TMCnet Feature
February 07, 2012

Security Best Practices for Cloud-Based Contact Centers

By TMCnet Special Guest
Rich Sadowski, Vice President Solutions Engineering, Alpine Access
The increased use of outsourcing, along with mass adoption of the at-home workforce model, has had a profound effect on how security is conducted in today's contact centers. Sophisticated security solutions are necessary to prevent unauthorized information access and ensure the confidentiality and integrity of all communications. For "cloud-based" virtual call centers, this means addressing both the network infrastructure and the virtual, home-based employee agents, including their home office work environment. Implementing the following industry best practices for security will reduce risk for organizations seeking to take advantage of the cost savings and other advantages of an at-home workforce.



Security for Network Infrastructure

 Potential threats to the network infrastructure, including the application servers, come in two basic forms: unauthorized access and the snooping or hijacking of sessions. End-to-end security provisions capable of preventing both threats are necessary because any chain is only as strong as its weakest link. 

Unauthorized Access

Hackers are constantly attempting to gain access to networked resources through a variety of means. A best practice for preventing attacks is to keep all systems fully up-to-date with the latest software releases and patches. 

  • Firewalls. The first line of defense in any network is the firewall. Most configurations now employ the “firewall sandwich,” which protects both the Web application servers and the back-end systems. This configuration is particularly important in the cloud, where back-to-back firewalls often exist at the boundaries of the service provider and enterprise network infrastructures. 
  • Authentication. Authentication is the process (embodied in a protocol) for determining that users are who they claim to be. The strongest forms of authentication are those that use multiple factors, including something the user knows (usually a password) and something the user has, such as a physical token that plugs into a USB port on the PC. An additional layer of protection is afforded by context-based authentication, which uses contextual information to help confirm a user’s identity, such as whether he or she is scheduled to work during the period of the log-on attempt. 

Session Snooping or Hijacking

The cloud’s public network infrastructure presents additional vulnerabilities. Hackers attempt to “tap” into sessions to snoop or capture traffic, or worse yet, to actually take over or hijack the session by pretending to be the legitimate user. To address these potential security risks, the industry created the Virtual Private Network (VPN). VPNs establish encrypted (and, therefore, private) “tunnels” through the public network by encapsulating traffic in special packets. The use of strong encryption, such as that afforded by the 256-bit Advanced Encryption Standard (AES), makes it virtually impossible for hackers to snoop or hijack virtual private network traffic. 

Security for Virtual At-home Agents

Security for the work at-home, cloud contact center environment involves both the employee agents and their equipment, particularly the PC and telephone. 

Virtual Home-based Agents

All employee agents should undergo an intensive vetting process, and a best practice for cloud contact centers is to conduct a particularly rigorous set of background checks. At a minimum, the background check should include verification of citizenship, validation of the Social Security Number, a credit check, and a search of criminal (felony and misdemeanor) databases at the federal and local levels. For certain programs, additional vetting may be warranted, including for education and employment experience, and drug testing may be justified in some situations. It is also important to have formal employment agreements with all employee agents that outline the agent’s (versus a contractor’s LLC) responsibilities and obligations, especially with respect to client and customer confidentiality. 

Another best practice is to provide some means for protecting personally identifiable information. The preferred method is to enable customers to enter any such sensitive information directly via the telephone keypad: “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but is masked on every screen so as not to be visible to the agent. Having the customer enter the digits directly also helps improve operational efficiency by minimizing keying errors. 

Security for Home Offices

The best home offices utilize the Public Switched Telephone Network (PSTN) for production voice communications. Not only does the PSTN deliver superior voice quality, it is also inherently secure and reliable. Additionally, securing home office PCs, whether issued by the contact center service provider or owned by the employee agents, requires implementing the very same layers of security found in a data center directly onto the PC. 

PC Lock-Down

Locking down an agent’s PC prevents any information from being copied, logged, transmitted or otherwise retained. Depending on the situation and applicable regulations, the lock-down may involve disabling the ability to write or save files to disk or any I/O port, and disabling the “copy and paste” function. This normally requires a special security application that disables some of the PC’s system resources during the session. 

Patch Management System

For security software to be completely effective, it must be fully up-to-date with the latest version. A best practice is to have a patch cycle that regularly installs system and security software patches and updates and also includes a prioritization plan to address critical security issues, especially for a new zero-day attack. 

Verification

A common saying in national security issues is “Trust but verify.” This approach is also applicable to the cloud, where the verification for work at-home security is the endpoint HIC (Host Integrity Check). Every time an employee agent logs on, the PC’s operating system and application and security software should be examined to ensure everything is installed, up-to-date and operating properly. The endpoint HIC should also validate the registry settings, confirm that no unauthorized application is currently installed, and verify that the agent is attempting access at a scheduled time and via an authorized network. 

If for any reason the employee agent (after being authenticated) does not pass the endpoint integrity check, the session should be placed immediately in a “quarantine” state. Only upon successfully passing the endpoint integrity check is the user permitted to exit quarantine and, thereby, return to normal, authorized operation. 
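The log-on check and quarantine rule described above, sketched as an added example; it is not code from the article or from Alpine Access. The component names, version floors, registry paths, application allow-list and network range are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy for illustration; every name and value here is an assumption.
MIN_VERSIONS = {"os": (10, 0, 19045), "antivirus": (4, 18, 2), "vpn_client": (5, 1, 0)}
REQUIRED_REGISTRY = {r"HKLM\SOFTWARE\ExampleCorp\Lockdown\DisableUsbStorage": 1,
                     r"HKLM\SOFTWARE\ExampleCorp\Lockdown\DisableClipboard": 1}
ALLOWED_APPS = {"softphone", "crm_client", "antivirus", "vpn_client"}
AUTHORIZED_NETS = [ip_network("203.0.113.0/24")]  # documentation range (RFC 5737)

@dataclass
class Report:
    """Posture report sent by the endpoint agent at log-on."""
    versions: dict        # component -> version tuple
    registry: dict        # registry path -> value
    installed_apps: set
    source_ip: str
    logon_time: datetime

def check_host(report, shift_start, shift_end):
    """Return (state, failures); 'authorized' only if every check passes."""
    failures = []
    for name, minimum in MIN_VERSIONS.items():
        found = report.versions.get(name)
        if found is None:
            failures.append(f"{name}: not installed")
        elif found < minimum:
            failures.append(f"{name}: out of date")
    for key, want in REQUIRED_REGISTRY.items():
        if report.registry.get(key) != want:  # a missing key also fails
            failures.append(f"registry: {key}")
    for app in sorted(report.installed_apps - ALLOWED_APPS):
        failures.append(f"unauthorized app: {app}")
    if not any(ip_address(report.source_ip) in net for net in AUTHORIZED_NETS):
        failures.append("network: not authorized")
    if not shift_start <= report.logon_time <= shift_end:
        failures.append("schedule: outside shift")
    # Fail closed: any single failure keeps the session in quarantine.
    return ("quarantine" if failures else "authorized"), failures

def sample_report():
    """Constructed compliant report, used to exercise check_host."""
    return Report(
        versions={"os": (10, 0, 19045), "antivirus": (4, 18, 5), "vpn_client": (5, 2, 0)},
        registry=dict.fromkeys(REQUIRED_REGISTRY, 1),
        installed_apps={"softphone", "crm_client", "antivirus", "vpn_client"},
        source_ip="203.0.113.25",
        logon_time=datetime(2012, 2, 7, 9, 30),
    )
```

Re-running `check_host` on a fresh report after remediation is what moves a session out of quarantine; the function keeps no state of its own.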

The highest levels of security systems and procedures are necessary in any contact center, whether physical or cloud-based. By following the above security provisions, a cloud-based contact center can be made just as secure as one housed within the enterprise. Industry standards and regulations have been established to help executives understand the level of security provided by a network. When considering a virtual at-home call center partner, it is strongly recommended to work with an organization that has been able to achieve both HIPAA compliance and Payment Card Industry Data Security Standards (PCI-DSS) Level 1 certification—the highest ratings available. 

Rich Sadowski is Vice President of Solutions Engineering for Alpine Access, Inc., the leading provider of employee-based virtual contact center solutions and services. Recently named the best contact center and CRM outsourcer for client satisfaction by Datamonitor’s Black Book of Outsourcing, Alpine Access’ clients include ten of the Fortune 100 companies in the financial services, communications, technology, healthcare, retail, travel and hospitality sectors.


Edited by Rich Steeves