Stanislav Cherepanov
CCSI
22.12.2020
Cloud Collaboration Solutions
C97-739799-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
C97-742848-01 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
8:00 am, Message: Jump start your day! Say goodbye to email. Quickly catch up on your conversations.
9:00 am, Call: Never miss a customer call; calls are routed to any device, anywhere.
10:00 am, Meet: Check in with a colleague 1:1, or with the whole team. See 25 people at one time.
10:45 am, Review: Search for and view meeting highlights. Share actions with the team.
11:30 am, Schedule: Use your Microsoft or Google calendar to schedule a meeting.
1:00 pm, Whiteboard: Jump into a meeting and sketch out ideas as if you were in the same room.
2:00 pm, Co-edit a file: Access and work on files together, right from within a message.
3:00 pm, Message 3rd parties: Simply and securely send messages and files to people outside your company.
4:00 pm, Add some fun: Add an emoji or animated GIF to show appreciation of good work.
Be productive from anywhere: Home, Mobile, Branch locations, Main Office, with one Unified Application (Webex).
Integrated devices: better experiences and lower TCO (Smart Devices)
Automated intelligence in every workspace (Smart Devices)
• App-driven call handover between devices
• Shared proximity awareness connects apps to devices
• Context-sensitivity from headsets to devices
• One in-room control point for desktop and room devices
Power of the Webex Platform: Consistent. Comprehensive. Innovative. Open.
Open Platform (+ 24,000 more) and Unified Experience
Platform components: Meetings, Client Framework, Common Identity, Calendaring, Cognitive Collaboration, Whiteboarding, Messaging, Proximity, Unified Calling Architecture, Media Engine, Device OS, VDI, Global Backbone, Security, Edge & Hybrid Services, Management, Analytics, Network, and more…
Single platform advantage: Calling, Meetings, Teams, Contact Center, Jabber
Webex Cloud
Webex Meetings Data Centre Locations
• Webex Meeting related Services
  • Meetings / Events / Training / Support
  • Identity
  • Site Administration / Analytics / Billing
  • Recording / Transcription
• Webex Media Services
  • Media Nodes for Webex Meetings and Webex Teams: Voice, Video and Content Sharing services
  • PSTN access for Meetings
  • Multiple data centre locations worldwide
• Internet Points of Presence
  • Used to route Webex Meetings traffic to a Cisco Data Center Location
Map legend: Regional Data Centre Locations; Webex Meetings-related services (not media); Webex Media services; Internet Point of Presence
Locations shown on the map: Virginia, Texas, California, North Carolina, New York, New Jersey, Illinois, London, Amsterdam, Bangalore, Singapore, Hong Kong, Tokyo, Sydney
Webex Meetings related Services (not media services)
Services: Meeting Centre Service, Events Centre Service, Training Centre Service, Support Centre Service, Identity Service, Recording Service, Transcription Service, Analytics Service, Site Admin Service
Diagram: the services are shown in Data Centre A, B and C and again in Data Centre A', B' and C'
Webex Services for Webex Meetings/Events/Training/Support, Identity, Recording, Transcription, Billing, Analytics and Administration are distributed and replicated across multiple independent data centres.
User Generated Content (e.g. Recordings, Transcripts, Uploaded Files) is stored in the data centre closest to a Customer's location as provided during the ordering process.
Webex Meetings Data residency locations: EMEAR / APJ / US / Australia
Webex Meetings App – TLS/HTTPS signaling traffic
Diagram, from the Internet into the Secure Webex Data Centre:
• Internet: Webex Meetings App signalling arrives over TLS
• Webex Perimeter Protection: DDoS Protection, Traffic Filtering, Behavioural Analysis
• Firewall / Router with 1:1 NAT (Public IP Addresses)
• TLS Termination tier (private IP address range): TLS/HTTPS Proxies
• Firewall / Router
• Meetings Services tier (private IP address range): Webex Meetings Service instances
Webex Meetings Media Services
Diagram: Media Service clusters in Data Centre A, B, C, D, E and F
Webex Media services are globally distributed across multiple data centres
Media Server clusters in each data centre provide local and geographic redundancy
Media servers support voice, video and content sharing
All media is encrypted
Webex Media Services – Cloud Security and DMZ
Diagram, from the Internet into the Secure Webex Data Centre:
• Internet: Encrypted Media on UDP Media Port 9000, TCP Media Port 5004 and TLS Media Port 443
• Webex Perimeter Protection: UDP/TCP/TLS Media Traffic Filtering, Volumetric Attack Protection
• Firewall / Router
• Media Services (public IP address range): Media Nodes, each running OS Services with an OS firewall module, OS Hardening, Security Patches and Logging / Metrics agents
• Firewall / Router
• Meetings Services (private IP address range): Webex Meetings Service instances
Webex Meetings – User, Identity & Access Management
User account creation methods:
- Webex Directory Connector
  • Active Directory Sync Tool
  • Control Hub only
- System for Cross-Domain Identity Management (SCIM) API
  • Sync from Cloud IdP, e.g. Azure AD, Okta User DB
  • Control Hub only
- Webex User/People API
- Manually add Users
- CSV File upload
Diagram: Active Directory syncs to the Webex Identity Service through the Cisco Directory Connector; Azure/Okta sync through SCIM; Webex Control Hub administers the Webex Cloud services (Identity Service, Meeting Centre Service, Recording Service, Site Admin Service, Analytics Service)
Webex Meetings – SAML SSO Authentication
Single Sign On (SSO) for User Authentication:
Administrators can configure Webex Meetings to work with their existing SSO solution
Webex Meetings supports Identity Providers using Security Assertion Markup Language (SAML) 2.0 for Authentication and OAuth 2.0 Authorization
For a list of supported IdPs see https://help.webex.com/en-us/lfu88u/Single-Sign-On-Integration-in-Cisco-Webex-Control-Hub
Diagram: the SSO IdP exchanges SAML with the Webex Identity Service; Directory Sync (Active Directory through the Cisco Directory Connector, Azure/Okta through SCIM) feeds the Webex Cloud services (Identity Service, Meeting Centre Service, Recording Service, Site Admin Service, Analytics Service)
Connecting to the Webex cloud – Apps and Devices
Cisco Webex Meetings Apps: Windows, Mac, iOS, Android, Web
• Authentication – User Sign In
• Authorization – OAuth 2.0
Cisco Webex Devices: Webex Room Series, Webex Desktop Series, Webex Board
• Onboarding – Activation Code
• Authentication – Machine Account
• Authorization – OAuth 2.0
All initiated connections are outbound only, from the Enterprise to Webex Cloud
Diagram: Apps and Devices use TLS Encrypted Signalling to the Webex Meetings Service and Encrypted Media to the Webex Media Service in both the East Coast and West Coast data centres; media between the two sites is Cascaded Encrypted Media
Webex Meetings App – cloud connection summary
1) Customer downloads and installs the Webex Meetings App
2) Webex Meetings App establishes a secure TLS connection with the Webex Cloud
3) Webex Identity Service prompts User for their Webex site URL, e.g. cisco.webex.com
4) User authenticated by Webex Identity Service, or Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created and sent to Webex Meetings App
• The Access Token contains details of the Webex Meetings resources the User is authorised to access
• Webex Meetings App presents its Access Token to register with Webex Meetings Services over a secure channel
Diagram: Webex Meetings App, Webex Cloud (Identity Service, Webex Meetings Service), IdP
Webex – Device Onboarding
Webex Device application software and embedded OS installed as a firmware binary image before leaving the factory
1) Webex Control Hub Admin generates a device activation code for the device
2) User prompted for activation code during device installation. Activation code sent to Webex Discovery Service, which determines the device's organization and redirects to the Identity Service
3) Identity Service sends OAuth tokens and Trusted Root Certificate list (can include Enterprise CA Certs for TLS inspection) to device
4) Device checks current software version. If upgrade required, a signed image is sent to the device. Device will not load an unsigned image
5) Device registers to Webex Services
Diagram: Webex Control Hub, Discovery Service, Identity Service, Webex Image Store (Webex Meetings image), Webex Service; example activation code 1234567890123456
Webex Meetings App: User Authentication (1)
To access any Webex Meetings service, the App/Device must present a valid OAuth Access Token. If no Access Token is present, the App/Device is redirected to the Authorization Service.
The Webex Site ID in the Authorization request determines the User's Org and Identity Service. The App/Device is redirected to the Identity Service for Authentication.
Diagram (TLS encrypted signalling between the App, the Webex Authorization Service and the Webex Identity Service):
1. Initial HTTP Request: GET https://meetings.webex.com
2. No OAuth Access Token – Redirect to Authorization Server
3. Authorization Request with Webex Site ID and OAuth Token Scopes
4. Not Authenticated – Refer to Identity Service for Authentication
Webex Meetings App: User Authentication (2)
Users can authenticate to the Webex Identity Service (typically consumer accounts), or to an Enterprise (on-premises, or cloud) IdP that supports Single Sign On (SSO) using Security Assertion Markup Language (SAML) 2.0 (as shown in the diagram)
Diagram (continued, TLS encrypted signalling between the App, the Webex Authorization Service, the Webex Identity Service and the IdP):
5. Authentication Request to Identity Service
6. Using SSO with Enterprise IdP – Redirect to IdP
7. SAML User Authentication at the IdP
8. Return SAML Assertion
Webex Meetings App: User Authentication (3)
Webex Meetings users using Single Sign On use a combination of SAML for authentication and the OAuth Authorization Code Grant method (as shown in the diagram), or the Client Credential Grant method, for authorization
Diagram (continued, TLS encrypted signalling between the App, the Webex Authorization Service and the Webex Identity Service):
9. POST SAML Assertion to Identity Service for validation
10. Redirect to Authorization Service with User ID
11. POST SAML Assertion & User ID to Authorization Service
12. Return Authorization Code
Webex Meetings App: User/Device Authorization
Once the Webex Meetings App/Device is authenticated, the OAuth Grant flow is used to deliver OAuth Access and Refresh Tokens to the App/Device
The Access Token must be presented to gain authorized access to Webex services
Diagram (continued, TLS encrypted signalling to the Webex Authorization Service, the Webex Identity Service and the Webex Meetings Service):
13. Send Authorization Code & Client Secret to Authorization Service
14. Return OAuth Access Token and Refresh Token
15. Request Webex Meetings Service with Access Token
16. Webex Meetings Service Access Granted
Webex Meetings: OAuth Access and Refresh Tokens
OAuth Access Token – uses JSON Web Token (JWT) format, signed (JWS)
OAuth Refresh Token – presented to the authorization service to renew the Access Token
Access tokens allow apps and devices to gain access to authorized services
Access tokens contain scopes that define which services are authorized
Access tokens are renewed when they reach 75% of their lifetime
Diagram: Request Webex Meetings Service with Access Token; Webex Meetings Service Access Granted
Webex Meetings: OAuth Access and Refresh Tokens
OAuth Access Token scopes define which Meetings services Webex Apps and Devices are permitted to use, e.g.: Read User data, Read Meeting data, Read Recording data, Write User data, Write Meeting data, Write Recording data, Write Settings data
Webex Apps and Devices have more than one access token, e.g. Webex Cloud Identity Services token, Webex Meetings token
Webex Access Token lifetimes vary by device, e.g.:
• Meetings App access token lifetime = 6 hours
• Device access token lifetime = 6 hours
• Directory Connector access token lifetime = 1 hour
• Access Token renewed by sending Refresh Token when lifetime = 75%
• Token lifetime values can be reconfigured by service request
Webex Refresh Token lifetime typically 60 days
• Lifetime values can be reconfigured by service request
• Refresh Token renewed when Access Token renewed
• Refresh Token renewal (on/off) configurable by service request
• If Refresh Token renewal = Off: App logged out, Device off-boarded when Refresh Token lifetime expires
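The access and refresh token handling described on the preceding slides, written out as an added Go example (this is not Cisco's code and not the Webex implementation): an authorization service issues a signed JWT access token that carries scopes and a lifetime together with a single-use refresh token; a Meetings service verifies signature, expiry and scope before granting access; the refresh token is rotated whenever the access token is renewed; and the client applies the 75% of lifetime renewal rule. HS256 signing, the claim names and the scope strings "meetings:read" and "meetings:write" are assumptions made for this example, not values stated on the slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims carried in the access token. Claim names and scope strings are assumptions.
type Claims struct {
	Sub   string   `json:"sub"`   // user id
	Org   string   `json:"org"`   // organisation id
	Scope []string `json:"scope"` // authorised services
	Iat   int64    `json:"iat"`   // issued at, unix seconds
	Exp   int64    `json:"exp"`   // expiry, unix seconds
}

// AuthServer stands in for the Webex Authorization Service. HS256 is an assumption.
type AuthServer struct {
	signingKey []byte
	refresh    map[string]Claims // live refresh tokens and the claims they can renew
	lifetime   time.Duration     // access token lifetime, e.g. 6 hours for the Meetings App
}

func NewAuthServer(lifetime time.Duration) *AuthServer {
	return &AuthServer{signingKey: randBytes(32), refresh: map[string]Claims{}, lifetime: lifetime}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (a *AuthServer) mac(signingInput string) string {
	m := hmac.New(sha256.New, a.signingKey)
	m.Write([]byte(signingInput))
	return b64(m.Sum(nil))
}

// Issue mints a compact JWS (header.payload.signature) and a single-use refresh token.
func (a *AuthServer) Issue(sub, org string, scope []string, now time.Time) (access, refresh string) {
	c := Claims{Sub: sub, Org: org, Scope: scope, Iat: now.Unix(), Exp: now.Add(a.lifetime).Unix()}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(pl)
	refresh = b64(randBytes(24))
	a.refresh[refresh] = c
	return signingInput + "." + a.mac(signingInput), refresh
}

// Renew exchanges a refresh token for a fresh access token and rotates the refresh token
// at the same time ("Refresh Token renewed when Access Token renewed"), so an old copy cannot be replayed.
func (a *AuthServer) Renew(refresh string, now time.Time) (string, string, error) {
	c, ok := a.refresh[refresh]
	if !ok {
		return "", "", errors.New("unknown or already used refresh token")
	}
	delete(a.refresh, refresh)
	acc, rt := a.Issue(c.Sub, c.Org, c.Scope, now)
	return acc, rt, nil
}

// Verify is the check a Meetings service makes on a presented token: signature, expiry, then scope.
func (a *AuthServer) Verify(token string, now time.Time, needScope string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(a.mac(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("malformed token or bad signature")
	}
	pl, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pl, &c); err != nil || now.Unix() >= c.Exp {
		return nil, errors.New("unparseable or expired token")
	}
	for _, s := range c.Scope {
		if s == needScope {
			return &c, nil
		}
	}
	return nil, errors.New("scope " + needScope + " not granted")
}

// NeedsRenewal is the client-side rule on the slide: renew once 75% of the lifetime has elapsed.
func NeedsRenewal(c Claims, now time.Time) bool {
	return now.Unix()-c.Iat >= (c.Exp-c.Iat)*3/4
}
```

Two details matter for a verifier. The signature is checked before any claim is parsed, so a modified payload is rejected before anything in it is trusted, and the scope check is a separate step from expiry so a valid but under-privileged token gets a distinct error. Deleting the refresh token on use is what gives the rotation on the slide its security value: a refresh token captured from a device is useless once the legitimate client has renewed.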
Access to Webex Meetings Media Services (1)
Diagram: the Webex Meetings Application and Webex Devices reach the Media Services in the Webex Data Centre with Encrypted HTTPS Signalling and Encrypted Voice, Video and Content Sharing, either across the Internet or across an Equinix IXE Private Link
Access Options:
• Internet Access: Signalling and Media traverse the Internet
• Private Peering: Media traverses Equinix Private Link; non-Webex App signalling traverses the Internet
Access to Webex Meetings Media Services (2)
SIP Endpoints (Cisco SIP devices, 3rd Party SIP devices):
• SIP signalling across the Internet; Inbound Calling and Outbound Calling; Voice & Video
• Optional Signalling Encryption
• Optional Media Encryption
• Voice and Video supported
PSTN Endpoints (PSTN Phones, Mobile Phones):
• PSTN; Inbound Calling and Outbound Calling; Voice Only
• PSTN Signalling not encrypted
• PSTN Media not encrypted
• Voice Only
Diagram: both endpoint types terminate on the Media Services in the Webex Data Centre
Webex Meetings – Media Encryption ciphers
• 3rd Party SIP devices: Media Encryption optional, AES-CM-128-HMAC-SHA1 cipher
• On Premises registered Cisco Devices: Media Encryption optional, AES-CM-128-HMAC-SHA1 cipher
• Webex App: Media Always Encrypted, AES-128-CBC or AES-256-GCM*
• Cloud Registered Webex Device: Media Always Encrypted, AES-CM-128-HMAC-SHA1 cipher
Transports shown: TLS/HTTPS with Encrypted Media; SIP with Optionally Encrypted Media
* AES-256-GCM media encryption: roll out commences June 2020
Diagram: all endpoint types terminate on the Media Services in the Webex Data Centre
Webex Meetings Encryption – Devices using SRTP
Devices using SRTP: Cloud Registered Webex Devices, On Premises registered Cisco Devices, 3rd Party SIP devices
Media Encryption Cipher AES-CM-128-HMAC-SHA1
A unique pair of encryption keys is used for each media stream
A pair of master encryption keys used for each media stream are securely exchanged over the TLS signalling channel
Since each call leg uses a unique pair of keys for each media stream, decryption and re-encryption must be performed between call legs
Diagram: TLS/HTTPS and SIP over TLS signalling into the Webex Data Centre, with SRTP Encrypted Media to the Media Services
Webex Meetings App – Media Encryption
Webex Meetings Apps: Windows, Mac, iOS, Android
Media Encryption Cipher AES-128-CBC, AES-256-GCM*
Webex Apps share a single symmetric per-meeting encryption key for all media streams
* Roll-out starts June 2020
The meeting encryption key is generated by the media server and securely exchanged over the TLS signalling channel
Media streams between Webex Apps can be switched without decryption. Media streams from Webex Apps to other SRTP endpoints are decrypted and re-encrypted
Diagram: TLS/HTTPS signalling and Encrypted Media between the Apps and the Media Services in the Webex Data Centre
Standard Webex Meetings
Standard Webex Meetings allow users to join via:
• Webex Apps (TLS/HTTPS, Encrypted Media)
• Webex Devices (TLS/HTTPS, Encrypted Media)
• SIP Voice and Video Devices (SIP/TLS, Optionally Encrypted Media)
• PSTN (Unencrypted PSTN audio)
Diagram: every join path terminates on the Media Service in the Webex Data Centre
Webex Meetings Apps – Strong End to End Encryption
With End to End Encryption for Webex Meetings, Webex servers do not have a copy of the encryption key used by the meeting participants and cannot decrypt any meeting data.
End to End Encryption is only supported by the Webex Application (desktop & mobile apps)
The master End to End Encryption key is generated by the meeting host.
Each participant's Webex App establishes a secure connection with the meeting host's Webex App to retrieve the end to end encryption key for the meeting
Diagram: Meeting Host, Meeting Participant 1 and Meeting Participant 2 each hold a TLS encrypted channel to the Webex Signaling Service in the Webex Data Centre; the Meeting E2E Encryption key is held by the apps
Webex Meetings Apps – Strong End to End Encryption
Each participant's Webex App generates a 2048 bit RSA public and private key pair
The public key is sent to the meeting host over TLS
The meeting host uses the participant's public key to encrypt the Meeting E2E encryption key and returns the encrypted key to the participant over TLS
Using this method to exchange the meeting E2E encryption key excludes its use by SIP endpoints, PSTN participants and recording services, i.e. E2E meeting encryption is supported by Webex Meetings Apps only
Diagram: Meeting Host, Meeting Participant 1 and Meeting Participant 2, each with a TLS encrypted channel to the Webex Signaling Service; each participant holds its own Public & Private key and the host holds the Meeting E2E Encryption key
Webex Meetings Apps – Strong End to End Encryption
With Strong End to End Encryption, Webex servers do not have a copy of the E2E encryption key used by the Webex Application to encrypt meeting data.
The media is switched un-decrypted by the media server based on the speaker volume, which is indicated in the unencrypted packet header
Encrypted chat messages are distributed to all participants over encrypted TLS channels
Diagram: Meeting Host and Meeting Participant exchange encrypted Voice and Video through the Webex Media Service and chat through the Webex text chat Service, all over TLS/HTTPS
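The key exchange on the preceding E2E slides (each participant generates an RSA-2048 key pair, the host encrypts the meeting key with the participant's public key, media is then protected with the shared key), as an added Go example that is not Cisco's code: the host generates the master key, wraps it for each participant, each participant unwraps it with its own private key, and a media frame encrypted by one participant is readable by another but not by a relay that never held the key. RSA-OAEP with SHA-256 for the wrap, a 256-bit meeting key and AES-256-GCM for frames are assumptions; the slides name RSA-2048 and AES-256-GCM but not the padding scheme or key length.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Participant is one attendee's Webex App: it owns an RSA-2048 key pair and, after the
// exchange, a copy of the meeting's E2E key. Its private key never leaves the app.
type Participant struct {
	Name       string
	key        *rsa.PrivateKey
	MeetingKey []byte
}

func NewParticipant(name string) (*Participant, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Participant{Name: name, key: k}, nil
}

func (p *Participant) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }

// Host is the meeting host's app, which generates the master E2E key. 256 bits is an
// assumption chosen because AES-256-GCM is the app media cipher named earlier in the deck.
type Host struct{ MeetingKey []byte }

func NewHost() (*Host, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Host{MeetingKey: key}, nil
}

// WrapKeyFor encrypts the meeting key under one participant's public key. RSA-OAEP with
// SHA-256 is an assumption; the slide only says the host "uses the participant's public key".
func (h *Host) WrapKeyFor(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, h.MeetingKey, []byte("e2e-meeting-key"))
}

// UnwrapKey recovers the meeting key with the participant's own private key; a key
// wrapped for a different participant fails here.
func (p *Participant) UnwrapKey(wrapped []byte) error {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, wrapped, []byte("e2e-meeting-key"))
	if err != nil {
		return err
	}
	p.MeetingKey = k
	return nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFrame protects one media frame with the shared meeting key; output is nonce || ciphertext || tag.
func EncryptFrame(key, frame []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, frame, nil), nil
}

// DecryptFrame fails for anyone without the meeting key. That is the media server's
// position: it relays these bytes (switching on the unencrypted header) but cannot read them.
func DecryptFrame(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("truncated frame")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
```

The property the slides claim follows from where the keys live: the Webex signaling service carries the wrapped key and the encrypted frames, but only the host and the participants ever hold the unwrapped meeting key or the participants' private keys. It also shows why SIP, PSTN and recording endpoints are excluded: anything that does not run this exchange has no meeting key and cannot decrypt.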
Webex Meetings: Network Based and Local Recording
Meeting Host Recording entitlements
• Start recording in meeting
• Automatically start recording when the meeting starts
• Record Audio & content only, or Audio, Video & content
• Recorded meeting file editing options, include/exclude: Chat, Q&A, Polling, Participants, Transcripts
Site Admin Meeting Recording options
• Recordings can be password protected
• Recordings can be streamed or downloaded
• Downloading of recordings can be blocked
• Viewing can be restricted to signed in users only
Network Based Recordings
• Stored in regional Webex Data Centers
• Encrypted using AES-256-GCM
• Master key stored in HSM
• Configurable Retention period
Local Recording
• Optionally enabled by site Admin
• Meeting saved on host's computer as MP4 or WRF
Diagram: the Webex Meetings Service and Webex Media Service pass Encrypted Meeting Media and Content to the Meetings Recording Service, which uses a Hardware Security Module and the Recording Storage Service
Webex Teams
Webex Teams Apps – Co-signed software images
Cisco uses a CA-signed software publishing certificate to digitally sign the software image, and then uses the code-signing infrastructure of each platform vendor (Microsoft/Apple/Google) to co-sign a PKCS #7-signed data object file containing the signed Webex Teams image, digital signature, and software publishing certificate.
Diagram:
• Cisco generates a Public Key / Private Key pair and sends a Certificate Signing Request to the Certificate Authority
• The CA returns a Signed Software Publisher Certificate; the CA Root Certificate is the trust anchor
• Create Hash of the Webex Teams image, then Create Digital Signature over the hash with the private key
• Upload the Webex Teams Image, Digital Signature and Certificate to the App Store
Webex Teams App: Software image verification
When a user downloads the Webex Teams software image, the platform operating system verifies the digital signature of the PKCS #7-signed data object file and then verifies the digital signature of the Webex Teams image
Diagram:
• The App Store delivers the Webex Teams Image, Digital Signature and Certificate
• The OS Trust Store holds the CA Root Certificate used to verify the signed data object file
• The OS generates and compares digital signatures over the image, then installs the Webex Teams image
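The signing and verification flow on the last two slides, as an added Go example that is not Cisco's code: a CA issues a code-signing certificate to the publisher, the publisher signs the SHA-256 hash of the image, and the installing platform chains the publisher certificate to the root in its trust store before checking the signature over the image. A self-signed example CA, RSA PKCS#1 v1.5 and a plain struct stand in for the CA infrastructure, the PKCS #7 signed-data object and the platform vendor's co-signature; those are all simplifications, and the names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SignedImage is the bundle the slides describe: the image, the digital signature
// over its hash, and the software publishing certificate used to verify it.
type SignedImage struct {
	Image     []byte
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-256(Image)
	CertDER   []byte // publisher certificate, DER encoded
}

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func makeCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root: the CA Root Certificate the platform keeps in its trust store.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssuePublisherCert is the CA answering the publisher's certificate signing request
// with a certificate restricted to code signing.
func IssuePublisherCert(ca *x509.Certificate, caKey *rsa.PrivateKey, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Software Publisher"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return makeCert(tmpl, ca, pub, caKey)
}

// Sign is the publisher's step: hash the image, sign the hash with the private key,
// and bundle image, signature and certificate for upload.
func Sign(image []byte, key *rsa.PrivateKey, cert *x509.Certificate) (*SignedImage, error) {
	h := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &SignedImage{Image: image, Signature: sig, CertDER: cert.Raw}, nil
}

// Verify is the installing OS's step: chain the publisher certificate to a trusted
// root and check it is valid for code signing, then recompute the hash and verify
// the signature. Either failure rejects the image.
func Verify(s *SignedImage, trustRoot *x509.Certificate) error {
	cert, err := x509.ParseCertificate(s.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return err // issuer not in the trust store, or certificate not valid for code signing
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("publisher certificate does not carry an RSA key")
	}
	h := sha256.Sum256(s.Image)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], s.Signature)
}
```

The order inside Verify is the point: a signature that checks out under a certificate the trust store does not chain to is still rejected, which is what makes the statement "Device will not load an unsigned image" on the onboarding slide meaningful. A signature produced by an arbitrary key is easy to make; a signature that chains to the root in the trust store is not.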
Webex Teams Apps: Encryption of Data at Rest
What data is cached and encrypted:
• Space details and Encryption Keys
• Meeting details and Encryption Keys
• Whiteboard details and Encryption Keys
• Messages
• Transcoded Files (Downloaded File location: user selected)
• OAuth Tokens
Stored Data encrypted using AES-256-OFB on Windows, Mac, iOS, Android (Teams Web App does not store data)
Master Key stored in OS secure Store
Data Wipe capability for mobile Apps
Diagram (Platform OS: Windows, Mac, iOS, Android): Encrypted SQLite Database; Master key for DB held in the OS Secure Store; OS Certificate Store holding the Enterprise CA and Root CA certificates
Webex Teams App and devices Proximity – Device detection and pairing
Cloud-registered Webex devices use ultrasonic signalling and tokens to discover* and pair with Webex Teams apps
A Webex Teams app within range of the ultrasound signal can use the received token to pair with the Webex device, by sending the token to the Webex cloud service.
* WiFi discovery optional
Diagram: steps 1 to 3 show the device's ultrasound token reaching the app and the app forwarding it to the Webex Teams Service; both the app and the device hold TLS Encrypted Signalling connections to the Webex Teams Service
Webex Teams Apps and Devices – Content sharing and device control
Once paired via the Webex cloud, the Webex Teams app can control the Webex device, for example to make calls, mute etc., and also share content on the Webex device. Both the app and device use their existing TLS connections to the Webex cloud to exchange call control signalling and media for content sharing.
Diagram: Shared Content and Device Control flow between the app and the device through the Webex Teams Service over TLS Encrypted Signalling
AI and Machine Learning in collaborative environments: Defining Cognitive Collaboration
• Computer Vision: Face, Gesture and Object Recognition
• Audio & Speech Technologies: Noise Detection, Speech Integration, Meeting Transcription
• Multi-modal Bots & Assistants: Collaboration Assistants, Care Assistants
• Relationship Intelligence: People Profiles, Company Information
Webex Teams – Encrypting Messages and Content
Webex Teams App requests a conversation encryption key from the Key Management Service
Any messages or files sent by an App are encrypted before being sent to the Webex Cloud
Each Webex Teams Space uses a different Conversation Encryption key
AES256-GCM cipher used for Encryption
Diagram: the App obtains the key from the Key Management Service in the Webex Cloud; the encrypted message and file are sent to the Content Server
Webex Teams – Decrypting Messages and Content
Encrypted messages sent by the App are stored in the Webex Cloud and also sent on to every other App in the Webex Teams Space
Each encrypted message also contains a link to the conversation encryption key
If needed, Webex Teams Apps can retrieve encryption keys from the Key Management Service
AES256-GCM cipher used for Encryption
Diagram: encrypted messages flow from the Content Server to the receiving Apps, which fetch the key from the Key Management Service in the Webex Cloud
Webex Teams: Access Tokens and controlled access to User Generated Content
To gain access to any Webex Teams space and to read the content associated with that space, a user must first request the encryption key for that space using the KMS Access Token for their organization
KMS Resource Object (KRO): a data structure that is used to track the encryption key for a space and the people that are authorized to receive the key
KRO contents:
• Space Name
• Space Owner
• Space Key ID
• Org ID
• Participants: User ID A, User ID B, User ID C, ...
KMS Access Token contents:
• User ID A
• Client ID
• Org ID
• Scopes: Read messages, Write messages, Read space memberships, Write space memberships, ...
Diagram: the App asks the Key Mgmt Service "Send me the encryption key to Space A", presenting its KMS Access Token, and the KMS checks the request against the space's KRO
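The KRO check on this slide together with the per-space conversation key on the preceding Encrypting/Decrypting Messages slides, as an added Go example that is not Cisco's code: a KMS releases a space's key only if the token's org owns the space, the user is listed as a KRO participant and the token carries a read scope; messages are encrypted with AES-256-GCM and stored with the key id as the link back to the key, so a reader with the key for one space cannot open another space's messages. The scope name "messages:read", the key id format and the stored message layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Token models the KMS Access Token on the slide: user, org and granted scopes.
type Token struct {
	UserID, OrgID string
	Scopes        []string
}

// KRO is the KMS Resource Object: the key id a space uses and who may receive it.
type KRO struct {
	SpaceKeyID, OrgID string
	Participants      map[string]bool
}

// KMS holds conversation keys and the KRO for each space.
type KMS struct {
	keys map[string][]byte // key id -> AES-256 conversation key
	kros map[string]*KRO   // space id -> KRO
}

func NewKMS() *KMS {
	return &KMS{keys: map[string][]byte{}, kros: map[string]*KRO{}}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// CreateSpace mints a fresh conversation key for a new space ("each space uses a
// different key") and records the authorised participants in its KRO. Returns the key id.
func (k *KMS) CreateSpace(spaceID, orgID string, members ...string) string {
	keyID := "key-" + hex.EncodeToString(randBytes(8))
	k.keys[keyID] = randBytes(32)
	kro := &KRO{SpaceKeyID: keyID, OrgID: orgID, Participants: map[string]bool{}}
	for _, m := range members {
		kro.Participants[m] = true
	}
	k.kros[spaceID] = kro
	return keyID
}

// RequestKey answers "send me the encryption key to Space A": the token's org must own
// the space (other orgs go through KMS federation, later slides), the user must be a KRO
// participant, and the token must carry a read scope. Any failure withholds the key.
func (k *KMS) RequestKey(spaceID string, tok Token) ([]byte, error) {
	kro := k.kros[spaceID]
	if kro == nil || kro.OrgID != tok.OrgID {
		return nil, errors.New("space unknown or owned by another org")
	}
	if !kro.Participants[tok.UserID] {
		return nil, errors.New("user is not a participant of the space")
	}
	for _, s := range tok.Scopes {
		if s == "messages:read" {
			return k.keys[kro.SpaceKeyID], nil
		}
	}
	return nil, errors.New("token lacks messages:read scope")
}

// StoredMessage is what the Content Server keeps: ciphertext plus a link to the key.
type StoredMessage struct {
	SpaceID, KeyID string
	Sealed         []byte // nonce || AES-256-GCM ciphertext and tag
}

// EncryptMessage is the App's step before anything is sent to the Webex Cloud.
func EncryptMessage(key []byte, spaceID, keyID, text string) (StoredMessage, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredMessage{}, err
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-standard block sizes
	nonce := randBytes(g.NonceSize())
	return StoredMessage{SpaceID: spaceID, KeyID: keyID, Sealed: g.Seal(nonce, nonce, []byte(text), nil)}, nil
}

// DecryptMessage is the receiving App's step once it holds the key the KeyID links to.
func DecryptMessage(key []byte, m StoredMessage) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	g, _ := cipher.NewGCM(block)
	if len(m.Sealed) < g.NonceSize() {
		return "", errors.New("truncated message")
	}
	pt, err := g.Open(nil, m.Sealed[:g.NonceSize()], m.Sealed[g.NonceSize():], nil)
	return string(pt), err
}
```

The Content Server in this model only ever stores `StoredMessage` values, which carry the key id but never the key, so the access decision is made once, at the KMS, and not at every read of the stored ciphertext.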
Searching Webex Teams Spaces: Building a Search Index
The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content
A Search Index is built by creating a fixed length hash* of each word in each message within a Space
The hashed indexes for each Webex Teams Space are stored by the Content Service
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each space
Diagram: the Indexing Service passes each word of the message "Webex IS the message" through the Hash Algorithm, giving fixed length hashes (B9 57 FE 48, i.e. B957FE48) that are held for the Search Service in the Webex Cloud; the Content Server and Key Mgmt Service also appear
Webex Teams spaces: Querying a Search Index
Search for the word "Webex"
App sends search request over a secure connection to the Indexing Service
The Indexing Service uses per space search keys to hash the search terms
The Search Service searches for a match in the hash tables and returns matching content to the App*
* A link to the Conversation Encryption Key is sent with the encrypted message
Diagram: "Webex" is hashed with the space's search key to "B9"; the Search Service matches "B9" in the stored hashes (B9 57 FE 48) and the encrypted message "Webex IS the Message" is returned from the Content Server to the App, which can fetch the linked key from the Key Mgmt Service
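The index build on the previous slide and the query on this one, as an added Go example that is not Cisco's code: every word of a message is hashed with a per-space HMAC-SHA256 search key, truncated to a fixed length and stored in a table that maps the hash to message ids; a query hashes the term with the same space key and looks it up, so the Search Service handles only hashes. The 256-bit key size and the 4-byte truncation are assumptions; the slides show only an 8-hex-character hash such as B957FE48 and say the key is a per-space SHA-256 HMAC key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Indexer plays the Indexing Service: it holds one search key per space and hashes
// words with it. Key size and the 4-byte truncation are assumptions for this example.
type Indexer struct {
	searchKeys map[string][]byte
}

func NewIndexer() *Indexer { return &Indexer{searchKeys: map[string][]byte{}} }

// NewSpace generates a fresh search key for the space ("a new hashing key is used for each space").
func (ix *Indexer) NewSpace(spaceID string) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ix.searchKeys[spaceID] = key
}

// Tokenize splits a message into lower-cased words with surrounding punctuation trimmed.
func Tokenize(text string) []string {
	var words []string
	for _, w := range strings.Fields(strings.ToLower(text)) {
		if w = strings.Trim(w, ".,!?;:\"'()"); w != "" {
			words = append(words, w)
		}
	}
	return words
}

// HashTerm is the per-space keyed hash of one word, truncated to 4 bytes and printed
// like the slide's B957FE48. Without the space's key the hash cannot be recomputed.
func (ix *Indexer) HashTerm(spaceID, word string) string {
	m := hmac.New(sha256.New, ix.searchKeys[spaceID])
	m.Write([]byte(strings.ToLower(word)))
	return strings.ToUpper(hex.EncodeToString(m.Sum(nil)[:4]))
}

// SearchIndex is the Search Service's table: term hash -> ids of messages containing
// the term. It stores no plaintext and no keys.
type SearchIndex map[string][]string

// IndexMessage is the indexing step: hash every distinct word of a message with the space key.
func (ix *Indexer) IndexMessage(idx SearchIndex, spaceID, msgID, text string) {
	seen := map[string]bool{}
	for _, w := range Tokenize(text) {
		h := ix.HashTerm(spaceID, w)
		if !seen[h] {
			seen[h] = true
			idx[h] = append(idx[h], msgID)
		}
	}
}

// Query is the search step: hash the query term with the same space key and look it up.
// The Search Service only ever receives the hash, never the word.
func (ix *Indexer) Query(idx SearchIndex, spaceID, term string) []string {
	return idx[ix.HashTerm(spaceID, term)]
}
```

Two consequences worth noting for anyone reviewing such a design. Because the key differs per space, the same word produces unrelated hashes in two spaces, so the index gives no cross-space frequency information. And because the hash is truncated, distinct words can occasionally share a hash; in this example that yields a spurious message id, which the App would discard after decrypting the returned message and failing to find the term.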
Webex Teams E-Discovery Service: (1)
Compliance Officer selects messages and files to be retrieved for E-Discovery in Cisco Webex Control Hub, e.g. based on date range / content type / username(s)
The Indexing Service requests a search of related hashed content
The Content Server returns matching content to the E-Discovery Service
Diagram: the selection (Jo Smith's Content) is passed through the Hash Algorithm to X1GFT5YY; the Search Service matches it and the Content Server returns Jo Smith's encrypted content to the E-Discovery Service; the Key Mgmt Service also appears in the Webex Cloud
Webex Teams E-Discovery Service: (2)
The E-Discovery Service decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
The E-Discovery Storage Service sends the compressed and encrypted content to the Administrator on request
Diagram: Jo Smith's Messages and Files flow, encrypted, from the Content Server through the E-Discovery Service to E-Discov. Storage in the Webex Cloud; Cisco Webex Control Hub shows "E-Discovery Content Ready"
Webex Teams – Hybrid Data Security (HDS)
Hybrid Data Services = On Premise: Key Management Server, Indexing Server, E-Discovery Service
Diagram: the Key Mgmt Service, Indexing Service and E-Discovery Service move from the Webex Cloud into the customer's Secure Data Center; the Content Server stays in the Webex Cloud
HDS – Encrypting Messages & Content
Webex Teams Apps request an encryption key from the HDS Key Management Server
Any messages or files sent by an App are encrypted before being sent to the Webex Cloud
Encrypted messages and content stored in the cloud
Encryption Keys stored locally
Diagram: the Key Management Service sits in the Secure Data Center; the Content Server in the Webex Cloud holds only the encrypted messages
Hybrid Data Security – Secure App Connections
Webex Teams Apps establish a direct secure connection to the On Premise HDS node KMS service
This encrypted peer to peer session traverses the Webex Cloud
Diagram: App to Cloud TLS connection to the Webex Teams Service; App to HDS secure connection (ECDHE, AES-256-GCM) to the Hybrid Data Security Node in the Secure Data Centre, passing through the Webex Cloud (Content Server, Search Service)
Hybrid Data Security: Search Indexing Service
The Indexing Service enables users to search for names and words in the encrypted messages stored in the Content Server without decrypting content
* A new hashing key (Search Key) is used for each space
Diagram: the Indexing Service, now in the Secure Data Centre alongside the Key Mgmt Service, passes each word of "Webex IS the message" through the Hash Algorithm (B9 57 FE 48, i.e. B957FE48); the Search Service and Content Server remain in the Webex Cloud
Hybrid Data Security: Querying a Search Index
Search for the word "Webex"
The Indexing Service sends a hashed index of the App's search request to the Search Service
* A link to the Conversation Encryption Key is sent with the message
Diagram: "Webex" is hashed in the Secure Data Center to "B9"; the Search Service in the Webex Cloud matches B9 in the stored hashes (B9 57 FE 48) and the Content Server returns the encrypted message "Webex IS the Message"
Webex Teams E-Discovery Service: (1)
Compliance Officer selects a group of messages and files to be retrieved for E-Discovery in Cisco Webex Control Hub, e.g. based on date range / content type / username(s)
The Indexing Service sends hashed search criteria to the Search Service
The Content Server returns matching content to the E-Discovery Service
Diagram: the Indexing Service, Key Mgmt Service and E-Discovery Service sit in the Secure Data Center; the selection (Jo Smith's Content) is hashed to X1GFT5YY and matched by the Search Service in the Webex Cloud, and the Content Server returns Jo Smith's encrypted content
Webex Teams E-Discovery Service: (2)
E-Discovery Service: decrypts content from the Content Server, then compresses and re-encrypts it before sending it to the E-Discovery Storage Service
E-Discovery Storage Service: sends the compressed and encrypted content to the Administrator on request
Diagram: Jo Smith's Messages and Files flow, encrypted, from the Content Server in the Webex Cloud to the E-Discovery Service and E-Discov. Storage in the Secure Data Center; Cisco Webex Control Hub shows "E-Discovery Content Ready"
HDS: Encryption Keys & Users in other Organizations
Webex Teams Spaces with users from multiple Organisations can share encrypted messages and content
How do external users retrieve encryption keys from the KMS of the Organisation that owns the Webex Teams Space?
Diagram: Organisation A and Organisation B each run their own Key Mgmt Service; the encrypted messages are stored in the Content Server in the Webex Cloud
HDS: Key Management Server Federation
Hybrid Key Management Servers in different Organisations establish an encrypted connection via the Webex Cloud
Hybrid Key Management Servers make outbound connections only: HTTPS, Web Socket Secure (WSS)
Diagram: the Organisation A and Organisation B Key Mgmt Services are connected through the Webex Cloud; encrypted messages remain in the Content Server
HDS: Key Management Server Federation
With a secure connection between Key Management Servers, federated KMSs can request space Encryption Keys from one another on behalf of their Users
Diagram: the Organisation A and Organisation B Key Mgmt Services exchange key requests via the Webex Cloud; messages remain in the Content Server
The most advanced collaboration platform: Comprehensive | Unified | Open | Interoperable
Cisco Webex: Call, Message, Meet, Devices, Contact center, Integration
Integrations: Microsoft, Slack, Salesforce, Jira, + 24,000 more
Across devices & browsers; Open platform; Enterprise-grade security; Edge services; On-prem, hybrid & cloud; Cognitive collaboration; Network; Global Backbone; Analytics
Demo: Webex Meetings, Webex Teams, Control Hub