Genesys Cloud (formerly PureCloud)


can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

  • 1.  can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    Posted 15 days ago
    Can we encrypt task/flow variables for sending sensitive data in the JSON body to customer endpoints, in addition to the various security mechanisms provided by Genesys like HTTPS, mTLS, OAuth, etc.?
    #PlatformAdministration
    #Roadmap/NewFeatures
    #Routing(ACD/IVR)
    #Security

    ------------------------------
    Ajay Vadluri
    Kroll Information Assurance Inc.
    ------------------------------


  • 2.  RE: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    Top 25 Contributor
    Posted 12 days ago
    Let me know if you find something that will do this.  All I can think of is Lambda code that will take the token and the data and generate the JWT or JWK.  Here is a good article about this and some code:  How to protect APIs with JWT and API Gateway Lambda Authorizer | by Mariano Calandra | The Startup | Medium

    ------------------------------
    Robert Wakefield-Carl
    Avtex Solutions, LLC
    Contact Center Innovation Architect
    robertwc@avtex.com
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------



  • 3.  RE: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    NEW MEMBER
    Posted 12 days ago
    Hi Ajay,

    As far as I know, GC does not have functionality to encrypt task/flow variables. But you can implement your own middleware between GC and the customer to encrypt data before sending it to customer endpoints.

    ------------------------------
    Taras Buha
    Noralogix PTY (Ltd)
    ------------------------------
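
The middleware approach suggested above could look like the following sketch, which wraps one field as a compact JWE (RFC 7516, RSA-OAEP-256 with A256GCM) using only Node's built-in crypto module. It is an added example, not code from any poster or from Genesys; the function names, the `kid` value and the sample field are assumptions, and the key pair is generated inline only so the block runs offline (a real deployment would load the customer's public key).

```javascript
const nodeCrypto = require("crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Middleware side: encrypt a JSON-serialisable value to the customer's public key.
function encryptJwe(value, recipientPublicKey, kid) {
  const header = b64u(JSON.stringify({ alg: "RSA-OAEP-256", enc: "A256GCM", kid }));
  const cek = nodeCrypto.randomBytes(32); // fresh content-encryption key per message
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a key
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, cek);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", cek, iv);
  cipher.setAAD(Buffer.from(header, "ascii")); // header is authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(JSON.stringify(value), "utf8"), cipher.final()]);
  return [header, b64u(wrappedKey), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
}

// Customer side: decrypt; throws if the header, ciphertext or tag was modified.
function decryptJwe(jwe, recipientPrivateKey) {
  const parts = jwe.split(".");
  if (parts.length !== 5) throw new Error("not a compact JWE");
  const [header, wrappedKey, iv, ct, tag] = parts;
  const { alg, enc } = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (alg !== "RSA-OAEP-256" || enc !== "A256GCM") throw new Error("unexpected algorithms");
  const cek = nodeCrypto.privateDecrypt(
    { key: recipientPrivateKey, ...OAEP }, Buffer.from(wrappedKey, "base64url"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", cek, Buffer.from(iv, "base64url"));
  decipher.setAAD(Buffer.from(header, "ascii"));
  decipher.setAuthTag(Buffer.from(tag, "base64url"));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64url")), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Constructed demo: throwaway key pair and a made-up field value.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwe = encryptJwe({ accountRef: "CONSTRUCTED-12345" }, publicKey, "customer-key-1");
  return { jwe, privateKey, roundTrip: decryptJwe(jwe, privateKey) };
}
```

The value still reaches the middleware in plaintext inside the TLS session from the data action; only the hop from the middleware to the customer endpoint carries the JWE.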



  • 4.  RE: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    Posted 11 days ago
    I think GC should natively provide us an option to encrypt the variables from Architect. With any middleware like a Lambda function, we still have to send data as a JSON body to Lambda for encryption, and GC logs would still have sensitive data as plain text for data actions, so middleware still defeats the purpose. Other cloud vendors like inContact provide such flexibility as string functions: https://help.incontact.com/Spring21/EN/Content/Studio/Actions/SNIPPET/hash.htm?Highlight=encrypt. GC should have something like this in their roadmap. I have created an idea for this: https://genesyscloud.ideas.aha.io/ideas/CLPLA-I-1170. If you are interested, please vote for it.

    ------------------------------
    Ajay Vadluri
    Kroll Information Assurance Inc.
    ------------------------------



  • 5.  RE: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    GENESYS
    Posted 11 days ago
    What exactly are you trying to accomplish with the encryption?  Is it a concern over securely transmitting it to the external web service?  If so, all data actions utilize TLS 1.2 or 1.3 as the transport mechanism, and do not log the payloads of the request or response.  Additionally, you can leverage secure IVR flows within Genesys Cloud, which eliminates logging and recording within the IVR session so the variables you're setting within the flow and sending to the external web service are not captured anywhere within Genesys Cloud.

    ------------------------------
    Richard Schott
    Genesys - Employees
    ------------------------------



  • 6.  RE: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    Top 25 Contributor
    Posted 11 days ago
    Richard,
    Are you saying that if from a Secure Flow, we send out credit card and token to another service like Lambda or an https web service to create the JWE, we will still remain PCI-compliant?

    ------------------------------
    Robert Wakefield-Carl
    Avtex Solutions, LLC
    Contact Center Innovation Architect
    robertwc@avtex.com
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------



  • 7.  RE: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?

    GENESYS
    Posted 11 days ago

    Genesys Cloud PCI compliance deals only with our handling of information on the Genesys Cloud platform, and its transmission of information to another platform.  Your proposed workflow would need to be separately vetted by a PCI auditor, as it extends beyond the boundaries of Genesys Cloud, but the Genesys Cloud portion of this would remain in compliance by virtue of leveraging the secure flow and a data action to securely transmit PCI-related data to an external platform.

    My response was really more in relation to the overall security of data actions, and specifically pointing out that the information sent to an external web service via a data action is 1. already encrypted via the TLS transport mechanism, and 2. not logged as part of the data action process.  The mention of secure flows had more to do with further limiting logging and blocking recording.  Encrypting strings prior to sending data over an encrypted channel is not really necessary if you're simply worried about protecting sensitive data.



    ------------------------------
    Richard Schott
    Genesys - Employees
    ------------------------------