Posts By :

Christian Grunkemeyer

Adding a Secure Message Center to Self-Service Portals and Apps

Self-service started long ago with things like the self-service gas pump (1947) and automated teller machine (1967) – primarily for economic reasons. Self-service often helps to reduce the cost of doing business, and digital self-service is available 24×7. But ever since the introduction of online banking and online brokerage services, the idea of “self-service” has become increasingly important – particularly in financial services. Account holders want online access to view a balance, initiate payment transactions, buy investments or check credit account charges – from portals and smartphone apps. It is a perfect self-service arrangement – convenient and efficient for both the consumer and the business. But every self-service process can reach its limit – and then customers want an equally effective communication channel to get help. That’s where a secure message center becomes a key link between efficient self-service and efficient customer service.

What is a secure message center?

A secure message center adds web-mail, web-form or web-chat services natively to financial services customer portals or apps so that clients can easily ask questions about their account and even share supporting files or images (receipts for a credit charge dispute, a tax return as part of a loan application process). Client messages and files are routed to responsible employees – account teams, support personnel, or contact center agents – for a response. Case numbers may be assigned for tracking in ticketing systems, and response notifications are sent via email or SMS text channels to notify customers of a waiting reply. For security and regulatory compliance reasons, the message content (and any uploaded file or image attachments) must be encrypted, and detailed logging and tracking reports must provide history and proof for compliance audits.

How is a secure message center enabled?

Enabling an efficient secure message center requires an assessment of the workflows end-to-end. What type of inquiries are expected? Can they be categorized for efficient routing? What is the log-on process to use it? How should the secure message center look? What type of message features does it need? What type of file attachments do customers need to upload and share? Which employees need to respond to messages? What type of applications and user interfaces will the employees use to receive messages? There’s a litany of questions that will drive the design and requirements for the secure message center – all centered around making the communications workflow as seamless and efficient as possible.

Figure: Secure Message Center architecture

How should customers access a secure message center?

Secure message centers have evolved from traditional email encryption services, which provide similar security and tracking features, but generally force users to create a separate login on a separate web-portal to send or receive secure messages. By contrast, an integrated secure message center shares a financial services portal login (via SSO techniques) at a minimum, and at best – blends seamlessly into the service portal’s user interface. Taken a step further – corresponding mobile apps can be offered as an alternative to web portal access and the secure message center features and functions are replicated in the mobile app as well. Under the hood – this requires a secure messaging service that supports SSO services and exposes web service APIs for the secure messaging service functions, management and provisioning. This simplifies the addition of secure message center features in financial services portals and mobile apps.

How do employees access the secure message center?

For account management and lower volume, or ‘un-categorized’ inquiries – an email client such as Outlook may be most suitable. For high volume, contact center workflows, employees will often use a CRM like Salesforce Service Cloud to manage the customer database, automate and track customer interactions for support and retention – even for marketing and sales touchpoints. So, the secure message center must integrate with the backend applications and UIs that your employees use, while maintaining end-to-end message security and verifiable compliance with security policy and privacy regulations – always ‘must have’ table stakes of a secure message center design for financial services firms.

The benefits to digitally integrating and transforming your self-service customer portal

By updating your self-service customer portal and mobile apps with a secure message center, you can transform the way you and your customers/clients work together. Your customer feels enabled to easily do business with you. Your response and outreach are more complete and efficient. And, your business can often reduce costs. A win-win for everyone. This solution is a notch on the belt of “digital transformation” and how to improve the interaction between clients and your customer teams that respond to their needs.

Want to learn more about how to secure workflows in self-service customer portals? Visit us at the DataMotion Developer’s Center, financial services solutions page or Contact Us for a consultation.

Achieve Office 365 CJIS Compliance

Moving from an on-premises Exchange server to Microsoft Office 365 (O365) can have numerous benefits. Microsoft promotes its cloud productivity suite as yielding better collaboration, increased productivity and a reduced cost of ownership. Many state and local government agencies eager for those benefits are making a move to the cloud with O365. According to Microsoft, approximately 5.2 million people use Microsoft Cloud for Government services including Azure Government, Office 365 Government, and Dynamics CRM Online Government, an impressive figure. However, some government agencies need to access the FBI’s Criminal Justice Information Systems (CJIS) database to fulfill their mission. These agencies must achieve Office 365 CJIS compliance with the security rules that restrict their ability to use O365 to exchange CJIS information, or CJI for short. This information must be protected in motion and at rest whenever it is outside a secure CJIS datacenter. Specific rules and the entire FBI CJIS Security Policy are posted here.

According to its website, Microsoft will sign a CJIS Security Addendum for Office 365 CJIS compliance in states where they have established CJIS Information Agreements. At this time there are 26 states where Microsoft has a signed CJIS Security Addendum – the most recent being with Missouri (February 2017). States that don’t have CJIS approval for O365 as of March 2017 include Alabama, Connecticut, Florida, Idaho, Indiana, Iowa, Louisiana, Maine, Maryland, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Vermont, West Virginia, Wisconsin and Wyoming.

While these states are not prohibited from using cloud services, they must be able to demonstrate Office 365 CJIS compliance if using those services. For them to use O365 to transmit CJI and PII (Personally Identifiable Information), the following CJIS security policy sections must be addressed.

“5.8 Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1 Media Storage and Access

The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.

5.8.2 Media Transport

The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1 Digital Media during Transport

Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of the data isn’t possible then each agency shall institute physical controls to ensure the security of the data.”

When an agency moves from an on-premises secure Exchange server to O365, emails containing CJI must be protected – and that is commonly done through encryption. While O365 does contain an email encryption capability, that encryption occurs after the O365 cloud receives the unencrypted data. For those 24 states without a Microsoft CJIS Security Addendum, this is a violation of CJIS security policy. To achieve Office 365 CJIS compliance, the email must be encrypted before it arrives in the O365 cloud, and must remain encrypted until it is received or retrieved by the intended recipient.

One solution to this issue is to employ a third party email encryption solution designed to enhance the security of O365 and address the CJIS security policy issues. Such solutions offer more depth in encryption features and capabilities and integrate well with the Office 365 suite of applications. To achieve this end-to-end encryption requirement, the email can be encrypted at the Outlook client using an encryption plug-in, and routed through O365 to the recipient, or to an email encryption platform in a CJIS compliant datacenter to await recipient retrieval. In this way – O365 can be adopted, while maintaining CJIS compliance for PII and CJI. You can learn more about securing email in Office 365 here.
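The requirement above, that a message is already encrypted when it leaves the client, can be checked before submission. The following is an added example, not code from this article or from any vendor's product. It assumes the client-side plug-in emits standard S/MIME or PGP/MIME (the article does not name a format), and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify(raw):
    """Classify a raw RFC 5322 message by how its body is protected."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in SMIME_TYPES:
        kind = str(msg.get_param("smime-type") or "").lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "encrypted"
        # signed-data wraps the body in a signature but does not encrypt it
        return "signed-only" if kind == "signed-data" else "unverified"
    if ctype == "multipart/encrypted":  # PGP/MIME (RFC 3156)
        proto = str(msg.get_param("protocol") or "").lower()
        return "encrypted" if proto == "application/pgp-encrypted" else "unverified"
    if ctype == "multipart/signed":
        return "signed-only"  # clear-signed: the relay can still read the body
    return "cleartext"

def may_submit(raw):
    """Fail closed: only a recognised encrypted body may leave the client."""
    return classify(raw) == "encrypted"

def exposed_headers(raw):
    """Headers the relay can read even when the body is encrypted."""
    msg = message_from_string(raw)
    return {h: msg[h] for h in ("From", "To", "Subject") if msg[h] is not None}

# Constructed sample messages; addresses and payloads are placeholders.
HDR = ("From: officer@agency.example\nTo: clerk@court.example\n"
       "Subject: Records request\nMIME-Version: 1.0\n")
SAMPLES = {
    "smime_enveloped": HDR + "Content-Type: application/pkcs7-mime;"
        ' smime-type=enveloped-data; name="smime.p7m"\n'
        "Content-Transfer-Encoding: base64\n\nUExBQ0VIT0xERVI=\n",
    "pgp_mime": HDR + "Content-Type: multipart/encrypted;"
        ' protocol="application/pgp-encrypted"; boundary="b"\n\n'
        "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        "--b\nContent-Type: application/octet-stream\n\nPLACEHOLDER\n--b--\n",
    "clear_signed": HDR + "Content-Type: multipart/signed;"
        ' protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nreadable body\n"
        "--b\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER\n--b--\n",
    "plain": HDR + "Content-Type: text/plain\n\nreadable body\n",
}

RESULTS = {name: classify(raw) for name, raw in SAMPLES.items()}
```

A message can pass `may_submit` and still expose sensitive data in its Subject line, which is why `exposed_headers` is reported separately.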

Office 365 is a great tool and can offer state and local agencies many benefits – and with proper implementation can meet the stringent requirements for CJIS security.