekly. All software from external sources, such as outsourced code, is reviewed for security implications. A code scanning tool scans the source code in every repository. Access to 8x8’s source code repositories is managed at the individual developer level, with groups defined for products and roles; authentication requires two-step verification, versioning is enabled, and all access must be over SSH.

Monitoring Tools

8x8 maintains network logging and monitoring tools to document system activity and monitor infrastructure. 8x8 also utilizes a host-based intrusion detection solution (HIDS) to actively monitor for intrusions.

Managing the Process of Security

The security, availability, and confidentiality requirements for 8x8’s SMS API are managed using a combination of:

  1. Documented policies and procedures
  2. Management oversight
  3. Network systems and hardware

These management practices are implemented in all areas to protect systems, data, and personnel and to ensure compliance with industry best practices and standards.

Policies

8x8 has a process for reviewing and updating policies. Human Resources (HR) and Engineering review policies to ensure they remain accurate and valid for current operations. HR initiates reviews of personnel-related policies; Engineering covers policies relevant to product development and ongoing operations. All policies are available for review in the company Google Drive, and reviews are initiated as needed.

Employee Security

Management Philosophy

The Employee Handbook, email communications, and regular meetings are used to communicate the tone and direction for 8x8. The Employee Handbook includes Standards of Conduct and addresses disciplinary actions, including termination, that could result from failing to comply with these standards. Management also sends regular emails and conducts meetings to reinforce the direction of the company. A privacy manual has been published and distributed to communicate requirements for compliance with privacy legislation.

Security Training and Background Checks

The Background Checks Guidelines require all new employees to undergo a standard background check, and additional checks are completed based on job role and regulations.

Security awareness training and job-specific training are provided to employees at least annually to ensure that personnel are adequately trained to perform their assigned information security related duties and responsibilities. Secure application development training is provided to developers, and incident response training is provided to personnel responsible for security incidents.

All developers are required to attend annual training on Open Web Application Security Project (OWASP) security basics and the latest trends in secure software development to ensure that they are aware of the most current vulnerabilities. Additionally, security training is provided to all personnel.

Conclusion

From 8x8’s management philosophy to physical, process, employee, product, and infrastructure security as well as business continuity, 8x8 has put security measures in place to ensure your SMS messages are reliably and securely delivered. To learn more about 8x8's security and compliance capabilities, please reach out and our Security team can address any specific questions you have. If you’d like to dive deeper into the product, below are some additional resources.

SMS APIs Developer Documentation

SMS APIs Tutorial

SMS APIs Sign Up Link

SMS APIs Data Sheet

SMS APIs Customer Case Studies
