Cloud Security in Contact Centers: The Questions to Ask, The Answers to Expect

The cloud is about to get a lot more crowded. That is the conclusion reached by a new research report that projects the cloud-based contact center market to grow from $4.15 billion this year to $10.9 billion in 2019, at a compound annual growth rate of more than 20 percent. There are a number of reasons why contact centers are moving away from environments where data is centrally accessed and stored, and into a distributed, virtualized system. These include lower upfront cost, scalability, ease of upgrade, speed of implementation, and many others covered in previous blog posts and articles. Security, however, remains a point of contention with some companies. The Cloud Industry Forum surveyed 250 senior IT and business decision-makers on what they view as key challenges to cloud adoption. More than 60% identified security as a leading issue.

Is the Cloud Secure?

The short answer is yes. The cloud offers a much higher grade of security than most internal IT departments, and at a much lower cost. However, contact centers should also be aware of the differences between cloud providers, and the right security-related questions to ask.

What Constitutes Security?

Achieving an adequate level of security at a contact center requires the coordination of many systems and applications, as well as vigilance on the part of agents. There are five layers in all, each of which plays a vital role:

Physical Security

The data uploaded to a cloud resides in one or more data centers. These centers should be protected by multiple security perimeters, including electronic surveillance, qualified 24/7 security staff and multi-factor access to keep physical intruders away. The centers should also be equipped with state-of-the-art environmental systems that make certain that operations are not disrupted. To avoid any data compromise from a fire or natural disaster, data should be stored in multiple geographic regions.

Network Security

Network-based attacks are perhaps the most significant threat to contact center data, so the network architecture must be protected from a wide array of outside threats. A firewall is usually the first line of defense and anchors additional security measures, such as web application firewalls and intrusion detection technologies. The firewall is a barrier between the public Internet and the cloud infrastructure that controls traffic between trusted and untrusted networks.

An intrusion detection system provides an alert when someone is attempting to compromise systems or data, and responds quickly to minimize the possibility of a security compromise. Before such systems are triggered, regular vulnerability assessments identify any weaknesses in a cloud system that can be exploited by hackers. The web application firewall blocks non-essential traffic to the application layer and protects poorly coded applications. It can block both SQL injection attempts and XML-RPC exploit attacks.

Load balancers are best known for their role in application availability, but they have a security component as well: they allow for termination of SSL traffic and provide centralized certificate management, central restriction of weak SSL ciphers, and HTTP and HTTPS session persistence. Finally, log management helps protect against, detect and respond to security incidents by identifying unauthorized access attempts.
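As an added illustration of the log-management point above (not code from the original article or from any provider), this sketch scans authentication log lines for repeated failed logins from one source against one account inside a sliding window, and escalates when a success follows such a burst. The log format, threshold, window and sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01 LOGIN_FAIL user=agent17 src=203.0.113.8
2024-05-01T09:00:04 LOGIN_FAIL user=agent17 src=203.0.113.8
2024-05-01T09:00:05 LOGIN_FAIL user=agent42 src=198.51.100.20
2024-05-01T09:00:09 LOGIN_FAIL user=agent17 src=203.0.113.8
2024-05-01T09:00:12 LOGIN_OK user=agent42 src=198.51.100.20
2024-05-01T09:00:15 LOGIN_FAIL user=agent17 src=203.0.113.8
2024-05-01T09:00:21 LOGIN_FAIL user=agent17 src=203.0.113.8
2024-05-01T09:00:40 LOGIN_OK user=agent17 src=203.0.113.8
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (kind, src, user, timestamp) alerts in log order."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    flagged = set()              # pairs that already raised a brute-force alert
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        stamp, result, user, src = m.groups()
        ts = datetime.fromisoformat(stamp)
        key = (src, user)
        failures = recent[key]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if result == "LOGIN_FAIL":
            failures.append(ts)
            if len(failures) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", src, user, stamp))
        else:
            if key in flagged:
                # A success right after a burst may mean the guess worked.
                alerts.append(("success_after_bruteforce", src, user, stamp))
                flagged.discard(key)
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from `agent42` raises nothing, while the burst against `agent17` raises one alert and a second, higher-priority one when a login then succeeds.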

Systems and Application Security

The focus here is on how contact center platforms and applications are designed and built. Security should be a priority at each stage of the development cycle. Cloud software that was designed from the ground up has built-in security optimized for the cloud. Traditional on-premises software that is offered as a hosted solution might have more security challenges, because the solution was not designed and optimized to be delivered over the web. Frequent testing is required to confirm adherence to industry-standard security requirements. All code releases should undergo both automated and manual reviews, as well as in-depth penetration testing prior to release.

Information Security

Cloud providers verify their security controls through third-party certifications such as ISO 27001 or ISO 27002, standards recognized globally as the most comprehensive framework for establishing security best practices. As many contact centers field orders from customers where credit card information will be provided, the cloud system should be compliant with the 12 security domains of the PCI DSS standard. The PCI DSS requires file encryption, secure storage and the deletion of certain information, such as the credit card security code. Contact centers affiliated with the healthcare industry should also be HIPAA compliant.

Agent Security

Of course, the client must accept some of the responsibility for security as well. This includes using complex passwords and limiting access to online data within your organization. The flexibility and scalability of the cloud model make it easier for contact centers to employ remote and home-based agents. These agents must be held to the same standard as those who work within the contact center, and that extends to security concerns. Agent-customer interactions should be monitored regularly. Call recording should be used for security compliance, and providers should have visibility into data collected by these agents. Desktops used by remote agents must be secured in a way that ensures compliance and data encryption.

Asking the Right Questions

To make an informed decision, here are some of the most important questions to ask a potential cloud provider.

  • How long have you been providing a cloud-based contact center platform?
  • How many security perimeters are in place around your data centers?
  • Do your data centers have 24/7-staffed security?
  • What types of security measures have you taken to protect your network?
  • What security measures were taken throughout the development of your platform and applications?
  • Are you compliant with established third-party security standards?


The protection of information is vital to corporations in the digital age, and while no system is 100% secure, current technology is more than a match for any outside attempt at a data breach. Partnering with the right provider is the best way to achieve confidence in the transition to the cloud. Several layers of security measures and processes are built into the cloud infrastructure, platform and services. All client access endpoints are secured, with alerts for password brute-force attacks that prevent those accounts from being compromised. Built-in firewalls provide additional protection, and many clouds also offer encrypted data storage. As organizations become more experienced in cloud security options and best practices, cloud security will become less of a concern.