Cisco Connect Toronto 2018 cloud and on premises collaboration security explained

Cisco Connect Toronto
Canada • 18 October 2018
Cloud and On Premises Collaboration Security
Joseph Bassaly
Architect

© 2016 Cisco and/or its affiliates. All rights reserved. 2
What will we cover today ?
• Cisco Collaboration Elements
• Managing Identity
• Cisco WebExTeams Security concepts
• Cisco WebExTeam compliance and Archival
• Cisco Enterprise Content Management (Coming Soon)
• Cisco Control Hub Security Capabilities
• Cisco WebExTeam Network Security
• Cisco WebExTeams Security Roadmap

Messaging Call ControlMeetings
Seamless Collaboration Experience
Link on-premises assets to the cloud

WebEx Teams Client
Collaboration Elements
WebEx Board Video End Points
MEDIA
NODES
Expressway
Existing Services
Teams Meeting
Jabber
IM & Presence
Communication
Manager
Unity
Connection

5© 2016 Cisco and/or its affiliates. All rights reserved.
Managing Identity

IdP – Identity Provider: RP – Relying Party
Users
Explicit Initial Trust
Agreement
Identity Framework
6

Alex
Authentication and Authorization
(AuthN and AuthZ)
Authentication
Authorization
7
Authentication verifies that
“you are who you say you are”
Authorization verifies that
“you are permitted to do what you are trying to do”

Authentication and Authorization
(SAML and OAuth)
Authorization
Client Services
IdP
Authentication

User & Device
Management
Roles based
Access
Security &
Compliance
Analytics
& Reports
SSO &
Directory Sync
Manage Services
& Integrations
9
Cisco Control Hub

10BRKCOL-2080
User Provisioning
• Directory Connector (recommended)
• Manual creation
Add or modify users
Bulk CSV import
• Convert existing users who already have a Spark account
Directory
Connector
Active
Directory
Cisco
Collaboration Cloud
Identity/SSO
HTTPS

Cisco WebEx Team Security

Webex Cloud Security - Realms of Separation
Identity Service Content Server
Key Mgmt Service Indexing Service E-Discovery Service
Webex logically and physically separates functional components within the cloud
Identity Services holding real user Identity (e.g. email addresses)
are separated from :
Encryption, Indexing and E-Discovery Services,
which are in turn separated from :
Data Storage Services
Data Center A Data Center B Data Center C
12© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Webex Cloud

Realms of Separation – Identity Obfuscation
Identity Service Content Server
Key Mgmt Service Indexing Service E-Discovery Service
Outside of the Identity Service - Real Identity information is obfuscated :
For each User ID, Webex Teams generates a random 128-bit Universally Unique
Identifier (UUID) = The User’s obfuscated identity
No real identity information transits the cloud
Data Center A Data Center B Data Center C
jsmith@abc.comhtzb2n78jdbc9e
Webex Cloud

Directory Sync
Identity Service
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Webex Cloud
Webex Teams – User Identity Sync

Directory Sync
SAML SSO
Identity Service
IdP
Webex Cloud
Webex Teams SAML Authentication

Webex Teams App – Cloud connection
IdP
Identity Service Webex Teams
Service
Webex Cloud

Webex Teams Device – cloud connection
Identity Service
1234567890123456
17
Webex Teams
Service
Webex Cloud

WebEx Teams
Secure Messages and Content

Content Server Key Mgmt Service
####### #######message
####filemessage
Webex Teams- Encrypting Messages and Content
Key Management Service
AES256-GCM cipher used for Encryption 19
Webex Cloud

Key Mgmt Service
message#######message
Content Server
####### #######message
Webex Teams - Decrypting Messages and Content
Key Management Service
20
Webex Cloud

WebEx Teams
Secure Search and Indexing

Indexing Service
Webex IS the messageWebex IS the message
Content Server
Webex IS the message
Key Mgmt Service
###################
Searching Webex Teams Spaces: Building a Search Index
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
#################
Indexing Service
#################
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each space
Search Service
Webex Cloud

Indexing Service
“Webex”Webex
###################
Webex Teams spaces : Querying a Search Index
Search for the word “Webex”
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
Indexing Service
“Webex”
Search for the word “Webex”
“B9”######################################
Webex IS the Message
B9
*A link to Conversation Encryption Key is sent with encrypted message
Search Service
Webex Cloud
B9 57 FE 48

Cisco Webex Control Hub
Indexing Service
Jo Smith’s ContentJo Smith’s Content
###################
Webex Teams E-Discovery Service
###################
X1GFT5YY
Hash
Algorithm
Indexing Service
Jo Smith’s Content
“X1GFT5YY”
###################
X1GFT5YY
E-Discovery Service
###################
###################
#################
Search Service
Webex Cloud

E-Discov. Storage
E-Discovery ServiceContent Server Key Mgmt Service
Webex Teams E-Discovery Service
E-Discovery Service
Cisco Webex Control Hub
Jo Smith’s Content###################
Jo Smith’s Messages
and Files
#######################################
##################
#######################################
##################
Jo Smith’s Messages
and Files
Search Service
Webex Cloud
E-Discovery Content
Ready

Secure Data Center
Content Server
Key Mgmt Service
Webex Teams – Hybrid Data Security (HDS)
E-Discovery ServiceIndexing Service
Hybrid Data Security
Hybrid Data Services
=
On Premise :
Key Management Server
Indexing Server
E-Discovery Service
Webex Cloud

Hybrid Key Management
Servers in different
Organizations establish
an encrypted
connection via the
Webex Cloud
Key Mgmt ServiceKey Mgmt Service
HDS: Key Management Server Federation
Hybrid Key Management
Servers make outbound
connections only :
HTTPS, Web Socket Secure
(WSS)
Organization A Organization B
messagemessage
Webex Cloud

Compliance and Archival

Security &
Compliance
Program
Compliance
Content Ownership,
Retention, Archival, E-
Discovery, Legal
Hold, Events APIs
Device and User
Management
Mobile App Management,
Identity, Integration & Ent
Admin Management
Data Security
End to End Encryption,
On-Premises Key
Management System (KMS),
Cloud KMS
Network Connectivity
Proxy & Firewall rules for
Webex Apps and Endpoints.
TLS 1.2, 802.1X
Certifications &
Regulations
Certifications (ISO27K, SOC-2/3,
HIPAA, PCI), Regulatory
compliance (GDPR, MIFID,
BCR)
Webex Teams Security and Compliance Initiative
Enterprise Content
Management
Support for External 3rd
Party File Systems,
Transcoding
29

Compliance Officer : Advanced filters for search
The Compliance Data Search function is restricted to compliance officer(s) only
Search for content in messages and file names
Search by e-mail addresses, or Space IDs
Search by date range
https://admin.webex.com/ediscovery/search

Compliance Officer : Search Results Report Summary
31

Webex Teams Control Hub : Administrator defined Retention Policy
• Default Retention Period : Indefinite
• Subject to storage limits
• Configurable Retention Period : 1 to 120 months
Webex Teams Message and File Retention
https://admin.webex.com/settings

How can you archive Webex Teams data?
Use Cases
• Sophisticated eDiscovery
• Legal Hold
• Retention policies based on groups
Options
• Out-of-the-box Solution : Integrations with Archival partners e.g. Actiance
• Custom Solution : Cisco Advanced Services software & services e.g. Global Relay
• DIY : Use Systems Integrator or self integrate Events API with Archival software
Archival System
Events API
Enterprise
E-Discovery
Application
Webex Cloud
33

Archival Vendors : Feature support (June 2018)
Actiance Global Relay Verint Verba
Archive Messages Yes Yes Yes
Archive Files Yes Yes Yes
Integrate with eVaults Veritas, HP, IBM N/A Yes
On-premise vs Cloud On-Prem, Cloud, Hybrid Yes On-premise
Native-integration vs
Services engagement
Native-integration Cisco AS engagement Native-integration

Webex Teams Events API enables polling for Events and Content generated by users
Allows organizations to monitor and correct user behavior (e.g. Delete Content, Alert User, Alert
Administrator), preventing the loss of sensitive data
Webex Cloud
Events API
Content
Property
Membership Events
DLP or CASB
Policies
Corrective Actions
Delete content/ Alert user/ Alert admin
Data Loss Prevention (DLP) : Monitor and React
Webex Teams
Integrations
Cisco Cloudlock
Third Party Vendors
Skyhigh, Global Relay etc.
CASB : Cloud Access Security Broker

Webex Teams Integrations
Compliance: Data Loss Prevention & Archival
(Cisco Advanced Services offering)
36

Data Loss Prevention : Feature support (June 2018)
Cisco Cloudlock Symantec SkyHigh Netskope Bitglass Verint
Verba
Monitor Messages Yes Future Yes Yes Yes Yes
Monitor Files Yes Yes Yes Yes Yes No
Alerts on violations Yes Yes Yes Yes Yes Yes
Deletion of offending
Messages
Yes Future Yes Yes Yes Yes
Deletion of offending
Files
Yes Future Yes Yes Yes No
Malware
detection/removal
No Yes (Detection) Future Future Yes No
Configure policy per
space or group
Yes
(User, Space)
Yes
(User, Space, Team)
Yes
(AD groups)
Yes Yes Yes

WebEx Teams Control Hub
Security Settings

Controlling User Generated Content
Fine grained controls : DLP/CASB policy enforcement
• Block Social Security Numbers, Credit Card Details
• Block High Risk Users
• Block Highly Confidential Content
Coarse grained controls: Organization wide settings in Webex Teams Control Hub
• Block External Communication
• Block File download
• Block File upload
Finer controls
enable IT
Departments to
enable external
communications
while still being
secure
Block All
Block Highly Confidential
Block Social Security Numbers
Allow But Warn Users
Warn me about communications with
competitors
Block High Risk User Groups
Block File Types based on AD Group
Block content from being sent
to users in China
39

File Sharing Control
• Allows Webex Teams customers to control file
downloads and uploads on specific
client types : Desktop/ Web/ Mobile/ Bots
• Administrator Controlled
• Files and Whiteboard icons greyed
• User warning if file share attempted
Addresses :
Data Loss concerns
Malware concerns
Provides :
Mobile Application Management controls
on Bring Your Own Devices

Webex Teams : Blocking External Communication
What:
Provide administrator with controls to prevent external
communication
 Users within the org cannot add users outside the
org in spaces owned by the org
 Users within the org will not be able to join external
spaces
 Meetings are still allowed
Why:
Need to control Webex Teams usage
 Mitigate data loss (accidental or intentional)
 Regulatory implications of external comms

Webex Teams : Blocking consumer account use on
Corporate networks
What:
• Allow enterprise customers to block users from accessing Cisco
Webex with non-corporate/personal accounts.
• Users can log in only to whitelisted domains.
• Why:
• Enterprise customers require control in a lockdown environment
• Reduces risk of data exfiltration from corporate network
• Compliance with company policies

• Ensures the Webex Teams application can only accessed
on Passcode protected mobile devices
• Helps protects company data when accessing Webex Teams
from a mobile device
• Mobile phone message will warn user and point to
passcode settings
Client Security: PIN Lock on mobile devices

Webex Teams Control Hub – User Devices : Token
Revocation and Remote Wipe
• Administrator can revoke
Access Tokens for a User’s
Devices
• Reset Access force the User to
login the next time they access
Webex Teams.
• Reset Access also wipes the
cached content on mobile
devices.
• Ensures Secure User access
to Webex Teams after a device
is compromised.

WebEx Teams
Network Security

Connecting to Webex through Enterprise Firewalls : Webex Teams
Apps and Devices
Firewalls : Whitelisting Ports and Destinations
You will need to allow Webex Teams media and signaling traffic to pass through your
Enterprise Firewall – For white listing details refer to :
Media Port Ranges :
Source UDP Ports : Voice 52000 - 52099, Video 52100- 52299
Source TCP/ HTTP Ports : Ephemeral (=> No DSCP re-marking)
Destination UDP/ TCP/ HTTP Port : 5004
Destination IP Addresses : Global IP subnets listed in doc above
Webex Teams Network Requirements doc :
https://collaborationhelp.cisco.com/article/en-us/WBX000028782
Webex Cloud
Signalling
UDP Media

• Basic Authentication
Common Proxy Authentication Methods
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
• Digest Authentication
Webex Cloud
Signalling
UDP Media

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Room OS Webex Board Windows Mac iOS Android
No
Authentication
Basic
Digest TBD TBD
NTLM Planning Planning
TLS Inspection Planning Q3CY18 Q3CY18
Kerberos Investigating Investigating Q3CY18 Q3CY18 TBD TBD
Webex Teams : Proxy Authentication Support
Refer to https://collaborationhelp.cisco.com/article/en-us/WBX000028782 for up to date details of feature support

Connecting to Webex from the Enterprise – 802.1X
802.1X Operation
???
• Switch port network access restricted
• Client presents credentials to Authentication Server
• After successful Authentication – switch port configured for the
Device e.g. VLAN(s), ACLs
Authentication
Server
Webex Cloud

Cisco Connect Toronto 2018 cloud and on premises collaboration security explained

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Connect Toronto 2018 cloud and on premises collaboration security explained

Similar to Cisco Connect Toronto 2018 cloud and on premises collaboration security explained (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Cisco Connect Toronto 2018 cloud and on premises collaboration security explained