Security specifications

Last Updated: Oct 03, 2025

The following sections outline CMS security features. For more information about security best practices, see Avaya Call Management System Security.

Operating system hardening

CMS achieves operating system hardening through the following measures:

  • Patch management and qualification: CMS includes all necessary components, including security patches, in each release. Avaya receives additional patch notifications and certifies new Linux® OS patches. Avaya then assembles these patch clusters and makes them available to customers through Product Change Notices (PCN).

  • Security logs and audit trails: You can use operating system-level log files to detect suspicious activity. Review these log files routinely to identify unusual behavior.

  • Banner modifications: Modify Telnet and FTP service banners to hide operating system details from potential attackers.

  • Email and SMTP configuration: Do not configure CMS as a mail relay. Disable the Simple Mail Transfer Protocol (SMTP) daemon.

Authentication and session encryption

CMS uses the following methods for authentication and session encryption:

  • User authentication and authorization: CMS uses Linux® OS login and password security measures and provides multiple levels of system access. To authenticate users, CMS uses OS capabilities based on Pluggable Authentication Modules (PAM). At the system level, CMS uses the standard operating system permissions. You can administer data permissions for each user within CMS.

  • Password complexity and expiration: You can enable and modify password expiration attributes through the CMSADM menu. Set expiration intervals from 1 to 52 weeks.

  • Failed login logging: You can log failed login attempts to the system message log, syslog.

  • Concurrent login prevention: With the APS hardening offer, you cannot log in more than once concurrently.

  • Secure login using SSH: CMS simplifies the installation of a secure Supervisor client login over public or unsecured networks using Secure Shell (SSH). This protocol encrypts packets between the client workstation and host server, securing login credentials and other sensitive data.

Note:

For information about FIPS 140-2 encryption, see Maintaining and Troubleshooting Avaya Call Management System and Avaya Call Management System Release Notes.

Data privacy regulations

Many organizations have policies for handling personal data. For example, the European Union issued the General Data Protection Regulation (GDPR), and the State of California created the California Consumer Privacy Act (CCPA). To support these policies, CMS encrypts personal data at rest and in transit. CMS also provides tools and guidelines to manage personal data. For more information about how CMS protects personal data, see Product Privacy Statement for Avaya Call Management System.

Encryption of personal data at rest

CMS supports encryption for personal data at rest. Supported platforms encrypt disks by default or with minimal configuration.

Encryption of personal data in transit

Personal data in transit can be encrypted between CMS and its connected ACD systems. CMS encrypts the SPI link automatically when you administer the connection between systems. This encryption is invisible to the user.

Encryption of personal data in transit is available with CMS Release 19.1 and later, as well as Communication Manager Release 8.1.2 and later.

Optional data encryption features

  • You can encrypt data sent over LDAP connections to an Active Directory server.

  • You can also encrypt data sent over ODBC and JDBC connections.

Application security

CMS provides application security through the SPI link, application-level audit logging, and database security controls.

Physical security

CMS achieves physical security through physical server protection and EEPROM/BIOS security.

Services security and CMS support

CMS ensures services security and CMS support through remote connectivity, authentication, and password management for services.

Personal data in CMS

CMS stores the following types of personal data:

  • Information about call center agents.

  • Information about CMS users.

  • Phone numbers dialed by individuals placing calls into the call center.

  • Phone numbers dialed by agents placing calls outside the call center.

The agent and user information applies to company employees who use CMS. CMS stores only the personal data required to support standard employee operations.

For callers and agents, CMS stores only the dialed digits.

You can use CMS logs and tools to manage personal data. For more information, see Maintaining and Troubleshooting Avaya Call Management System.