Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
- 2. © 2016 Cisco and/or its affiliates. All rights reserved.
What will we cover today?
• Cisco Collaboration Elements
• Managing Identity
• Cisco WebEx Teams Security concepts
• Cisco WebEx Team compliance and Archival
• Cisco Enterprise Content Management (Coming Soon)
• Cisco Control Hub Security Capabilities
• Cisco WebEx Team Network Security
• Cisco WebEx Teams Security Roadmap
- 3.
Messaging, Call Control, Meetings
Seamless Collaboration Experience
Link on-premises assets to the cloud
- 4.
Collaboration Elements
Diagram: WebEx Teams Client, WebEx Board, Video End Points, Media Nodes, Expressway, Existing Services, Teams Meeting, Jabber, IM & Presence, Communication Manager, Unity Connection
- 5.
Managing Identity
- 6.
IdP: Identity Provider; RP: Relying Party
Identity Framework (diagram): Users, IdP and RP, linked by Authentication, an Explicit Initial Trust Agreement and an Indirect Agreement
- 7.
Authentication and Authorization (AuthN and AuthZ)
Authentication verifies that “you are who you say you are”
Authorization verifies that “you are permitted to do what you are trying to do”
- 8.
Authentication and Authorization (SAML and OAuth)
Diagram: Authentication (SAML) between the client and the IdP; Authorization (OAuth) between the client and services
- 9.
Cisco Control Hub
• User & Device Management
• Role-based Access
• Security & Compliance
• Analytics & Reports
• SSO & Directory Sync
• Manage Services & Integrations
- 10.
BRKCOL-2080
User Provisioning
• Directory Connector (recommended)
• Manual creation: add or modify users, bulk CSV import
• Convert existing users who already have a Spark account
Diagram: the Directory Connector syncs Active Directory to the Cisco Collaboration Cloud Identity/SSO service over HTTPS
- 11.
Cisco WebEx Team Security
- 12.
Webex Cloud Security - Realms of Separation
Webex logically and physically separates functional components within the cloud:
Identity Services, holding real user identity (e.g. email addresses), are separated from Encryption, Indexing and E-Discovery Services, which are in turn separated from Data Storage Services.
Diagram: Identity Service, Key Mgmt Service, Indexing Service, E-Discovery Service and Content Server, spread across Data Center A, Data Center B and Data Center C in the Webex Cloud
- 13.
Realms of Separation – Identity Obfuscation
Outside of the Identity Service, real identity information is obfuscated:
For each User ID, Webex Teams generates a random 128-bit Universally Unique Identifier (UUID) = the user’s obfuscated identity
No real identity information transits the cloud
Diagram: the Identity Service maps jsmith@abc.com to its obfuscated identity (shown as htzb2n78jdbc9e); the Key Mgmt Service, Indexing Service, E-Discovery Service and Content Server, across Data Center A, B and C in the Webex Cloud, see only the obfuscated identity
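The UUID-based obfuscation on this slide, as an added worked example in Go (not Cisco's code and not part of the deck): an Identity Service that is the only holder of the email-to-UUID mapping, a version-4 UUID generator built on crypto/rand, and a guard that checks a record for real identities before it crosses into another realm. The service structure, the ContentRecord type and the guard are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// IdentityService is the one component allowed to hold the link between a real
// identity (an email address) and the random 128-bit UUID that every other
// service works with. Constructed illustration, not Cisco's implementation.
type IdentityService struct {
	mu      sync.Mutex
	byEmail map[string]string // real email -> obfuscated UUID
	byUUID  map[string]string // obfuscated UUID -> real email
}

func NewIdentityService() *IdentityService {
	return &IdentityService{byEmail: map[string]string{}, byUUID: map[string]string{}}
}

// newUUID draws 16 random bytes and sets the RFC 4122 version-4 and variant
// bits, so the identifier carries no information about the user at all.
func newUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4 (random)
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	h := hex.EncodeToString(b[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32], nil
}

// Obfuscate returns the UUID for an email address, minting one on first use.
func (s *IdentityService) Obfuscate(email string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	email = strings.ToLower(strings.TrimSpace(email))
	if id, ok := s.byEmail[email]; ok {
		return id, nil
	}
	id, err := newUUID()
	if err != nil {
		return "", err
	}
	s.byEmail[email] = id
	s.byUUID[id] = email
	return id, nil
}

// Resolve maps a UUID back to the real identity. Only the Identity Service can
// do this; the Content, Key Management and Indexing realms never hold byUUID.
func (s *IdentityService) Resolve(uuid string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	email, ok := s.byUUID[uuid]
	if !ok {
		return "", errors.New("unknown obfuscated identity")
	}
	return email, nil
}

// ContentRecord is the shape of data that crosses into the other realms: the
// sender is identified by UUID only (hypothetical type for this example).
type ContentRecord struct {
	SenderID string // obfuscated identity
	SpaceID  string
}

// LeaksIdentity is a guard to run at the realm boundary: it reports whether a
// record still carries a real identity instead of an obfuscated one.
func (s *IdentityService) LeaksIdentity(r ContentRecord) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, senderIsEmail := s.byEmail[strings.ToLower(r.SenderID)]
	return senderIsEmail || strings.Contains(r.SenderID, "@")
}

func main() {
	svc := NewIdentityService()
	id, err := svc.Obfuscate("jsmith@abc.com")
	if err != nil {
		panic(err)
	}
	rec := ContentRecord{SenderID: id, SpaceID: "space-42"}
	fmt.Printf("record for other realms: %+v (leaks identity: %v)\n", rec, svc.LeaksIdentity(rec))
	email, _ := svc.Resolve(id)
	fmt.Println("identity service resolves it back to", email)
}
```

The point to check in a real deployment is the same one the guard encodes: nothing outside the identity realm should be able to call anything like Resolve, and no record leaving that realm should carry an email address.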
- 14.
Webex Teams – User Identity Sync
Diagram: Directory Sync feeds the Identity Service in the Webex Cloud
- 15.
Webex Teams SAML Authentication
Diagram: Directory Sync feeds the Identity Service in the Webex Cloud; SAML SSO runs between the IdP and the Identity Service
- 16.
Webex Teams App – Cloud connection
Diagram: the Webex Teams app connects to the IdP, the Identity Service and the Webex Teams Service in the Webex Cloud
- 17.
Webex Teams Device – cloud connection
Diagram: the device (shown with the 16-digit code 1234567890123456) connects to the Identity Service and the Webex Teams Service in the Webex Cloud
- 18.
WebEx Teams
Secure Messages and Content
- 19.
Webex Teams – Encrypting Messages and Content
AES256-GCM cipher used for Encryption
Diagram: messages and files are encrypted with a key from the Key Management Service and stored encrypted (shown as #######) on the Content Server in the Webex Cloud
- 20.
Webex Teams – Decrypting Messages and Content
Diagram: the encrypted message (#######) is fetched from the Content Server and decrypted with the key obtained from the Key Management Service
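The encrypt and decrypt flow on slides 19 and 20, as an added Go example that is not from the deck or from Cisco: a toy Key Management Service that hands out one AES-256 key per conversation, and client-side encryption with AES-256-GCM (the cipher named on slide 19) that leaves only a key reference, a nonce and the ciphertext on the content server. The kms:// URI scheme, the in-memory KMS, and binding the conversation ID as GCM associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManagementService mints one AES-256 key per conversation, addressed by a
// URI. Clients store only the URI beside the ciphertext, so the Content Server
// never holds key material. Constructed illustration of the slides' flow, not
// Cisco's KMS; the kms:// URI scheme is an assumption.
type KeyManagementService struct{ keys map[string][]byte }

func NewKMS() *KeyManagementService {
	return &KeyManagementService{keys: map[string][]byte{}}
}

// KeyURIForConversation returns the conversation's key URI, minting a random
// key on first use.
func (k *KeyManagementService) KeyURIForConversation(convID string) (string, error) {
	uri := "kms://kms.example.invalid/keys/" + convID
	if _, ok := k.keys[uri]; !ok {
		key := make([]byte, 32) // 256-bit key
		if _, err := rand.Read(key); err != nil {
			return "", err
		}
		k.keys[uri] = key
	}
	return uri, nil
}

// Fetch releases key material; a real KMS first checks that the caller is a
// member of the conversation.
func (k *KeyManagementService) Fetch(uri string) ([]byte, error) {
	if key, ok := k.keys[uri]; ok {
		return key, nil
	}
	return nil, errors.New("unknown key URI")
}

// Envelope is what the Content Server stores. The conversation ID is bound as
// GCM additional authenticated data, so an envelope copied into another
// conversation fails to open even though its key URI is still valid.
type Envelope struct {
	ConvID, KeyURI string
	Nonce          []byte
	Ciphertext     []byte // ciphertext followed by the 16-byte GCM tag
}

func gcmFor(kms *KeyManagementService, uri string) (cipher.AEAD, error) {
	key, err := kms.Fetch(uri)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the sending client's side: fetch the conversation key and seal
// the message under a fresh 96-bit nonce.
func Encrypt(kms *KeyManagementService, convID string, plaintext []byte) (Envelope, error) {
	uri, err := kms.KeyURIForConversation(convID)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := gcmFor(kms, uri)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(convID))
	return Envelope{ConvID: convID, KeyURI: uri, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the receiving client's side: follow the key URI, then open. Any
// change to nonce, ciphertext, tag or conversation binding is rejected.
func Decrypt(kms *KeyManagementService, env Envelope) ([]byte, error) {
	gcm, err := gcmFor(kms, env.KeyURI)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ConvID))
}

func main() {
	kms := NewKMS()
	env, err := Encrypt(kms, "space-42", []byte("Webex IS the message"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("content server stores key=%s ct=%x\n", env.KeyURI, env.Ciphertext)
	pt, err := Decrypt(kms, env)
	fmt.Printf("client decrypts: %q (err=%v)\n", pt, err)
}
```

Two properties worth verifying against any real deployment of this pattern: the stored envelope contains a key reference and never the key, and GCM's authentication tag makes any modification of the stored ciphertext detectable at decrypt time.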
- 21.
WebEx Teams
Secure Search and Indexing
- 22.
Searching Webex Teams Spaces: Building a Search Index
Diagram: the message “Webex IS the message” is stored encrypted (###################) on the Content Server; the Indexing Service decrypts it with the key from the Key Mgmt Service, runs each word through the Hash Algorithm with the space’s Search Key (hashes shown as B9 57 FE 48) and stores the hashed words in the Search Service
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each space
- 23.
Webex Teams spaces: Querying a Search Index
Diagram: the client searches for the word “Webex”; the Indexing Service runs it through the Hash Algorithm with the space’s Search Key (B9) and queries the Search Service with the hash; the matching encrypted message (###################, “Webex IS the Message”) is returned to the client
* A link to the Conversation Encryption Key is sent with the encrypted message
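Building and querying the hashed search index from slides 22 and 23, as an added Go example (not the deck's or Cisco's code): a per-space SHA-256 HMAC Search Key, an Index step that stores only word hashes in the Search Service, and a Query that hashes the search term with the same key. The tokenizer, the in-memory index layout and the single-word query are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// SearchService stores, per space, a map from HMAC-SHA256 word hashes to the
// IDs of messages containing that word. It never sees a plaintext word or a
// Search Key. Constructed illustration of the slides' scheme, not Cisco's
// indexing code; the tokenizer is an assumption.
type SearchService struct {
	index map[string]map[string][]string // spaceID -> word hash -> message IDs
}

func NewSearchService() *SearchService {
	return &SearchService{index: map[string]map[string][]string{}}
}

// NewSearchKey mints the per-space SHA-256 HMAC key; the Key Management
// Service would hold it and release it to the Indexing Service.
func NewSearchKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// tokenize lower-cases and splits on anything that is not a letter or digit,
// so "Webex" and "webex" index to the same hash.
func tokenize(text string) []string {
	return strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsNumber(r)
	})
}

// hashWord is the Hash Algorithm box on the slide: HMAC-SHA256 under the
// space's Search Key, so the same word hashes differently in every space.
func hashWord(searchKey []byte, word string) string {
	mac := hmac.New(sha256.New, searchKey)
	mac.Write([]byte(word))
	return hex.EncodeToString(mac.Sum(nil))
}

// Index is what the Indexing Service does after decrypting a message: hash
// each distinct word and record the message ID under that hash.
func (s *SearchService) Index(spaceID string, searchKey []byte, msgID, plaintext string) {
	bySpace, ok := s.index[spaceID]
	if !ok {
		bySpace = map[string][]string{}
		s.index[spaceID] = bySpace
	}
	seen := map[string]bool{}
	for _, w := range tokenize(plaintext) {
		h := hashWord(searchKey, w)
		if !seen[h] {
			seen[h] = true
			bySpace[h] = append(bySpace[h], msgID)
		}
	}
}

// Query hashes the search term with the same Search Key and looks the hash
// up; the Search Service only ever receives the hash.
func (s *SearchService) Query(spaceID string, searchKey []byte, term string) []string {
	words := tokenize(term)
	if len(words) != 1 {
		return nil // single-word lookup, as on the slide
	}
	return s.index[spaceID][hashWord(searchKey, words[0])]
}

// IndexContainsPlaintext lets a reviewer confirm the stored index holds no
// plaintext words: every key must be a 64-hex-character HMAC.
func (s *SearchService) IndexContainsPlaintext(spaceID string) bool {
	for h := range s.index[spaceID] {
		if _, err := hex.DecodeString(h); err != nil || len(h) != 64 {
			return true
		}
	}
	return false
}

func main() {
	svc := NewSearchService()
	key, _ := NewSearchKey()
	svc.Index("space-1", key, "m1", "Webex IS the message")
	svc.Index("space-1", key, "m2", "another message")
	fmt.Println("hash stored for 'webex':", hashWord(key, "webex")[:8])
	fmt.Println("query Webex ->", svc.Query("space-1", key, "Webex"))
}
```

Because the key is per space, a hash learned from one space's index says nothing about the words in another space, which is the property the footnote on slide 22 is buying.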
- 24.
Webex Teams E-Discovery Service
Diagram: a request for Jo Smith’s Content from Cisco Webex Control Hub goes to the Indexing Service, which runs it through the Hash Algorithm (shown as X1GFT5YY) and queries the Search Service; the matching encrypted content (##################) is retrieved from the Content Server and, with keys from the Key Mgmt Service, handed to the E-Discovery Service
- 25.
Webex Teams E-Discovery Service
Diagram: the E-Discovery Service collects Jo Smith’s Messages and Files (stored encrypted, ####################) from the Content Server, decrypts them with keys from the Key Mgmt Service and writes them to E-Discovery Storage; Cisco Webex Control Hub is notified “E-Discovery Content Ready”
- 26.
Webex Teams – Hybrid Data Security (HDS)
Hybrid Data Services = On Premise: Key Management Server, Indexing Server, E-Discovery Service
Diagram: Secure Data Center running the Key Mgmt Service, Indexing Service and E-Discovery Service (Hybrid Data Security); Content Server; Webex Cloud
- 27.
HDS: Key Management Server Federation
Hybrid Key Management Servers in different Organizations establish an encrypted connection via the Webex Cloud
Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS)
Diagram: the Key Mgmt Service in Organization A and the Key Mgmt Service in Organization B exchange messages through the Webex Cloud (Content Server, Key Mgmt Service)
- 28.
Compliance and Archival
- 29.
Webex Teams Security and Compliance Initiative
Security & Compliance Program:
• Compliance: Content Ownership, Retention, Archival, E-Discovery, Legal Hold, Events APIs
• Device and User Management: Mobile App Management, Identity, Integration & Enterprise Admin Management
• Data Security: End to End Encryption, On-Premises Key Management System (KMS), Cloud KMS
• Network Connectivity: Proxy & Firewall rules for Webex Apps and Endpoints, TLS 1.2, 802.1X
• Certifications & Regulations: Certifications (ISO27K, SOC-2/3, HIPAA, PCI), Regulatory compliance (GDPR, MIFID, BCR)
• Enterprise Content Management: Support for External 3rd Party File Systems, Transcoding
- 30.
Compliance Officer: Advanced filters for search
The Compliance Data Search function is restricted to compliance officer(s) only
• Search for content in messages and file names
• Search by e-mail addresses, or Space IDs
• Search by date range
https://admin.webex.com/ediscovery/search
- 31.
Compliance Officer: Search Results (screenshot: Report Summary)
- 32.
Webex Teams Message and File Retention
Webex Teams Control Hub: Administrator defined Retention Policy
• Default Retention Period: Indefinite (subject to storage limits)
• Configurable Retention Period: 1 to 120 months
https://admin.webex.com/settings
- 33.
How can you archive Webex Teams data?
Use Cases
• Sophisticated eDiscovery
• Legal Hold
• Retention policies based on groups
Options
• Out-of-the-box Solution: Integrations with Archival partners, e.g. Actiance
• Custom Solution: Cisco Advanced Services software & services, e.g. Global Relay
• DIY: Use a Systems Integrator or self-integrate the Events API with Archival software
Diagram: the Events API of the Webex Cloud feeds an Archival System and an Enterprise E-Discovery Application
- 34.
Archival Vendors: Feature support (June 2018)
Feature | Actiance | Global Relay | Verint Verba
Archive Messages | Yes | Yes | Yes
Archive Files | Yes | Yes | Yes
Integrate with eVaults | Veritas, HP, IBM | N/A | Yes
On-premise vs Cloud | On-Prem, Cloud, Hybrid | Yes | On-premise
Native-integration vs Services engagement | Native-integration | Cisco AS engagement | Native-integration
- 35.
Data Loss Prevention (DLP): Monitor and React
Webex Teams Events API enables polling for Events and Content generated by users
Allows organizations to monitor and correct user behavior (e.g. Delete Content, Alert User, Alert Administrator), preventing the loss of sensitive data
Diagram: the Events API of the Webex Cloud exposes Content, Property and Membership Events to DLP or CASB Policies, which apply Corrective Actions (Delete content / Alert user / Alert admin); Webex Teams Integrations: Cisco Cloudlock, Third Party Vendors (Skyhigh, Global Relay etc.)
CASB: Cloud Access Security Broker
- 36.
Webex Teams Integrations
Compliance: Data Loss Prevention & Archival
(Cisco Advanced Services offering)
- 37.
Data Loss Prevention: Feature support (June 2018)
Feature | Cisco Cloudlock | Symantec | SkyHigh | Netskope | Bitglass | Verint Verba
Monitor Messages | Yes | Future | Yes | Yes | Yes | Yes
Monitor Files | Yes | Yes | Yes | Yes | Yes | No
Alerts on violations | Yes | Yes | Yes | Yes | Yes | Yes
Deletion of offending Messages | Yes | Future | Yes | Yes | Yes | Yes
Deletion of offending Files | Yes | Future | Yes | Yes | Yes | No
Malware detection/removal | No | Yes (Detection) | Future | Future | Yes | No
Configure policy per space or group | Yes (User, Space) | Yes (User, Space, Team) | Yes (AD groups) | Yes | Yes | Yes
- 38.
WebEx Teams Control Hub
Security Settings
- 39.
Controlling User Generated Content
Fine grained controls: DLP/CASB policy enforcement
• Block Social Security Numbers, Credit Card Details
• Block High Risk Users
• Block Highly Confidential Content
Coarse grained controls: Organization wide settings in Webex Teams Control Hub
• Block External Communication
• Block File download
• Block File upload
Finer controls enable IT Departments to enable external communications while still being secure
Diagram (example policies): Block All; Block Highly Confidential; Block Social Security Numbers; Allow But Warn Users; Warn me about communications with competitors; Block High Risk User Groups; Block File Types based on AD Group; Block content from being sent to users in China
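A policy engine of the kind slide 35 describes, polling events from an events API, applying the fine-grained controls listed on slide 39 (Social Security Numbers, credit card details, high-risk users, highly confidential content) and mapping hits to the corrective actions Delete content / Alert user / Alert admin. This is an added Go example, not the deck's code and not any vendor's product; the Event fields, the [HIGHLY CONFIDENTIAL] marker, the regular expressions and the sample events are constructed assumptions. A Luhn check is included so that 13-16 digit order or ticket numbers do not trigger the card rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a constructed stand-in for one message event polled from an events
// API; the field names are assumptions, not the Webex Events API schema.
type Event struct {
	ID       string
	ActorID  string // obfuscated user ID of the author
	Text     string
	External bool // the space contains users outside the organization
}

// Finding is one corrective action the policy wants taken on an event.
type Finding struct {
	EventID, Rule, Action string // Action: "delete", "alert-user" or "alert-admin"
}

// Policy holds the organization-specific part of the fine-grained controls.
type Policy struct {
	HighRiskUsers map[string]bool
}

var (
	ssnRe  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)
)

// luhnValid stops 13-16 digit order or ticket numbers from being treated as
// card numbers: only strings with a valid Luhn check digit count.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// digitsOnly drops the spaces and dashes people type between card groups.
func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// Evaluate applies every rule to one event and returns the actions to take.
func (p Policy) Evaluate(ev Event) []Finding {
	var out []Finding
	add := func(rule string, actions ...string) {
		for _, a := range actions {
			out = append(out, Finding{EventID: ev.ID, Rule: rule, Action: a})
		}
	}
	if ssnRe.MatchString(ev.Text) {
		add("ssn", "delete", "alert-admin")
	}
	for _, cand := range cardRe.FindAllString(ev.Text, -1) {
		if luhnValid(digitsOnly(cand)) {
			add("credit-card", "delete", "alert-user")
			break
		}
	}
	if ev.External && strings.Contains(strings.ToUpper(ev.Text), "[HIGHLY CONFIDENTIAL]") {
		add("highly-confidential-external", "delete", "alert-user")
	}
	if ev.External && p.HighRiskUsers[ev.ActorID] {
		add("high-risk-user-external", "alert-admin")
	}
	return out
}

// Poll is one polling cycle over the events fetched since the last cursor.
func (p Policy) Poll(events []Event) []Finding {
	var all []Finding
	for _, ev := range events {
		all = append(all, p.Evaluate(ev)...)
	}
	return all
}

// SampleEvents is constructed test data, not captured traffic.
func SampleEvents() []Event {
	return []Event{
		{ID: "e1", ActorID: "u1", Text: "my SSN is 123-45-6789"},
		{ID: "e2", ActorID: "u2", Text: "card 4111 1111 1111 1111 exp 12/29", External: true},
		{ID: "e3", ActorID: "u2", Text: "order 1234567812345678 shipped", External: true},
		{ID: "e4", ActorID: "u9", Text: "[HIGHLY CONFIDENTIAL] roadmap attached", External: true},
		{ID: "e5", ActorID: "u9", Text: "lunch?"},
	}
}

func main() {
	p := Policy{HighRiskUsers: map[string]bool{"u9": true}}
	for _, f := range p.Poll(SampleEvents()) {
		fmt.Printf("%s %-28s -> %s\n", f.EventID, f.Rule, f.Action)
	}
}
```

The "delete" action in a real integration would call back into the messaging API to remove the content; here the engine only returns the decision, which keeps policy evaluation testable on its own.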
- 40.
File Sharing Control
• Allows Webex Teams customers to control file downloads and uploads on specific client types: Desktop / Web / Mobile / Bots
• Administrator Controlled
• Files and Whiteboard icons greyed
• User warning if file share attempted
Addresses: Data Loss concerns, Malware concerns
Provides: Mobile Application Management controls on Bring Your Own Devices
- 41.
Webex Teams: Blocking External Communication
What: Provide administrators with controls to prevent external communication
• Users within the org cannot add users outside the org in spaces owned by the org
• Users within the org will not be able to join external spaces
• Meetings are still allowed
Why: Need to control Webex Teams usage
• Mitigate data loss (accidental or intentional)
• Regulatory implications of external comms
- 42.
Webex Teams: Blocking consumer account use on Corporate networks
What:
• Allow enterprise customers to block users from accessing Cisco Webex with non-corporate/personal accounts.
• Users can log in only to whitelisted domains.
Why:
• Enterprise customers require control in a lockdown environment
• Reduces risk of data exfiltration from corporate network
• Compliance with company policies
- 43.
Client Security: PIN Lock on mobile devices
• Ensures the Webex Teams application can only be accessed on passcode-protected mobile devices
• Helps protect company data when accessing Webex Teams from a mobile device
• A message on the mobile phone will warn the user and point to the passcode settings
- 44. © 2 0 1 6 C is c o a n d /o r its a ffilia te s . A ll rig h ts re s e rv e d . 4 4
Webex Teams Control Hub – User Devices: Token Revocation and Remote Wipe
• Administrator can revoke Access Tokens for a User’s Devices
• Reset Access forces the User to log in the next time they access Webex Teams.
• Reset Access also wipes the cached content on mobile devices.
• Ensures secure User access to Webex Teams after a device is compromised.
- 45.
WebEx Teams
Network Security
- 46.
Connecting to Webex through Enterprise Firewalls: Webex Teams Apps and Devices
Firewalls: Whitelisting Ports and Destinations
You will need to allow Webex Teams media and signaling traffic to pass through your Enterprise Firewall. For whitelisting details refer to the Webex Teams Network Requirements doc: https://collaborationhelp.cisco.com/article/en-us/WBX000028782
Media Port Ranges:
• Source UDP Ports: Voice 52000 - 52099, Video 52100 - 52299
• Source TCP/HTTP Ports: Ephemeral (=> No DSCP re-marking)
• Destination UDP/TCP/HTTP Port: 5004
• Destination IP Addresses: Global IP subnets listed in the doc above
Diagram: Signalling and UDP Media flows to the Webex Cloud
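The media port rules on this slide, as an added Go example (not from the deck or from Cisco's documentation): a flow classifier that allows UDP voice (source 52000-52099) and video (source 52100-52299) and TCP media to destination port 5004 on whitelisted subnets, and shows why the fixed source ranges matter for DSCP re-marking while the ephemeral TCP source port gives nothing to key on. The 192.0.2.0/24 subnet is a placeholder for the global IP subnets in the referenced doc; the ephemeral-port threshold of 1024 and the EF/AF41 DSCP values are assumptions, not values from the slide.

```go
package main

import (
	"fmt"
	"net"
)

// Flow is one connection attempt seen at the enterprise edge (constructed).
type Flow struct {
	Proto   string // "udp" or "tcp"
	SrcPort int
	DstIP   string
	DstPort int
}

// Verdict is the classification of a flow against the media rules on the slide.
type Verdict struct {
	Class   string // "voice", "video", "tcp-media" or "unclassified"
	Allowed bool
	DSCP    int // suggested re-marking; 0 means leave the marking alone
}

// mediaPort is the destination port for Webex Teams media on the slide.
const mediaPort = 5004

// Port ranges are from the slide. EF (46) for voice and AF41 (34) for video
// are conventional QoS markings and an assumption here, not stated on the
// slide; likewise the 1024 ephemeral-port threshold.
const (
	voiceLo, voiceHi     = 52000, 52099
	videoLo, videoHi     = 52100, 52299
	ephemeralLo          = 1024
	dscpVoice, dscpVideo = 46, 34
)

// Placeholder for the "Global IP subnets listed in the doc": TEST-NET-1 is used
// because the real subnets are not reproduced on the slide.
var webexSubnets = mustParseCIDRs("192.0.2.0/24")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func destinationIsWebex(ip string) bool {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false
	}
	for _, n := range webexSubnets {
		if n.Contains(parsed) {
			return true
		}
	}
	return false
}

// Classify decides whether a flow matches the whitelist and, because the UDP
// source range identifies voice vs video, which DSCP value a firewall or
// router could re-mark it with. TCP media uses an ephemeral source port, so
// there is nothing to key the re-marking on (the "No DSCP re-marking" note).
func Classify(f Flow) Verdict {
	if !destinationIsWebex(f.DstIP) || f.DstPort != mediaPort {
		return Verdict{Class: "unclassified"}
	}
	switch {
	case f.Proto == "udp" && f.SrcPort >= voiceLo && f.SrcPort <= voiceHi:
		return Verdict{Class: "voice", Allowed: true, DSCP: dscpVoice}
	case f.Proto == "udp" && f.SrcPort >= videoLo && f.SrcPort <= videoHi:
		return Verdict{Class: "video", Allowed: true, DSCP: dscpVideo}
	case f.Proto == "tcp" && f.SrcPort >= ephemeralLo:
		return Verdict{Class: "tcp-media", Allowed: true}
	}
	return Verdict{Class: "unclassified"}
}

func main() {
	samples := []Flow{ // constructed flows
		{"udp", 52010, "192.0.2.10", 5004},
		{"udp", 52150, "192.0.2.10", 5004},
		{"tcp", 50000, "192.0.2.10", 5004},
		{"udp", 52010, "198.51.100.7", 5004},
		{"udp", 52010, "192.0.2.10", 9999},
	}
	for _, f := range samples {
		fmt.Printf("%-4s %5d -> %s:%d  %+v\n", f.Proto, f.SrcPort, f.DstIP, f.DstPort, Classify(f))
	}
}
```

When the real subnet list is substituted for the placeholder, the same classifier doubles as a quick audit of a captured flow log: anything that lands in "unclassified" but was permitted by the firewall is a rule broader than the slide requires.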
- 47.
Common Proxy Authentication Methods
• Basic Authentication
• NTLMv2 Authentication
• Negotiate Authentication
• Kerberos
• Digest Authentication
Diagram: Signalling and UDP Media flows to the Webex Cloud
- 48.
Webex Teams: Proxy Authentication Support
Platforms: Room OS, Webex Board, Windows, Mac, iOS, Android
Methods: No Authentication, Basic, Digest, NTLM, TLS Inspection, Kerberos
Kerberos: Room OS Investigating, Webex Board Investigating, Windows Q3CY18, Mac Q3CY18, iOS TBD, Android TBD
Other cells recovered from the table: Digest TBD, TBD; NTLM Planning, Planning; TLS Inspection Planning, Q3CY18, Q3CY18 (the supported-platform marks were not preserved)
Refer to https://collaborationhelp.cisco.com/article/en-us/WBX000028782 for up to date details of feature support
- 49.
Connecting to Webex from the Enterprise – 802.1X
802.1X Operation
• Switch port network access restricted
• Client presents credentials to the Authentication Server
• After successful Authentication, the switch port is configured for the Device, e.g. VLAN(s), ACLs
Diagram: client, switch and Authentication Server in the enterprise; Webex Cloud