inContact WFO Security Overview

This topic gives an overview of inContact WFO system topology as context for discussions about transport and file security. It also discusses the basic and enhanced security features built into inContact WFO.

inContact WFO Design

Depending on the integration, inContact WFO receives call audio from either the PBX or agent telephone. Call data comes from the PBX. Screen recording data is received from the agent’s PC over the LAN/WAN. All recording is done on one or more servers located at the customer's site(s).

The audio and screen recording files may be stored only on the recording server(s), or they can alternatively be stored there temporarily and later written to another server or file storage location based on schedules and available bandwidth. In this scenario, the local files are deleted after the recordings are moved. Long-term storage, or archiving, of recordings can be managed in a variety of ways, including variable retention periods and automated purging.

Database records for each recording are created in inContact WFO for file and quality management purposes. These records let the files be located so that users with appropriate permissions can listen to and view the files via the inContact WFO Web Portal. The database can be housed on the recording server, on a separate server, or as an instance in an organization's SQL cluster.

Interactions between inContact WFO components (for example, servers, Web Portal), file servers, and archive devices can be configured to use SSL.

If users are recorded from remote locations or access recordings from remote locations, inContact recommends that a VPN be established to support PCI certification.

Appropriate physical and IT security measures must be used with any servers and workstations included in recording and storage of recording files and data. This is especially true in contact centers that are concerned with PCI compliance. Consider:

  • One or more Windows file servers may be used for storing recording files with cardholder data.
  • Servers, network attached storage devices, removable media, or other devices may be used in archiving recording files with cardholder data.
  • inContact Screen Recording servers may be used, resulting in video files that are stored in a different location from the associated audio files.

The accounts and passwords used to manage these devices and files should also comply with overall security measures. inContact recommends the following:

  • As a precaution, any account used to manage inContact WFO system servers should be secured in order to prevent anyone from tampering with the system’s operations.
  • inContact WFO uses an SQL database, as mentioned previously. For SQL servers, inContact recommends:
    • NT Authority\System for SQL Server Database Engine
    • NT Authority\Network Service for SQL Server Reporting Services
    • NT Authority\Local Service for SQL Server Browser
    Talk to your deployment engineer or support team for more information.
  • When separate inContact Screen Recording servers are used, the system requires a UNC path for the recording storage location and a user account and password with Write permission for that location. This account should also be secured.
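
The service-account recommendations above can be audited with a short script. This is an added example, not inContact code; the service-name patterns are the SQL Server defaults and are assumptions about your installation, and the sample rows are constructed.

```powershell
# Recommended accounts, taken from the list above. Service-name patterns are
# SQL Server defaults (assumption): adjust them for your own instances.
$Expected = @(
    @{ Role = 'Database Engine';    Pattern = '^(MSSQLSERVER|MSSQL\$.+)$'
       Account = 'NT AUTHORITY\SYSTEM' }
    @{ Role = 'Reporting Services'; Pattern = '^(ReportServer(\$.+)?|SQLServerReportingServices)$'
       Account = 'NT AUTHORITY\NETWORK SERVICE' }
    @{ Role = 'Browser';            Pattern = '^SQLBrowser$'
       Account = 'NT AUTHORITY\LOCAL SERVICE' }
)

function ConvertTo-CanonicalAccount {
    param([string]$StartName)
    # Win32_Service reports the built-in accounts in several spellings.
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { return 'NT AUTHORITY\SYSTEM' }
        '^NT AUTHORITY\\Network ?Service$'     { return 'NT AUTHORITY\NETWORK SERVICE' }
        '^NT AUTHORITY\\Local ?Service$'       { return 'NT AUTHORITY\LOCAL SERVICE' }
        default                                { return $StartName }
    }
}

function Test-SqlServiceAccount {
    param([Parameter(Mandatory)][object[]]$Service)
    foreach ($svc in $Service) {
        foreach ($rule in $Expected) {
            if ($svc.Name -match $rule.Pattern) {
                $actual = ConvertTo-CanonicalAccount $svc.StartName
                [pscustomobject]@{
                    Service   = $svc.Name
                    Role      = $rule.Role
                    Actual    = $svc.StartName
                    Expected  = $rule.Account
                    Compliant = ($actual -eq $rule.Account)
                }
            }
        }
    }
}

# Constructed sample rows shaped like Win32_Service output (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';  StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ReportServer'; StartName = 'CONTOSO\svc-report' }
    [pscustomobject]@{ Name = 'SQLBrowser';   StartName = 'NT AUTHORITY\LocalService' }
)
Test-SqlServiceAccount -Service $sample | Format-Table -AutoSize
```

On a live server, pass `(Get-CimInstance Win32_Service)` as `-Service` instead of the sample rows; any row with `Compliant` set to `False` differs from the recommendation.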

Access Control

Access to inContact WFO configuration, certain features and functionality, and even recording files themselves, can all be limited through user roles. Permissions that can be assigned to these roles are very granular, providing a great deal of flexibility in the way organizations implement the system.

Enhanced Security Features

inContact WFO offers several enhanced security features, including blackouts and encryption. Manual blackout functionality is controlled by permissions. Encryption and automated blackouts are chargeable options.

If these were not originally included with your system, and you would like to add one or both features, consult your inContact Workforce Optimization representative.

Secure Storage and Transport

Interactions between recording servers, inContact WFO Web Portal servers, file servers, and archive devices can use SSL (Secure Sockets Layer) and TLS (Transport Layer Security) for data in transit. The use of SSL/TLS requires special configuration, and customers must obtain their own SSL certificate(s).

For transport security to be effective, all communication starting and ending points should be secured. Bear in mind that SSL and TLS are all-or-nothing solutions. For example, if you enable SSL, TLS, or both, on the inContact Screen Recording server, but do not enable these features for the screen recording clients, the clients and server will not be able to communicate.

If users are recorded or access recordings from remote locations, they must go through a VPN for this level of security.

TLS is typically used in conjunction with encryption (discussed in the previous section). The following table summarizes the impacts of encryption and TLS on an inContact WFO system.

Encryption | TLS | Effects
On | On | All files stored in supported formats on disk are encrypted. All Web Player and live monitoring communications are encrypted.
On | Off | All files stored in supported formats on disk are encrypted. Web Player and live monitoring communications are not encrypted.
Off | On | Files stored in supported formats on disk are not encrypted. All Web Player or live monitoring communications are encrypted.
Off | Off | Files stored in supported formats on disk are not encrypted. Web Player and live monitoring communications are not encrypted.
