Chatbot Security

While security is important to every company, it is particularly important to the healthcare, financial and government sectors. If we consider the security issues that are important to these sectors, we will at least be able to cover the issues that are relevant for all companies.

There are a number of points to consider when it comes to bot security. These can be broadly addressed through the following questions:

What environment is used to build the bot?
Where is the bot hosted?
What are the security features of technology on which the bot is built?

I will address these questions one by one.

Environment

Access to the environment used by developers (both staff and contractors) to develop the bot need to be secured and permissioned. This means not only securing and source controlling the code but also securing communications and making sure the environment is free of viruses and other threats.

Standards need to be in place for anti-virus installation, encryption, access control, mandatory information security training and activity logging. Procedures and policies also are needed to govern the testing of security features and change control in that developers cannot make a change to the source code without the explicit approval of a senior engineer.

Hosting

There are many options for hosting these days, from public cloud, to private cloud, to on-prem (on premises / in-house).

Companies that need a superior degree of information security will opt for either a private cloud or on-prem installation depending on the nature of the use case.

It is important to understand that hosting is not just about hosting the bot itself. If the bot uses third-party services such as an NLP engine, then similar hosting and information security issues associated with these services need to be taken into account. Are these services SAAS or available on-prem for example? Do they isolate client data, or is all data pooled in some form?

The front end of the bot is another consideration of course. If the bot is used over a chat platform such as Facebook Messenger the client’s information will be exposed to and recorded by this platform. This may or may not be an issue, but clearly it needs consideration.

Enterprises concerned about transmitting their conversation data over chat platforms such as Facebook Messenger and Slack, can use alternative means to communicate with their customers via on-prem or private cloud solutions such as Mattermost or Web Chat.

Security Features

Whether the bot is hosted in the cloud or on-prem, there are many bot related security features to consider.

Access of administrative staff to the bot management system needs to be tightly controlled through built in role based security and multi-user management. If required, this access control can be integrated with with the enterprise internal on-prem Identity & Access Management solution such as Active Directory and LDAP.

The system should include comprehensive and detailed logs showing user (including admin users) and system activity. Alerts should be set to notify admins and others of if specific activity occurs.

Aside from normal alerts, special alerts should be be setup to notify admins and others of specific suspicious activity, incidents and exceptions.

Data and records that are stored on servers such as customer records/interactions, authentication data need to be encrypted with some sort of industry standard encryption such as AES-256.

Message transmission between end users and servers, as well as connections between front-end (such as Webchat, web pages or a chat platform) and back-end systems need to be encrypted with industry standards such as TLS.

Policies and Procedures

Of course it is critical for all of the above that relevant policies and procedures that govern standards for information security are put in place. Information security is not a once-off setup but an ongoing activity.

These policies and procedures will govern not only how the relevant software is set up but will also specify when and how regular training sessions and tests will be carried out.

Securing a bot is no different to securing any other piece of software. There needs to be an assessment made at the beginning of the process as to how confidential the underlying data is and that will determine measures the organisation needs to take to ensure the data is kept safe.

Hopefully, this article has given you a high level overview as to some of the issues involved in creating a secure bot.