Cyara ResolveAX - Introduction

Introduction

This document is intended for:

  • Administrators of a compatible CCaaS deployment who want to enable Cyara ResolveAX capability.
  • Information Security Engineers who are seeking to understand the inner workings of ResolveAX on an agent desktop.
  • Developers who have customised an Amazon Connect CCP, and who are looking to further customise Cyara ResolveAX. 

If you are currently implementing Cyara ResolveAX or are interested in the platform for future adoption, this document is your primary resource.

Transparency 💯

We value transparency. This document covers the implementation of Cyara ResolveAX within your Amazon Connect Contact Center: what is collected from the agent desktop, which third parties receive it, and how the platform is secured, so that you can be confident that sensitive customer data is not shared outside of your network. It is important for us at Cyara to build trust through transparency.

Data Flow

Browser Extension

SDK

Browser APIs

RTCPeerConnection >>

An interface representing a WebRTC connection between the local computer and a remote peer. It provides methods to connect to a remote peer and to maintain and monitor the connection.

navigator.hardwareConcurrency >>

The number of logical processors available to run threads on the user's computer.

Modern computers have multiple physical processor cores in their CPU (two or four cores is typical), but each physical core is also usually able to run more than one thread at a time using advanced scheduling techniques. So a four-core CPU may offer eight logical processor cores, for example. The number of logical processor cores can be used to measure the number of threads which can effectively be run at once without them having to context switch.

navigator.deviceMemory >>

The approximate amount of device memory in gigabytes.

The reported value is imprecise to curtail fingerprinting. It’s approximated by rounding down to the nearest power of 2, then dividing that number by 1024. It is then clamped within lower and upper bounds to protect the privacy of owners of very low- or high-memory devices.

Possible values:

0.25, 0.5, 1, 2, 4, 8

navigator.geolocation.getCurrentPosition >>

enableHighAccuracy: false

The Geolocation API is used to retrieve the user's location, so that it can for example be used to display their position using a mapping API.

GeolocationPosition {
    coords: {
        accuracy: 114
        altitude: null
        altitudeAccuracy: null
        heading: null
        latitude: -27.451541499999998
        longitude: 153.0438438
        speed: null
    }
    timestamp: 1609292699868
}
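As an added example (not code from Cyara's SDK), the following JavaScript collects the device signals listed above with the same low-accuracy geolocation option, and reproduces the power-of-two bucketing the browser applies to navigator.deviceMemory so the possible values are visible. The function names, the null fallbacks and the 10 s timeout are this example's own choices.

```javascript
// Added example, not Cyara's SDK code. Device signals from the Browser APIs
// section, with the deviceMemory bucketing reproduced and geolocation
// failures turned into a null result instead of an exception.

// Device Memory spec bucketing: installed RAM (MiB) rounded down to a power
// of two, expressed in GiB, clamped to the 0.25..8 range listed above.
function approximateDeviceMemory(installedMiB) {
  if (!Number.isFinite(installedMiB) || installedMiB < 1) return 0.25;
  let powerOfTwoMiB = 1;
  while (powerOfTwoMiB * 2 <= installedMiB) powerOfTwoMiB *= 2;
  const gib = powerOfTwoMiB / 1024;
  return Math.min(8, Math.max(0.25, gib));
}

// Reads the two synchronous navigator fields; `nav` is injected so the
// function can be exercised outside a browser (fields absent -> null).
function collectDeviceSignals(nav) {
  const n = nav || {};
  return {
    logicalProcessors: Number.isInteger(n.hardwareConcurrency) ? n.hardwareConcurrency : null,
    deviceMemoryGiB: typeof n.deviceMemory === "number" ? n.deviceMemory : null,
  };
}

// Keeps only the fields the sample GeolocationPosition above has populated;
// altitude, heading and speed are null for a low-accuracy fix and are dropped.
function summarisePosition(pos) {
  return {
    latitude: pos.coords.latitude,
    longitude: pos.coords.longitude,
    accuracyMetres: pos.coords.accuracy,
    timestamp: pos.timestamp,
  };
}

// Promise wrapper over getCurrentPosition with enableHighAccuracy: false.
// Denial, unavailability or timeout resolve to null so the caller can fall
// back to an IP-based lookup rather than blocking the agent desktop.
function getCoarsePosition(geolocation, timeoutMs = 10000) {
  return new Promise((resolve) => {
    if (!geolocation || typeof geolocation.getCurrentPosition !== "function") return resolve(null);
    geolocation.getCurrentPosition(
      (pos) => resolve(summarisePosition(pos)),
      () => resolve(null), // GeolocationPositionError: PERMISSION_DENIED, POSITION_UNAVAILABLE, TIMEOUT
      { enableHighAccuracy: false, timeout: timeoutMs, maximumAge: 0 }
    );
  });
}

// Stand-alone usage: in a browser this reads the real navigator object;
// under Node the geolocation call resolves to null.
if (typeof navigator !== "undefined") {
  console.log(collectDeviceSignals(navigator));
  getCoarsePosition(navigator.geolocation).then((p) => console.log(p));
}
console.log([512, 3000, 12288, 65536].map(approximateDeviceMemory));
```

Running the last line shows why a 12 GB and a 64 GB workstation both report 8: the bucketing is deliberately coarse, so the value is useful for capacity heuristics but not for identifying a machine.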

3rd Parties


APIs

Location IQ >>

Reverse geocoding: converts coordinates to a human-readable address and breaks it down into elements such as street, city, state and postcode.

{
    "place_id": "330564223547",
    "licence": "https://locationiq.com/attribution",
    "lat": "-27.451511",
    "lon": "153.043939",
    "display_name": "35, Longland Street, Teneriffe, Brisbane, Queensland, qld, 4006, Australia",
    "boundingbox": [
        "-27.451511",
        "-27.451511",
        "153.043939",
        "153.043939"
    ],
    "importance": 0.2,
    "address": {
        "house_number": "35",
        "road": "Longland Street",
        "city": "Teneriffe",
        "county": "Brisbane",
        "state": "Queensland",
        "state_code": "qld",
        "postcode": "4006",
        "country": "Australia",
        "country_code": "au"
    }
}

IPStack by API Layers >>

Determines the Internet Service Provider and the autonomous system organisation and number associated with an IP address. Also supplies fallback geolocation data when no position could be obtained from GPS or Wi-Fi.

{
    "ip": "122.199.46.46",
    "type": "ipv4",
    "continent_code": "OC",
    "continent_name": "Oceania",
    "country_code": "AU",
    "country_name": "Australia",
    "region_code": "QLD",
    "region_name": "Queensland",
    "city": "Brisbane",
    "zip": "4000",
    "latitude": -27.467580795288086,
    "longitude": 153.02789306640625,
    "location": {
        "geoname_id": 2174003,
        "capital": "Canberra",
        "languages": [{
                "code": "en",
                "name": "English",
                "native": "English"
            }
        ],
        "country_flag": "https:\/\/assets.ipstack.com\/flags\/au.svg",
        "country_flag_emoji": "\ud83c\udde6\ud83c\uddfa",
        "country_flag_emoji_unicode": "U+1F1E6 U+1F1FA",
        "calling_code": "61",
        "is_eu": false
    },
    "time_zone": {
        "id": "Australia\/Brisbane",
        "current_time": "2020-12-30T15:49:38+10:00",
        "gmt_offset": 36000,
        "code": "AEST",
        "is_daylight_saving": false
    },
    "currency": {
        "code": "AUD",
        "name": "Australian Dollar",
        "plural": "Australian dollars",
        "symbol": "AU$",
        "symbol_native": "$"
    },
    "connection": {
        "asn": 38195,
        "isp": "Superloop"
    }
}
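An added example, not part of Cyara's SDK: merging the two location sources shown above into one record, preferring the browser position with its reverse-geocoded address and falling back to the IP lookup only when no usable position exists, as the IPStack description says. The sample inputs are constructed from the responses above; the output field names and the source labels are this example's own.

```javascript
// Added example, not Cyara's SDK code. Normalises a LocationIQ reverse
// geocode and an IPStack lookup into one record with a documented precedence.

// Constructed samples, cut down to the fields used from the responses above.
const SAMPLE_POSITION = { latitude: -27.451541499999998, longitude: 153.0438438, accuracyMetres: 114 };
const SAMPLE_GEOCODE = {
  lat: "-27.451511", lon: "153.043939",
  address: { house_number: "35", road: "Longland Street", city: "Teneriffe", state: "Queensland", postcode: "4006", country_code: "au" },
};
const SAMPLE_IP = {
  ip: "122.199.46.46", country_code: "AU", region_name: "Queensland", city: "Brisbane", zip: "4000",
  latitude: -27.467580795288086, longitude: 153.02789306640625,
  connection: { asn: 38195, isp: "Superloop" },
};

// Accepts the numeric coordinates IPStack returns and the string coordinates
// LocationIQ returns; anything non-numeric or out of range becomes null.
function parseCoordinate(value, min, max) {
  const n = typeof value === "number" ? value : parseFloat(value);
  return Number.isFinite(n) && n >= min && n <= max ? n : null;
}

// Browser fix plus the LocationIQ address. Country codes are lower-cased so
// both sources agree ("au" from LocationIQ, "AU" from IPStack).
function fromBrowserPosition(position, geocode) {
  const latitude = parseCoordinate(position.latitude, -90, 90);
  const longitude = parseCoordinate(position.longitude, -180, 180);
  if (latitude === null || longitude === null) return null;
  const a = (geocode && geocode.address) || {};
  return {
    source: "browser-geolocation",
    latitude, longitude,
    accuracyMetres: Number.isFinite(position.accuracyMetres) ? position.accuracyMetres : null,
    address: { road: a.road ?? null, city: a.city ?? null, state: a.state ?? null,
               postcode: a.postcode ?? null, country: (a.country_code ?? "").toLowerCase() || null },
    network: null,
  };
}

// IPStack: city-level coordinates with no accuracy figure, plus ISP and ASN.
function fromIpLookup(ip) {
  const latitude = parseCoordinate(ip.latitude, -90, 90);
  const longitude = parseCoordinate(ip.longitude, -180, 180);
  if (latitude === null || longitude === null) return null;
  return {
    source: "ip-geolocation",
    latitude, longitude,
    accuracyMetres: null,
    address: { road: null, city: ip.city ?? null, state: ip.region_name ?? null,
               postcode: ip.zip ?? null, country: (ip.country_code ?? "").toLowerCase() || null },
    network: { isp: ip.connection?.isp ?? null, asn: ip.connection?.asn ?? null },
  };
}

// Precedence: a valid browser position wins; an absent or malformed one
// (permission denied, NaN coordinates) falls through to the IP data.
function resolveLocation({ position, geocode, ipLookup }) {
  const fromGps = position ? fromBrowserPosition(position, geocode) : null;
  if (fromGps) return fromGps;
  return ipLookup ? fromIpLookup(ipLookup) : null;
}

console.log(resolveLocation({ position: SAMPLE_POSITION, geocode: SAMPLE_GEOCODE, ipLookup: SAMPLE_IP }));
console.log(resolveLocation({ position: null, geocode: null, ipLookup: SAMPLE_IP }));
```

The `source` and `accuracyMetres` fields make the difference between a 114 m browser fix and a city-level IP estimate explicit downstream, which matters when the location is later shown to a support team or stored.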

Libraries

M-Lab >>

Measurement Lab (M-Lab) provides the largest collection of open Internet performance data on the planet. As a consortium of research, industry, and public-interest partners, M-Lab is dedicated to providing an ecosystem for the open, verifiable measurement of global network performance.

NDT is a single-stream performance measurement of a connection's capacity for "bulk transport" (as defined in IETF RFC 3148). NDT reports upload and download speeds and latency metrics.

Data collected by NDT: the IP address assigned to you by your Internet Service Provider is collected along with your measurement results. M-Lab conducts the test and publishes all test results, including that IP address, as open data to promote Internet research. Beyond that, NDT does not collect information about you as an Internet user.

M-Lab’s Privacy Policy

WebRTC adapter by The WebRTC project >>

adapter.js is a shim to insulate apps from spec changes and prefix differences in WebRTC. The prefix differences are mostly gone these days but differences in behaviour between browsers remain.

Detect RTC >>

A tiny JavaScript library that can be used to detect WebRTC features e.g. system having speakers, microphone or webcam, screen capturing is supported, number of audio/video devices etc.

Luxon >>

Luxon is a library that makes it easier to work with dates and times in JavaScript. If you want to add and subtract them, format and parse them, ask them hard questions, and so on, Luxon provides a much easier and more comprehensive interface than the native types it wraps.

UUIDjs >>

Generate RFC-compliant UUIDs in JavaScript.

UI Libraries

Tippy >>

Tippy.js is the complete tooltip, popover, dropdown, and menu solution for the web, powered by Popper.

It's a generic abstraction for the logic and styling of elements that pop out from the flow of the document and float next to a reference element, overlaid on top of the UI.

Popper >>

Position any UI element that "pops out" from the flow of your document and floats near a target element. The most common example is a tooltip, but it also includes popovers, drop-downs, and more. All of these can be generically described as a "popper" element.

Snackbar >>

A tiny browser library for showing a brief message at the bottom of the screen (1kB gzipped).

Material Icons >>

Material icons are delightful, beautifully crafted symbols for common actions and items. Download on desktop to use them in your digital products for Android, iOS, and web.

Google Fonts >>

Automatically send the smallest possible file to every user based on the technologies that their browser supports. For example, we use WOFF 2.0 compression when available. This makes the web faster for all users—particularly in areas where bandwidth and connectivity are an issue. Now everyone can enjoy the same quality and design integrity in their products and web pages, no matter where they are in the world.

Transparency Mode

When the API is configured for transparency mode (during development or monitoring), all data acquired by the LiveVQ Host can be inspected with the browser's DevTools.

Not all of this data is necessarily stored, but it shows everything that is exposed to the ResolveAX platform.

[Screenshot: devtools-filter-messagehandler.png]

Security (AppSec)

Authorization

An Agent is authorized to access the ResolveAX Backend through the following process:

  1. The application access key and secret (provided by Cyara and defined in the variables CYARA_LIVEVQ_APPID and CYARA_LIVEVQ_KEY) are base64 encoded and added to the Authorization header of the request.
  2. Information about the Agent is added to the request body.
  3. The backend validates the supplied information and returns a short-lived JWT.
  4. This JWT is added to the URI of the secure WebSocket (wss) to authenticate the socket connection; it travels in the URI because the browser WebSocket API does not allow custom headers on the handshake.

Browser Extension Configuration

mceclip2.png

The browser extension is configured in two stages. The first stage is to generate a link containing a signed token for the request.

  1. A JWT is created, embedding the Agent username and a unique (one-time) request identifier.
  2. An expiry is set on the token, which defaults to 24 hours.
  3. The token is signed with HMAC SHA-256 (JWT HS256), which protects it against tampering but does not encrypt its contents, and is added to a URL.
  4. This URL is sent to the Agent to initiate the extension configuration process.

The Agent clicks on the provided link to initiate the configuration process for the ResolveAX extension.

  1. The page checks that the extension is installed and prompts to install it if it is missing.
  2. The Agent clicks the configure button.
  3. The token is validated (signature, to detect tampering, and expiry).
  4. The embedded request identifier is checked to ensure it has not been used before (replay protection).
  5. The embedded Agent username is validated.
  6. A unique access key and secret are generated and associated with the Agent. These, together with other configuration data, are returned to the Agent.
  7. The extension intercepts the response and stores the configuration data in secure browser storage.

Code Analysis

Our code is statically analysed using Snyk's static analysis tooling. This provides feedback throughout the CI/CD pipeline and runs a full policy scan before deployment.

CAUDIT Procurement Webinar

Dynamic Code Scans

The ResolveAX Dashboard is continually subjected to dynamic application security testing (DAST) by Tenable.io.

[Image: tenable__1_.png]

Firewall Exceptions

To enable full operation of the ResolveAX integration, the following endpoints must be accessible from the agent's browser:

Purpose               Ports                     Domains
Network Performance   3001-3010, 32768-65535    ndt.iupui.mlab*.measurement-lab.org
Reverse Geocoding     443                       https://api.resolveax.cyara.com/*
ISP Lookup            443                       https://api.resolveax.cyara.com/*
ResolveAX Platform    443                       https://*.execute-api.*.amazonaws.com/*
NTP *                 443                       https://*.execute-api.*.amazonaws.com/*

* Used to enable the HTTPS wrapper on NTP.

Note that reverse geocoding and ISP lookup are reached through api.resolveax.cyara.com rather than directly from the browser to LocationIQ or IPStack, and that the pattern *.execute-api.*.amazonaws.com admits every API Gateway endpoint in every AWS region, not only Cyara's.
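As an added check that is not part of the page, the matcher below encodes the host and port columns of the table and reports which rule, if any, admits a given host and port, which is a quick way to see how far the wildcards reach before committing them to a proxy or firewall. The sample hosts are constructed; treating "*" as matching any run of characters (including dots) is an assumption about how the proxy interprets the patterns.

```javascript
// Added example, not Cyara's code: an allowlist matcher for the Firewall
// Exceptions table. Only the host part of each Domains entry is used.

// Rules copied from the table; "*" in a host pattern matches any run of
// characters, including dots, which is how most proxy allowlists treat it.
const ALLOWLIST = [
  { purpose: "Network Performance", ports: "3001-3010,32768-65535", host: "ndt.iupui.mlab*.measurement-lab.org" },
  { purpose: "Reverse Geocoding", ports: "443", host: "api.resolveax.cyara.com" },
  { purpose: "ISP Lookup", ports: "443", host: "api.resolveax.cyara.com" },
  { purpose: "ResolveAX Platform", ports: "443", host: "*.execute-api.*.amazonaws.com" },
  { purpose: "NTP over HTTPS", ports: "443", host: "*.execute-api.*.amazonaws.com" },
];

// "443" or "3001-3010,32768-65535" -> [[443, 443]] or [[3001, 3010], [32768, 65535]]
function parsePortSpec(spec) {
  return spec.split(",").map((part) => {
    const [lo, hi = lo] = part.trim().split("-").map(Number);
    if (!Number.isInteger(lo) || !Number.isInteger(hi) || lo < 1 || hi > 65535 || lo > hi) {
      throw new Error(`bad port range: ${part}`);
    }
    return [lo, hi];
  });
}

// Anchored, case-insensitive regex from a wildcard host pattern; every
// literal character is escaped so "." in the pattern only matches a dot.
function hostPatternToRegex(pattern) {
  const escaped = pattern.split("*").map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("[^/]*");
  return new RegExp(`^${escaped}$`, "i");
}

// Returns the purpose of the first rule admitting host:port, or null.
function matchAllowlist(host, port, rules = ALLOWLIST) {
  const h = host.replace(/\.$/, "").toLowerCase();   // tolerate a trailing dot
  for (const rule of rules) {
    if (!hostPatternToRegex(rule.host).test(h)) continue;
    if (parsePortSpec(rule.ports).some(([lo, hi]) => port >= lo && port <= hi)) return rule.purpose;
  }
  return null;
}

// Stand-alone check over a few constructed hosts.
const SAMPLE_HOSTS = [
  ["ndt.iupui.mlab1.syd01.measurement-lab.org", 3003],
  ["api.resolveax.cyara.com", 443],
  ["api.resolveax.cyara.com", 80],
  ["abcd1234.execute-api.us-east-1.amazonaws.com", 443],   // any API Gateway, any region
  ["api.resolveax.cyara.com.attacker.invalid", 443],       // not admitted: patterns are anchored
];
for (const [host, port] of SAMPLE_HOSTS) console.log(host, port, "->", matchAllowlist(host, port));
```

The fourth sample host is the one to look at: an arbitrary API Gateway stage in an unrelated account matches the platform rule, which is the breadth the note above the table points out.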

API

See more information on how to integrate ResolveAX into your Amazon Connect instance.
