#ciscolivela 2017 presentacion de miro polakovic

Presentation Title

Presenter Name and TitleSession ID

Cisco Spark Platform & On Premise Security Explained

Miro Polakovic

Technical Marketing Engineer

Cisco Collaboration Technology Group

BRKCOL-2030

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco SparkQuestions? Use Cisco Spark to chat with the speaker after the session

1. Find this session in the Cisco Live Mobile App2. Click “Join the Discussion”3. Install Spark or go directly to the space4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKCOL-2030Cisco Spark spaces will be available until November 17, 2017.

AgendaIntroduction – Cisco Spark Security

Realms of Separation and Identity Obfuscation

Cloud based Data Security and Data ServicesSynchronizing User IDs with Cisco Spark Platform & Single Sign On Support

Secure Cloud Connection, Data Encryption, secure search indexing

Compliance & E-Discovery Services, Retention Policies, Data ownership

Hybrid Data Security (HDS)KMS on premise, Architecture, Search, Firewalls, Federation

Firewalls and Proxies SupportWebEx update

Management, Pro-Pack, SSO, Best Practices


Business Messaging Over Time…

BRKCOL-2030

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Lock rooms to moderate room participants and content*

*Not included in free

User Access Controls IT Management

Add Single Sign-On, directory sync, and view analytics

End-to-end encryption in the cloud, and in-transit and media encryption

Encryption

Business Class Security Features

BRKCOL-2030


Security and Compliance ChallengeShadow IT vs. Corporate IT

Open Collaboration Secured

Anywhere Access

Fully Searchable

Data, App IntegratedCloud Managed

DiscoverableEnterprise Integrated

EncryptedCompliant

No CompromiseCollaboration

BRKCOL-2030

Cloud Based Security and Data Services


Cisco Spark Platform

EndtoEndEncryption+KeyManagement

HybridDataSecurity

AdvancedAnalytics

ü Operationalü Behavioralü Productivityü Utilization

EnterpriseIdentity&AccessManagement

RetentionPolicies

eDiscoverySearch

DataLossPrevention

Security, Compliance & AnalyticsIT Requirements

Meetings

Business Messaging

Cisco Spark Devices

Bots,Integrations

Calling

FileSharing


Cisco Collaboration Cloud Security - Realms of Separation

10BRKCOL-2030

Identity Service Content Server

Key Mgmt Service Indexing Service Compliance Service

Cisco Spark logically and physically separates functional components within the cloud

Identity Services holding real user Identity (e.g. email addresses) are separated from :

Encryption, Indexing and Compliance Services, which are in turn separated from :

Data Storage Services

Data Center A Data Center B Data Center C


Realms of Separation – Encryption and Storage

11BRKCOL-2030



Cisco Spark logically and physically separates functional components within the cloud

Data Services such as Encryption Key Generation, Secure Message Indexing for Data Search, and Data Compliance functions operate in different Data Centers from the Data Center that encrypted content is

stored in

Data Storage services never have access to Encryption Keys


xxxxxxxxmessage


Realms of Separation – Identity Obfuscation

12BRKCOL-2030



Outside of the Identity Service - Real Identity information is obfuscated :

For each User ID, Spark generates a random 128-bit Universally Unique Identifier (UUID) = The User’s obfuscated identity

No real identity information transits, or is stored elsewhere in the cloud


[email protected]


Cisco Spark – User Identity Sync and Authentication

13BRKCOL-2030

Directory Sync

User Info can be synchronized from the Enterprise Active Directory

Multiple User attributes can be synchronized

Scheduled sync tracks employee changes

Passwords are not synchronized - User :1) Creates a password

or2) Uses SSO for Auth

Identity Service


Cisco Spark – SAML SSO Authentication

14BRKCOL-2030

Directory Sync

SAML SSO

SSO for User Authentication :

Administrators can work with their existing SSO solution

Identity Providers are using Security Assertion MarkupLanguage (SAML) 2.0 and OAuth 2.0

Identity Service

IdP


On - Premise Identity as a Service

Cisco Collaboration Identity PartnersCisco Spark Integrates to Enterprise IDP’s on Premise or in Cloud

Cloud Based SecuritySecure Messages and Content

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17BRKCOL-2030

Direct Internet access – Cisco Spark app connection

Cisco Spark Services

IdP

Identity Service

1) Customer downloads and installs Cisco Spark application (with Trust anchors)

2) Cisco Spark Client establishes a secure TLS connection with Cisco Spark Platform

3) Cisco Spark Identity Service prompts for an e-mail ID

4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO)

5) OAuth Access and Refresh Tokens created and sent to Cisco Spark app

• The Access Tokens contain details of the Spark resources the User is authorized to access

5) Spark Client presents its Access Tokens to register with Spark Services over a secure channel

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18BRKCOL-2030

Direct Internet access – Cisco Spark Device connection

Spark ServiceIdentity Service

1) User enters 16 digit activation code received via e-mail from the Spark provisioning service

2) Device authenticated by Identity Service (Trust anchors sent to device and secure connection established)

3) OAuth Access and Refresh Tokens created and sent to Spark Client

• The Access Tokens contain details of the Spark resources the User is authorized to access

5) Spark Client presents its Access Tokens to register with Spark Services over a secure channel

1234567890123456


Content Server Key Mgmt Service

message messagemessagefilefilemessage

Cisco Spark - Encrypting Messages and Content

19BRKCOL-2030

Spark Clients request a conversation encryption key from

the Key Management Service

Any messages or files sent by a Client are encrypted before being sent to the Cisco Spark Platform

Each Spark Room uses a different Conversation Encryption key

Key Management Service

AES256-GCM cipher used for Encryption


Encrypted messages sent by a Client are stored in the Cisco Spark

Platform and also sent on to every other Client in the Spark Space

Key Mgmt Service

messagemessagemessage

Content Server

message messagemessage

Cisco Spark - Decrypting Messages and Content

20BRKCOL-2030

If needed, Cisco Spark app can retrieve encryption keys from the Key

Management Service


The encrypted message also contains a link to the conversation encryption

key

Cloud Based SecuritySecure Search, Indexing & eDiscovery


Indexing Service

Spark IS the messageSparkIS themessage

Content Server

Spark IS the message

Key Mgmt Service

###################

Searching Spaces: Building a Search Index

22BRKCOL-2030

The Indexing Service : Enables users to search for

names and words in the encrypted messages stored

in the Content Server

A Search Index is built by creating a fixed length

hash* of each word in each message within a Space

###################

B957FE48

B9 57 FE 48

Hash Algorithm

###################

Indexing Service

The hashes for each Spark Space are stored by the

Content Service

###################

* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room


Indexing Service

“Spark”Spark


###################

Searching Space: Querying a Search IndexSearch for the word “Spark”

23BRKCOL-2030

Client sends search request over a secure connection to

the Indexing Service

The Content Server searches for a match in it’s

Hash tables and returns matching content to the

client *###################

B957FE48

B9 57 FE 48

Hash Algorithm

Indexing Service

“Spark”

Search for the word “Spark”

“B9”

B9 57 FE 48

######################################

Spark IS the Message

B9 The Indexing Service uses Per Space Search keys to

hash the search terms

*A link to Conversation Encryption Key is sent with encrypted message

Enterprise Compliance - eDiscovery Search§ Compliance Console and eDiscovery features support investigating DLP and

other compliance events with speed and accuracy§ Events API allows integration with systems for IT governance (CASB, DLP)

Value to Enterprise§ Meet HR, GRC & Legal compliance mandates§ Only authorized members of the DLP, HR and

GRC teams can investigate events


Organization (org)

• Collection of users under the administrative domain of a single entity and has rights to the content of users.

Spaces

• Ownership falls on the org of the user that creates the space.

• Space properties, content, events

Teams• Ownership falls on the org of the user that creates the team.• This organization also owns all spaces created under the team.

Cisco Spark Content Ownership


What does Content Ownership get you?Owning Organization Participating

OrganizationCREATEPost content into the space No NoREADRead content (messages and files) posted by its own users into the space Yes Yes

Read content posted by any user in the space Yes No

UPDATE

Modify content posted by users into the space No No

DELETE

Delete content posted by its own users in the space Yes Yes

Delete content posted by any user in the space Yes No

Define retention policies for the space Yes No

Protect the End user!

Compliance Officer role


Search Spark Space Activity

Cisco Spark Search and Extraction ConsoleEnable legal discovery and incident investigation

Extension of Cisco Cloud Collaboration

Management

Compliance Officer Role

Search on email ID, Room ID, keywords

Extraction of texts, Files and

contextual data

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicCloud Collaboration Management Portal

Indexing Service

Jo Smith’s ContentJo Smith’s Content


###################

Cisco Spark Compliance Service : E-Discovery (1)

Compliance Officer selects a group of messages and files to be retrieved for E-Discovery e.g. : based on date range/ content type/

user(s)

The Content Server returns matching content to the

Compliance Service

###################

X1GFT5YYHash Algorithm

Indexing Service

Jo Smith’s Content

“X1GFT5YY”


###################

X1GFT5YY

The Indexing Service searches Content Server for

related content

Compliance Service

###################


###################


###################


E-Discov. Storage

Compliance ServiceContent Server Key Mgmt Service


The Compliance Service :Decrypts content from the

Content Server, then compresses and re-

encrypts it before sending it to the E-Discovery Storage

ServiceThe E-Discovery Storage

Service : Sends the compressed and

encrypted content to Compliance Officer

Compliance Service

Cloud Collaboration Management Portal

Jo Smith’s Content###################Jo Smith’s Content###################Jo Smith’s Content###################

Jo Smith’s Messages and Files

######################################################

######################################################


E-Discovery Content Ready


Event API for Data Loss Prevention (DLP) Integrate with DLP, Cloud Access Security Broker (CASB), Archival and eDiscovery solutions

Provides a stream of events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data

Third party DLP or CASB

Cisco Spark Stream of events

policiesCorrective actions

Delete contentRemove user

Delete title

Content Server

Key Management

Server

Retention Policies§ Match message, meeting record and file storage for corporate risk management§ Includes white board records§ Content is deleted -- including backups

Value to Enterprise§ Control exposure by limiting amount of content in the cloud§ Align and unify policies across email, message products

Customer Controlled SecurityHybrid Data Security

Hybrid Data Security§ Creates a secure enclave in the customer data center to manage and provide

visibility to the keys that secure the content, actions, & data within Spark

Value to Enterprise§ Ownership & Control of key management § Assist enterprises in more highly regulated industries with meeting highest standards of

encryption and data loss prevention


Secure Data Center

Content Server

Key Mgmt Service

Cisco Spark – Hybrid Data Security (HDS)

34BRKCOL-2030

Compliance ServiceIndexing Service

Hybrid Data Security

Hybrid Data Services =

On Premise :Key Management Server

Indexing ServerE-Discovery Service


Secure Data Center

Content Server Key Mgmt Server

Cisco Spark – Hybrid Data Security: Key Management

35BRKCOL-2030

The Hybrid Key Management Server performs the same

functions as the Cloud based Key Management Server

Now all of the keys for messages and content are owned and managed by the Customer

BUT


Key Mgmt Service


Secure Data Center

Content Server

Key Mgmt Service

Hybrid Data Security traffic and Firewalls

36BRKCOL-2030

Compliance ServiceIndexing Service

Hybrid Data Servicesmake outbound connections only from the Enterprise to Cisco Spark Platform, using

HTTPS and Secure WebSockets (WSS)

No special Firewall configuration required

FirewallHybrid Data Security


Secure Data Center

Content Server

The Hybrid Data Security is managed and upgraded from the

cloud

Customer’s can access usage information for the HDS Servers via the cloud management portal

Multiple HDS servers can be provisioned for

Scalability & Load Sharing

Key Mgmt ServerKey Mgmt Service

Hybrid Data Security - Scalability





Secure Data Center

Key Mgmt Service


message messagemessagemessage

HDS - Encrypting Messages & Content

38BRKCOL-2030

Cisco Spark app request an encryption key from the Hybrid Key Management

Server

Any messages or files sent by a Client are encrypted before being sent to the

Cisco Spark Platform

Encrypted messages and content stored in the cloud


Encryption Keys stored locally


Secure Data Center

Key Mgmt Service

Encrypted messages from Clients are stored in Cisco Spark Platform

Key Mgmt Service

message

Content Server

message messagemessage

Cisco Spark App will retrieve encryption keys from the Hybrid Key

Management Server


These messages are sent to every other Client in the Spark Room and

contain a link to their encryption key on the Hybrid Key Management

Server

HDS - Decrypting Messages & Content

39BRKCOL-2030


Secure Data Center

Indexing Service

Spark IS the messageSparkIS themessage

Content Server

Spark IS the messageKey Mgmt Service

###################

The Indexing Service : Enables users to search for

names and words in the encrypted messages stored

in the Content Server

###################

B957FE48

B9 57 FE 48

Hash Algorithm

###################

Indexing Service

###################

* A new hashing key (Search Key) is used for each room

Hybrid Data Security: Search Indexing Service

40BRKCOL-2030


Secure Data Center

Indexing Service

“Spark”Spark

Content Server

Key Mgmt Service

###################

Hybrid Data Security: Querying a Search Index

41BRKCOL-2030

Client sends its search request over a secure

connection to the Indexing Service

###################

B9

B9 57 FE 48

Hash Algorithm

Indexing Service

“Spark”

Search for the word “Spark”

“B9”

B9 57 FE 48

######################################

Spark IS the Message B9

*A link to Conversation Encryption Key is sent with the encrypted message


Secure Data Center

Indexing Service

Content Server


X1GFT5YY

Indexing Service

Jo Smith’s ContentJo Smith’s ContentJo Smith’s Content

Key Mgmt ServiceCompliance Service


############################################################################

######################################Jo Smith’s Content Jo Smith’s ContentJo Smith’s Content“X1GFT5YY”X1GFT5YY

Hash Algorithm

Admin selects a group of messages and files to be retrieved for E-Discovery

e.g. : based on date range/ content type/ user(s)

The Content Server returns matching content to the

Compliance Service

The Indexing Service searches the Content

Server for selected content


Secure Data Center

Key Mgmt ServiceCompliance Service


E-Discov. StorageContent Server

Cisco Spark Compliance Service : E-Discovery (2)The Compliance Service :Decrypts content from the

Content Server, then compresses and re-encrypts it

before sending it to the E-Discovery Storage Service

E-Discovery Storage Service : Sends the compressed and

encrypted content to the Administrator on request

Jo Smith’s Content###################Jo Smith’s Content###################Jo Smith’s Content###################


######################################################

######################################################


E-Discovery Content Ready

Customer Controlled SecurityKey Management Server Federation


Hybrid Key Management Servers

in different Enterprises establish

a Mutual TLS* connection via Cisco

Spark Platform

Key Mgmt ServiceKey Mgmt Service


HDS: Key Management Server Federation

45BRKCOL-2030

Enterprise A Enterprise B

Hybrid Key Management Servers

make outbound connections only :

HTTPS, Web Socket Secure (WSS)

*AllconnectionstoandwithinCiscoSparkPlatformuseECDHtogeneratesymmetricEncryptionKeys


With a secure connection between

Hybrid KMSs…

Users can be added to rooms created by each

Enterprise

Key Mgmt ServiceKey Mgmt Service


HDS: Key Management Server Federation

46BRKCOL-2030

Enterprise A Enterprise B

Mutually Authenticated Hybrid

KMSs can request Room Encryption

Keys from one another on behalf of their

Users

Customer Controlled SecurityArchitecture and considerations


Secure Data Center A

Hybrid Data Security Architecture

vSphereHybrid Data Services Node (VM)

Docker

ECP MgmtContainer

HDSContainers

Hybrid Data Services Node (VM)

Docker

ECP MgmtContainer

HDSContainersHDS Cluster

Config File

IDE Mount

IDE Mount

ECP (Enterprise Compute Platform): Management containers which communicate with the cloud and perform actions such as sending health checks and checking for new versions of HDS.HDS (Hybrid Data Security): Key Management Server, Search Indexer, and eDiscovery Services.HDS Cluster Config: An ISO file containing configuration information for the local HDS cluster. e.g. Database connection settings, Database Master Encryption key, etc. IDE Mount: Mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for HDS system.

Customer Provided Services

PostgresDatabaseSyslogd

DatabaseBack Up

System Back Up


HDS includes:ü KMSü Search indexerü eDiscovery backend

Whilst HDS offers unique security features to customers in that they, and they alone, can store and own the encryption keys for their messages and content….

These benefits also come with significant responsibilities :

A HDS Deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys…

Complete loss of either the configuration ISO or the Postgres Database will result in loss of the decryption keys stored in HDS. This will prevent users from decrypting space content and other encrypted data. If this happens, an empty HDS can be restored, however, only new content will be visible.

49BRKCOL-2030

Hybrid Data Security – Positioning :HDS may not be desirable for all customers


HDS Install PrerequisitesSee prerequisites in https://www.cisco.com/go/hybrid-data-security

X.509 Certificate, Intermediates and Private KeyPKI is used for KMS to KMS federation (Public Key Infrastructure)Common Name signed by member of Mozzila Trusted Root StoreNo SHA1 signaturesPKCS12 format

2 ESXi Virtualized Hosts: Min 2 to support upgrades, 3 recommended, 5 maxMinimum 4 vCPUs, 8-GB main memory, 50-GB local hard disk space per serverkms://cisco.com easily supports 15K users per HDS.

1 Postgres 9.6.1 Database Instance (Key datastore)8 vCPU, 16 GB RAM, 2 TB Disk. User created with createuser. Assigned GRANT ALL PRIVILEGES ON database.

1 Syslog Hosthostname and port required to centralize syslog output from the three HDS instances and management containers

A secure backup locationThe HDS system requires organization administrators to securely backup two key pieces of information. 1) A configuration ISO file generated by this process 2) The postgres database. Failure to maintain adequate backups will result in loss of customer data. See <Section on Disaster Recovery>.

NetworkOutbound HTTPS on TCP port 443 from HDS hostBi-directional WSS on TCP port 443 from HDS hostTCP connectivity from HDS host to Postgres database host, syslog host and statsd host

50BRKCOL-2030

Cisco Spark Platform & Enterprise Firewalls


Connecting from the Enterprise - Firewalls

BRKCOL-2030 52

Whitelisted Ports and Destinations :

Media Port Ranges: Source UDP Ports : Voice 52000 - 52099, Video 52100- 52299Source TCP/ HTTP Ports : Ephemeral ( => No DSCP re-marking)Destination UDP/ TCP/ HTTP Port : 5004, 5006Destination IP Addresses : Any

• Spark Call (7800, 8800 Phones)• Spark Desk and Room Devices• Spark Clients• See following slides for details

SignallingMedia

Supported by most devices today, remaining devices on roadmap


Voice and Video Classification and MarkingSource Range Summary – Endpoints and Clients

BRKCOL-2030 53

Audio:52000-52099

Spark Soft Clients Spark Devices

Video:52100-52299

52000 - 52049 52050 - 52099 52100 - 52199 52200 - 52299


Spark Apps : Network Port and Whitelist RequirementsSpark Device Protocol Source Ports Destination

PortsDestination Function

Spark applications :

Windows, Mac, iOS,Android, Web

UDP Voice 52000 – 52049 Video 52100 – 52199

Exception - Windows (OS Firewall issue) Ephemeral source ports used today (Fix due by Q3 CY '17)

5004 &5006

Any IP Address SRTP over UDP to Cisco Spark Media Nodes

TCP Ephemeral 5004 & 5006

Any IP Address SRTP over TCP or HTTP to Cisco Spark Media Nodes

TCP Ephemeral 443identity.webex.comidbroker.webex.com*.wbx2.com*.webex.com*.ciscospark.com*.clouddrive.com*.rackcdn.com*.crashlytics.com*.mixpanel.com*.appsflyer.com*.adobetm.com*.omtrdc.net*.optimizely.com

HTTPSSpark Identity ServiceOAuth ServiceCore Spark ServicesIdentity managementCore Spark ServicesContent and Space StorageContent and Space StorageAnonymous crash dataAnonymous AnalyticsMobile Clients only - Ad AnalyticsWeb Clients only - AnalyticsWeb Clients only - TelemetryWeb Clients only - Metrics


Spark Devices : Network Port and Whitelist Requirements

Spark Device Protocol Source Ports Destination Ports

Destination Function

Desktop and Room Systems :

SX SeriesDX SeriesMX SeriesRoom KitsSpark Boards*

UDP Voice 52050 – 52099Video 52200 – 52299

5004 &5006

Any IP Address SRTP over UDP to Cisco Spark Media Nodes

TCP Ephemeral 5004 & 5006

Any IP Address SRTP over TCP or HTTP to Cisco Spark Media Nodes* (Not Spark Board)

TCP Ephemeral 443

identity.webex.comidbroker.webex.com*.wbx2.com*.webex.com*.ciscospark.com*.clouddrive.com*.rackcdn.com*.crashlytics.com*.mixpanel.com

HTTPS

Spark Identity ServiceOAuth ServiceCore Spark ServicesIdentity managementCore Spark ServicesContent and Space StorageContent and Space StorageAnonymous crash dataAnonymous Analytics

Spark Board TCP Ephemeral 80 www.cisco.com orwww.ciscospark.com orwww.google.com orwww.amazon.co.uk

HTTTP for time synchronization



BRKCOL-2030 56

Media Port Ranges: Source UDP Ports : Voice and Video 34000 - 34999Source TCP/ HTTP Ports : Ephemeral ( => No DSCP re-marking)Destination UDP/ TCP/ sRTP Port : 5004, 5006Destination IP Addresses : Any

Hybrid Media Node (HMN) :• Can be used to limit source IP address range to HMNs only• Hybrid Media Node Source UDP ports for voice and video are different to

those used by endpoints – Used for cascade links to Cisco Spark Platform• Voice and Video use a common UDP source port range : 33434 - 33598

SignallingMedia



BRKCOL-2030 57

Hybrid Data Security Node (HDS) :• Key Management Service• Indexing (Search) Service• E-Discovery Service

SignallingMedia

Hybrid Data Services

• HDS Signaling Traffic Only• Outbound HTTPS and WSS Signaling Only


HMN & HDS Nodes: Network Port & Whitelist Requirements

BRKCOL-2030 58

Spark Device Protocol Source Ports Destination Ports

Destination Function

Hybrid Media Node (HMN)

UDP Voice and Video use a common UDP source port range :

34000 - 34999

5004, 5006 Cascade Destination

Any IP Address Cascaded SRTP over UDP Media Streams to Cloud Media Nodes

TCP Ephemeral 5004Cascade Destination

Any IP Address Cascaded SRTP over TCP/HTTP Media Streams to Cloud Media Nodes

TCP Ephemeral 123, 53, 444 Any NTP, DNS, HTTPS

TCP Ephemeral 443 *wbx2.com*idbroker.webex.com

HTTPS Configuration Services

Hybrid Data Security Node (HDS)

TCP Ephemeral 443 *.wbx2.comidbroker.webex.comidentity.webex.comindex.docker.io

Outbound HTTPS and WSS

Cisco Spark Platform &Enterprise Proxies


• Proxy Address given to Device/Application……….

Connecting from the Enterprise - Proxy Types

BRKCOL-2030 60

Proxy Types:

• Transparent Proxy (Device/Application is unaware of Proxy existence)

• In Line Proxies (e.g. Combined Proxy and Firewall)

• Traffic Redirection (e.g. Using Cisco WCCP)

SignallingUDP Media

HTTP/HTTPS traffic only sent to the Proxy server e.g. Destination ports 80, 443, 8080, 8443


• Proxy Detection (Proxy Address given to Device/Application)

Connecting from the Enterprise – Proxy Detection

BRKCOL-2030 61

• Manual Configuration

• Auto Configuration (Proxy Auto-Config (PAC) files)

Proxy Address

Proxy Address

Proxy Address

PACPACPAC

SignallingUDP Media


Network Capabilities Spark Devices – Proxy Detection

BRKCOL-2030 62

Spark Device Protocol Software Train Proxy Detection Granular Configuration

Windows, Mac, iOS, Android, Web

HTTPS WME Yes : Manual Yes : PAC Files

Manually Configure Proxy Address or Use PAC files (or Windows GPO)

DX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface

SX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface

MX HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface

Room Kits HTTPS Room OS Yes : Manual using Web access Configure Proxy Address via device Web interface

Spark Board HTTPS Spark Board OS Yes : Manual Configuration Manual Configuration of Proxy Address

7800 Phones SIPHTTPS

Synergy Lite SIP – N/AHTTPS – No (Planned)

Deploy In Line Proxy or Traffic Redirection (WCCP)



Deploy In Line Proxy or Traffic Redirection (WCCP)

ATA SIP ATA SIP - N/A N/A


• Proxy Authentication

Connecting from the Enterprise – Proxy Authentication

BRKCOL-2030 63

• Proxy intercepts outbound HTTP request

• Authenticates the User (Username & Password)• Authenticated User’s traffic forwarded• Unauthenticated User’s traffic dropped/blocked

SignallingUDP Media

Proxy Authentication is not mandatory, Many Enterprises do No Authentication


• Basic Authentication

Common Proxy Authentication Methods

BRKCOL-2030 64

• Digest Authentication

• NTLMv2 Authentication

• Negotiate Authentication

• Kerberos

SignallingUDP Media


Proxy Authentication Bypass Methods

BRKCOL-2030 65

Manually Configure Proxy Server with :• Device IP Address

IP Address 10.100.200.1

SignallingUDP Media

10.100.200.3

identity.webex.comidbroker.webex.com*.wbx2.com*.webex.com*.ciscospark.com*.clouddrive.com*.crashlytics.com*.mixpanel.com*.rackcdn.com

• Whitelisted Destinations (e.g. *ciscospark.com)


Network Capabilities Spark Devices – Proxy Authentication

BRKCOL-2030 66

Spark Device Protocol Software Train Proxy Authentication Granular Configuration

Windows, Mac, iOS, Android, Web

HTTPS WME Basic - NoDigest - NoNTLM - Yes (Windows)Kerberos - No

Windows Only TodayOthers OSs use Authentication By Pass(Basic/ Digest/ Kerberos – Planned)

DX HTTPS Room OS Yes : Basic Auth – Web based ConfigDigest Auth - planned

Configure Username and Password for Proxy Authentication (Basic Auth)

SX HTTPS Room OS Yes : Basic Auth – Web based ConfigDigest Auth - planned


MX HTTPS Room OS Yes : Basic Auth – Web based ConfigDigest Auth - planned


Room Kits HTTPS Room OS Yes : Basic Auth – Web based ConfigDigest Auth - planned


Spark Board HTTPS Spark Board OS Yes : Basic Auth - Manual Configuration Configure Username and Password for Proxy Authentication (Basic Auth)



Authentication Bypass



Authentication Bypass

ATA SIP ATA SIP – N/A N/A


What do we send to Third Party sites?

BRKCOL-2030 67

Site Clients that Access It What is sent there UserPII?

AnonymizedUsage info?

EncryptedUser GeneratedContent

*.clouddrive.com Win, Mac, iOS, Android, Web, Spark Board

Encrypted files for Spark file sharing.Part of Rackspace content system.

N N Y

*.rackcdn.com Win, Mac, iOS, Android, Web, Spark Board

Encrypted files for Spark file sharing.Part of Rackspace content system.

N N Y

*.mixpanel.com Win, Mac, iOS, Android, Web

Anonymous usage data N Y N

*.appsflyer.com iOS, Android Anonymous usage data related to onboarding

N Y N

*.adobedtm.com Web Anonymous usage data N Y N

*.omtrdc.net Web Anonymous usage data N Y N

*.optimizely.com Web Anonymous usage data for AB testing

N Y N

WebEx update


Where should a new WebEx site be managed?

Choose Cisco Spark Control Hub:

• Customer is rolling out both WebEx and Cisco Spark and they desire a unified management experience across both

• When the customer doesn’t need the following features:

1. Extensive WebEx site branding and customization2. Tracking Codes for intra-company billing3. Group-level feature assignment

Choose WebEx Site Administration:

• The customer requires 1 or more of the advanced management features (1-3listed to the left)

• The customer can accept segregated management of WebEx and Cisco Spark

Document with detail on how to choose and feature differences will be linked in the UX and available at: https://goo.gl/EAK9ZY


• Cisco Spark linking is a process to enable WebEx sites WBS31 or above that are managed by WebEx Site Administration to leverage improved WebEx analytics on Cisco Spark Control Hub, and if the customer has purchased Pro Pack for Cisco Spark Control Hub can also leverage diagnostics.

• Note: WebEx sites that are already managed using Cisco Spark Control Hub do not need Cisco Spark linking

When should I use Cisco Spark linking? WebEx site is WBS31 or above & managed by WebEx Site Administrationand

1. wants WebEx analytics that are available through Cisco Spark Control Hub - OR -2. wants to easily roll out Cisco Spark for WebEx users

What is Cisco Spark Linking?


Pro-Pack for Cisco Spark Control Hub

Engagement, performance, diagnostics

Topline metrics

Visualization of trends / patterns (down to the individual user)

Key usage & user behavior


WebEx Analytics via the Pro Pack for Cisco Spark Control Hub

Identify recurring anomalies within historical trends

Easily see and drill down on problem areas

Explore detailed quality data(at the meeting and user level)

Search meetings in real-time


Single Sign-On (SSO) EnhancementsAdd Attendance Security to Internal Meetings

Feature Highlights• Identify or “tag” attendees in Participant list as

SSO authenticated: “Internal” or “Guest”• Require all participants to authenticate with SSO• Set up invite-only meetings and require internal

participants to authenticate with SSO(no forwarding of invite allowed)

• Available in Cisco WebEx® Meeting Center, Training Center, and Event Center

BRKCOL-2160 73

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKCOL-2160

SAML Session TokensIdP Session Token TTL

Generally less than one business day or 8 hours2nd Factor may or may not be stored or cached

WebEx SP Session Token TTLBrowser: 90 minutes (default)Mobile/Client: 336 hours or 14 days (default)TTL values can be customized upon request

SAML Session Tokens can expire before their TTL expiresUser closes browser or signs-outLoss of network connectionTokens have be revoked

74


Distinguish User Type in Lobby

• List of users in lobby sorted by signed in/non-signed in user

• Security feature of differentiating between internal and external users

• Option to select who can join

Remember Home Page

• Remembers signed-in user’s previously visited page

• Returns to previous visited page when app is relaunched

Mobile Improvements

BRKCOL-2160 75


Audio devices or Video end points do not have lobby experience. Hence these devices do not obey the new settings and unauthenticated users are still placed directly into open rooms.

Note: Video devices can be completely blocked today from Personal Room when this setting is on, but hurts the user experience. (Not Recommended)

Limitations and Caveats

BRKCOL-2160 76


WebEx: Secure as You Want it to BeSite level settings- Decline to list meeting on WebEx public site- Block Guest Access and ‘Join Before Host’- Exclude the meeting password from invitations (we do this by default now)- Control audio privileges (global call back, toll and toll free options) - Restrict mobile device access types- Press ‘1’ to connect on audio- Control global session types [chat/desktop share/remote control/file xfer/etc]Authentication based- Require meeting password, set password length/complexity requirements- Manually approve account sign-ups- Require Attendees to login. SSO even better- Leverage ‘guest’ vs ‘internal’ user labels. Inform hosts that on a per-meeting basis

they can exclude non-internal users- Speak with each call-in user in the meeting, and verify identity


WebEx: Secure as You Want it to BePersonal Room Settings- Force unauthorized users to Personal Room lobby- Autolock Personal Room after [n] minutesTelePresence Settings- Require TelePresence authentication/Meeting Pin- Enforce TLS for TelePresence participants In-Meeting Settings- Control in-meeting session types [chat/desktop share/remote control/file xfer/etc]- Eject/remove users that aren’t behaving properly, followup w/TAC InfoSEC if necessaryRecording Policy- Enforce recording passwords and authentication to retrieve.- Pull recordings from the site after (n) days

Cisco Spark Platform & On Premise Security Summary

What you’ve learnedCisco Spark have multiple data stores, Obfuscated User Identity

Cloud based Data Security and Data ServicesOption to sync user data and enable SSO

Traffic is always encrypted, Data-at-rest stored encrypted as well with Secure Search

Compliance & E-Discovery Services, Retention Policies, Data ownership

Hybrid Data Security (HDS)KMS on premise, Architecture, Search, Firewalls, Federation

Firewalls and Proxies Support

WebEx updateManagement, Pro-Pack, SSO, Best Practices


Continue Your Education• Demos in the Cisco campus

• Meet the Engineer 1:1 meetings

• Related sessions• BRKCOL-2699 Authorization and Authentication concepts for Collaboration• BRKCOL-2607 Understanding Cloud and Hybrid Cloud Collaboration Deployment• BRKCOL-2444 Evolution of Core Collaboration: Cloud and Hybrid Architectural Design• BRKCOL-2281 Steps to Successfully deploy Cisco Spark along with a media strategy

82BRKCOL-2030

Thank you