Introduction
This document is intended for:
- Developers who have customised an Amazon Connect CCP, and who are looking to further customise Cyara LiveVQ.
- Administrators of an Amazon Connect deployment who want to enable Cyara LiveVQ capability by installing the LiveVQ Library.
- Information Security Engineers who are seeking to understand the inner workings of LiveVQ on an agent desktop.
If you are currently implementing Cyara LiveVQ or are interested in the platform for future adoption, this document is your primary resource.
Transparency 💯
We value transparency. This document will cover the implementation of Cyara LiveVQ within your Amazon Connect Contact Center, so that you can be confident that sensitive customer data is not shared outside of your network. It is important for us at Cyara to build trust through transparency.
Data Flow
Code First
Extension COMING
Hybrid (Code First + Extension) COMING
Browser APIs
RTCPeerConnection >>
Interface representing a WebRTC connection between the local computer and a remote peer. It provides methods to connect to a remote peer, maintain and monitor the connection.
navigator.hardwareConcurrency >>
The number of logical processors available to run threads on the user's computer.
Modern computers have multiple physical processor cores in their CPU (two or four cores is typical), but each physical core is also usually able to run more than one thread at a time using advanced scheduling techniques. So a four-core CPU may offer eight logical processor cores, for example. The number of logical processor cores can be used to measure the number of threads which can effectively be run at once without them having to context switch.
navigator.deviceMemory >>
The approximate amount of device memory in gigabytes.
The reported value is imprecise to curtail fingerprinting. It’s approximated by rounding down to the nearest power of 2, then dividing that number by 1024. It is then clamped within lower and upper bounds to protect the privacy of owners of very low- or high-memory devices.
possible values:
0.25, 0.5, 1, 2, 4, 8
navigator.geolocation.getCurrentPosition >>
enableHighAccuracy: false
The Geolocation API is used to retrieve the user's location, so that it can for example be used to display their position using a mapping API.
GeolocationPosition {
  coords: {
    accuracy: 114
    altitude: null
    altitudeAccuracy: null
    heading: null
    latitude: -27.451541499999998
    longitude: 153.0438438
    speed: null
  }
  timestamp: 1609292699868
}
3rd Parties
APIs
Location IQ >>
Reverse Geocoding: Converts coordinates to human-readable addresses. Breaks down addresses into elements like street, city, state, etc.
{
  "place_id": "330564223547",
  "licence": "https://locationiq.com/attribution",
  "lat": "-27.451511",
  "lon": "153.043939",
  "display_name": "35, Longland Street, Teneriffe, Brisbane, Queensland, qld, 4006, Australia",
  "boundingbox": [ "-27.451511", "-27.451511", "153.043939", "153.043939" ],
  "importance": 0.2,
  "address": {
    "house_number": "35",
    "road": "Longland Street",
    "city": "Teneriffe",
    "county": "Brisbane",
    "state": "Queensland",
    "state_code": "qld",
    "postcode": "4006",
    "country": "Australia",
    "country_code": "au"
  }
}
IPStack by API Layers >>
Determines the Internet Service Provider and the autonomous system organization and number associated with an IP address. Provides fallback geo data if no triangulation was possible via GPS or WiFi signals.
{
  "ip": "122.199.46.46",
  "type": "ipv4",
  "continent_code": "OC",
  "continent_name": "Oceania",
  "country_code": "AU",
  "country_name": "Australia",
  "region_code": "QLD",
  "region_name": "Queensland",
  "city": "Brisbane",
  "zip": "4000",
  "latitude": -27.467580795288086,
  "longitude": 153.02789306640625,
  "location": {
    "geoname_id": 2174003,
    "capital": "Canberra",
    "languages": [{ "code": "en", "name": "English", "native": "English" } ],
    "country_flag": "https:\/\/assets.ipstack.com\/flags\/au.svg",
    "country_flag_emoji": "\ud83c\udde6\ud83c\uddfa",
    "country_flag_emoji_unicode": "U+1F1E6 U+1F1FA",
    "calling_code": "61",
    "is_eu": false
  },
  "time_zone": {
    "id": "Australia\/Brisbane",
    "current_time": "2020-12-30T15:49:38+10:00",
    "gmt_offset": 36000,
    "code": "AEST",
    "is_daylight_saving": false
  },
  "currency": {
    "code": "AUD",
    "name": "Australian Dollar",
    "plural": "Australian dollars",
    "symbol": "AU$",
    "symbol_native": "$"
  },
  "connection": {
    "asn": 38195,
    "isp": "Superloop"
  }
}
Time Synchronization Service >>
This configurable service is used to determine the offset of the Agent's PC clock relative to a constant time.
Libraries
M-Lab >>
Measurement Lab (M-Lab) provides the largest collection of open Internet performance data on the planet. As a consortium of research, industry, and public-interest partners, M-Lab is dedicated to providing an ecosystem for the open, verifiable measurement of global network performance.
NDT is a single stream performance measurement of a connection’s capacity for “bulk transport” (as defined in IETF’s RFC 3148). NDT measures “single stream performance” or “bulk transport capacity”. NDT reports upload and download speeds and latency metrics.
Data collected by NDT: the IP address provided by your Internet Service Provider will be collected along with your measurement results. M-Lab conducts the test and publishes all test results to promote Internet research. NDT does not collect any information about you as an Internet user.
WebRTC adapter by The WebRTC project >>
adapter.js is a shim to insulate apps from spec changes and prefix differences in WebRTC. The prefix differences are mostly gone these days but differences in behaviour between browsers remain.
Detect RTC >>
A tiny JavaScript library that can be used to detect WebRTC features e.g. system having speakers, microphone or webcam, screen capturing is supported, number of audio/video devices etc.
Luxon >>
Luxon is a library that makes it easier to work with dates and times in JavaScript. If you want to add and subtract them, format and parse them, ask them hard questions, and so on, Luxon provides a much easier and more comprehensive interface than the native types it wraps.
UUIDjs >>
Generate RFC-compliant UUIDs in JavaScript.
UI Libraries
Tippy >>
Tippy.js is the complete tooltip, popover, dropdown, and menu solution for the web, powered by Popper.
It's a generic abstraction for the logic and styling of elements that pop out from the flow of the document and float next to a reference element, overlaid on top of the UI.
Popper >>
Position any UI element that "pops out" from the flow of your document and floats near a target element. The most common example is a tooltip, but it also includes popovers, drop-downs, and more. All of these can be generically described as a "popper" element.
Snackbar >>
A tiny browser library for showing a brief message at the bottom of the screen (1kB gzipped).
Material Icons >>
Material icons are delightful, beautifully crafted symbols for common actions and items. Download on desktop to use them in your digital products for Android, iOS, and web.
Google Fonts >>
Automatically send the smallest possible file to every user based on the technologies that their browser supports. For example, we use WOFF 2.0 compression when available. This makes the web faster for all users—particularly in areas where bandwidth and connectivity are an issue. Now everyone can enjoy the same quality and design integrity in their products and web pages, no matter where they are in the world.
Transparency Mode
When the API is configured for transparency mode (during development or monitoring), you can use DevTools to expose all data received by the LiveVQ Host.
Not all of this data is necessarily stored; however, it shows all data that is exposed to the LiveVQ platform.
Security (AppSec)
Authorization
An Agent is authorized to access the LiveVQ Backend through the following process:
- The application access key and secret (provided by Cyara and defined in the variables CYARA_LIVEVQ_APPID and CYARA_LIVEVQ_KEY) are base64 encoded and added to the Authorization header for the request.
- Information about the Agent is added to the request body.
- The backend will validate the supplied information and return a short-lived JWT.
- This JWT will be added to the URI for the secure WebSocket to validate the socket connection.
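The client side of this process, as an added example that is not Cyara's code: it builds the header, checks the returned JWT's expiry before placing it in the socket URI, and redacts the token for logging. The Basic-style "appId:key" layout, the `token` query parameter, the 300-second lifetime limit and the `example.invalid` endpoint are all assumptions made for illustration.

```javascript
// Added example; endpoint, header layout and parameter name are assumptions.
const WS_BASE = 'wss://livevq.example.invalid/socket'; // placeholder, not a Cyara URL

// Step 1: base64-encode the access key and secret for the Authorization header.
// Assumed layout: HTTP Basic ("appId:key"). Base64 is reversible, so the header
// is only as confidential as the TLS channel that carries it.
function buildAuthHeader(appId, key) {
  return 'Basic ' + btoa(`${appId}:${key}`);
}

// Step 3: read the claims of the returned JWT. No signature check here: the
// backend verifies the token, the client only needs the expiry.
function jwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')));
}

// Step 4: add the JWT to the WebSocket URI, refusing tokens that are expired
// or that live longer than maxTtl seconds (illustrative limit).
function buildSocketUrl(token, nowSec, maxTtl = 300) {
  const { exp } = jwtClaims(token);
  if (typeof exp !== 'number') throw new Error('JWT has no exp claim');
  if (exp <= nowSec) throw new Error('JWT expired');
  if (exp - nowSec > maxTtl) throw new Error('JWT lifetime exceeds policy');
  const url = new URL(WS_BASE);
  url.searchParams.set('token', token); // parameter name is an assumption
  return url.toString();
}

// URIs are recorded by proxies and access logs; strip the token before logging.
function redactForLog(socketUrl) {
  const url = new URL(socketUrl);
  if (url.searchParams.has('token')) url.searchParams.set('token', 'REDACTED');
  return url.toString();
}

// Constructed sample token (unsigned, for illustration only).
function sampleJwt(exp) {
  const enc = o => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ sub: 'agent-1', exp })}.sig`;
}
```

Because the JWT travels in the URI, its short lifetime is what limits the value of a copy recovered from a proxy or access log.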
Code Analysis
Our code is statically analysed using Veracode's Static Analysis tools. This provides feedback throughout the CI/CD pipeline and conducts a full Policy Scan before deployment.
Dynamic Code Scans
The LiveVQ Portal is continually tested against dynamic attacks by our friends at Rapid7.
Firewall Exceptions
To enable full operation of the LiveVQ integration, the following endpoints must be accessible from the agent's browser:
Purpose | Ports | Domains |
Network Performance | 3001-3010 and 32768-65535 | ndt.iupui.mlab*.measurement-lab.org |
Reverse Geocoding | 443 | https://*.locationiq.com/* |
ISP Lookup | 443 | https://*.ipstack.com/* |
LiveVQ Platform | 443 | https://*.execute-api.*.amazonaws.com/* |
NTP * | 443 | https://time.livevq.cyara.com/ |
* Used to enable the HTTPS wrapper on NTP
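A checker for the table above, as an added example that is not part of the LiveVQ library: it reports which exception, if any, covers a given URL, so proposed egress rules can be tested before rollout. The page does not say how `*` is interpreted; the code assumes it may span several DNS labels, and the hostnames in the test calls are constructed.

```javascript
// Added example: rules transcribed from the Firewall Exceptions table.
const RULES = [
  { purpose: 'Network Performance', host: 'ndt.iupui.mlab*.measurement-lab.org',
    ports: [[3001, 3010], [32768, 65535]] },
  { purpose: 'Reverse Geocoding', host: '*.locationiq.com', ports: [[443, 443]] },
  { purpose: 'ISP Lookup', host: '*.ipstack.com', ports: [[443, 443]] },
  { purpose: 'LiveVQ Platform', host: '*.execute-api.*.amazonaws.com',
    ports: [[443, 443]] },
  { purpose: 'NTP', host: 'time.livevq.cyara.com', ports: [[443, 443]] },
];

// Turn a wildcard host into an anchored regex. Assumption: '*' may span
// several labels. The suffix stays anchored, so a lookalike such as
// "locationiq.com.attacker.example" cannot match "*.locationiq.com".
function hostRegex(pattern) {
  const escaped = pattern.split('*')
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('[a-z0-9.-]+') + '$', 'i');
}

// Return the purpose of the first rule covering the URL's host and port,
// or null when no exception covers it.
function matchRule(urlString) {
  const url = new URL(urlString);
  const defaults = { 'https:': 443, 'wss:': 443, 'http:': 80, 'ws:': 80 };
  const port = url.port ? Number(url.port) : defaults[url.protocol];
  const rule = RULES.find(r => hostRegex(r.host).test(url.hostname) &&
    r.ports.some(([lo, hi]) => port >= lo && port <= hi));
  return rule ? rule.purpose : null;
}

// Constructed sample calls:
// matchRule('https://us1.locationiq.com/v1/reverse')      -> 'Reverse Geocoding'
// matchRule('https://locationiq.com.attacker.example/')   -> null
```

The `*.execute-api.*.amazonaws.com` row matches API Gateway endpoints in any account and region, so a match on that rule does not by itself show the destination is the LiveVQ platform.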
Data Maps
Amazon Connect Streams
To see what Amazon Connect Streams data is generated and exposed to the LiveVQ platform, please review the PDF at the end of this article.
API
See more information on how to integrate LiveVQ into your Amazon Connect instance.