Webex Teams Apps – Data at Rest Protection

Encryption of data at rest applies not only to content stored in the Webex cloud, but also to content stored by Webex Teams apps. The following content is securely stored by Webex Teams for Windows, macOS, iOS, and Android:

• Messages

• Preview files and files converted to Portable Network Graphics (PNG) file format

• Space encryption keys

• Profile pictures

• Space details

• Meeting details

• Whiteboard files

• OAuth tokens

Webex Teams apps on desktop and mobile devices store this content in an SQLite database that is encrypted using the AES-256-OFB algorithm. The master key for the SQLite database is encrypted by and stored in the platform OS secure store (for example, Windows Data Protection API, macOS/iOS Secure Enclave and Keychain, and Android Keystore).

Figure 6-48 shows the Webex Teams feature for encrypting data at rest.


Figure 6-48 Webex Teams encryption of data at rest

Files downloaded by the Webex Teams app are decrypted prior to storage. The storage location of downloaded files is determined by the user (for example, the Windows Downloads folder).

Webex Teams App for Web – Data Storage

Webex Teams for Web (https://teams.webex.com) does not permanently store content. Messages, files, encryption keys, and tokens are deleted when the browser or browser tab is closed. One exception is when the user selects the “Remember Me” option to bypass user authentication. In this case, the access and refresh tokens are stored and reused when Webex Teams is relaunched in the browser.

Webex Teams Indexing Service

The Webex Teams Indexing Service enables rapid searches of messages, files (filenames), people (usernames) and places (space names and team names) by Webex Teams users.

Typically, the Webex Teams Indexing Service resides in the Webex cloud (see Figure 6-49), but it can also be deployed on a customer’s premises as a component of the Hybrid Data Security Service (see Figure 6-50). This service parses, stems, and hashes terms in all messages and filenames in spaces, as well as usernames and space names, to create a series of hashed indexes. These hashed indexes are stored in the Search Service in the Webex cloud. Indexing takes place for each message and file (name) posted by a Webex Teams user. Indexing involves decrypting the posted content, followed by the indexing process. Decrypted messages and filenames are deleted immediately after the indexing process is completed. User search requests use the Search service in the Webex cloud to find either content in spaces and team spaces that the user is a member of or names of other users and spaces.


Figure 6-49 Webex cloud-based indexing and search services


Figure 6-50 Customer premises-based indexing and search services for Webex Teams hosted on a Hybrid Data Security Node

When deployed on-premises, Hybrid Data Security (HDS) services provide an additional benefit: decryption of posted content for indexing takes place on the customer premises, not in the Webex cloud. The encryption keys for messages and files are also owned, stored, and managed on the customer’s premises as part of the Hybrid Data Security service.
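The parse, stem, and hash pipeline described for the Indexing Service can be sketched as follows. This is an added example, not Cisco's code: the page does not say which hash is used, so HMAC-SHA-256 under a hypothetical per-organization key (`INDEX_KEY`), the toy `stem` function, and the `SearchStore` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a secret held only by the indexing service. A keyed hash is
# used because unkeyed digests of common words can be guessed by dictionary.
INDEX_KEY = b"constructed-demo-key-not-a-real-secret"

def stem(term: str) -> str:
    """Toy suffix stripper standing in for a real stemmer (assumption)."""
    for suffix in ("ing", "ed", "es", "s"):
        if term.endswith(suffix) and len(term) - len(suffix) >= 3:
            return term[: -len(suffix)]
    return term

def hashed_terms(text: str) -> set[str]:
    """Parse, stem and hash: the three steps the page names."""
    terms = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hmac.new(INDEX_KEY, stem(t).encode(), hashlib.sha256).hexdigest()
        for t in terms
    }

class SearchStore:
    """Cloud-side store: holds only term digests and opaque message IDs."""
    def __init__(self):
        self.postings: dict[str, set[str]] = {}

    def add(self, message_id: str, digests: set[str]) -> None:
        for d in digests:
            self.postings.setdefault(d, set()).add(message_id)

    def search(self, digests: set[str]) -> set[str]:
        """Return IDs of messages that contain every queried digest."""
        hits = [self.postings.get(d, set()) for d in digests]
        return set.intersection(*hits) if hits else set()

def index_message(store: SearchStore, message_id: str, plaintext: str) -> None:
    """Indexer side: plaintext is used only to derive digests, never stored."""
    store.add(message_id, hashed_terms(plaintext))

# Constructed sample messages, not real Webex content.
store = SearchStore()
index_message(store, "msg-1", "Quarterly budgets were approved")
index_message(store, "msg-2", "Please review the approved design")
```

A query is hashed with the same key before it reaches the store, so `store.search(hashed_terms("budget approved"))` matches on digests alone. In the on-premises deployment the page describes, `index_message` and the key would run on the Hybrid Data Security node while only `SearchStore` lives in the cloud.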
