Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained

232 views

Publié le

Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained

Published in: Technology

  1. Cisco Connect, Ottawa, Canada, 2 October 2018. Cloud and On-Premises Collaboration Security. Joseph Bassaly, Architect.
  2. © 2016 Cisco and/or its affiliates. All rights reserved. What will we cover today? Cisco Collaboration Elements; Managing Identity; Cisco WebEx Teams security concepts; Cisco WebEx Teams compliance and archival; Cisco Enterprise Content Management (coming soon); Cisco Control Hub security capabilities; Cisco WebEx Teams network security; Cisco WebEx Teams security roadmap.
  3. Seamless collaboration experience: Messaging, Meetings and Call Control, linking on-premises assets to the cloud.
  4. Collaboration Elements (diagram labels): WebEx Teams client, WebEx Board, video endpoints, media nodes, Expressway; existing services: Teams, Meeting, Jabber, IM & Presence, Communication Manager, Unity Connection.
  5. Managing Identity (section title).
  6. Identity Framework (diagram labels): IdP, Identity Provider; RP, Relying Party; Users; Explicit Initial Trust Agreement; Indirect Agreement; Authentication.
  7. Authentication and Authorization (AuthN and AuthZ). Authentication verifies that "you are who you say you are"; authorization verifies that "you are permitted to do what you are trying to do".
  8. Authentication and Authorization (SAML and OAuth) (diagram labels): Client, Services, IdP; Authentication, Authorization.
  9. Cisco Control Hub: user and device management; role-based access; security and compliance; analytics and reports; SSO and directory sync; manage services and integrations.
  10. User Provisioning (BRKCOL-2080): Directory Connector (recommended); manual creation (add or modify users, bulk CSV import); convert existing users who already have a Spark account. (Diagram: the Directory Connector syncs Active Directory to the Cisco Collaboration Cloud identity/SSO service over HTTPS.)
  11. Cisco WebEx Teams Security (section title).
  12. Webex Cloud Security, Realms of Separation. Webex logically and physically separates functional components within the cloud. Identity Services holding real user identity (e.g. email addresses) are separated from Encryption, Indexing and E-Discovery Services, which are in turn separated from Data Storage Services. (Diagram: Identity Service, Content Server, Key Management Service, Indexing Service and E-Discovery Service spread across Data Center A, Data Center B and Data Center C in the Webex Cloud.) © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public.
  13. Realms of Separation, Identity Obfuscation. Outside of the Identity Service, real identity information is obfuscated: for each User ID, Webex Teams generates a random 128-bit Universally Unique Identifier (UUID), which is the user's obfuscated identity. No real identity information transits the cloud. (Diagram: jsmith@abc.com is represented as htzb2n78jdbc9e outside the Identity Service.)
  14. Webex Teams, User Identity Sync (diagram: Directory Sync into the Identity Service in the Webex Cloud).
  15. Webex Teams SAML Authentication (diagram: Directory Sync; SAML SSO between the IdP and the Identity Service in the Webex Cloud).
  16. Webex Teams App, cloud connection (diagram labels: IdP, Identity Service, Webex Teams Service, Webex Cloud).
  17. Webex Teams Device, cloud connection (diagram labels: Identity Service, Webex Teams Service, Webex Cloud, 1234567890123456).
  18. WebEx Teams Secure Messages and Content (section title).
  19. Webex Teams, Encrypting Messages and Content. Keys come from the Key Management Service; the AES256-GCM cipher is used for encryption. (Diagram: the message and the file are encrypted and stored on the Content Server in the Webex Cloud.)
  20. Webex Teams, Decrypting Messages and Content. (Diagram: the encrypted message is fetched from the Content Server and decrypted with a key obtained from the Key Management Service.)
  21. WebEx Teams Secure Search and Indexing (section title).
  22. Searching Webex Teams Spaces: Building a Search Index. (Diagram: the message "Webex IS the message" is stored encrypted on the Content Server; each word is run through the hash algorithm, giving B9, 57, FE and 48, and only these hashes are sent to the Indexing Service.) A new (SHA-256 HMAC) hashing key (Search Key) is used for each space.
  23. Webex Teams spaces: Querying a Search Index. Searching for the word "Webex" hashes it with the same algorithm (B9); the Indexing Service matches B9 against the index and the Search Service returns the encrypted message "Webex IS the message". A link to the Conversation Encryption Key is sent with the encrypted message.
  24. Webex Teams E-Discovery Service (diagram labels: Cisco Webex Control Hub, Indexing Service, Content Server, Key Management Service, E-Discovery Service, Search Service; "Jo Smith's Content" is hashed to X1GFT5YY and looked up in the index).
  25. Webex Teams E-Discovery Service (diagram labels: E-Discovery Storage, E-Discovery Service, Content Server, Key Management Service, Search Service, Cisco Webex Control Hub; Jo Smith's messages and files are collected and the Control Hub is told "E-Discovery Content Ready").
  26. Webex Teams, Hybrid Data Security (HDS). Hybrid Data Services run on premises in a secure data center: Key Management Server, Indexing Server, E-Discovery Service. (Diagram: the Content Server remains in the Webex Cloud.)
  27. HDS: Key Management Server Federation. Hybrid Key Management Servers in different organizations establish an encrypted connection via the Webex Cloud. Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS). (Diagram: Organization A and Organization B, each with its own Key Management Service, exchange messages through the Content Server in the Webex Cloud.)
  28. Compliance and Archival (section title).
  29. Webex Teams Security and Compliance Initiative (Security & Compliance Program). Compliance: content ownership, retention, archival, e-discovery, legal hold, Events APIs. Device and user management: mobile app management, identity, integration & enterprise admin management. Data security: end-to-end encryption, on-premises Key Management System (KMS), cloud KMS. Network connectivity: proxy & firewall rules for Webex apps and endpoints, TLS 1.2, 802.1X. Certifications & regulations: certifications (ISO27K, SOC-2/3, HIPAA, PCI), regulatory compliance (GDPR, MiFID, BCR). Enterprise Content Management: support for external 3rd-party file systems, transcoding.
  30. Compliance Officer: advanced filters for search. The Compliance Data Search function is restricted to compliance officer(s) only. Search for content in messages and file names; search by e-mail addresses or Space IDs; search by date range. https://admin.webex.com/ediscovery/search
  31. Compliance Officer: Search Results Report Summary.
  32. Webex Teams Message and File Retention. Webex Teams Control Hub: administrator-defined retention policy. Default retention period: indefinite (subject to storage limits). Configurable retention period: 1 to 120 months. https://admin.webex.com/settings
  33. How can you archive Webex Teams data? Use cases: sophisticated eDiscovery; legal hold; retention policies based on groups. Options: out-of-the-box solution, integrations with archival partners, e.g. Actiance; custom solution, Cisco Advanced Services software & services, e.g. Global Relay; DIY, use a systems integrator or self-integrate the Events API with archival software. (Diagram: the Webex Cloud Events API feeds an archival system and an enterprise e-discovery application.)
  34. Archival Vendors: feature support (June 2018).
      Feature                                    Actiance                 Global Relay           Verint Verba
      Archive messages                           Yes                      Yes                    Yes
      Archive files                              Yes                      Yes                    Yes
      Integrate with eVaults                     Veritas, HP, IBM         N/A                    Yes
      On-premise vs cloud                        On-prem, cloud, hybrid   Yes                    On-premise
      Native integration vs services engagement  Native integration       Cisco AS engagement    Native integration
  35. Data Loss Prevention (DLP): Monitor and React. The Webex Teams Events API enables polling for events and content generated by users. It allows organizations to monitor and correct user behavior (e.g. delete content, alert user, alert administrator), preventing the loss of sensitive data. (Diagram: the Webex Cloud Events API exposes content, property and membership events to DLP or CASB policies, which drive corrective actions: delete content, alert user, alert admin.) Webex Teams integrations: Cisco Cloudlock; third-party vendors such as Skyhigh and Global Relay. CASB: Cloud Access Security Broker.
  36. Webex Teams Integrations. Compliance: Data Loss Prevention & Archival (Cisco Advanced Services offering).
  37. Data Loss Prevention: feature support (June 2018).
      Feature                              Cisco Cloudlock     Symantec                 SkyHigh          Netskope   Bitglass   Verint Verba
      Monitor messages                     Yes                 Future                   Yes              Yes        Yes        Yes
      Monitor files                        Yes                 Yes                      Yes              Yes        Yes        No
      Alerts on violations                 Yes                 Yes                      Yes              Yes        Yes        Yes
      Deletion of offending messages       Yes                 Future                   Yes              Yes        Yes        Yes
      Deletion of offending files          Yes                 Future                   Yes              Yes        Yes        No
      Malware detection/removal            No                  Yes (detection)          Future           Future     Yes        No
      Configure policy per space or group  Yes (user, space)   Yes (user, space, team)  Yes (AD groups)  Yes        Yes        Yes
  38. WebEx Teams Control Hub Security Settings (section title).
  39. Controlling User Generated Content. Fine-grained controls (DLP/CASB policy enforcement): block Social Security Numbers and credit card details; block high-risk users; block highly confidential content. Coarse-grained controls (organization-wide settings in Webex Teams Control Hub): block external communication; block file download; block file upload. Finer controls enable IT departments to enable external communications while still being secure. (Diagram of the control spectrum: Block All; Block Highly Confidential; Block Social Security Numbers; Allow But Warn Users; Warn me about communications with competitors; Block High Risk User Groups; Block File Types based on AD Group; Block content from being sent to users in China.)
  40. File Sharing Control. Allows Webex Teams customers to control file downloads and uploads on specific client types: desktop, web, mobile, bots. Administrator controlled; files and whiteboard icons are greyed out; the user is warned if a file share is attempted. Addresses data loss concerns and malware concerns. Provides Mobile Application Management controls on Bring Your Own Devices.
  41. Webex Teams: Blocking External Communication. What: provide the administrator with controls to prevent external communication: users within the org cannot add users outside the org to spaces owned by the org; users within the org will not be able to join external spaces; meetings are still allowed. Why: need to control Webex Teams usage: mitigate data loss (accidental or intentional); regulatory implications of external communications.
  42. Webex Teams: Blocking consumer account use on corporate networks. What: allow enterprise customers to block users from accessing Cisco Webex with non-corporate/personal accounts; users can log in only to whitelisted domains. Why: enterprise customers require control in a lockdown environment; reduces the risk of data exfiltration from the corporate network; compliance with company policies.
  43. Client Security: PIN Lock on mobile devices. Ensures the Webex Teams application can only be accessed on passcode-protected mobile devices; helps protect company data when accessing Webex Teams from a mobile device; a message on the mobile phone warns the user and points to the passcode settings.
  44. Webex Teams Control Hub, User Devices: Token Revocation and Remote Wipe. The administrator can revoke access tokens for a user's devices. Reset Access forces the user to log in the next time they access Webex Teams. Reset Access also wipes the cached content on mobile devices. Ensures secure user access to Webex Teams after a device is compromised.
  45. WebEx Teams Network Security (section title).
  46. Connecting to Webex through Enterprise Firewalls: Webex Teams apps and devices. Firewalls: whitelisting ports and destinations. You will need to allow Webex Teams media and signaling traffic to pass through your enterprise firewall; for whitelisting details refer to the Webex Teams Network Requirements doc: https://collaborationhelp.cisco.com/article/en-us/WBX000028782. Media port ranges: source UDP ports, voice 52000-52099, video 52100-52299; source TCP/HTTP ports, ephemeral (so no DSCP re-marking); destination UDP/TCP/HTTP port, 5004; destination IP addresses, the global IP subnets listed in the doc above. (Diagram: signalling and UDP media from apps and devices to the Webex Cloud.)
  47. Common Proxy Authentication Methods: Basic Authentication; NTLMv2 Authentication; Negotiate Authentication; Kerberos; Digest Authentication. (Diagram: signalling and UDP media to the Webex Cloud.)
  48. Webex Teams: Proxy Authentication Support (table; columns: Room OS, Webex Board, Windows, Mac, iOS, Android; rows: No Authentication, Basic, Digest, NTLM, TLS Inspection, Kerberos; the status cells that survived extraction read TBD, Planning, Q3CY18 and Investigating, while the supported-cell marks did not survive). Refer to https://collaborationhelp.cisco.com/article/en-us/WBX000028782 for up-to-date details of feature support.
  49. Connecting to Webex from the Enterprise: 802.1X. 802.1X operation: switch port network access is restricted; the client presents credentials to the Authentication Server; after successful authentication the switch port is configured for the device, e.g. VLAN(s), ACLs. (Diagram: Authentication Server, Webex Cloud.)
  50. Thank you.
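The per-space keyed search index from slides 22 and 23 (a new SHA-256 HMAC Search Key per space, words hashed under it before they reach the Indexing Service, and a query hashed the same way), as an added Python example that is not part of the deck or of Cisco's code. The IndexingService class, the message ids and the sample messages are constructed for illustration, and the AES-256-GCM ciphertext that goes to the Content Server is not modelled.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

def new_search_key() -> bytes:
    """A fresh 256-bit HMAC key: the per-space Search Key from the slides."""
    return secrets.token_bytes(32)

def tokenize(text: str) -> list:
    """Lower-case word split so "Webex" and "webex" index identically."""
    return re.findall(r"[a-z0-9]+", text.lower())

def blind_word(search_key: bytes, word: str) -> str:
    """HMAC-SHA256 of one word (the slides show shortened values like B9)."""
    return hmac.new(search_key, word.encode("utf-8"), hashlib.sha256).hexdigest()

class IndexingService:
    """Cloud-side index (constructed stand-in): stores keyed hashes -> message ids,
    never plaintext words and never the per-space key."""
    def __init__(self):
        self.index = defaultdict(set)

    def add(self, blinded_words, message_id):
        for h in blinded_words:
            self.index[h].add(message_id)

    def lookup(self, blinded_word):
        return set(self.index.get(blinded_word, ()))

def index_message(service, search_key, message_id, plaintext):
    """Client side (slide 22): hash every word under the space key, send hashes only.
    The AES-256-GCM ciphertext sent to the Content Server is not modelled here."""
    service.add({blind_word(search_key, w) for w in tokenize(plaintext)}, message_id)

def search_space(service, search_key, query):
    """Client side (slide 23): blind the query word the same way, ask for matches."""
    words = tokenize(query)
    return service.lookup(blind_word(search_key, words[0])) if words else set()

def demo():
    """Constructed sample: two spaces with independent search keys, one shared index."""
    svc = IndexingService()
    key_a, key_b = new_search_key(), new_search_key()
    index_message(svc, key_a, "msg-1", "Webex IS the message")
    index_message(svc, key_a, "msg-2", "Lunch at noon?")
    index_message(svc, key_b, "msg-3", "Webex board demo tomorrow")
    hits_a = search_space(svc, key_a, "Webex")  # {"msg-1"}: only space A's message
    hits_b = search_space(svc, key_b, "Webex")  # {"msg-3"}: space B's key, space B's hit
    # A new key per space means the same word hashes differently in each space.
    same_hash = blind_word(key_a, "webex") == blind_word(key_b, "webex")  # False
    return hits_a, hits_b, same_hash
```

Because the index holds only keyed hashes, a party that holds the index but not the space's Search Key cannot recover the words, which is the separation the deck describes between the Indexing Service and the Key Management Service.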
