Skip to main content
Touch blog
Enhancing Data Security using Customer-Managed Keystores for compliance programmes with Touch Call Recording Service

Enhancing Data Security using Customer-Managed Keystores for compliance programmes with Touch Call Recording Service

Controlling access to sensitive customer data for compliance recording programmes using keystores.

Data breaches of sensitive customer data or financial transactions must be prevented.  So, ensuring the strongest encryption and total control over access to your customer data is imperative, particularly for compliance call recording programmes. That’s where customer-managed keystores can help organisations to retain ultimate control over their data.

Recent years have seen a plethora of data leaks and data breaches, and as malicious actors find increasingly sophisticated measures to gain access to personal data, it is only set to get worse. Breaches of security are also breaches of trust that can have a devasting financial cost – through punitive compliance regulations – as well as damage to brand reputation that can take years to recover from.

According to a survey by secure payments provider PCI Pal, 41% of UK consumers would never return to a brand after their sensitive information had been breached. It means that safeguarding sensitive information has become paramount for organisations across all industries. That’s why Touch Call Recording Service has introduced an advanced layer of security and control through its Customer-Managed Keystore feature, which offers unparalleled protection for your recorded data and strengthens your compliance call recording programme.

This blog outlines how keystores can empower organisations to retain strict control over encryption keys and bring an added layer of security call recording solutions. It will explore how keystores work, the benefits they offer, and the strategic importance of implementing a customer-managed keystore in your data protection strategy to ensure that customer data remains secure and compliant with global regulatory standards. 

What is a customer-managed keystore?

Encryption is imperative when it comes to securing data, but then the question becomes: “Who holds the encryption key?” By default, many cloud providers generate encryption keys for their customers and manage the keys throughout their lifecycle. However, some organisations, such as those in the financial sector, want to maintain total control over their encryption keys, for example to comply with their own internal security processes or just as an added security layer.

There are multiple options, including Bring Your Own key (BYOK), Control Your Own Key CYOK), and Hold Your Own Key, among others. However, these are relatively ill-defined definitions, with varying degrees of overlap. Touch offers all these services.

How do customer-managed keystores work?

While Customer-Managed Keystores (CMK) touches on all of these, it is in fact a clear concept on its own. CMKs reside in the cloud, with the customer retaining ownership of all the encryption keys that protect the data stored by Touch, or any other service provider. It operates on a per-tenant encryption that allows customers to independently monitor – and revoke – access to their data.

CMKs use ‘envelope encryption’, which means that data is first encrypted with a data encryption key (DEK). A second ‘master key is then encrypted to the original DEK, creating an encrypted data encryption key, or encrypted DEK. The original DEK is then deleted, but the encrypted DEK is stored alongside the original data file containing the recording. It means that data is never stored, only metadata and the encrypted DEK.

If Touch, for example, then wanted to access any data, we would need to reach out to the customer to gain the decryption key – the customer can refuse to return the key and instead use an independent audit event for any request. It means that only the customer can approve access to the data stored by Touch. This is the basic premise of customer-managed keystores.

Customer-managed keystores add another layer of security

CMKs add a further layer of security, but prior to any of this, strong data encryption is of course critical. The Touch Call Recording Service is maintained as part of an ISO27001 certified information system, which describes the global standard for encryption. As soon as a recoding is complete (our service is network-based), files are automatically sent, via a secure connection, to the Touch Storage facility, where they undergo a two-stage encryption process, according to ETSI TR 102 661.

First, a new, random secret key is generated for each data file (AES, 256 bits). The secret key is then encrypted with an RSA asymmetric encryption algorithm with a key length of 2,048 bits. The encrypted, secret key is then stored in the database – and mirrored to our geo-redundant site – together with the encrypted data file, which again means that no content is stored in the database, only metadata.

Such a strong level of security is imperative for protecting recorded data and CMKs further strengthen this protection by handing customers complete control of their encryption keys, and who accesses their customer data. This is essential given the growing requirement to meet compliance obligations around data privacy (such as the General Data Protection Regulation) and financial transactions (such as MiFID, MiFID II, and Dodd-Frank), which require access to sensitive data, and data sovereignty to be tightly governed.

Another benefit of CMKs is that organisations are in control of their key management, allowing them to rotate, manage, and revoke keys according to company security policies, the on-boarding and retirement of new employees, and changes to personnel roles, such as a promotion or change of department. Regular rotation of keys is crucial as it provides a further layer of security.

Keystore best practice

When it comes to the management of keystores it is crucial to set out best-practice policies across the entire lifecycle, which may require specialist expertise. Some of the first questions to ask, include:

  • Where and how are keys stored?
  • Who has access to the keystore?
  • How often should access permissions be reviewed (i.e., frequently)?
  • How often should keys be rotated (i.e., frequently)?
  • How do we monitor and record requests for keystore access, and by whom?
  • When should access be granted?
  • When should access be refused?

For example, keys can be stored in vaults, with only privileged user access granted. It is essential, however, to set out policies around the regular rotation of keys and reviews of who has access permission, and under what circumstances should access be granted. It is also imperative to implement a policy that records all attempted accesses to ensure absolute transparency about who requested access and for what reason.

Another essential aspect to keystores is their ability to be easily and seamlessly integrated into existing security infrastructure and policies. Keystores must be incorporated into a unified approach to data protection across all platforms and services. Touch uses open APIs to enable seamless integration with existing infrastructure and systems, but it is as important to ensure that keystores are absorbed into a single, over-arching organisation-wide security strategy.

In conclusion, Touch Call Recording Service enables multiple layers of security through its ISO-certified encryption, geo-redundancy storage, and the ability to offer different types of keystore capabilities, enabling our customers to choose the level of keystore security that suits their needs. To find out more, contact us today.

Explore touch call recording

Touch call recording

Setting clear policies for how financial services companies communicate with their customers is vital

A comprehensive compliance policy is paramount for ensuring that financial advisors and brokers use the right – approved – channels for communicating with customers is essential to meet compliance obligations.

Achieving GDPR compliance with your Genesys Cloud contact centre solution with Touch

Genesys Cloud has become a popular choice for businesses as their contact centre – and has also evolved to become a centralised engagement hub that spans the entire omnichannel customer journey. For businesses that leverage Genesys Cloud, Touch Call Recording Service is widely used as the integrated recording solution to meet all GDPR requirements and to meet compliance obligations.

Sign up today with touch call recording service

Get started with Touch Call Recording Service

Start recording in minutes, not months. Need something specific? Get in touch.

Touch is

Touch Call Recording was recently awarded 'eco-lighthouse' certification, Norway's most widely used certification scheme for enterprises seeking to document their environmental efforts and demonstrate social responsibility.
Eco-lighthouse logo