Webex Security and Compliance Overview
When it comes to enterprise collaboration, security is paramount. It’s the dealbreaker between flawless rollout and postponed implementation.
In this post, we walk through the key features of Webex security and compliance, and take a look at the certifications already attained.
Key features of Webex security
Webex uses standards-based, zero-trust, end-to-end (E2E) encryption to protect data transfers from your device to any other device in the world.
Messages are already encrypted before they arrive at servers in Cisco’s cloud and they are only decrypted when it reaches the destination device.
Cisco prides itself on security and has three dedicated departments which look specifically at security across all its products and services:
- Cisco Information Security (InfoSec) Cloud team
- Cisco Product Security Incident Response Team (PSIRT)
- Cisco TalosThreat Intelligence Group
Let’s dive into the four key areas when it comes to Webex security.
1 – Identity and device management
The Webex Control Hub is your secure gateway to managing all your devices, users, and permissions from a single interface.
When it comes to identity management, Webex incorporates adaptive authentication which applies a zero-trust approach to security and allows your IT department to enforce adaptive access policies based on various risk factors.
SAML-based single sign-on
Security assertion markup language (SAML) is a commonly used security standard that allows identity providers to share user authentication tokens with another service provider.
This means that users can enter their login information just once and be able to access multiple applications.
You can use the Webex Control Hub to link your identity provider to your organization which then helps your users to use the same credentials across all Webex apps and other internal tools you use.
Webex allows you to set different idle timeouts depending on whether or not your users are on your organization’s network (in-network) or an outside network (off-network).
You can choose anything from 0 (no timeout until the user decides to log out) to twelve hours of inactivity before the profile signs out automatically.
You can manage both from your Control Hub if you click on Management and then Organization Settings. Once there, go to Idle Timeouts and toggle on Webex web client timeout.
- For off-network: click on Off Network and specify the amount of time a Webex app can remain idle for;
- For in-network: enter a URL that allows CORS requests from web.webex.com. Then click on In-network and specify the amount of time an app can remain idle for;
Multi-factor authentication (MFA)
Administrators can add multi-factor authentication by visiting https://admin.webex.com, then going to Management -> Organization Settings and visiting the Authentication section.
Multi-factor authentication means that users would have to use a time-based, one-time password (TOTP) in order to access Webex.
They’d need to use authenticator apps like Windows Authenticator or Google Authenticator, although Duo is free both for iOS and Android.
User and group provisioning via SCIM
The system for cross-domain identity management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems.
Using SCIM for user or group provisioning means you can easily add and remove users from your company directory and external apps like Salesforce or Atlassian.
You can use Webex provisioning from the Control Hub to integrate users across multiple systems.
But, if you use Okta Integration Network, you first need to add Webex from the Okta application gallery to your managed applications and then proceed with configuring your Control Hub.
You can also add Webex to your Azure Active Directory and use the Azure AD Wizard app to configure which users, groups, or attributes to synchronize.
Domain claiming means that you automatically associate your users with your organization once they join Webex.
If you don’t claim your domain, then your users are created in a general organization alongside all other “free” users. If you already have such users, it’s best to convert them to your organization first before you claim your domain.
2 – Mobile device management
IT administrators can enforce specific limitations and rules around how users can use Webex on their mobile devices, either through the Control Hub or a third-party service provider.
Enterprise mobility management (EMM)
EMM allows your administrators to manage on what devices and under what conditions your Webex application can be accessed.
If the devices are owned by the enterprise, then these devices and all apps are enrolled in the mobile device management (MDM) app.
If, however, the devices are personally owned by the users, the Webex app is enrolled in and managed by the mobile application management (MAM) app.
You can set up your EMM using either one of these options (listed in the recommended order by Webex):
- Microsoft Intune
- App Wrapping
- Admin controls in Control Hub
Secondary authentication is an added security measure to make sure that only authorized individuals can access the application.
In the Authentication section, admins can enable MFA per user, for selected applications, or for the whole organization.
Block message copy and file download
Admins can use Microsoft Intune or AppConfig to block users from copying and pasting messages from within the app or to take screenshots from the app screen.
For example, Microsoft Intune can prevent users from sharing information between Webex for Intune and other apps but allow it for other corporate policy-managed applications.
Simply go to https://admin.webex.com and then Services -> Messaging -> Collaboration Restrictions.
There you can block file download, upload, or preview for different types of internal or external users.
Block jailbroken or rooted devices
Microsoft Intune also has the option to restrict users to access Webex for Intune on jailbroken or rooted devices in order to gain administrative or root access controls.
Minimum app version
Webex for Intune allows admins to specify the minimum app version in order for the application to run on mobile devices.
This is an important security measure, considering that security threats can evolve and change and software providers need to keep their app version up-to-date.
3 – Data protection
Webex offers two types of data encryption:
- End-to-end encryption for messages and other user-generated content
- Zero-trust end-to-end encryption for meetings
While both provide extra layers of protection against external attacks, there are some differences in the level of confidentiality they offer.
The end-to-end encryption uses the Webex Key Management System (KMS) to manage encryption keys while the zero-trust encryption uses Messaging Layer Security (MLS), which allows participants to generate a common encryption key available only to them and no one else (not even the Webex service, hence the Zero-Trust name).
Webex offers several levels of data encryption when it comes to data sharing or web conferencing. These are different based on your subscription plan with the Enterprise plan offering the highest levels of security encryption.
For instance, all plans offer TLS 1.2 (signaling) & AES-256-GCM (media) for high-speed data transference. However, recording encryption is available only on their Plus and Enterprise plan.
Data-sharing restrictions via Pro Pack are available only on the Enterprise plan.
Enterprise key management (EKM) or bring your own key
Users across all plans can use the platform’s native cloud Key Management Service (KMS) to encrypt any content before it leaves the Webex app. Enterprise clients also have the option to deploy all servers on-premise for an added level of security.
KMS provides encrypted search capabilities, controlled authorization, and industry-standard encryption of user-generated content, among other benefits.
Data loss prevention (DLP)
Webex offers a twofold approach to DLP.
First, the application keeps users aware of any data loss risks, the presence of external participants, or the retention policies applied for the context in which they’re communicating.
This comes with propagation control features such as read receipts, space access control, and moderator privileges.
The second approach allows for integration with third-party DLP software to monitor user actions and remediate possible violations.
Businesses can use out-of-the-box solutions with existing providers, work with Cisco Advanced Solutions to build custom integrations, or use the existing API documentation to build their own solutions.
This is the list of existing DLP solutions that integrate with the Webex app:
- Cisco Cloudlock
- McAfee (formerly SkyHigh)
- Prisma SaaS by Palo Alto Networks
- Microsoft Cloud App Security (MCAS)
- Theta Lake
Audit logs API
Having access to any admin changes or actions within the application is a common requirement for compliance purposes.
Full administrators can see any changes to the organizational settings as well as filter actions per user, date range, or per specific action. All of this information is available via the Control Hub and exposed to the REST API.
App and integration management
There are a number of Webex integrations to help businesses streamline and automate their operations. You can browse apps by category, product, or app type to find what you need.
4 – Information governance
Global retention policies
Webex clients can define their own retention policy which will apply to all of their meeting sites.
Admins can manage their retention periods by going to https://admin.webex.com and then Organizational Settings -> Retention.
Here, you can define how long you want to keep messages, whiteboards, and shared files as well as meetings recordings and other meeting-related content.
Compliance officers can use the Webex Control Hub to search content and metadata posted via the app by a specific user to make sure they’re complying with all internal and external regulations.
eDiscovery is available only for businesses that have a single Meeting site. If you have multiple Meeting sites, you’re advised to contact Cisco support for assistance.
Webex compliance certifications
Cisco has some of the most sought-after security and compliance certifications, so you can rest assured that your data and business are in safe hands.
Here’s a list of Webex’s compliance certificates:
|SOC2 Type II and SOC 3
|Service Organization Control (SOC) report is an audit on how a cloud-based service handles sensitive information. Both SOC 2 and SOC 3 are independent security frameworks developed by the American Institute of Certified Public Accountants (AICPA). The only difference between the two is the level of detail required (with SOC 2 requiring more detailed input).
|ISO 27001 / 27017 / 27018
|These are internationally recognized standards for information security.
|ISO 9001 certificate
|This standard sets out the criteria for a quality management system and follows clearly defined principles on how companies can obtain certification.
|Cloud Computing Compliance Controls Catalog (C5)
|C5, also referred to as C5:2020, is developed by the German Federal Office for Information Security (BSI) and is a standard that sets out a baseline security for cloud services providers.
|HITRUST (Webex Teams)
|HITRUST stands for Health Information Trust Alliance which creates and maintains the Common Security Framework (CSF) for the healthcare industry.
|FedRAMP (Webex Teams, UCM Cloud for Government)
|The Federal Risk and Authorization Framework (FedRAMP) is a government-wide framework that offers a standardized approach to security when it comes to using cloud services and products.
How does Mio ensure Webex security and compliance when sending messages to other platforms?
You can now link Webex to Microsoft Teams using Mio’s connector for genuine message interoperability.
This means you enable cross-platform messaging from Webex to Microsoft (and vice versa).
When you sign up to Mio, you get access to what is effectively middleware that translates messages from Webex to Microsoft Teams.
You, as the admin, do the syncing of channels and enabling of users in the background then let everyone know when they have access to send messages from one platform to another.
What makes Mio’s Microsoft <> Webex connector enterprise-ready?
There are two key elements that qualify Mio as enterprise-ready:
1 – Security
Mio keeps customer data secure and adheres to common global compliance standards, giving you peace of mind.
Mio never stores any messages or files you send cross-platform.
Mio works by receiving an API call from one platform, translating the language into the other platform, and delivering the message cross-platform.
For example, Ian sends a Webex message…
Mio receives the message
Recognizes the user or channel you’re sending to is on Teams
Translates the message from Webex language to Teams language
Mio sends the message to Teams
We classify and prioritize data in advance to ensure your sensitive data is securely handled throughout the transaction.
The biggest question that gets asked is “Does Mio store our files and messages?”
No user messages or files are persistently stored. Message metadata is retained by Mio for future reconciliation across platforms. But the underlying messages and files are not permanently retained.
Speaking of metadata, Mio only stores the following metadata:
- Message identifier (ID)
- Time stamp
- Platform assigned user IDs
- Channel IDs
These get stored for the duration of your service or until Mio is asked to destroy them via a hard delete.
Aside from this, we’re independently audited annually for SOC 2 and adhere to the frameworks outlined by GDPR and CCPS:
- Service Organization Control (SOC) 2 Type II
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
With regards to scopes, Mio never asks for more permissions than necessary. Just the bare minimum is needed to enable cross-platform messages.
- See which Webex scopes are needed
- See which Microsoft Teams scopes are needed
- Download the Mio Security Whitepaper here
2 – Scalability
When you’re dealing with Webex and Microsoft accounts at scale, there are two key areas where Mio is unique from other workaround solutions…
- Automatic failover and contingency plans during outages.
- Automated provisioning and management tools.
Automatic failover and dealing with platform outages
If you look after IT for a large enterprise, you’re responsible for keeping the lights on. And you need your infrastructure and software to do exactly that.
Nobody wants to be held accountable if there’s an outage and you weren’t prepared.
As such, Mio is hosted exclusively in AWS US data centers and uses multi-zone redundancy to maximize availability and uptime. So if AWS fails in one region, another zone is already in tandem.
When things outside of Mio control happen, like if Webex or Microsoft Teams suffers an outage, there are au number of flow controls to maximize message delivery reliability
All message events received by Mio are delivered to front-end servers distributed over multiple availability zones.
For resilience, event payloads are immediately encrypted and placed into a fault-tolerant FIFO queue for processing by the Mio multi-zone, distributed back-end system.
Should Webex or Teams be unavailable, Mio retains the encrypted event in a queue, and will automatically attempt redelivery based on a time-based replay strategy.
Want to learn more about how Mio enables you to send Webex messages to people on Microsoft Teams, Slack, or Zoom?