Webex Teams Data Protection

Webex Teams uses the following mechanisms to protect data in transit:

• All signaling connections from Webex Teams and Webex devices are protected using an encrypted TLS session. TLS cipher suites use 256-bit or 128-bit symmetric cipher key sizes, and SHA-2 family hash functions. TLS cipher suites using 256-bit symmetric cipher keys are preferred. For example:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

• Only TLS version 1.2 is supported.

• Webex Teams TLS servers also support TLS_FALLBACK_SCSV (https://datatracker.ietf.org/doc/rfc7507/) to prevent TLS version downgrade attacks.

• All messages and content (files) sent by Webex Teams are encrypted before they are sent over the TLS connection. Encrypted messages and content sent by Webex Teams use AES_256_GCM encryption keys.

• Media streams (voice, video, and screen share) from Webex Teams and devices are encrypted using SRTP with the AES_CM_128_HMAC_SHA1_80 cipher suite. SRTP ciphers are negotiated using SDES. For more information, see https://tools.ietf.org/html/rfc4568.
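As an added illustration of the transport policy in the bullets above (example code, not Cisco's or the Webex service's own), the Go program below configures a TLS server that accepts only TLS 1.2 with the ECDHE-RSA AES-256-GCM SHA-384 suite and runs an in-memory handshake against it; the self-signed certificate, the function names and the use of net.Pipe are assumptions made for an offline demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ServerPolicy mirrors the page's transport rules: TLS 1.2 only, one ECDHE-RSA AES-256-GCM SHA-384 suite.
func ServerPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // refuse anything newer or older
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
	}
}

// SelfSignedRSA builds a throwaway RSA certificate for the offline demo (ECDHE_RSA needs an RSA key).
func SelfSignedRSA() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one in-memory handshake over net.Pipe and returns the client's
// view of what was negotiated; a client outside the policy gets an error.
func Handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	a, b := net.Pipe()
	defer a.Close()
	go tls.Server(a, server).Handshake() // server errors surface as a client alert
	cli := tls.Client(b, client)
	err := cli.Handshake()
	return cli.ConnectionState(), err
}
```

A client that offers both TLS 1.3 and 1.2 is settled at 1.2 with the AES-256-GCM suite, while a client that offers only TLS 1.3 (or only older versions) is refused with a protocol-version alert.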

Figure 6-45 shows TLS connections from Webex Teams and Webex devices to the Webex cloud.

Figure 6-45 TLS connections from Webex Teams and Webex devices to the Webex cloud

Webex Teams and Webex devices make outbound connections only to the Cisco Webex cloud, and Webex Teams services support only TLS version 1.2.

Webex Teams supports the TLS Fallback Signaling Cipher Suite Value (SCSV) feature, which is used to prevent TLS version downgrade attacks: when the app retries a connection at a lower TLS version, it includes the SCSV to indicate to the TLS server that the connection should only be established if the highest TLS version supported by the server is equal to, or lower than, the version offered by the app. Also, all Webex Teams data in transit (including the UUID) is encrypted using Transport Layer Security (TLS).

By default, all encrypted files and encrypted messages sent by Webex Teams to the Webex Teams Service are stored in U.S. data centers. The encrypted files and messages are stored in an encrypted database that is replicated for redundancy. For files, customers can choose to deploy an Enterprise Content Management service, such as Microsoft OneDrive or SharePoint Online, for Webex Teams file storage and distribution.

Any customers who are concerned about Cisco storing their message and file encryption keys and content can choose to deploy an on-premises (encryption) Key Management Server (KMS), which is a component of the Webex Hybrid Data Security platform. The KMS controls and manages the encryption keys for content stored in Webex data centers. Encryption keys for content are created, distributed, and stored on the customer’s premises. KMS has a secure (TLS) connection to the Webex cloud and can distribute keys to Webex Teams over a dedicated TLS connection between the KMS and Webex Teams. As shown in Figure 6-46, the on-premises KMS service can run on one or more Hybrid Data Security Nodes in your data center.

Figure 6-46 On-premises hybrid data security services

When Hybrid Data Security Nodes are deployed on the customer premises, encrypted files and content are stored in Webex Teams data centers, while their encryption keys are stored and managed locally. To read any file or message sent to the Webex cloud, two pieces of information are required:

• The encrypted file or message

• The encryption key used to secure it
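To make the two-piece requirement concrete, here is an added Go example (not Cisco's Hybrid Data Security code) in which a stand-in KMS type holds AES-256 keys by ID while the cloud-side record only ever carries ciphertext, nonce and key ID; the type and function names, the key-ID scheme and the use of the key ID as GCM associated data are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredContent is all the cloud-side store keeps; the 256-bit key stays in the KMS.
type StoredContent struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}
// KMS stands in for the Hybrid Data Security key server: key ID -> 32-byte AES key (assumed shape).
type KMS map[string][]byte

func (k KMS) aeadFor(id string) (cipher.AEAD, error) {
	key, ok := k[id]
	if !ok {
		return nil, fmt.Errorf("kms: no key for id %q", id)
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals msg on the client before it crosses TLS; the key ID is bound as AAD so a blob cannot be re-labelled.
func (k KMS) Encrypt(keyID string, msg []byte) (StoredContent, error) {
	aead, err := k.aeadFor(keyID)
	if err != nil {
		return StoredContent{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredContent{}, err
	}
	return StoredContent{keyID, nonce, aead.Seal(nil, nonce, msg, []byte(keyID))}, nil
}

// Decrypt needs both pieces: the stored blob and the key the KMS holds for its ID; a modified blob fails the tag check.
func (k KMS) Decrypt(sc StoredContent) ([]byte, error) {
	aead, err := k.aeadFor(sc.KeyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sc.Nonce, sc.Ciphertext, []byte(sc.KeyID))
}
```

A store that lacks the KMS cannot open a blob at all, and any bit flip in the stored ciphertext, nonce or key ID is rejected by the GCM authentication tag rather than yielding garbled plaintext.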

All customer data within Webex Teams is encrypted and is inaccessible to Cisco personnel without authorization. Attempts to access encrypted customer content without authorization by any employee would be a violation of Cisco policy and would be investigated, and the employee would be subject to disciplinary action up to and including termination of employment.

In an effort to protect customers’ interests, Cisco has outlined the steps for sharing requests for data. Details can be found at https://www.cisco.com/c/en/us/about/trust-center/transparency.html.

By default, all content (messages and files) sent to Webex Teams spaces is securely stored in Webex Teams data centers. Using Webex Teams APIs, customers have the option to archive a copy of this content with a third-party data archival company (for example, Actiance, Global Relay, or Verint Verba). Customers can retrieve and store content on their own archival system.

Cisco has also developed a Webex Teams API framework that allows enterprise customers to store all their files with their preferred Enterprise Content Management (ECM) provider (for example, OneDrive, Box, or Google Drive) instead of in the Webex cloud. Customers can also use the API for Enterprise Content Management to store files within their enterprise network. For more information, see the “Webex App | Microsoft OneDrive and SharePoint Online” article at https://help.webex.com/article/nuz39yeb. Figure 6-47 shows the Webex Teams API for Enterprise Content Management.

Figure 6-47 Webex Teams API for Enterprise Content Management

File version control is maintained by the ECM application. Webex Teams uses the standard Microsoft Graph API for ECM integration with Microsoft OneDrive or SharePoint Online. For more information, see https://docs.microsoft.com/en-us/onedrive/developer/rest-api/?view=odsp-graph-online.
