
How to Create a Dynamic, Secure IVR using Amazon Connect

Create a secure interactive IVR by configuring Amazon Connect with AWS Encryption SDK 

An interactive voice response system (IVR) is a powerful tool to simplify and personalize the customer experience. These systems automate call routing and verify customer identity using personal information, and they do so safely and securely. 

That might sound like a system that requires a team of PhDs to implement, but Amazon Connect contact flows allow anyone to create a dynamic interactive voice response solution securely with AWS Encryption SDK. 

Interactive IVR systems are easy for customers to navigate using straightforward menu options. They eliminate the long wait times associated with live agent systems. Compared to sharing personal information with a live customer service agent, they are more secure, especially if you follow best practice guidelines during implementation and beyond. 

The entire data encryption process is automated from start to finish with no room for human error. Compliance can be an issue for human beings, but it rarely is for an automated system. 

At the same time, it’s critical to make sure that your implementation follows the best practices for IVR security. 

Why does a secure PCI IVR or HIPAA data IVR matter?

Having a secure IVR matters because it handles personal information that requires secure handling.  

Payment card industry (PCI) IVRs handle payment processing and store customer credit card numbers every day — and those digits are vulnerable. If you’re verifying customer identity using birth dates or social security numbers at the start of a call, those digits are vulnerable too. 

PCI IVR compliance standards require companies to abide by the PCI DSS, or Data Security Standards, which include:

  • 6 objectives
  • 12 key requirements
  • 78 base requirements
  • Over 400 test procedures 

HIPAA data IVRs are just as vulnerable and could put your company in breach of HIPAA regulations if they are not implemented properly.

All these requirements are in place for one reason: to protect your customer’s data. 

IVR allows the caller to provide credit card information to the secure IVR system without reading it to a human agent, where it could potentially be captured in the call recording. Once the order is ready, the agent can transfer the caller to the IVR to collect the payment data. If the payment goes through, it is confirmed on the call automatically and a second confirmation notice is sent via another channel (SMS, email, push message, etc.). If the payment fails, the call goes to an exception queue to be handled by the same agent.

This all happens automatically, so your agent can move on to the next caller but pick this call back up if it returns to the exception queue for additional assistance.

Implementing a secure IVR

You can implement contact flows in Amazon Connect to create a dynamic and secure IVR solution. This solution encrypts customer data both in motion and in storage, letting you comply with encryption requirements effortlessly. 

This can be done with the AWS Encryption SDK using an envelope encryption approach, which protects not only the raw data but also the data keys that encrypt it. 

It’s a five-step process that includes: 

  1. Generating encryption and decryption keys
  2. Securely storing decryption keys
  3. Creating an AWS Lambda function to decrypt data
  4. Uploading the public key to Amazon Connect for encryption
  5. Creating the encrypting contact flow 

Before you get started, make sure the AWS Command Line Interface is installed and configured. If you’re not sure, try running “aws configure” from the terminal window and verify that the default region name is correct. 

Step 1: Create private keys and public keys 

The first step is to create encryption and decryption keys using OpenSSL. We need to generate three files: 

  • A private key file, blog.connect.private.key
  • A certificate file, blog.connect.certificate.pem
  • A public encryption key file, blog.connect.public.key

You’ll start by running this command: 

$ openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout blog.connect.private.key -days 730 -out blog.connect.certificate.pem

This generates a private key file and a certificate file with a validity period of 2 years. (That’s an arbitrary length you can change to suit your company’s needs, but it’s important to monitor and remember when the certificate expires.) 

Next, run this command to generate the public encryption key: 

$ openssl x509 -pubkey -noout -in blog.connect.certificate.pem > blog.connect.public.key
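
Before the key material goes anywhere else, it is worth confirming that the three files really belong together and that the certificate is not close to expiry. The script below is an added example, not part of the original article: the function names are illustrative, the sample keys are constructed throwaway 2048-bit keys, and -subj is added only to suppress OpenSSL's interactive prompts.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names are illustrative;
# the file names are the ones the article's Step 1 commands produce.

# Constructed sample input: throwaway 2048-bit key files written to directory $1
# with the Step 1 commands (the article uses rsa:4096); $2 = validity in days.
# -subj is an addition that only suppresses the interactive prompts.
make_sample_keys() {
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -subj "/CN=ivr-sample" \
        -keyout "$1/blog.connect.private.key" -days "${2:-730}" \
        -out "$1/blog.connect.certificate.pem" 2>/dev/null &&
    openssl x509 -pubkey -noout -in "$1/blog.connect.certificate.pem" \
        > "$1/blog.connect.public.key"
}

# Each helper prints the public key (SubjectPublicKeyInfo PEM) held in a file.
spki_of_private() { openssl pkey -in "$1" -pubout 2>/dev/null; }
spki_of_cert()    { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }
spki_of_public()  { openssl pkey -pubin -in "$1" -pubout 2>/dev/null; }

# verify_ivr_keys PRIVATE CERT PUBLIC [WARN_DAYS]
# Returns 0 if the three files hold the same key and the certificate stays
# valid for WARN_DAYS more days, 1 on a key mismatch, 2 if a file cannot be
# parsed, 3 if the certificate expires inside the warning window.
verify_ivr_keys() {
    local priv="$1" cert="$2" pub="$3" warn_days="${4:-30}"
    local k_priv k_cert k_pub
    k_priv=$(spki_of_private "$priv") || return 2
    k_cert=$(spki_of_cert "$cert")    || return 2
    k_pub=$(spki_of_public "$pub")    || return 2
    # A public key that does not match the private key would make every
    # value encrypted with it undecryptable later.
    [ "$k_priv" = "$k_cert" ] && [ "$k_cert" = "$k_pub" ] || return 1
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend "$(( warn_days * 86400 ))" \
        >/dev/null 2>&1 || return 3
    return 0
}

# Usage with the article's files:
#   verify_ivr_keys blog.connect.private.key blog.connect.certificate.pem \
#       blog.connect.public.key 60
```

Running the same check on a schedule with a larger warning window is one way to keep track of the expiry date.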

Step 2: Store the decryption private key securely

Next, you need to ensure that your decryption key is stored securely in the AWS Parameter Store in Systems Manager. For this exercise, we’ll save the private key under the parameter “CONNECT_INPUT_DECRYPTION_KEY.” 

Before running this command, make sure that you’re logged in to an AWS user that has:

  • Permission to create parameters
  • Access to AWS Systems Manager

Run this command to send the decryption key to the AWS Parameter Store: 

$ aws ssm put-parameter --type SecureString --name CONNECT_INPUT_DECRYPTION_KEY --description "Private key" --value "$(<blog.connect.private.key)"

Check the Parameter Store in the AWS Systems Manager console to make sure the private key’s parameter appears. The parameter should be the one you saved earlier, “CONNECT_INPUT_DECRYPTION_KEY” or something similar. 

If you have trouble seeing the parameter, check for permissions issues and try again. 

Step 3: Create the Lambda function for decrypting

Now you can use AWS CloudFormation to create the functions that will decrypt the personal data you collect. First, log into your AWS console and make sure that the correct Region is selected and that the Amazon Connect service appears available. 

If everything looks correct, launch the stack by following this link and signing in. 

On the AWS CloudFormation page that follows, choose a name for the stack and keep the other options as default. Then, select “Create Change Set” to create the stack using transforms. 

The output from this step should be the Amazon Resource Name (ARN) of the AWS Lambda function. Save that value, then check to make sure the Amazon Connect instance has access to the new Lambda function. 

You can do this with these two steps:

  1. Choose “Contact Flows” in the Amazon Connect console and go to the bottom of the AWS Lambda section
  2. Choose “DecryptCustomerInput” in the Function dropdown and choose “+Add Lambda Function” 

Step 4: Upload the public key to Amazon Connect 

Open the Amazon Connect console and the instance, then choose “Contact Flows” in the left-hand menu. From there, choose “Add Key” and paste the content of the public key file (you can access the content by using any text editor). 

Save the public key by choosing “Add,” which generates a key ID for your public key. Copy and save the ID before moving to the next step. Now Amazon Connect knows to use the encryption key when encrypting customer data. 

Step 5: Create a contact flow that encrypts data

Before you begin this step, download this contact flow (we’ll import it and configure it shortly). Then, open Amazon Connect’s console, choose “Overview,” and log in as an administrator. 

From there, choose “Contact Flows” from the Routing menu and choose “Create contact flow.” In the dropdown menu that appears, choose “Import flow.” After it finishes importing, choose “Store customer input” and enter the key ID from Step 4 with the content of the certificate file from Step 1.  

Update the “Function ARN” field with the value that the CloudFormation stack returned, which points the contact flow’s Lambda invocation at the DecryptCustomerInput function. That’s the last change you’ll have to make, so go ahead and save! 

To test your implementation, attach the contact flow to a test phone number and dial it to follow the dialogue. Then, check the entry in the Amazon CloudWatch Log to confirm that the test data was encrypted and passed on to AWS Lambda for decryption. 

Transform your AWS implementation with CloudHesive 

Now you know how to implement a secure IVR that encrypts customer data and moves the data along for decryption in Lambda, but perhaps you still need more support to get that peace of mind regarding your data security. 

After all, it’s your customers’ private and personal information at stake. CloudHesive has the expertise and the resources to take implementation off your hands while meticulously maintaining compliance. For HIPAA data IVRs and any PCI IVRs, that’s a critical part of any secure system. 

Need help with technical architecture, strategic deployment and more? Reach out to CloudHesive to see how we can get it done!