Stanislav Cherepanov CCSI 22.12.2020 Cloud Collaboration Solutions


Page 1: Cloud Collaboration Solutions

Stanislav Cherepanov

CCSI

22.12.2020

Cloud Collaboration Solutions

Page 2: Cloud Collaboration Solutions

C97-739799-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Page 3: Cloud Collaboration Solutions

C97-742848-01 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential

8:00 am - Message: Jump start your day! Say goodbye to email. Quickly catch up on your conversations.

9:00 am - Call: Never miss a customer call; calls are routed to any device, anywhere.

10:00 am - Meet: Check in with a colleague 1:1, or with the whole team. See 25 people at one time.

10:45 am - Review: Search for and view meeting highlights. Share actions with the team.

11:30 am - Schedule: Use your Microsoft or Google calendar to schedule a meeting.

1:00 pm - Whiteboard: Jump into a meeting and sketch out ideas as if you were in the same room.

2:00 pm - Co-edit a file: Access and work on files together, right from within a message.

3:00 pm - Message 3rd parties: Simply and securely send messages and files to people outside your company.

4:00 pm - Add some fun: Add an emoji or animated GIF to show appreciation of good work.

Be productive from anywhere

Webex: Home, Mobile, Branch locations, Main Office

Unified Application

Page 4: Cloud Collaboration Solutions

Integrated devices: Better experiences and lower TCO

Smart Devices

Page 5: Cloud Collaboration Solutions

Automated intelligence in every workspace

Smart Devices

• App-driven call handover between devices

• Shared proximity awareness connects apps to devices

• Context-sensitivity from headsets to devices

• One in-room control point for desktop and room devices

Page 6: Cloud Collaboration Solutions

Power of the Webex Platform: Consistent. Comprehensive. Innovative. Open

Open Platform, Unified Experience

Platform components shown: Meetings, Client Framework, Common Identity, Calendaring, Cognitive Collaboration, Whiteboarding, Messaging, Proximity, Unified Calling Architecture, Media Engine, Device OS, VDI, Global Backbone, Security, Edge & Hybrid Services, Management, Analytics, Network, and more…

+ 24,000 more

Calling - Meetings - Teams - Contact Center - Jabber

Single platform advantage

Page 7: Cloud Collaboration Solutions


Webex Cloud

Page 8: Cloud Collaboration Solutions

Webex Meetings Data Centre Locations

• Webex Meeting related Services
  • Meetings / Events / Training / Support
  • Identity
  • Site Administration / Analytics / Billing
  • Recording / Transcription

• Webex Media Services
  • Media Nodes for Webex Meetings and Webex Teams: Voice, Video and Content Sharing services
  • PSTN access for Meetings
  • Multiple data centre locations worldwide

• Internet Points of Presence
  • Used to route Webex Meetings traffic to a Cisco Data Center Location

Map legend: Regional Data Centre Locations; Webex Meetings-related services (not media); Webex Media services; Internet Point of Presence

Locations marked on the map: Virginia, Texas, California, North Carolina, New York, New Jersey, Illinois, London, Amsterdam, Bangalore, Singapore, Sydney, Tokyo, Hong Kong

Page 9: Cloud Collaboration Solutions

Webex Meetings related Services (not media services)

Services shown: Meeting Centre Service, Events Centre Service, Training Centre Service, Support Centre Service, Identity Service, Recording Service, Transcription Service, Analytics Service, Site Admin Service

Data Centre A / Data Centre B / Data Centre C and Data Centre A' / Data Centre B' / Data Centre C'

Webex Services for Webex Meetings/Events/Training/Support, Identity, Recording, Transcription, Billing, Analytics and Administration are distributed and replicated across multiple independent data centres.

User Generated Content (e.g. Recordings, Transcripts, Uploaded Files) is stored in the data center closest to a Customer's location as provided during the ordering process.

Webex Meetings Data residency locations: EMEAR / APJ / US / Australia

Page 10: Cloud Collaboration Solutions

Webex Meetings App - TLS/HTTPS signaling traffic

Diagram labels, from the Internet inward: Internet (Webex Meetings App, TLS) -> Webex Perimeter Protection (DDoS Protection, Traffic Filtering, Behavioural Analysis) -> Firewall / Router -> TLS Termination (TLS/HTTPS Proxies on a private IP address range, reached from public IP addresses via 1:1 NAT) -> Firewall / Router -> Meetings Services (private IP address range, several Webex Meetings Service instances), all inside the Secure Webex Data Centre

Page 11: Cloud Collaboration Solutions

Webex Meetings Media Services

Diagram: Media Service instances in Data Centre A, B, C, D, E and F

• Webex Media services are globally distributed across multiple data centres

• Media Server clusters in each data centre provide local and geographic redundancy

• Media servers support voice, video and content sharing

• All media is encrypted

Page 12: Cloud Collaboration Solutions

Webex Media Services - Cloud Security and DMZ

Diagram labels, from the Internet inward: Internet -> Webex Perimeter Protection (UDP/TCP/TLS Media Traffic Filtering, Volumetric Attack Protection) -> Firewall / Router -> Media Services (public IP address range; Media Nodes, each with OS Services: OS firewall module, OS Hardening, Security Patches, Logging / Metrics agents) -> Firewall / Router -> Meetings Services (private IP address range, Webex Meetings Service instances), all inside the Secure Webex Data Centre

Encrypted Media ports: UDP Media Port 9000, TCP Media Port 5004, TLS Media Port 443

Page 13: Cloud Collaboration Solutions

Webex Meetings - User, Identity & Access Management

Webex Identity Service

User account creation methods:

- Webex Directory Connector
  • Active Directory Sync Tool
  • Control Hub only

- System for Cross-Domain Identity Management (SCIM) API
  • Sync from Cloud IdP, e.g. Azure AD, Okta User DB
  • Control Hub only

- Webex User/People API

- Manually add Users

- CSV File upload

Diagram: Active Directory -> Cisco Directory Connector (Directory Sync) -> Webex Cloud; Azure/Okta -> SCIM -> Webex Cloud; Webex Control Hub; Webex Cloud services shown: Identity Service, Meeting Centre Service, Recording Service, Site Admin Service, Analytics Service

Page 14: Cloud Collaboration Solutions

Webex Meetings - SAML SSO Authentication

Diagram: Webex Cloud (Identity Service, Meeting Centre Service, Recording Service, Site Admin Service, Analytics Service); Active Directory -> Cisco Directory Connector (Directory Sync); Azure/Okta -> SCIM; SSO IdP -> SAML -> Identity Service

Single Sign On (SSO) for User Authentication:

Administrators can configure Webex Meetings to work with their existing SSO solution.

Webex Meetings supports Identity Providers using Security Assertion Markup Language (SAML) 2.0 for Authentication and OAuth 2.0 Authorization.

For a list of supported IdPs see https://help.webex.com/en-us/lfu88u/Single-Sign-On-Integration-in-Cisco-Webex-Control-Hub

Page 15: Cloud Collaboration Solutions

Connecting to the Webex cloud - Apps and Devices

Diagram: East Coast and West Coast sites, each with a Webex Meetings Service and a Webex Media Service; TLS Encrypted Signalling from apps and devices to the Webex Meetings Service, Encrypted Media to the Webex Media Service, and Cascaded Encrypted Media between the two Media Services

Cisco Webex Meetings Apps:
- Windows, Mac
- iOS, Android
- Web
Authentication: User Sign In
Authorization: OAuth 2.0

Cisco Webex Devices:
- Webex Room Series
- Webex Desktop Series
- Webex Board
Onboarding: Activation Code
Authentication: Machine Account
Authorization: OAuth 2.0

All initiated connections are outbound only, from the Enterprise to Webex Cloud.

Page 16: Cloud Collaboration Solutions

Webex Meetings App - cloud connection summary

1) Customer downloads and installs the Webex Meetings App

2) Webex Meetings App establishes a secure TLS connection with the Webex Cloud

3) Webex Identity Service prompts User for their Webex site URL, e.g. cisco.webex.com

4) User authenticated by Webex Identity Service, or Enterprise IdP (SSO)

5) OAuth Access and Refresh Tokens created and sent to Webex Meetings App

• The Access Token contains details of the Webex Meetings resources the User is authorised to access

• Webex Meetings App presents its Access Token to register with Webex Meetings Services over a secure channel

Diagram: Webex Cloud (Identity Service, Webex Meetings Service), Enterprise IdP

Page 17: Cloud Collaboration Solutions

Webex - Device Onboarding

Diagram: Webex Device, Webex Discovery Service, Identity Service, Webex Service, Webex Image Store (Webex Meetings image), Webex Control Hub; activation code shown on the slide: 1234567890123456

1) Webex Device application software and embedded OS installed as a firmware binary image before leaving the factory

2) Webex Control Hub Admin generates a device activation code for the device

3) User prompted for activation code during device installation. Activation code sent to Webex discovery service, which determines the device's organization and redirects to the Identity Service

4) Identity Service sends OAuth tokens and Trusted Root Certificate list (can include Enterprise CA Certs for TLS inspection) to the device

5) Device checks current software version. If upgrade required, a signed image is sent to the device. Device will not load an unsigned image

6) Device registers to Webex Services

Page 18: Cloud Collaboration Solutions

Webex Meetings App: User Authentication (1)

Diagram: Webex Meetings App, Webex Authorization Service, Webex Identity Service; TLS encrypted signalling on both legs

1) Initial HTTP Request: GET https://meetings.webex.com

2) No OAuth Access Token: Redirect to Authorization Server

3) Authorization Request with Webex Site ID and OAuth Token Scopes

4) Not Authenticated: Refer to Identity Service for Authentication

To access any Webex Meetings service, the App/Device must present a valid OAuth Access Token. If no Access Token is present, the App/Device is redirected to the Authorization Service.

The Webex Site ID in the Authorization request determines the User's Org and Identity Service. The App/Device is redirected to the Identity Service for Authentication.

Page 19: Cloud Collaboration Solutions

Webex Meetings App: User Authentication (2)

Users can authenticate to the Webex Identity Service (typically consumer accounts), or to an Enterprise (on-premises, or cloud) IdP that supports Single Sign On (SSO) using Security Assertion Markup Language (SAML) 2.0 (as shown in the diagram).

Diagram: Webex Meetings App, Webex Authorization Service, Webex Identity Service, Enterprise IdP; TLS encrypted signalling

5) Authentication Request to Identity Service

6) Using SSO with Enterprise IdP: Redirect to IdP

7) SAML User Authentication at the IdP

8) Return SAML Assertion

Page 20: Cloud Collaboration Solutions

Webex Meetings App: User Authentication (3)

Webex Meetings users using Single Sign On use a combination of SAML for authentication and either the OAuth Authorization Code Grant method (as shown in the diagram) or the Client Credential Grant method for authorization.

Diagram: Webex Meetings App, Webex Authorization Service, Webex Identity Service; TLS encrypted signalling

9) POST SAML Assertion to Identity Service for validation

10) Redirect to Authorization Service with User ID

11) POST SAML Assertion & User ID to Authorization Service

12) Return Authorization Code

Page 21: Cloud Collaboration Solutions

Webex Meetings App: User/Device Authorization

Once the Webex Meetings App/Device is authenticated, the OAuth Grant flow is used to deliver OAuth Access and Refresh Tokens to the App/Device.

The Access Token must be presented to gain authorized access to Webex services.

Diagram: Webex Meetings App, Webex Authorization Service, Webex Identity Service, Webex Meetings Service; TLS encrypted signalling

13) Send Authorization Code & Client Secret to Authorization Service

14) Return OAuth Access Token and Refresh Token

15) Request Webex Meetings Service with Access Token

16) Webex Meetings Service Access Granted
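The sixteen-step sign-in sequence on the four slides above can be traced end to end with a small simulation. This is an added example, not Webex code: the service classes, the HMAC-signed stand-in for a SAML assertion, the scope names, the client secret and the site-to-org mapping are all constructed assumptions.

```python
"""Constructed simulation of the Webex Meetings App sign-in sequence shown in steps 1-16:
redirect to the Authorization Service, SAML authentication at the enterprise IdP,
authorization-code exchange, then access to the Meetings Service with the token.
Service classes, keys, scope names and message formats are stand-ins, not the Webex protocol."""
import hashlib
import hmac
import secrets


def saml_assertion(idp_key, user_id, org):
    """Stand-in for a signed SAML assertion (step 8): the IdP keys (user, org) with an HMAC."""
    body = f"{user_id}|{org}"
    return {"body": body, "sig": hmac.new(idp_key, body.encode(), hashlib.sha256).hexdigest()}


class IdentityService:
    """Maps the Webex Site ID to the user's org and its IdP, and validates the assertion (steps 4, 9, 10)."""

    def __init__(self, site_to_org, org_idp_keys):
        self.site_to_org = site_to_org      # site ID -> org
        self.org_idp_keys = org_idp_keys    # org -> key of the IdP trusted for that org

    def validate_assertion(self, site_id, assertion):
        org = self.site_to_org[site_id]
        expected = hmac.new(self.org_idp_keys[org], assertion["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            raise PermissionError("SAML assertion not signed by the org's IdP")
        user_id, asserted_org = assertion["body"].split("|")
        if asserted_org != org:
            raise PermissionError("assertion issued for a different org")
        return user_id, org                 # step 10: back to the Authorization Service with the User ID


class AuthorizationService:
    """Issues single-use authorization codes (step 12) and swaps them for tokens (steps 13-14)."""

    def __init__(self, clients):
        self.clients = clients              # client ID -> client secret
        self.codes = {}                     # code -> (user, org, scopes); deleted once used
        self.tokens = {}                    # access token -> claims

    def issue_code(self, user_id, org, scopes):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user_id, org, tuple(scopes))
        return code

    def exchange(self, code, client_id, client_secret):
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("client secret rejected")
        if code not in self.codes:
            raise PermissionError("authorization code unknown or already used")
        user_id, org, scopes = self.codes.pop(code)
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = {"sub": user_id, "org": org, "scopes": scopes}
        return {"access_token": access, "refresh_token": refresh}

    def claims_for(self, access_token):
        return self.tokens.get(access_token)


class MeetingsService:
    """Steps 1-2 and 15-16: no valid token means a redirect; otherwise the token's scopes decide."""

    def __init__(self, authz):
        self.authz = authz

    def request(self, access_token, needed_scope):
        claims = self.authz.claims_for(access_token)
        if claims is None:
            return "redirect: Authorization Service"
        if needed_scope not in claims["scopes"]:
            return "forbidden: scope not granted"
        return f"granted: {claims['sub']}"


def sign_in(app, site_id, user_id, idp_key, identity, authz, meetings, scopes):
    """Run steps 1-16 for one user; returns (first response, tokens, second response)."""
    first = meetings.request("", "read_meeting_data")           # 1-2: no token, redirected
    org = identity.site_to_org[site_id]                         # 3-4: site ID selects org and IdP
    assertion = saml_assertion(idp_key, user_id, org)           # 5-8: user authenticates at the IdP
    uid, org = identity.validate_assertion(site_id, assertion)  # 9-10: assertion validated
    code = authz.issue_code(uid, org, scopes)                   # 11-12: authorization code
    tokens = authz.exchange(code, app["client_id"], app["client_secret"])   # 13-14: tokens
    second = meetings.request(tokens["access_token"], "read_meeting_data")  # 15-16: access
    return first, tokens, second
```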

Page 22: Cloud Collaboration Solutions

Webex Meetings: OAuth Access and Refresh Tokens

OAuth Access Token: uses JSON Web Token (JWT) format, signed (JWS)

OAuth Refresh Token: presented to the authorization service to renew the Access token

Diagram: Request Webex Meetings Service with Access Token -> Webex Meetings Service Access Granted

Access tokens allow apps and devices to gain access to authorized services. Access tokens contain scopes that define which services are authorized.

Access tokens are renewed when they reach 75% of their lifetime.

Page 23: Cloud Collaboration Solutions

Webex Meetings: OAuth Access and Refresh Tokens

OAuth Access Token scopes define which Meetings services Webex Apps and Devices are permitted to use, e.g.: Read User data, Read Meeting data, Read Recording data, Write User data, Write Meeting data, Write Recording data, Write Settings data

Webex Apps and Devices have more than one access token, e.g. Webex Cloud Identity Services token, Webex Meetings Token

Webex Access Token lifetimes vary by device, e.g.:
- Meetings App access token lifetime = 6 hours
- Device access token lifetime = 6 hours
- Directory Connector access token lifetime = 1 hour
Access Token renewed by sending Refresh Token when lifetime = 75%. Token lifetime values can be reconfigured by service request.

Webex Refresh Token lifetime typically 60 days. Lifetime values can be reconfigured by service request.
- Refresh Token renewed when Access Token renewed
- Refresh Token renewal (on/off) configurable by service request
- If Refresh Token renewal = Off: App logged out, Device off-boarded when Refresh Token lifetime expires
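The lifetimes and the 75% renewal rule on these two slides can be checked against a working token model. This is an added example, not Webex's token implementation: the HS256 signing key, the claim names and the session structure are constructed, and only the lifetimes and the renewal rules come from the slides.

```python
"""Constructed model of the token lifecycle on these slides: a signed JWT (JWS) access token,
renewal once 75% of its lifetime has elapsed, a refresh token of typically 60 days, and the
refresh-token-renewal switch. The HS256 signing, the key and the claim names are stand-ins;
the slides do not show Webex's real token contents."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-authorization-service-key"
ACCESS_LIFETIME = {                 # seconds, lifetimes quoted on the slide
    "meetings_app": 6 * 3600,
    "device": 6 * 3600,
    "directory_connector": 1 * 3600,
}
REFRESH_LIFETIME = 60 * 24 * 3600   # "typically 60 days"
RENEW_AT = 0.75                     # access token renewed at 75% of its lifetime


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(client_kind, subject, scopes, now):
    """Compact JWS (header.claims.signature) carrying the granted scopes and an expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now,
              "exp": now + ACCESS_LIFETIME[client_kind]}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, now):
    """Return the claims if the JWS signature checks out and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(parts[2])):
            return None
        claims = json.loads(_unb64url(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if now < claims["exp"] else None


def renewal_due(claims, now):
    """True once 75% of the access token's lifetime has elapsed."""
    return now - claims["iat"] >= RENEW_AT * (claims["exp"] - claims["iat"])


def new_session(client_kind, subject, scopes, now):
    """State an app or device holds after step 14: access token plus refresh-token expiry."""
    return {"kind": client_kind, "sub": subject, "scopes": list(scopes),
            "access": issue_access_token(client_kind, subject, scopes, now),
            "refresh_exp": now + REFRESH_LIFETIME}


def refresh(session, now, refresh_renewal_on):
    """Present the refresh token to renew the access token. Returns the new session, or None
    once the refresh token has expired (app logged out, device off-boarded)."""
    if now >= session["refresh_exp"]:
        return None
    renewed = dict(session)
    renewed["access"] = issue_access_token(session["kind"], session["sub"], session["scopes"], now)
    if refresh_renewal_on:          # refresh token renewed together with the access token
        renewed["refresh_exp"] = now + REFRESH_LIFETIME
    return renewed
```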

Page 24: Cloud Collaboration Solutions

Access to Webex Meetings Media Services (1)

Diagram: Webex Meetings Application and Webex Devices -> Internet -> Webex Data Centre (Media Services); Encrypted HTTPS Signalling; Encrypted Voice, Video and Content Sharing; Equinix IXE Private Link

Access Options:

Internet Access: Signalling and Media traverse the Internet

Private Peering: Media traverses Equinix Private Link; non-Webex App signalling traverses the Internet

Page 25: Cloud Collaboration Solutions

Access to Webex Meetings Media Services (2)

Diagram: Webex Data Centre (Media Services), reached over the Internet (SIP signalling) and the PSTN

SIP Endpoints (Cisco SIP devices, 3rd Party SIP devices): Inbound Calling, Outbound Calling; Voice & Video supported; Optional Signalling Encryption; Optional Media Encryption

PSTN Endpoints (PSTN Phones, Mobile Phones): Inbound Calling, Outbound Calling; Voice Only; PSTN Signalling not encrypted; PSTN Media not encrypted

Page 26: Cloud Collaboration Solutions

Webex Meetings - Media Encryption ciphers

Diagram: Webex Data Centre (Media Services); TLS/HTTPS with Encrypted Media for apps and cloud devices, SIP with Optionally Encrypted Media for SIP devices

3rd Party SIP devices: Media Encryption optional; AES-CM-128-HMAC-SHA1 cipher

On Premises registered Cisco Devices: Media Encryption optional; AES-CM-128-HMAC-SHA1 cipher

Webex App: Media Always Encrypted; AES-128-CBC, AES-256-GCM*

Cloud Registered Webex Device: Media Always Encrypted; AES-CM-128-HMAC-SHA1 cipher

* AES-256-GCM media encryption: roll out commences June 2020

Page 27: Cloud Collaboration Solutions

Webex Meetings Encryption - Devices using SRTP

Devices using SRTP: Cloud Registered Webex Devices, On Premises registered Cisco Devices, 3rd Party SIP devices

Media Encryption Cipher: AES-CM-128-HMAC-SHA1

A unique pair of encryption keys is used for each media stream.

The pair of master encryption keys used for each media stream is securely exchanged over the TLS signalling channel.

Since each call leg uses a unique pair of keys for each media stream, decryption and re-encryption must be performed between call legs.

Diagram: Webex Data Centre (Media Services); TLS/HTTPS signalling with SRTP Encrypted Media for cloud registered devices, SIP over TLS with SRTP Encrypted Media for on-premises and 3rd party devices

Page 28: Cloud Collaboration Solutions

Webex Meetings App - Media Encryption

Webex Meetings Apps: Windows, Mac, iOS, Android

Media Encryption Cipher: AES-128-CBC, AES-256-GCM*

* Roll-out starts June 2020

Webex Apps share a single symmetric per-meeting encryption key for all media streams.

The meeting encryption key is generated by the media server and securely exchanged over the TLS signalling channel.

Media streams between Webex Apps can be switched without decryption. Media streams from Webex Apps to other SRTP endpoints are decrypted and re-encrypted.

Diagram: Webex Data Centre (Media Services); TLS/HTTPS signalling and Encrypted Media between the Apps and the Media Service

Page 29: Cloud Collaboration Solutions

Standard Webex Meetings

Standard Webex Meetings allow users to join via:

Webex Apps

Webex Devices

SIP Voice and Video Devices

PSTN

Diagram labels: Webex Data Centre (Media Services, Webex Device Media Service); TLS/HTTPS; SIP/TLS; Encrypted Media; Optionally Encrypted Media; Unencrypted PSTN audio

Page 30: Cloud Collaboration Solutions

Webex Meetings Apps - Strong End to End Encryption

With End to End Encryption for Webex Meetings, Webex servers do not have a copy of the encryption key used by the meeting participants and cannot decrypt any meeting data.

End to End Encryption is only supported by the Webex Application (desktop & mobile apps).

The master End to End Encryption key is generated by the meeting host.

Each participant's Webex App establishes a secure connection with the meeting host's Webex App to retrieve the end to end encryption key for the meeting.

Diagram: Webex Data Centre (Webex Signaling Service); Meeting Host, Meeting Participant 1 and Meeting Participant 2, each on a TLS encrypted channel; Meeting E2E Encryption key

Page 31: Cloud Collaboration Solutions

Webex Meetings Apps - Strong End to End Encryption

Each participant's Webex App generates a 2048 bit RSA public and private key pair.

The public key is sent to the meeting host over TLS. The meeting host uses the participant's public key to encrypt the Meeting E2E encryption key and returns the encrypted key to the participant over TLS.

Using this method to exchange the meeting E2E encryption key excludes its use by SIP endpoints, PSTN participants and recording services, i.e. E2E meeting encryption is supported by Webex Meetings Apps only.

Diagram: Webex Data Centre (Webex Signaling Service); Meeting Host with the Meeting E2E Encryption key; Meeting Participant 1 and Meeting Participant 2, each with their own Public & Private key, on TLS encrypted channels

Page 32: Cloud Collaboration Solutions

Webex Meetings Apps - Strong End to End Encryption

With Strong End to End Encryption, Webex servers do not have a copy of the E2E encryption key used by the Webex Application to encrypt meeting data.

The media is switched un-decrypted by the media server based on the speaker volume, which is indicated in the unencrypted packet header.

Encrypted chat messages are distributed to all participants over encrypted TLS channels.

Diagram: Webex Data Centre (Webex Media Service, Webex signaling Service, Webex text chat Service); Meeting Host and Meeting Participant exchanging Voice, Video and chat; TLS/HTTPS Encrypted Media

Page 33: Cloud Collaboration Solutions

Webex Meetings: Network Based and Local Recording

Diagram: Webex Meetings Service; Webex Media Service (Encrypted Meeting Media and Content); Meetings Recording Service; Hardware Security Module; Recording Storage Service

Meeting Host Recording entitlements
- Start recording in meeting
- Automatically start recording when the meeting starts
- Record Audio & content only, or Audio, Video & content
- Recorded meeting file editing options, Include/Exclude: Chat, Q&A, Polling, Participants, Transcripts

Site Admin Meeting Recording options
- Recordings can be password protected
- Recordings can be streamed or downloaded
- Downloading of recordings can be blocked
- Viewing can be restricted to signed in users only

Network Based Recordings
- Stored in regional Webex Data Centers
- Encrypted using AES-256-GCM
- Master key stored in HSM
- Configurable Retention period

Local Recording
- Optionally enabled by site Admin
- Meeting saved on host's computer as MP4 or WRF

Page 34: Cloud Collaboration Solutions

Webex Teams

Page 35: Cloud Collaboration Solutions

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

Webex Teams Apps - Co-signed software images

Diagram labels: Certificate Authority (CA Root Certificate); App Store; Webex Teams image; Create Hash; Create Digital Signature; Public Key / Private Key; Send Certificate Signing Request; CA returns Signed Software Publisher Certificate; Upload Webex Teams Image, Digital Signature and Certificate

Cisco uses a CA-signed software publishing certificate to digitally sign the software image.

And then uses the code-signing infrastructure of each platform vendor (Microsoft/Apple/Google) to co-sign a PKCS #7-signed data object file containing the signed Webex Teams image, digital signature, and software publishing certificate.

Page 36: Cloud Collaboration Solutions

Webex Teams App: Software image verification

Diagram labels: Certificate Authority (CA Root Certificate); App Store; OS Trust Store; Webex Teams image; Verify signed data object file; Generate and Compare Digital Signatures; Install Webex Teams Image, Digital Signature, Certificate

When a user downloads the Webex Teams software image, the platform operating system verifies the digital signature of the PKCS #7-signed data object file and then verifies the digital signature of the Webex Teams image.

Page 37: Cloud Collaboration Solutions

Webex Teams Apps: Encryption of Data at Rest

What data is cached and encrypted:
- Space details and Encryption Keys
- Meeting details and Encryption Keys
- Whiteboard details and Encryption Keys
- Messages
- Transcoded Files (Downloaded File location: user selected)
- OAuth Tokens

Stored Data encrypted using: AES-256-OFB (Windows, Mac, iOS, Android; the Teams Web App does not store data)

Master Key stored in OS secure Store

Data Wipe capability for mobile Apps

Diagram (Platform OS: Windows, Mac, iOS, Android): Encrypted SQLite Database; Master key for DB held in the OS Secure Store; OS Certificate Store holding Ent. CA and Root CA

Page 38: Cloud Collaboration Solutions

Webex Teams App and devices Proximity - Device detection and pairing

Diagram: Webex Teams Service (cloud); Webex device and Webex Teams app, each with TLS Encrypted Signalling to the cloud; steps 1, 2, 3

Cloud-registered Webex devices use ultrasonic signalling and tokens to discover* and pair with Webex Teams apps.

A Webex Teams app within range of the ultrasound signal can use the received token to pair with the Webex device, by sending the token to the Webex cloud service.

* WiFi discovery optional

Page 39: Cloud Collaboration Solutions

Webex Teams Apps and Devices - Content sharing and device control

Diagram: Webex Teams Service (cloud); TLS Encrypted Signalling from the app and from the device; Shared Content and Device Control

Once paired via the Webex cloud, the Webex Teams app can control the Webex device, for example to make calls, mute etc., and also share content on the Webex device. Both the app and the device use their existing TLS connections to the Webex cloud to exchange call control signalling and media for content sharing.

Page 40: Cloud Collaboration Solutions

AI and Machine Learning in collaborative environments: Defining Cognitive Collaboration

Computer Vision: Face, Gesture and Object Recognition

Audio & Speech Technologies: Noise Detection, Speech Integration, Meeting Transcription

Multi-modal Bots & Assistants: Collaboration Assistants, Care Assistants

Relationship Intelligence: People Profiles, Company Information

Page 41: Cloud Collaboration Solutions

Webex Teams - Encrypting Messages and Content

Diagram: Webex Cloud (Content Server, Key Management Service); the App sends encrypted messages and files to the cloud

Webex Teams App requests a conversation encryption key from the Key Management Service.

Any messages or files sent by an App are encrypted before being sent to the Webex Cloud.

Each Webex Teams Space uses a different Conversation Encryption key.

AES256-GCM cipher used for Encryption

Page 42: Cloud Collaboration Solutions

Webex Teams - Decrypting Messages and Content

Diagram: Webex Cloud (Content Server, Key Management Service); encrypted messages flow from the sending App to the cloud and on to the other Apps

Encrypted messages sent by the App are stored in the Webex Cloud and also sent on to every other App in the Webex Teams Space.

If needed, Webex Teams Apps can retrieve encryption keys from the Key Management Service.

Each encrypted message also contains a link to the conversation encryption key.

AES256-GCM cipher used for Encryption

Page 43: Cloud Collaboration Solutions

Webex Teams: Access Tokens and controlled access to User Generated Content

To gain access to any Webex Teams space and to read the content associated with that space, a user must first request the encryption key for that space using the KMS Access Token for their organization.

KMS Resource Object (KRO): a data structure that is used to track the encryption key for a space and the people that are authorized to receive the key

KRO fields shown:
- Space Name
- Space Owner
- Space Key ID
- Org ID
- Participants: User ID A, User ID B, User ID C, ...

Access Token fields shown:
- User ID A
- Client ID
- Org ID
- Scopes: Read messages, Write messages, Read space memberships, Write space memberships, ...

Request to the Key Management Service: "Send me the encryption key to Space A"

Page 44: Cloud Collaboration Solutions

Searching Webex Teams Spaces: Building a Search Index

Diagram: Webex Cloud (Indexing Service, Content Server, Key Mgmt Service, Search Service); the example message "Webex IS the message" is hashed word by word by the Hash Algorithm into values such as B9 57 FE 48

The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content.

A Search Index is built by creating a fixed length hash* of each word in each message within a Space.

The hashed indexes for each Webex Teams Space are stored by the Content Service.

*A new (SHA-256 HMAC) hashing key (Search Key) is used for each space

Page 45: Cloud Collaboration Solutions

Webex Teams spaces: Querying a Search Index

Diagram: Webex Cloud (Indexing Service, Content Server, Key Mgmt Service, Search Service); a search for the word "Webex" is hashed by the Hash Algorithm to "B9" and matched against the stored hashes (B9 57 FE 48) of the message "Webex IS the Message"

Search for the word "Webex": the App sends the search request over a secure connection to the Indexing Service.

The Indexing Service uses per-space search keys to hash the search terms.

The Search Service searches for a match in the hash tables and returns matching content to the App.*

*A link to the Conversation Encryption Key is sent with the encrypted message
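The index-building and query slides above describe one mechanism, modelled here as an added example that is not Webex's code: per-space HMAC-SHA256 search keys held by a key service, a content store that holds only word hashes, and a query hashed with the same space key before lookup. The class names, the tokenisation rule and the truncation of each hash to 8 bytes are assumptions.

```python
"""Constructed model of the per-space search index on the two slides above: every word of a
message is hashed with the space's SHA-256 HMAC search key, the Content Server stores only
those hashes, and a query term is hashed with the same per-space key before lookup. The
tokenisation, the 8-byte truncation and the class names are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict


class KeyManagementService:
    """Holds one search key per space; the key never reaches the Content Server."""

    def __init__(self):
        self._search_keys = {}

    def search_key(self, space_id):
        return self._search_keys.setdefault(space_id, secrets.token_bytes(32))


def tokenize(text):
    """Words of a message, lower-cased so that 'Webex' and 'webex' index identically."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))


def word_hash(search_key, word, length=8):
    """Fixed-length HMAC-SHA256 of one word (the slide shows truncated values such as B9 57 FE 48)."""
    return hmac.new(search_key, word.encode(), hashlib.sha256).hexdigest()[: 2 * length].upper()


class IndexingService:
    """Hashes message words and query terms with the space's search key from the KMS."""

    def __init__(self, kms):
        self.kms = kms

    def index_message(self, space_id, plaintext):
        key = self.kms.search_key(space_id)
        return frozenset(word_hash(key, w) for w in tokenize(plaintext))

    def hash_query(self, space_id, term):
        return word_hash(self.kms.search_key(space_id), term.lower())


class ContentServer:
    """Stores the hashed index per space; it holds no plaintext words and no search keys."""

    def __init__(self):
        self.index = defaultdict(dict)   # space_id -> message_id -> set of word hashes

    def store_index(self, space_id, message_id, hashes):
        self.index[space_id][message_id] = hashes

    def search(self, space_id, term_hash):
        """Match a hashed term against the hash tables of one space; returns message IDs."""
        return sorted(mid for mid, hashes in self.index[space_id].items() if term_hash in hashes)


def post_message(indexer, store, space_id, message_id, plaintext):
    """Index on the key-holding side, then hand only the hashes to the Content Server."""
    store.store_index(space_id, message_id, indexer.index_message(space_id, plaintext))


def search_space(indexer, store, space_id, term):
    """Hash the term with the space's key, then look it up in that space's hash table."""
    return store.search(space_id, indexer.hash_query(space_id, term))
```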

Page 46: Cloud Collaboration Solutions

Webex Teams E-Discovery Service: (1)

Diagram: Cisco Webex Control Hub; E-Discovery Service; Webex Cloud (Indexing Service, Content Server, Key Mgmt Service, Search Service); "Jo Smith's Content" is hashed by the Hash Algorithm to a value such as X1GFT5YY

Compliance Officer selects messages and files to be retrieved for E-Discovery, e.g. based on date range / content type / username(s).

The Indexing Service requests a search of related hashed content.

The Content Server returns matching content to the E-Discovery Service.

Page 47: Cloud Collaboration Solutions

Webex Teams E-Discovery Service: (2)

Diagram: Cisco Webex Control Hub; E-Discovery Service; E-Discovery Storage; Webex Cloud (Content Server, Key Mgmt Service, Search Service); "Jo Smith's Messages and Files" delivered compressed and encrypted; "E-Discovery Content Ready"

The E-Discovery Service: decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.

The E-Discovery Storage Service: sends the compressed and encrypted content to the Administrator on request.

Page 48: Cloud Collaboration Solutions

Webex Teams – Hybrid Data Security (HDS)

Hybrid Data Services = On Premise: Key Management Server, Indexing Server, E-Discovery Service

[Diagram: Secure Data Center (Key Mgmt Service, Indexing Service, E-Discovery Service), Content Server, Webex Cloud]

Page 49: Cloud Collaboration Solutions

HDS - Encrypting Messages & Content

Webex Teams Apps request an encryption key from the HDS Key Management Server.

Any messages or files sent by an App are encrypted before being sent to the Webex Cloud.

Encrypted messages and content are stored in the cloud.

Key Management Service: Encryption Keys are stored locally.

[Diagram: Secure Data Center (Key Mgmt Service), Content Server, Webex Cloud; encrypted messages]

Page 50: Cloud Collaboration Solutions

Hybrid Data Security – Secure App Connections

Webex Teams Apps establish a direct secure connection to the On Premise HDS node KMS service.

This encrypted peer to peer session traverses the Webex Cloud.

[Diagram: Secure Data Centre (Hybrid Data Security Node), Content Server, Search Service, Webex Teams Service, Webex Cloud; App to Cloud TLS connection; App to HDS secure connection (ECDHE-AES-256-GCM)]

Page 51: Cloud Collaboration Solutions

Hybrid Data Security: Search Indexing Service

The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content.

* A new hashing key (Search Key) is used for each space.

[Diagram: Secure Data Centre (Indexing Service, Key Mgmt Service), Content Server, Search Service, Webex Cloud; "Webex IS the message" is shown hashed to B957FE48 (B9 57 FE 48)]

Page 52: Cloud Collaboration Solutions

Hybrid Data Security: Querying a Search Index

Search for the word "Webex":

The Indexing Service sends a hashed index of the App's search request to the Search Service.

* A link to the Conversation Encryption Key is sent with the message.

[Diagram: Secure Data Center (Indexing Service, Key Mgmt Service), Content Server, Search Service, Webex Cloud; the query "Webex" is shown hashed to "B9" and matched against the stored "Webex IS the Message" = B9 57 FE 48]
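The search slides (pages 44, 45, 51 and 52) all describe the same mechanism: each space gets its own HMAC-SHA256 Search Key, the Indexing Service hashes message words under that key, and the cloud Search Service only ever holds a table of hashes, so it can match a hashed query without being able to read the content. The example below is added here to make that flow concrete; it is not Cisco code and does not reflect how Webex implements it. The names `search_key_for`, `index_message`, `query` and the in-memory `_index` table are assumptions for this illustration, and the messages are constructed sample data.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# --- Indexing side (the slides' Indexing Service backed by the KMS) -----------
# Hypothetical store of per-space Search Keys. Assumption for this example: the
# key lives with the indexing side only; the cloud Search Service never sees it.
_search_keys = {}


def search_key_for(space_id):
    """Return the space's 32-byte HMAC-SHA256 Search Key, creating it on first use."""
    if space_id not in _search_keys:
        _search_keys[space_id] = secrets.token_bytes(32)
    return _search_keys[space_id]


def tokenize(text):
    """Case-folded word tokens; the slides hash one word at a time."""
    return re.findall(r"[a-z0-9]+", text.lower())


def hash_term(space_id, term):
    """HMAC-SHA256 of a single term under the space's Search Key, as hex.

    The slides draw a two-character tag ("Webex" -> "B9") for readability;
    the real tag is the full MAC, so unrelated words do not collide."""
    return hmac.new(search_key_for(space_id), term.lower().encode(),
                    hashlib.sha256).hexdigest()


# --- Search Service side (Webex Cloud) ------------------------------------------
# Hash table: hashed term -> message ids. It holds neither plaintext nor keys,
# so it can answer queries without being able to decrypt anything.
_index = defaultdict(set)


def index_message(space_id, message_id, plaintext):
    """Indexing Service: hash each token and hand only the hashes to the index."""
    hashed = sorted({hash_term(space_id, t) for t in tokenize(plaintext)})
    for h in hashed:
        _index[h].add(message_id)
    return hashed


def query(space_id, term):
    """App search: hash the term under the space's key, then look it up."""
    return set(_index.get(hash_term(space_id, term), ()))


def index_is_plaintext_free(words):
    """Check that none of the given words appears as a key in the hash table."""
    return not any(w.lower() in _index for w in words)


if __name__ == "__main__":
    # Constructed sample data, mirroring the slide's message.
    index_message("space-A", "msg-1", "Webex IS the Message")
    index_message("space-B", "msg-2", "Webex release notes")
    print(query("space-A", "Webex"))  # {'msg-1'}
    # Same word, different spaces, different hashes: no cross-space correlation.
    print(hash_term("space-A", "webex")[:8], hash_term("space-B", "webex")[:8])
```

The per-space key is what gives the property the footnote on the slides cares about: the same word indexed in two spaces produces two unrelated hashes, so an observer of the cloud hash table cannot tell that two spaces discuss the same topic, and a query for one space cannot be replayed against another. The index also never contains the plaintext word, which `index_is_plaintext_free` checks directly.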

Page 53: Cloud Collaboration Solutions

Webex Teams E-Discovery Service: (1)

The Compliance Officer selects a group of messages and files to be retrieved for E-Discovery, e.g. based on date range, content type or username(s).

The Indexing Service sends hashed search criteria to the Search Service.

The Content Server returns matching content to the E-Discovery Service.

[Diagram: Secure Data Center (Indexing Service, Key Mgmt Service, E-Discovery Service), Content Server, Search Service, Webex Cloud, Cisco Webex Control Hub; "Jo Smith's Content" is shown hashed to X1GFT5YY]

Page 54: Cloud Collaboration Solutions

Webex Teams E-Discovery Service: (2)

E-Discovery Service: decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service.

E-Discovery Storage Service: sends the compressed and encrypted content to the Administrator on request.

[Diagram: Secure Data Center (Key Mgmt Service, E-Discovery Service, E-Discovery Storage), Content Server, Search Service, Webex Cloud, Cisco Webex Control Hub ("E-Discovery Content Ready"); Jo Smith's Messages and Files]
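Pages 49, 47 and 54 together describe one data path: the App fetches a space key from the on-premises KMS and encrypts before upload, the cloud stores only ciphertext, and the E-Discovery Service later decrypts the selected content with those space keys, compresses it, and re-encrypts it under a separate key so that the Storage Service and the download path never see plaintext. The example below is added to walk that path end to end; it is not Cisco code and makes no claim about how Webex implements it. The slides do not name the content cipher (only ECDHE-AES-256-GCM for the App-to-HDS transport), so `seal`/`unseal` here is a standard-library encrypt-then-MAC stand-in, and `KeyManagementServer`, `ContentServer`, `ediscovery_export` and `admin_retrieve` are assumed names; the messages and the selection-by-sender metadata are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import zlib


# --- Stand-in content cipher ----------------------------------------------------
# Illustrative encrypt-then-MAC: HMAC-SHA256 keystream plus HMAC-SHA256 tag on
# separate subkeys. A production system would use a real AEAD such as AES-GCM;
# this one exists only so the example runs with the standard library.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt and authenticate: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered content")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def new_key():
    return secrets.token_bytes(32)


# --- HDS Key Management Server: space keys are created and kept on premises ----
class KeyManagementServer:
    def __init__(self):
        self._space_keys = {}

    def key_for_space(self, space_id):
        if space_id not in self._space_keys:
            self._space_keys[space_id] = new_key()
        return self._space_keys[space_id]


# --- Webex Cloud Content Server: ciphertext plus routing metadata ----------------
# Assumption: space id and sender are kept as plaintext metadata so that the
# Compliance Officer's selection (here: by username) can be evaluated.
class ContentServer:
    def __init__(self):
        self.messages = {}  # message_id -> (space_id, sender, sealed bytes)

    def put(self, message_id, space_id, sender, sealed):
        self.messages[message_id] = (space_id, sender, sealed)

    def select_by_sender(self, sender):
        return [(mid, space, sealed) for mid, (space, who, sealed)
                in self.messages.items() if who == sender]


def app_send(kms, content, message_id, space_id, sender, text):
    """App: fetch the space key from the on-premises KMS and encrypt before upload."""
    sealed = seal(kms.key_for_space(space_id), text.encode())
    content.put(message_id, space_id, sender, sealed)
    return sealed


def ediscovery_export(kms, content, sender, export_key):
    """E-Discovery Service: decrypt the selected content with the space keys,
    compress the bundle, and re-encrypt it under a dedicated export key before
    handing it to the E-Discovery Storage Service."""
    records = [{"id": mid, "space": space,
                "text": unseal(kms.key_for_space(space), sealed).decode()}
               for mid, space, sealed in content.select_by_sender(sender)]
    bundle = zlib.compress(json.dumps(records, sort_keys=True).encode())
    return seal(export_key, bundle)


def admin_retrieve(export_key, package):
    """Administrator: the Storage Service hands over the package; only the export key opens it."""
    return json.loads(zlib.decompress(unseal(export_key, package)))


def opens_with(key, blob):
    """True if the key authenticates and decrypts the blob."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kms, store = KeyManagementServer(), ContentServer()
    app_send(kms, store, "m1", "space-A", "jo.smith", "Quarterly numbers attached")
    export_key = new_key()
    print(admin_retrieve(export_key, ediscovery_export(kms, store, "jo.smith", export_key)))
```

Two points the code makes explicit: the space keys never leave `KeyManagementServer`, so the cloud's `ContentServer` holds material it cannot read, and the export package is bound to its own key, so a space key (or a tampered package) is rejected by `opens_with`. Compressing before the second encryption, as the slides describe, also means the package leaks no more about its size than the compressed bundle would.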

Page 55: Cloud Collaboration Solutions

HDS: Encryption Keys & Users in other Organizations

Webex Teams Spaces with users from multiple Organisations can share encrypted messages and content.

How do external users retrieve encryption keys from the KMS of the Organisation that owns the Webex Teams Space?

[Diagram: Organisation A (Key Mgmt Service), Organisation B (Key Mgmt Service), Content Server, Webex Cloud; encrypted messages]

Page 56: Cloud Collaboration Solutions

HDS: Key Management Server Federation

Hybrid Key Management Servers in different Organisations establish an encrypted connection via the Webex Cloud.

Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS).

[Diagram: Organisation A (Key Mgmt Service), Organisation B (Key Mgmt Service), Content Server, Webex Cloud; encrypted messages]

Page 57: Cloud Collaboration Solutions

HDS: Key Management Server Federation

With a secure connection between Key Management Servers… Federated KMSs can request space Encryption Keys from one another on behalf of their Users.

[Diagram: Organisation A (Key Mgmt Service), Organisation B (Key Mgmt Service), Content Server, Webex Cloud; encrypted messages]

Page 58: Cloud Collaboration Solutions

The most advanced collaboration platform: Comprehensive | Unified | Open | Interoperable

Cisco Webex: Call, Message, Meet, Devices, Contact center, Integration

Integrations: Microsoft, Google, Slack, Salesforce, Jira, + 24,000 more

Across devices & browsers; Open platform; Enterprise-grade security; Edge services; On-prem, hybrid & cloud; Cognitive collaboration; Network; Global Backbone; Analytics

Page 59: Cloud Collaboration Solutions

Demo: Webex Meetings, Webex Teams, Control Hub

Page 60: Cloud Collaboration Solutions