Security in the Cloud

Sexy and new, voice biometrics caught enterprise customers’ fancy nearly a decade ago. But like a typical crush, interest quickly subsided when the technology’s limitations, complexities, and high costs began to surface. But the flame did not go out entirely. During the years that followed, voice biometrics vendors vastly improved the technology, which about 18 months ago once again caught customers’ eyes. Alas, the economy went sour, and companies that might have flirted with the idea of a voice biometrics deployment put their projects on hold once again.

Jilted but not undeterred, voice biometrics has started to make yet another comeback, reignited organically by vendors that are changing how they offer solutions.

Where solution providers used to rely entirely on large-scale deployments costing hundreds of thousands of dollars each, they have recently turned to multiple revenue streams, deriving revenue not only from software licensing and systems integration, but also from hosting fees that can be levied on a per-minute, per-user, per-transaction, or per-stored-voiceprint basis. For up to half of all vendors of the technology, moving voice biometrics into the cloud has been the answer to the sticker shock that was the single largest barrier to more widespread adoption. 

 “There needed to be other ways of approaching the pricing issue given the current market conditions,” says Julia Webb, executive vice president of American sales and marketing at VoiceVault, one of the first companies to offer fully hosted voice biometrics applications. “With current market pressures, resource pressures, and budget constraints, hosting allows projects to go forward. Companies really see [hosting] as a necessity to moving projects forward.”

But calling the hosted model a game changer in the speech security space is probably a bit premature. Judith Markowitz, president of J. Markowitz Consultants, which specializes in voice biometrics solutions, prefers to call the hosted model a “market enhancer” instead. “It’s going to become one of the regular options we see,” she says. “As we move more into cloud computing, it will be more of an option. And it’s going to last; it’s certainly not a fly-by-night thing.”

Markowitz sees hosting in the voice biometrics space continuing to fly well after the economic recovery sets in. “It’s going to be an option for companies that do not have the wherewithal, even in good times, to get this kind of application or service,” she adds.

Brian Eastley, director of hosted and on-demand marketing strategy at Convergys, agrees. “It really has changed the nature of the interest and how we go to market,” he says. “The recession capped capital expenditures, but with hosting/on-demand [solutions], we’re seeing interest grow again.”

Money Matters 

To say that organizations have been eager to take the hosted bait would be an understatement. Thanks to hosted offerings, the voice authentication market is expected to grow fivefold by 2011, hitting the $260 million mark by 2014, according to Opus Research. Interest has been highest in the financial services, utilities, technology, healthcare, insurance, and government sectors.

For organizations like these, the reasons for buying into hosted voice biometrics applications are many. Chief among them is the cost avoidance that goes with having someone else house and manage an application. That’s because hosting arrangements typically eliminate the large up-front capital expenses that previously made the technology too expensive for all but a select few.

“Hosting is a good way for something like speaker verification to become accessible to more organizations because it costs less than trying to buy it and build it yourself,” Markowitz says. “It’s not like buying an on-premises solution where you’re responsible for all the hardware, software, training, etc.”

Companies looking to invest in an on-premises voice biometrics application could easily pay around $100,000 to start, but prices have been known to go as high as $250,000 or even $500,000 for some of the larger, more highly specialized and custom deployments. 

Conversely, technology vendors with a hosted offering typically charge between 25 cents and 50 cents per use, and volume discounts can bring fees down to pennies per call.  

Call volume affects the overall cost in other ways. Take, for example, a health insurance provider whose call volume often spikes at the end of the year during open enrollments. Rather than purchasing a certain amount of on-premises capacity that sits idle for large blocks of time, a hosted solution allows the organization to pay only for what it uses, when it uses it. “It really allows you to conserve your capital expense. You pay as you go, so you’re not paying for what you don’t use,” Eastley explains. 

But it is vitally important for the enterprise to alert its service provider to these spikes ahead of time “so we can provision our resources and capacity accordingly,” Webb says.

Driving a Hybrid

Another pricing option that has also found favor with a number of organizations is a hybrid approach that brings together the best of hosted and on-premises solutions. With this option, companies outsource some parts of an application and keep others in-house. Providers of this option predicate their pricing on how much of the overall application is hosted. 

According to Chuck Buffum, vice president of authentication solutions in the Mobile and Enterprise Division at Nuance Communications, a voice biometrics solution essentially comprises four parts:

• the voice biometrics engine and companion decisioning engine;
• the voiceprint database;
• the telephony interface layer; and
• the dialogue component that lays out the prompts and drives the customer interaction.

Nuance can host any or all of these layers, and that is a key element in determining the fees it charges per month, Buffum says. 

The hybrid approach is an especially attractive option for companies that are reluctant to turn over very sensitive data—in this case, customer voiceprints and account information—to outside firms over which they have little or no direct control. “We’re certainly seeing a lot of organizations that we are talking to that want to keep the [voiceprint] database in-house behind their own firewalls,” Buffum says. “At least for the next few years, I don’t see hosting of the voiceprints as the norm, but the logic to make the decisions, that’s not something that people want to do on their own.”

VoiceVault’s Webb offers a different perspective. She says about 95 percent of her company’s customers have opted for a fully hosted deployment because they simply do not have the resources or expertise to keep the solution in house. Of the 5 percent that have opted to keep some part of the application in house, most are high-volume financial services firms that log millions of calls per month, she says.

A Matter of Trust

For many of the organizations that keep the voiceprint database in house, it simply comes down to a question of security. It’s an understandable concern. “There’s a lot of sensitive data, and you need to have confidence in the organizations that you trust with it,” says Brian Contos, chief security strategist at Imperva, a data security firm based in Redwood Shores, Calif.

Markowitz agrees. “You are trusting someone else to do things for you, and if they have a failure, you have a failure,” she says. Likewise, if the hosting company has a breach of security, then all of its customers, and their clients, are also affected.

“The answer to this issue may very well be in managed services, where you have the database in house and you pay someone else to manage the operation of it for you,” Markowitz adds.

But no matter where the database resides, security should be priority No. 1, Contos advises. In the case of hosting, “it behooves you to research how the [hosting] firms handle security. As a customer, you need to do due diligence on your service providers,” Contos says.

And when you’ve completed your research, the conclusion invariably will be that the firms hosting the voice security applications have the security issue pretty well in hand. “People can feel confident with the hosting companies. [Security] is being done, and it’s being done better than what the [customer] can do on its own locally,” Contos says.

That’s because so many companies today are still clinging to old technology and security protocols that don’t adequately address modern threats. Attacks of the past used to target internal networks, and it was a good day for a hacker when he was able to bring a company’s servers or networks to a screeching halt. Today’s hackers are looking instead to capture data and either do something with it themselves or sell it to someone else who can use it, according to Contos.

“The notion of protecting data seems like such a simple thing, but so many organizations are doing security the way they did it 10 years ago. You will not be able to protect yourself with the controls you used 10 years ago,” he says. “There needs to be a fundamental shift in the way we think. It’s not just about protecting the network, but about the data, as well.”

Proper data security should involve three components: prevention, detection, and auditing, Contos suggests. “At any point in time, you should be able to see who accessed the information, when, what files they accessed, and what they did with them,” he says.

That’s a tall order, and many of the firms that would employ voice biometrics applications on-premises simply are not up to the task. “The cloud providers are stepping up,” Contos says. “They take security very seriously. For a hosting company, the entire brand reputation is at stake, and there are big ramifications for screwing up.”

Beyond basic firewalls and encryption, security is not just about where the data is stored, but what is stored. At VoiceVault, “all we store is the voiceprint and an identification number that is then linked at the financial institution to the account information in their database,” Webb says.

Eastley points out that Convergys does not store personally identifiable information with the application. “The voiceprint cannot be traced to any specific person and is not tied to any account information,” he says. “We have a bunch of encrypted files, and they have no meaning outside the context of this environment.”

More simply put, data files that accompany a voice biometrics application by themselves are meaningless to a hacker. The voiceprint database is not a collection of identifiable audio files, recordings, words, or wave patterns, but rather a digital matrix of numbers that relate to the physical and behavioral characteristics of each person’s unique voice. Algorithms typically use more than 100 calculations to generate a voiceprint, and a hacker would need access to the algorithm, voice biometrics engine, and corresponding back-end systems for voiceprint files to be actionable in any way. 

Close to Home

Hosting companies have also allayed customer fears about data security by moving their data centers closer to their customers’ sites. VoiceVault, which is based in England, established a data center in Los Angeles for its U.S. customers who were worried about having their data stored overseas. 

In most cases, it’s more a matter of perception than a real threat. “The perception is that information is better stored locally,” Eastley says, “so Convergys has collocation agreements with the major carriers around the world.”

Companies that would employ a hosted voice biometrics solution can also take comfort in knowing hosted service providers have undergone very rigorous government and private-sector reviews to ensure their data security protocols are top of the line. A number of national and international standards bodies are involved, and companies that pass their tough scrutiny receive certifications with fancy alphanumeric combinations, like ISO-27001.

At least for the next few years, security experts predict hosting companies will use these certifications as differentiators that set them apart from their competitors. But eventually the entire industry will have to seriously address the data security issue if cloud solutions ever have a shot at becoming not just economically tantalizing, but within the bounds of acceptable risk for customers. 

“You always have to balance the loss of control over your data and processes with the savings you get,” Markowitz advises. “It’s something you’ll always have to think about and may need to re-evaluate from time to time.”

This will be especially true as the financial picture develops fully over time. “Over a five-year ownership cycle, [total costs for a hosted solution] in most cases will be roughly equivalent to a premises-based solution,” Nuance’s Buffum says. “Years one and two—when you’re just getting started—is when you see the real value to outsourcing. Hosting definitely de-risks the early stages of the process.”

As the hosting agreement plays out beyond the first year or two, that’s when companies will have to look at other metrics, he says.

Less Obsolescence

In addition to lower start-up costs, greater flexibility, and tighter security, hosting ensures an application is current. By turning an application over to a hosted service provider, it becomes the service provider’s responsibility to update and maintain all of the necessary components of a speech application, including the software, hardware, and staffing. 

“Improvements in technology are coming so quickly, and hosting allows companies to get those updates quickly,” VoiceVault’s Webb says.

With that comes faster application development. Under a hosting arrangement, voice biometrics applications can be rolled out in a matter of weeks rather than months. That’s because the hosting provider already has the entire infrastructure in place and just has to link its servers and databases to the customer’s existing call center systems, usually through a Web-based application programming interface that the customer can access from anywhere.

“For an on-premises solution, it can take a year or more to deploy and start seeing a [return on investment],” Convergys’ Eastley explains. “It can be a few months with hosting.”

“You should get lower starting capital costs and scalability without having to buy the infrastructure,” Buffum adds. “And you’re paying someone else for all the maintenance, updating, operation, and management of a solution. You’re saying, ‘It’s not my core competency, so I’m letting someone else do it for me.’”

And predictions are that more and more companies will think that way as time goes on.

“In a couple of years from now, everyone will be using some form of hosting,” Imperva’s Contos predicts. “People do not want to be custodians of information systems anymore.”

Sidebar: Millions of Passwords Are Easy to Steal

In late January data security firm Imperva released a study analyzing 32 million passwords exposed to hackers in the mid-December breach of Rockyou.com, a site dedicated to social networking applications and the hub for many social networking sites, such as Bebo, Facebook, and MySpace.

Imperva’s Application Defense Center analyzed the strength of the passwords in a report, “Consumer Password Worst Practices,” and found the 10 most commonly used passwords were:

1. 123456; 
2. 12345;
3. 123456789;
4. Password;
5. iloveyou;
6. princess;
7. rockyou;
8. 1234567;
9. 12345678; and
10. abc123.

According to the survey, nearly 50 percent of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, etc.). 

It’s a problem that has changed very little during the past 20 years, according to Brian Contos, chief security strategist at Imperva, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “People are still using the same bad passwords,” he says. “After all the education and awareness training, people are still taking simplicity over security.”

Part of the reason for this is that the modern consumer relies on and uses so many applications and services that require passwords. “The real problem is that because you have so many passwords, people use the same one. The same one they use for Facebook they use at Bank of America and to file a health insurance claim,” Contos explains. 

According to Contos, everyone needs to understand what the combination of poor passwords means: With minimal effort, a hacker can gain access to 1,000 accounts every 17 minutes.

“At a minimum, everyone should have two sets of passwords: one for more general activities and one for more important activities,” Contos advises.

Banks, financial firms, insurance providers, and others that rely on customers to provide passwords also have an obligation to better advise their account holders. “Organizations should recommend that their clients give more and different passwords,” Contos says. “And they can use things like voice biometrics more.”

Sidebar: The High Cost of Credit Fraud

For consumers—and the banks and financial services firms that manage their accounts—the rise in identity theft crimes and credit fraud is especially troubling. The U.S. Treasury’s Financial Crimes Enforcement Network reported recently that suspicious credit card activity in the United States increased by 95 percent from 2007 to 2008, and that figure is expected to rise again for 2009. The U.S. Department of Homeland Security has said the cost of credit card fraud might be as high as $500 million a year. And when fraud does happen, it’s not just the credit card issuer that’s left holding the bag. Merchants often pay a high price, but so do cardholders, who often face economic losses and lengthy legal battles and have to expend huge amounts of time and effort to repair their damaged credit records.