Securing Cloud-Based Contact Center Solutions

Note: This article is the second in a four-part series. Also read:

• Considerations for Cloud-Based Contact Center Solutions, by Jon Arnold
• Achieving Greater Flexibility in Contact Center Operations, by Lisa Pierce
• "CaaS – Predictability Brings Peace of Mind to Contact Center Deployments," by Nancy Jamison

As enterprise contact centers have become more sophisticated, so have their security requirements. Gone are the days when the main security concerns in the contact center were preventing toll fraud and agent PC anti-virus. In addition to the security concerns that come with the addition of new channels like email, chat, and social networking, many contact centers have significant regulatory and compliance considerations for privacy and protection of sensitive information like account numbers, healthcare data, social security numbers, and more.

Now that UC contact center services are increasingly moving into the cloud, I thought it might be a good idea to investigate how one cloud-based contact center solution provider is tackling these security challenges with their customers. Interactive Intelligence offers a broad range of security capabilities across their solution offerings, and the deployment flexibility of their cloud-based solutions enables customers to keep sensitive databases local or even terminate calls and store recordings locally. Within hosted portions of the solution, server-side virtualization also enables complete separation of customer execution environments.

I’m often asked if a given product or solution is “secure,” and it’s certainly true that with a cloud-based solution like Interactive Intelligence, this question of security is one of the first to surface with customers because the enterprise is still learning what it means to secure cloud-based services in general. In order to answer that question, it helps to translate “secure” into terms that translate into underlying business imperatives. Here are some examples of what an enterprise contact center company might ask of their solution vendor, coupled with how Interactive Intelligence answers them and what to look out for in cases where the industry is still evolving:

• Can a cloud-based contact center solution isolate my company’s data and services from that of its other customers? With the use of server-side virtualization, the execution environment for each Interactive Intelligence customer runs in its own virtual machine and customer data is stored within unique database instances that can be hosted in the cloud on the customer premises. Customer networks are segregated and isolated from each other and from Interactive Intelligence operational networks, and connectivity to customer locations takes place over private MPLS connections. There are a lot of differences here between hosted service providers, so customers are wise to ask detailed questions so they understand exactly how this isolation is delivered.
• How can my organization reap the benefits of a cloud-based contact center solution if we need to terminate calls and store recordings locally because of security or privacy rules and regulations? What’s unique about the Interactive Intelligence solution is its flexibility when it comes to where the IP-PBX function and related recording functionality can reside.  For customers that require it, call termination and recording storage can take place locally within the call center. At some point in the future, standardized and interoperable SIP-TLS and SRTP (something technically possible but rarely practical from hosted service providers in end-to-end form because of interoperability challenges) may be an additional consideration for enterprises that need secure alternatives to premise-based solutions.
• How do I keep sensitive information from leaving my contact center location? Regardless of whether a customer chooses to terminate all calls and storing all recordings locally, sensitive databases can be kept on premise. This might include payment systems, health records, account data, or anything else that may be easier to keep local for privacy, proprietary, or legal reasons. Interactive Intelligence solutions can accommodate any mix of local and hosted databases. In some cases, part of the challenge is found in securing the database access over the networks. Database vendor support for interoperable, TLS-based ODBC access is desirable but can be difficult to implement and is generally not yet supported by hosted service providers.
• Can I do anything to keep sensitive data like PINs, Social Security Numbers, and Account Numbers out of call recordings and log files? Whether it arrives in the form of raw data, speech or DTMF tones, any sensitive data can be kept out of recordings and logs within Interactive Intelligence solutions when coupled with associated configuration and agent training. One of the latest features to be added is the ability to mark certain data fields as sensitive so they don’t find their way into contact center log files where it might otherwise be less protected. And another new feature called “Secure Pause” enables agents to temporarily pause recording for a preset period of time while sensitive information is being spoken (or keyed) by either party.
• My contact center applications need to support sophisticated role-based access controls (RBAC) with multiple profiles for administrators, agents, and supervisors. Are these supported? Interactive Intelligence supports RBAC along two dimensions. First, customizable policy controls for administrators, agents, and supervisors enable you to determine exactly what operations can be performed for a given profile. Second, the scope for each of those operations can be defined within each profile so that agents, supervisors, and administrators can’t affect call center operations beyond that scope. Multiple profiles can be added to individual users as necessary to enable exactly the scoped level of permissions they need.
• How do I ensure my call recordings are safe from unauthorized access? Interactive Intelligence addresses this in two ways, both of which apply regardless of whether recordings are hosted in the cloud or kept on premise. First, role-based access control (RBAC) is applied to enable fine-grained authorization controls for groups of administrators, supervisors, and agents seeking to access the recordings database. Next, the recordings themselves can be individually and automatically encrypted to prevent direct access of recordings through the file system that holds them.
• How do agent and supervisor applications secure their communications with the call center server? Interactive Intelligence uses a certificate-based mechanism to authenticate and encrypt agent and server client application communications with call center servers. This application-layer security adds additional protection to the already-secure private MPLS link connecting the call center premise to Interactive Intelligence servers.
• My company requires stringent password complexity, expiration, and lockout requirements. Are these supported? Interactive intelligence offers sophisticated password complexity, expiration, and lockout policy settings modeled after those found in Active Directory policy settings. In general, this means that if your company’s password requirements have been applied to your desktop and laptop computers, they can be applied to Interactive Intelligence agent, supervisor, or administrator accounts. Companies have found direct integration with enterprise directory, identity, or single sign-on (SSO) can also be an attractive means of addressing these issues, and it has the additional benefit of reducing the amount of passwords each agent (and enterprise) must manage.

Today’s contact center is under more security and regulatory pressure than ever before. The flexibility and built-in security functionality provided by cloud-based providers like Interactive Intelligence offer fairly satisfying answers to essential security needs and in some cases can even exceed those available on premise-only solutions. There’s always room for additional security features in the future, of course. Cloud-based solutions would ideally cover the many signaling, media, and database transport encryption options and integration possibilities with enterprise directory and identity services. Preserving confidentiality, securing access, and isolating shared infrastructure are all essential parts of the security story for cloud-based contact center customers, and the good news is that these goals can be met if they’re a priority for a given customer. 

This paper is sponsored by Interactive Intelligence.