Technical Security Architecture (TSA) Data Encryption

Many regulations require the encryption of sensitive information. The Customer Sensitive Information class covers all information that is considered sensitive. CXone strives to encrypt all data, with some exceptions. CXone uses the following general and specific encryption guidelines.

General Encryption Guidelines

General encryption guidelines for the CXone platform are as follows:

  • Customer Sensitive Information Class: This information must be encrypted both in transit and at rest throughout the platform. Exceptions to this general rule may be approved by the security governance group based on the sensitivity of the information. Customer Sensitive Information should support crypto-shredding, so that once its key is destroyed even backups no longer retain usable information.
  • Customer Usage Information Class: The following types of information may not require encryption in motion:
    • Address book information.
    • ANI information.
    • Email addresses.

  • All Information: As a matter of industry best practice, all information should be encrypted both in transit and at rest throughout the platform. Exceptions to this general rule may be approved by the security governance group based on the sensitivity of the information. There are many examples where this guideline is not followed today. These will be addressed over time, but any new service should follow this guideline.

Specific Encryption Guidelines

CXone should follow industry best practices relative to specific encryption technologies. The following guidelines should also be used by CXone:

  • For encryption in transit, TLS 1.2 or higher must be used. The TLS specifics should not be hard-coded in the application. They should be inherited from the operating system or other configurable sources instead. The purpose of this practice is to minimize R&D effort when changes need to be made.

  • For Customer Sensitive Information, a specific tenant key should be used. This allows for crypto-shredding. It also meets business unit expectations about the isolation of sensitive information.

  • The rotation of keys should either be part of the underlying technology (like AWS KMS) or supported by the product.

  • Specific encryption ciphers and key management protocols are not mandated. However, only algorithms and protocols that meet NIST requirements should be used. These should be used with a strength equivalent to AES-256.
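
The tenant-key guideline above is what makes crypto-shredding possible. The following Go sketch is an added example, not CXone code. It assumes AES-256-GCM as the cipher and uses a hypothetical in-memory `vault` in place of a real key service such as AWS KMS; all function names and tenant IDs are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// vault is a constructed in-memory stand-in for a KMS: one AES-256-GCM key per tenant.
var vault = map[string]cipher.AEAD{}

// NewTenantKey creates a random 256-bit key that protects this tenant's data only.
func NewTenantKey(tenant string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err == nil {
		vault[tenant], err = cipher.NewGCM(block)
	}
	return err
}

// Shred discards the tenant key, so stored ciphertext and its backups can no longer be decrypted.
func Shred(tenant string) { delete(vault, tenant) }

// Encrypt returns nonce||ciphertext||tag, binding the tenant ID as associated data.
func Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	g := vault[tenant]
	if g == nil {
		return nil, errors.New("no key for tenant: never created or shredded")
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Decrypt fails when the key is gone, the blob was altered, or it belongs to another tenant.
func Decrypt(tenant string, blob []byte) ([]byte, error) {
	g := vault[tenant]
	if g == nil || len(blob) < g.NonceSize() {
		return nil, errors.New("cannot decrypt: key shredded or blob too short")
	}
	n := g.NonceSize()
	return g.Open(nil, blob[:n], blob[n:], []byte(tenant))
}
```

Because every record of a tenant is sealed under that tenant's key, calling `Shred` for one tenant leaves other tenants' data readable while making every surviving copy of the shredded tenant's ciphertext useless.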