6. SAML v2.0 In Action
SP-initiated Web Browser SSO Flow
[Diagram: the User's Web Browser, the Service Provider (CUCM, CUC, Webex, Spark, Application ABC) and the Identity Provider (IdP). A Metadata Exchange (0) between SP and IdP precedes the flow. Numbered steps 1 to 6: Resource Request; Redirect w/ Authentication Request; SAML Authentication Request; User Authentication (per IdP policy); SAML Response (with Assertion and cookie); POST with SAML Assertion. The SP then serves the Protected Resource.]
7. SAML v2.0 In Action
IdP Cookies Avoid Re-authentication
[Diagram: the same actors as slide 6 (User's Web Browser, Service Provider: CUCM, CUC, Webex, Spark, and the IdP), with the Metadata Exchange (0) already done. Numbered steps 1 to 5: Resource Request; Redirect w/ Authentication Request; SAML Authentication Request (with cookie); SAML Response (with Assertion); POST with SAML Assertion. The SP then serves the Protected Resource. No authentication needed if the cookie is valid.]
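The two flows above, worked through as an added Go example (not Cisco's code, nor that of any IdP product): the SP records the AuthnRequest ID it redirects the browser with, the IdP authenticates per its own policy (a valid IdP cookie skips the password check, as on slide 7), issues an assertion bound to that request, to the SP and to a short validity window, and the SP performs the checks that matter before releasing the protected resource. Everything named here is constructed: the entity IDs and ACS URL under `example.invalid`, the user `alice` and her password, the 5-minute window. The assertion is a plain struct signed with RSA PKCS#1 v1.5 over a pipe-joined string of its fields, standing in for the XML assertion and XML-DSig signature a real deployment would use; the IdP's public key reaches the SP through `NewPair`, which plays the role of the metadata exchange.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

type Assertion struct { // the SAML 2.0 <Assertion> fields an SP must check; XML and XML-DSig are not modelled
	ID, Issuer, Subject, InResponseTo, Audience, Recipient string
	NotBefore, NotOnOrAfter                                time.Time
	Signature                                              []byte
}

// digest is what the IdP signs and the SP verifies; it stands in for XML canonicalisation.
func digest(a Assertion) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s|%s|%s", a.ID, a.Issuer, a.Subject, a.InResponseTo,
		a.Audience, a.Recipient, a.NotBefore.UTC().Format(time.RFC3339), a.NotOnOrAfter.UTC().Format(time.RFC3339))))
	return h[:]
}

func randomID() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b) // crypto/rand; the leading underscore keeps the ID a valid XML NCName
	return fmt.Sprintf("_%x", b)
}

type IdP struct {
	EntityID        string
	key             *rsa.PrivateKey
	users, sessions map[string]string // constructed user -> password table; IdP cookie -> user (slide 7)
}

// Authenticate is step 4 of the flow: a valid IdP cookie is honoured, otherwise credentials are checked.
func (idp *IdP) Authenticate(cookie, user, password string) (string, string, error) {
	if u, ok := idp.sessions[cookie]; ok {
		return u, cookie, nil
	}
	if pw, ok := idp.users[user]; !ok || pw != password {
		return "", "", fmt.Errorf("authentication failed for %q", user)
	}
	cookie = randomID()
	idp.sessions[cookie] = user
	return user, cookie, nil
}

// IssueAssertion is step 5: the assertion is bound to one request, one SP and a short validity window.
func (idp *IdP) IssueAssertion(requestID, spEntityID, acsURL, user string, now time.Time) (Assertion, error) {
	a := Assertion{ID: randomID(), Issuer: idp.EntityID, Subject: user, InResponseTo: requestID, Audience: spEntityID,
		Recipient: acsURL, NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest(a))
	a.Signature = sig
	return a, err
}

type SP struct {
	EntityID, ACSURL, idpEntityID string
	idpPub                        *rsa.PublicKey  // IdP signing key learned in the metadata exchange (step 0)
	pending                       map[string]bool // AuthnRequest IDs sent to the IdP and not yet answered
}

func (sp *SP) NewAuthnRequest() string { // steps 2-3: record the request ID before redirecting the browser
	id := randomID()
	sp.pending[id] = true
	return id
}

// ConsumeAssertion is step 6; each check rejects a distinct forgery, misdirection or replay.
func (sp *SP) ConsumeAssertion(a Assertion, now time.Time) error {
	if a.Issuer != sp.idpEntityID || rsa.VerifyPKCS1v15(sp.idpPub, crypto.SHA256, digest(a), a.Signature) != nil {
		return fmt.Errorf("assertion %s is not signed by the IdP known from metadata", a.ID)
	}
	if !sp.pending[a.InResponseTo] {
		return fmt.Errorf("assertion %s is unsolicited or replayed", a.ID)
	}
	delete(sp.pending, a.InResponseTo) // one assertion per request
	if a.Audience != sp.EntityID || a.Recipient != sp.ACSURL {
		return fmt.Errorf("assertion %s was issued for another SP or endpoint", a.ID)
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return fmt.Errorf("assertion %s is outside its validity window", a.ID)
	}
	return nil
}

func NewPair() (*IdP, *SP) { // constructed entity IDs, wired together as the metadata exchange would
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	idp := &IdP{EntityID: "https://idp.example.invalid", key: key,
		users: map[string]string{"alice": "correct horse"}, sessions: map[string]string{}}
	sp := &SP{EntityID: "https://spark.example.invalid", ACSURL: "https://spark.example.invalid/acs",
		idpEntityID: idp.EntityID, idpPub: &key.PublicKey, pending: map[string]bool{}}
	return idp, sp
}
```

The order of checks in `ConsumeAssertion` is deliberate: signature first, so nothing unsigned influences state; then `InResponseTo` against the SP's own pending set, consumed on first use, so a captured assertion cannot be posted twice and an IdP-initiated assertion the SP never asked for is refused; then audience and recipient, so an assertion minted for another SP cannot be redirected here; then the time window.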
8. Which IdPs Does Cisco Support?
Cisco supports any IdP vendor that is compliant with the SAML v2 OASIS standard.
Internally, in our development test cycles, we test our products against selected authentication methods of the following IdPs:
§ Microsoft Active Directory Federation Services (ADFS) 2.0
§ Open Access Manager (OpenAM) 11.0
§ PingFederate 6.10.0.4
10. OAuth Authorization Framework
• The OAuth 2.0 standard (RFC 6749) defines a framework to enable third-party applications to obtain limited access to a service or API on behalf of a user
  • Users authorize client applications to securely access protected resources without sharing their credentials (access delegation)
  • Defines authorization tokens: valet key concept
  • Clients can be web apps, native desktop/mobile apps, JavaScript in the browser, …
• Does not deal with user authentication
• Broad adoption in the API-driven world (cloud, microservices, integrations, …)
Source: https://www.programmableweb.com/apis/directory/1?auth=OAuth
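The valet-key idea from the slide, as an added Go example (not Cisco's code and not a library's API): an authorization server records, behind an opaque random token, which user delegated to which client, for which scopes and until when; a resource server accepts `Authorization: Bearer <token>`, asks the authorization server whether the token is live, and lets the request through only if the token's scopes cover the route. The user's password never appears anywhere, and how the user was authenticated before consenting is outside the example, exactly as it is outside OAuth. The client name `archiver-app`, the scopes `messages:read` / `messages:write`, the two routes and the in-memory token store are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is what the authorization server records behind an opaque bearer token: which user
// delegated, to which client, for which scopes and until when. No password is ever involved.
type Token struct {
	User, Client string
	Scopes       map[string]bool
	Expires      time.Time
}

// AuthorizationServer issues and introspects tokens (constructed in-memory store).
type AuthorizationServer struct{ tokens map[string]Token }

func NewAuthorizationServer() *AuthorizationServer {
	return &AuthorizationServer{tokens: map[string]Token{}}
}

// Grant is the consent step: a user who is already authenticated (OAuth does not say how) lets
// client act on their behalf for exactly these scopes. The returned string is random and opaque.
func (as *AuthorizationServer) Grant(user, client string, scopes []string, ttl time.Duration, now time.Time) string {
	b := make([]byte, 24)
	_, _ = rand.Read(b) // crypto/rand
	tok := fmt.Sprintf("%x", b)
	t := Token{User: user, Client: client, Scopes: map[string]bool{}, Expires: now.Add(ttl)}
	for _, s := range scopes {
		t.Scopes[s] = true
	}
	as.tokens[tok] = t
	return tok
}

// Introspect answers the resource server's question: is this token live, and what may it do?
func (as *AuthorizationServer) Introspect(tok string, now time.Time) (Token, bool) {
	t, ok := as.tokens[tok]
	if !ok || !now.Before(t.Expires) {
		return Token{}, false
	}
	return t, true
}

// Revoke withdraws the delegation without touching any user credential.
func (as *AuthorizationServer) Revoke(tok string) { delete(as.tokens, tok) }

// ResourceServer fronts an API; every route names the one scope it requires (constructed table).
type ResourceServer struct {
	as     *AuthorizationServer
	routes map[string]string // "METHOD /path" -> required scope
}

// Authorize reads "Authorization: Bearer <token>" and returns the delegating user if the token
// is live and its scopes cover the route; the failure modes map to 401, 403 and 404.
func (rs *ResourceServer) Authorize(method, path, authorization string, now time.Time) (string, error) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return "", errors.New("401: missing bearer token")
	}
	t, live := rs.as.Introspect(strings.TrimPrefix(authorization, "Bearer "), now)
	if !live {
		return "", errors.New("401: token unknown, revoked or expired")
	}
	need, known := rs.routes[method+" "+path]
	if !known {
		return "", errors.New("404: no such route")
	}
	if !t.Scopes[need] {
		return "", fmt.Errorf("403: token for client %q lacks scope %q", t.Client, need)
	}
	return t.User, nil
}

// NewDemo wires a resource server with two routes of different sensitivity (constructed).
func NewDemo() (*AuthorizationServer, *ResourceServer) {
	as := NewAuthorizationServer()
	rs := &ResourceServer{as: as, routes: map[string]string{
		"GET /messages":    "messages:read",
		"DELETE /messages": "messages:write",
	}}
	return as, rs
}
```

A token granted with only `messages:read` can read the user's messages but is refused with 403 on `DELETE /messages`: that is the valet key, a credential that opens the door but not the glovebox. Expiry and revocation both take effect at the next introspection, which is why short-lived tokens and a working revocation path matter more than the secrecy of any single token.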
21. Spark - Encrypting Messages and Content
[Diagram: Spark Clients, the Key Management Service and the Content Server; encrypted messages and files flow from the Clients into the Spark Cloud.]
Spark Clients request a conversation encryption key from the Key Management Service
Any messages or files sent by a Client are encrypted before being sent to the Spark Cloud
Each Spark Room uses a different Conversation Encryption key
AES256-GCM cipher used for Encryption
22. Spark - Decrypting Messages and Content
[Diagram: Key Mgmt Service and Content Server; encrypted messages flow from the Spark Cloud to the other Clients in the Room.]
Encrypted messages sent by a Client are stored in the Spark Cloud and also sent on to every other Client in the Spark Room
The encrypted message also contains a link to the conversation encryption key
If needed, Spark Clients can retrieve encryption keys from the Key Management Service
27. 3rd Party Integrations
Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance, archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:
Compliance and Archiving: archive content to comply with retention requirements and enable eDiscovery
Data Loss Prevention: apply policies to content, raise violation alerts, and take remediation actions
Identity Management: Single Sign-On via SAML, Mobile Device Management (MDM), SCIM user provisioning and deactivation
29. Spark – Hybrid Data Security (HDS)
[Diagram: Secure Data Center hosting the Hybrid Data Security services (Key Mgmt Service, Indexing Service, E-Discovery Service), alongside the cloud Content Server.]
Hybrid Data Security = Hybrid Data Services On Premise:
Key Management Server
Indexing Server
E-Discovery Service
30. Hybrid Data Security traffic and Firewalls
[Diagram: Secure Data Center with the Hybrid Data Security services (Key Mgmt Service, Compliance Service, Indexing Service) behind the enterprise Firewall; Content Server in the Spark cloud.]
Hybrid Data Services make outbound connections only from the Enterprise to the Spark cloud, using HTTPS and Secure WebSockets (WSS)
No special Firewall configuration required
31. Hybrid Data Security - Scalability
[Diagram: Secure Data Center with several Hybrid Data Security nodes, each with a Key Mgmt Server; Content Server and Key Mgmt Service in the Spark cloud.]
The Hybrid Data Security is managed and upgraded from the cloud
Customers can access usage information for the HDS Servers via the Spark Control Hub
Multiple HDS servers can be provisioned for Scalability & Load Sharing
32. Spark – Hybrid Data Security: Key Management
[Diagram: Secure Data Center with the Key Mgmt Server; Content Server and Key Mgmt Service in the Spark cloud.]
The Hybrid Key Management Server performs the same functions as the Cloud based Key Management Server
BUT
Now all of the keys for messages and content are owned and managed by the Customer
33. HDS - Encrypting Messages & Content
[Diagram: Secure Data Center with the Hybrid Key Management Service; Content Server and Key Mgmt Service in the Spark cloud; encrypted messages flow from the Clients into the cloud.]
Spark Clients request an encryption key from the Hybrid Key Management Server
Any messages or files sent by a Client are encrypted before being sent to the Spark Cloud
Encrypted messages and content are stored in the cloud
Encryption Keys are stored locally
34. HDS - Decrypting Messages & Content
[Diagram: Secure Data Center with the Hybrid Key Management Service; Content Server and Key Mgmt Service in the Spark cloud; encrypted messages flow from the cloud to the other Clients.]
Encrypted messages from Clients are stored in the Spark Cloud
These messages are sent to every other Client in the Spark Room and contain a link to their encryption key on the HDS Key Management Server
If needed, Spark Clients can retrieve encryption keys from the HDS Key Management Server
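The encrypt-relay-decrypt mechanism of slides 21 and 22, which slides 33 and 34 repeat with the key server moved on premises, as one added Go example (not Cisco's code; Cisco's actual key service, message format and key URIs are not public here). A `KMS` holds one AES-256 key per room and addresses it by a key URI; the sending client encrypts with AES-256-GCM and sends an envelope carrying the ciphertext and the key link; the `Cloud` stores and fans out envelopes it cannot read; a receiving client follows the link to fetch the key and decrypts. The same `KMS` type serves as the cloud Key Management Service or an HDS Key Management Server, the only difference being where it runs. The `kms://<location>/keys/<room>` URI scheme, the room IDs, the message text, the use of room ID plus key URI as GCM associated data, and the absence of any per-client authorization on key fetches are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS hands out one AES-256 conversation key per Spark Room, addressed by a key URI. The same code
// stands for the cloud Key Management Service and for an on-premises HDS Key Management Server.
type KMS struct {
	Location string            // descriptive only, e.g. "cloud" or "hds"
	keys     map[string][]byte // key URI -> 32-byte AES-256 key
}

func NewKMS(location string) *KMS { return &KMS{Location: location, keys: map[string][]byte{}} }

// KeyForRoom returns the room's conversation key, generating it on first use (constructed URI scheme).
func (k *KMS) KeyForRoom(roomID string) (string, []byte, error) {
	uri := "kms://" + k.Location + "/keys/" + roomID
	if key, ok := k.keys[uri]; ok {
		return uri, key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", nil, err
	}
	k.keys[uri] = key
	return uri, key, nil
}

// Fetch is what a receiving client does with the key link carried in a message.
func (k *KMS) Fetch(uri string) ([]byte, error) {
	key, ok := k.keys[uri]
	if !ok {
		return nil, errors.New("key not held by this KMS: " + uri)
	}
	return key, nil
}

// Envelope is the unit the Spark cloud stores and relays: ciphertext plus a link to its key, never the key.
type Envelope struct {
	RoomID, KeyURI    string
	Nonce, Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the sending client before the message leaves the device.
func Encrypt(kms *KMS, roomID string, plaintext []byte) (Envelope, error) {
	uri, key, err := kms.KeyForRoom(roomID)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh 96-bit nonce per message; never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(roomID + "|" + uri) // authenticated, not encrypted: binds the ciphertext to room and key link
	return Envelope{RoomID: roomID, KeyURI: uri, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt runs on every receiving client; the envelope's key link says which key to fetch.
func Decrypt(kms *KMS, e Envelope) ([]byte, error) {
	key, err := kms.Fetch(e.KeyURI)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.RoomID+"|"+e.KeyURI))
	if err != nil {
		return nil, errors.New("message rejected: wrong key, moved between rooms, or tampered")
	}
	return pt, nil
}

// Cloud stands in for the Spark content server: it stores envelopes per room and fans them out.
type Cloud struct{ rooms map[string][]Envelope }

func NewCloud() *Cloud { return &Cloud{rooms: map[string][]Envelope{}} }

func (c *Cloud) Store(e Envelope) { c.rooms[e.RoomID] = append(c.rooms[e.RoomID], e) }

func (c *Cloud) Room(roomID string) []Envelope { return c.rooms[roomID] }
```

Two properties of the slides fall out directly: a `Cloud` that only ever sees envelopes holds no key and no plaintext, and because every room has its own key, an envelope re-labelled with another room's ID, or presented to a KMS that does not hold the linked key, fails to open. GCM's authentication tag also rejects any modification of the ciphertext, which is the reason to prefer an AEAD mode over plain AES-CBC for stored-and-relayed content.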
35. Hybrid Data Security – Secure App Connections
[Diagram: Spark Apps, the Spark Service (Content Server, Search Service) and the Hybrid Data Security Node in the Secure Data Center; an App to Cloud TLS connection and an App to HDS TLS connection.]
Spark Apps establish a direct TLS connection to the On Premise HDS node and KMS service
This encrypted peer to peer session traverses the Spark Cloud
90. Premium Visibility & Control
Advanced role based capabilities
Cisco Spark Control Hub: full lifecycle management and security
Pro Pack: premium capabilities (1)
(1) For administrators, security professionals, or compliance officers who desire greater visibility and control or specific capabilities
Areas: Provisioning, Admin, Management; Security; Compliance; Analytics
96. Enterprise Compliance – eDiscovery Reports
The eDiscovery reports console supports investigating DLP and other compliance events with speed and accuracy
§ Meet HR, GRC & Legal compliance mandates
§ Only authorized members of the legal, HR and GRC teams can investigate events
§ Will allow exporting reports to eDiscovery products
[Diagram: Indexing Service]
99. Archival Strategy
Ø DIY: Use favorite SI or self-integrate the Events API with Archival software
Ø Out-of-the-box Solution: Integrations with Archival partners, e.g. Actiance
Ø E2E Custom Solution: Cisco Advanced Services software packages & services
• Benefits
  • Sophisticated eDiscovery
  • Legal Hold
  • Retention policies based on groups
[Diagram: Events API feeding an Archival System with E-Discovery]
101. DLP/CASB integration
• Cisco will have the best solution here by combining our leading-edge Cloudlock DLP/CASB (Data Loss Prevention / Cloud Access Security Broker) product with Cisco Spark.
• Customers who don't want Cloudlock can integrate with their own DLP systems through an AS offer, or through their own custom development.
• We will be integrating with other third-party vendors; we are evaluating Skyhigh and Symantec, but any DLP platform can be supported by using our APIs. We have an AS offer to address that space.
• We can support coarse-grained and fine-grained policies.
[Diagram: Compliance Service]
104. Cisco CloudLock
Discover and Control
[Diagram labels: User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware; Shadow IT/OAuth Discovery and Control; Data Exposures and Leakages; Privacy and Compliance Violations; Compromised Accounts; Insider Threats]