customer care solutions

Transcription

1 customer care solutions from Nuance enterprise white paper :: Nuance VocalPassword Security Overview Version 7.0

2 NUANCE :: customer care solutions Contents About this Document...3 Nuance VocalPassword Security Overview...3 Architecture & System Components...3 System Components...4 Product infrastructure...6 Authentication...7 Web Server Access...7 Database Access...7 LDAP Server Access...7 File System Access...7 Authorization...7 System Authorization...7 Audit...8 Audit levels...8 Audit Protection...9 Audited operations and entities...9 Log viewer...10 Administration...10 Web based administration applications...10 The Web-based Security Console Application Data Security...11 VPMCLI...13 SNMP...14 Data Security Data manipulation...14 Data Integrity & Encryption...14 Custom Encryption Plug-in...14 Multi-tenancy...14 Network Security...15 Interface protection...15 Inter-Process Communication security...15 Voice Biometrics Application Security...15 Mitigating recording threats...15 About Nuance

3 About this Document Nuance VocalPassword is an advanced biometric speaker verification system that verifies a speaker s identity based on voice samples acquired during interaction with voice, Web, or mobile applications. VocalPassword 7.0 delivers state of the art accuracy as well as exceptional ease of integration and deployment, enabling customers to utilize the biometric power of voice to protect personal self-service applications and provide secure, efficient, and convenient access to contact centers and remote applications. This document provides an overview of VocalPassword product security. As an authentication product, VocalPassword implements a wide range of security measures to protect its resources against diversified threats. This document is intended for sales engineers and for IT security personnel who evaluate the use VocalPassword in their protected IT environments. Nuance VocalPassword Security Overview Nuance VocalPassword is a voice biometrics system which is implemented in security-sensitive environments. As such, it must adhere to strict security requirements and comply with privacy and additional industryspecific regulations. VocalPassword is protected at both the application level and the infrastructure level using the standard Four A s of enterprise security: Administration, Authentication, Authorization, and Audit. VocalPassword s security design is based on the Common Criteria Protection Profile for biometric speaker verification systems and has successfully passed third-party security audits and penetration attacks performed by customers. VocalPassword supports integrated Windows security and role based authorization (RBA). Together with the security mechanisms provided by the system infrastructure, the system can be configured to meet the security requirement of financial services, government agencies, healthcare service providers and other securitysensitive organizations. The following diagram provides an overview of VocalPassword security architecture and mechanisms. Integrated Windows Security Voice Platform Web Service SSL Buffer Overflow & SQL Injection Check Admin Apps File System Hashed Audio File Names NTFS IIS VocalPassword TM Processing Server LDAP Authentication, Authorization, Audit Active Directory/ ADAM LDAP VocalPassword TM DB Oracle / SQL Server / Sybase / DB2 Full System Audit Authorization Manager Role-Based Authorization 3

4 NUANCE :: customer care solutions Architecture & System Components VocalPassword includes a set of applications, services and tools that work together in order to provide voice biometrics services. System Components VocalPassword system is comprised of two main logical components the Processing Server and the Data Repository Server. These components can reside on a single machine or distributed among multiple machines. A system can be comprised of multiple instances of each component. Processing Server The Processing Server is the main processing component of the VocalPassword system. Multiple Processing Servers can optionally be used in a redundancy scheme for high availability purposes, or in a load balancing scheme for scalability. The Processing Servers run the VocalPassword application that provides the following functions: Service control The Processing Server exposes a set of Web Services (SOAP/HTTP) which are used by calling applications as well as by the system s administration tools and Web-based GUI Applications. Algorithmic processing This is the core biometric functionality of VocalPassword. Each Processing Server includes two web applications that run under Microsoft IIS: VocalPassword Web Services Provides a set of API methods accessed through SOAP and HTTP. VocalPassword Web Applications These web applications are used by Administrators, IT managers, Security Officers and helpdesk agents. In addition, the VocalPassword system includes a set of utilities/desktop administration applications. These are typically installed with each Processing Server. Data Repository Server The Data Repository Server is the logical name of the component which is responsible for handling and storing persistent data. Each data repository server contains the following components: SQL Database The Database is used to store audit information, log messages and other information used for reports. VocalPassword supports most of the leading Databases. LDAP Directory LDAP directory is used to securely store sensitive persistent data related to speakers, groups, voiceprints, and configurations. VocalPassword supports multiple LDAP directories. Audio Files folder A shared folder used for storing audio files. Persistent Data Replicator (PDR) Nuance s replication service, responsible for duplicating database records and audio files between two data repository servers (Optional). Logger Service This service queues log messages and saves them in the background to the database. A VocalPassword system must include at least one Data Repository Server. Two Data Repository Servers can be used in an active-active configuration for redundancy. 4

5 The following diagram outlines VocalPassword components and architecture. VocalPassword Web Applications VocalPassword Native Web Service APIs Technical Management Platform Admin Voiceprint Helpdesk Security Console Processing Server (VocalPassword Application Pool) Algorithmic Engines Text Dependent Utterance Validation Processing Server (N+1) IIS VXML Gateway Algorithmic Engines Algorithmic Engines Text Prompted Liveness Detection Playback Detection VocalPassword Web Applications Algorithmic Engines Text Independent ASR (Optional) Tools and Services Logger Service SNMP Agent Custom Encryption Hooks Authorization Manager Bit (Quick Test) Calibration Wizard Management Command Line Interface (MCLI) Hashed Audio Files File system Data Repository Server (1+1) User Group Database LDAP Directory Audit, Reports,Logs (Oracle, SQL Server, DB2 Voiceprint, Speakers MySQL, Sybase,Informix) Configuration, Roles, Scopes (Microsoft, AD, IBM Tivoli TDS) Tools and Services PDR - Nuance Data Replicator DB/Audio Sync Logger Service SNMP Agent 5

6 NUANCE :: customer care solutions Product infrastructure Operation System VocalPassword is based on.net framework 4.0 and as such it can run only on Windows machines. Currently the product supports the following OS: Windows XP Windows 2003 Server Windows 2008 Server Windows7 Database A Database is used to store audit information and log messages. The database may be installed on the same machine as the Data Repository or on a remote machine. VocalPassword utilizes common ADO.NET infrastructure to access the database. VocalPassword supports the following databases: Microsoft SQL Server 2005 Microsoft SQL server 2000 Oracle 10g with RAC support Oracle 11g with RAC support DB2 MySQL 5.5 SQL Express LDAP Directory LDAP is an application protocol for reading and editing directories over an IP network. The LDAP Directory is used to securely store the application s persistent data entities such as speakers, voiceprints, and configuration. The supported LDAP Directories are: ADAM Active Directory Application Mode - This lightweight version of Microsoft Active Directory runs as a service on the data repository server - this is the default directory for installations on Windows XP and Win2003 Server operating systems. AD LDS Active Directory Lightweight Directory Services - This lightweight version of Microsoft Active Directory runs as a service on the data repository server - this is the default directory for installations on Windows 7 and Win2008 Server operating systems. Active Directory Microsoft s Directory Services product - The domain s active directory can be used as the LDAP directory. When used, an extension of the Active Directory Schema is required in order to support VocalPassword entities. TDS IBM Tivoli Directory Server. Web Server VocalPassword system uses IIS (Internet Information Services) as its web server and is based on the IIS ASP. NET 4.0 extension. VocalPassword 7.x offers an enhanced, open, and flexible Web service APIs, ensuring smooth, platform-independent integration using any programming environment. In addition, the VocalPassword 6

7 Web Applications enables easy access to tools and information needed for successful deployment. VocalPassword utilizes IIS web server security mechanisms (i.e. application session timeout, limiting access to specific IPs etc. are supported). Authentication Web Server Access VocalPassword authenticates users based on Windows Integrated Security. This ensures that system policies regarding passwords are handled according to the local domain policies (enforced by the Domain Controller). VocalPassword does not store passwords in its database or in any other application s data store. Users accessing the system, whether by programmatically calling the system s web service API, by using one of the administration applications, or by accessing a web page, are authenticated by the IIS using the Domain Controller. By setting a designated configuration parameter, the system can ensure exclusive log-in to the web applications. Note: Authentication policies supported by Microsoft IIS, such as certificates and passports are also supported by VocalPassword. The VocalPassword Web Applications can be configured to enable Single Sign On which eliminates the need to re-enter user-name and password when accessing the application. Database Access Credentials to the system s database are provided as part of the connection string used by VocalPassword. By default, VocalPassword uses Windows integrated security as the database authentication method. This means that the application s identity is used when accessing the database. Another alternative is to specify a username and a password in the connection string. When this is done, this identity is used by all components accessing the database and must be managed manually. When this option is used, the password is saved encrypted in the system s configuration file. LDAP Server Access The applications access the LDAP Server using Windows Integrated Security. Note that the applications identity is used when accessing the LDAP Server. File System Access File system access is controlled by the operating system. Every access to the file system by the VocalPassword application will be performed under the credentials of the application user. Authorization System Authorization Role-based Authorization (RBA) VocalPassword utilizes Microsoft Authorization Manager (AZMAN) for managing roles and operations. AZMAN is general-purpose role-based security architecture for Windows. Using roles, the operating system determines whether a process or a user is privileged to perform an operation. 7

8 NUANCE :: customer care solutions Roles are defined in the Authorization Store of VocalPassword s LDAP Directory. Each role can be granted permission to perform operations (a basic activity unit that the system performs). Every API method has a corresponding operation. Windows users and groups can be assigned a role, and be authorized to perform operations according to the role s definition. The system is installed with the following predefined roles. These roles can be customized and additional roles can be defined. ClientApplication HelpDesk PlatformAdmin MainScope Security Every access to the Database, the LDAP Server, or the file system by the VocalPassword application is performed using the credentials of the application user. Once the application validated that the network user is permitted to perform a certain operation, the application user serves as a delegate for the network user. This means that in order to allow an application user to perform an operation that will delete a file from the file system for example, it is not required to add write privileges to the network user. Audit VocalPassword Audit is composed of the following elements: Every API method is logged in the system s database. Other standard system infrastructure components (such as the OS, IIS, DB) have their own auditing tools and capabilities that needs to be enabled. Audio files used for Enrollment/Verification may be saved for Audit purposes. Audit levels VocalPassword allows the system administrator to control the level of audit info detail that will be saved by the system. There are three audit levels: Alg Debug Specifies whether to audit detailed algorithmic outputs (mainly used for algorithmic troubleshooting). Operational Specifies whether to save operation level audit information (such as Enroll/Verify/Identify/ Fraudsters detection etc.). There are three options of saving operational level audit information: Always the system saves all audit information. Conditional the system saves audit information only for delete operations and in case of an error in other operations. Never the system does not save operational-level audit information. System - Specifies whether to save system level audit information. There are three options of saving system level audit information: Always the system saves all system level audit information. Conditional the system saves audit information only for system level write operations and in case of an error in read operations. Never - the system does not save system-level audit information. 8

9 In addition, a configuration parameter named log level enables selecting the desired log level, enabling the system to keep different levels of log messages for different applications, services or scopes. Audit Protection VocalPassword audit information is stored securely in the system s database. Besides the system specific audit trail, VocalPassword system infrastructure (IIS, LDAP Directory, Database) logs are protected in diversified (standard) ways. Audited operations and entities Auditing Audio Files VocalPassword support auditing audio files used in the system using two configuration parameters: SaveEnrollAudio - Specifies whether to save enrollment audio. Always Enrollment audio is always saved UntilTrained Enrollment audio is saved temporarily and deleted as soon as the voiceprint is trained. Never Enrollment audio is never saved. SaveOperationalAudio Specifies whether to save operational audio (the audio associated with Verify, Identify, and Fraudsters Detection operations). LDAP Server Audit LDAP Server supports audit capabilities and enables flexible audit configuration. For more information turn to API Audit Every call to an API method is logged in the system s database. The API record includes the following details: Request ID A 64bit unique identifier assigned to each API call. This ID is unique across all the system s servers and can be used to reference other details stored in the database about the request such as verification score, or failure details. Method Name The API method name. Input Parameters The values of the API method parameters. Finish Status An error or success code. Timestamp The exact time of the request execution. Server name The name of the processing server that handled the request. Client ID The IP address of the client. User name The windows username of the client. Data repository server name The name of the data repository server on which the data was originally stored. Session ID A token which is received from the StartSession command that launched the current session. Scope The scope which is the context of the current API operation. 9

10 NUANCE :: customer care solutions Log viewer VocalPassword saves log messages in the database based on the LogLevel parameter in the system configuration. Log messages can be accessed using the Log Viewer which enables online or offline viewing of an application s log messages. The Log Viewer is available as a Windows application or as a web page in the Technical management application. Use the Log functionality to troubleshoot the system or analyze past system activity. The log section is divided into two views: History Log View which enables auditing past system activities. Log information retrieval can be controlled by dates and log level. Once retrieved, log information can be saved, sorted, filtered or saved to a file. Online Log View which is used to monitor system activities in real time. The Online Log View displays system-wide log messages as they are recorded in the VocalPassword data base, enabling isolating faults and communicating them with the vendor. Log messages can be saved to a file. Administration Web based administration applications VocalPassword provides a set of web-based administration applications allowing management of all system aspects. The following applications are provided out-of-the-box: Technical Management Platform Admin VocalPassword Platform Admin is a web based Application that provides a variety of tools for properly setting up the system and its biometric functionality as well as managing speakers, voiceprints and groups. Use this application to configure VocalPassword, perform queries and reports, and monitor the system usage. Voiceprint Helpdesk VocalPassword Voiceprint Helpdesk provides a set of tools enabling auditing and reviewing a speaker s interactions with the system. Use the Helpdesk functions to audit verification results and decisions, edit speaker information, delete a speaker, edit a voiceprint and more. Security Console The VocalPassword Security Console Application enables security personnel to audit VocalPassword operation and analyze specific verification and identification processes. The application provides tools for managing fraudsters voiceprints and groups. In addition, the security console collects and presents diversified security alerts. VocalPassword Technical Management Application enables technical personnel, who are in charge of the systems health, to monitor VocalPassword system s component status, audit system-wide logs, schedule administrative tasks such as audio purging, upload and view system licenses, and more. Access to these applications is controlled by Windows Integrated Security and VocalPassword s role based authorization. 10

11 The Web-based Security Console Application The VocalPassword Security Console Application enables security personnel to audit VocalPassword operation and analyze specific verification and identification processes. The application provides tools for managing voiceprints as well as all aspects of user authorization. The Security Console Application is divided into four functionalities: Authorization Manager, Voiceprint Helpdesk, Configuration, Log. The following screenshot presents these functionality. 1. Authorization Manager Functionality allows managing all aspects of User Authorization. Using roles, the system can make determinations, such as whether a process is privileged to perform an action. VocalPassword utilizes Microsoft s Authorization Manager Infrastructure to manage user authorization in the system. Authorization Manager functionality is divided into three sections: a. Scope management used adding scopes (tenancies) in a multi-tenant system b. User management used for assigning roles to users and groups c. Role management used for defining, creating and customizing roles The following screenshots depict the User Management page and the role customization functionality of the Security Console. 11

12 NUANCE :: customer care solutions 2. Voiceprint Helpdesk functionality provides a set of tools enabling auditing and reviewing a speaker s interactions with the system, editing voiceprint audio and adapting voiceprints with audio used for verification. Voiceprint Helpdesk is divided into two section: a. Audit Speaker Interactions used for reviewing a specific speaker s interactions with the system. Information available includes session info as well as information regarding each and every operation within the session (i.e. Enrolment, Verification etc.). Verification statistics and scores are displayed including decision reasons and extended scoring information. Speaker audit information can be filtered, sorted and grouped for better analysis. Audit information also includes the speaker s audio. This audio can be played back and / or downloaded assuming the system audit configuration is set to store it and the proper security privileges are set. b. Review Voiceprint enables reviewing of a speaker s voiceprint/s. Use this page to listen to audio used for enrollment, and edit it if necessary, removing unrelated or faulty audio. The Edit Voiceprint page enables removing and adding audio segments from / to a speaker s voiceprint and adapting 12

13 it with verification audio segments if available. Use the Edit Voiceprint page to fix problematic voiceprints that deliver high false rejection rate as well as to enhance the quality of existing voiceprints via manual adaptation. 3. Configuration Functionality - enables the system administrator to control and manipulate the system configuration and operation. VocalPassword system supports multiple concurrent configurations that are used to control the system s diversified functionality and multi-engine infrastructure. Use the configuration functionality to comply with diversified requirements (i.e. Security, Audit), optimize the system performance, and adjust its functionality to accommodate for a specific call / verification flow. Configuration is divided into two sections: a. Edit Configuration Sets enables creating, editing, uploading, downloading, and comparing Configuration Sets. A Configuration Set is a set of parameters and their corresponding values that controls the operation of VocalPassword in a specific context which can be an application or a specific operation. Configuration Sets inherit parameters values from the system s Default configuration set and enable the user to overwrite specific ones as necessary. b. Configuration Audit used to track all of the system s configuration changes. Use this page to review configuration changes and filter them by dates, parameter category, and more. Information retrieved includes parameters values, timestamp, change initiator, IP and host name. Configuration Audit page can be used by the system administrator as well as by Nuance support to isolate system problems caused by configuration errors. VPMCLI VocalPassword includes a command line utility that enables administrator to perform various administration tasks such as: retraining voiceprints or deleting history records from the database. A system administrator using the VPMCLI must have the proper credentials and authorization to use the various functionality provided by this utility. 13

14 NUANCE :: customer care solutions SNMP VocalPassword s SNMP agent receives SNMP requests and sends SNMP traps to standard network monitoring consoles complying with SNMPv2 standard. Each Processing Server has an SNMP agent service that handles SNMP Get/Set requests and sends SNMP traps when important system events occur. VocalPassword monitoring can be easily added to standard SNMP-based consoles. Data Security Data manipulation VocalPassword checks every input against data manipulations such as: SQL injection, LDAP injection, Buffer overflow and Cross-Site Scripting (XSS). Data Integrity & Encryption Voiceprints are stored in a proprietary format in the system s LDAP directory and cannot be reverse engineered. Voiceprints are signed with the speaker ID and the customer ID (system ID) which is a unique key assigned to each installation. This signing protects the system voiceprints from being manipulated by authorized users. Voiceprints cannot be used outside the specific system as well as in other VocalPassword systems. Customer related information (Speaker IDs, Group IDs), is encrypted by VocalPassword by default using 128 bit encryption mechanism (Rijndel). Customer-specific encryption mechanisms are supported. Audio Files stored in the files system can be encrypted using standard OS encryption mechanisms. The names of the saved audio files are hashed so that they cannot be associated directly with a specific speaker. LDAP Directory store The LDAP Directory stores used by VocalPassword (Provided by Microsoft/IBM) is encrypted by default using proprietary encryption mechanisms. Database The databases used by VocalPassword can be configured to encrypt stored information. Custom Encryption Plug-in Nuance supplies a built in encryption mechanism which uses Rijndael symmetric encryption (AES) 128bit. In case the customer wishes to control the system s encryption method, he may do so through the encryption plug-in. The encryption plug-in enables customized encryption, giving the customer full control over the encryption algorithm and key. A configuration parameter which points to the encryption software must be set to enable custom encryption. Multi-tenancy Multi-Tenancy enables logical partitioning of the entire system in an effortless manner through the use of scopes. This allows a clear cut separation of the system s data, configuration, audit, roles, etc. within an organization, enabling a single enterprise to use VocalPassword for multiple/distinct applications in different business units. Multi-Tenancy is ideal for a hosted solution, enabling a service provider to offer VocalPassword as a service to multiple enterprises. The benefits are both from a practical aspect and from a security aspect. 14

15 Regardless of what system tool is used or what API method is called, everything is performed in the context of a specific scope. Scopes are assigned to users by the system security administrator. Each session is associated with a certain scope, the configuration set specified when calling an API method is used to determine the desired scope. Network Security Interface protection VocalPassword web service interface acess is controlled using IIS6 or IIS7 security supporting SSL encryption. All authentication schemes are supported: Integrated, Basic, Digest, and Certificates. Inter-Process Communication security VocalPassword processes The different components which compose the VocalPassword system communicate with each other over TCP using WCF (Windows Communication Foundation. Windows Communication Foundation is the technology used for inter process communication between different components of VocalPassword. More information regarding WCF can be found at All ports used for inter-process communication are configurable. This allows System Administrators to specify which ports will be used in their specific site. The component used for inter-process communications is NET.TCP. This standard component secure TCP communications in various ways. Processing Server LDAP Directory communication security VocalPassword communicates with the LDAP directory via a.net component (Microsoft Directory Entry) which is part of Microsoft Directory Services which is part of.net Framework. The component supports LDAPS for secure LDAP communication. Processing Server SQL Database communication security VocalPassword communicates with the SQL Server using database-specific ADO.Net provider. The provider communication security is proprietary and database-specific. Voice Biometrics Application Security Mitigating recording threats Recording threats are the threat of fraudsters using voice recordings of legitimate speakers. Following are three methods in which VocalPassword enables diminishing these threats: Liveness detection (Intra-session voice variation) This unique and patented method significantly reduces recording threats. Following text-dependent verification, this method uses text-independent voice biometrics technology to compare the voice sample captured during the text-dependent verification process, with an additional sample captured by prompting the speaker to repeat a random or semi-random sentence. By combining the obtained biometric scores and validating that the speaker indeed repeated the requested utterance (using VocalPassword s Utterance Validation engine or ASR), a liveness detection score is extracted. 15

16 NUANCE :: customer care solutions Prompted passwords verification Prompted verification requires the user to repeat a random phrase that is a subset of speech atoms (digits/words) trained during enrollment. Prompted verification provides protection against interception and playback attacks, as each session uses a different subset of the trained speech atoms. Playback detection VocalPassword s patented playback detection algorithm runs as part of the verification process and identifies audio segments that unnaturally match audio segments that were previously used for verification/enrollment. About Nuance Communications, Inc. Nuance is a leading provider of speech and imaging solutions for businesses and consumers around the world. Its technologies, applications and services make the user experience more compelling by transforming the way people interact with information and how they create, share and use documents. Every day, millions of users and thousands of businesses experience Nuance s proven applications and professional services. For more information, please visit: Nuance Communications, Inc. All rights reserved. Nuance, the Nuance logo, The experience speaks for itself, SpeakFreely, and VocalPassword are trademarks and/or registered trademarks of Nuance Communications, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are the properties of their respective owners. WP NUCC1061 NUANCE COMMUNICATIONS, INC. one wayside road burlington ma nuance.com