Cloud Collaboration — Is it Secure?

March 19, 2019

Tweet This:
Share on LinkedIn:

By Kevin Prater, Kovarus, Practice Manager Collaboration / Network Edge

Everyday, we’re doing more and more in the cloud, to include much if not all of our communications and collaboration. Even on-premises deployments of collaboration solutions have to transit the cloud at some point, and everyone says, “yes, we’re secure … we’re encrypted end-to-end.”  But what does that really mean? Are your communications and content really protected?

The answer can be yes, but it depends on what platform you’re using. Let’s take a look at how Cisco approaches securing your messaging and content in the Webex Cloud.

Regulatory Compliance

Organizations typically have security measures and controls already in place on their networks, addressing things like:

  • Network & Application Security
  • OPSEC
  • Physical Security
  • Change Control
  • Incident Management

But they rightfully need to know if these measures are being carried forth when connecting to a service in the cloud. That’s the importance of choosing a platform that meets regulatory compliance standards. And Webex complies with both ISO 27001 & SOC 2.

These are internationally recognized standards and if you’re not familiar with them, your CISO certainly is. ISO 27001 is really more of a best practices set of guidelines or framework for establishing an InfoSec Management System, whereas SOC 2 provides an organization a way to demonstrate that security practices are in place and actually working.

Compliant. Check.

Securing the Cloud

Your first level of protection is through what Cisco calls “Realms of Separation.” And like in all things networking, it’s clearer if we look at a picture.

The Webex and Webex Teams solution is spread across multiple data centers. Across these data centers, the various components are logically and physically separated as well. So, the Identity Services component (which holds all the real-user identity information) is compartmentalized from the Encryption, Indexing and E-Discovery pieces, which are in turn separated from the Content Servers.

This architecture of separation is important because it really gets rid any “One-Stop Shopping” for potential hackers.  What’s important to note here is:

  1. No data is ever associated with any real-user information (e.g. email addresses). A user identity lives in the Identity Service component and if you were to send any messages or files through the cloud, the Identity Services engine generates a 128-bit UUID to associate with the data; obfuscating the real user’s identity.
  2. The data itself is housed separately, isolated and, of course, encrypted.
  3. The Encryption Keys are housed separately and isolated as well.

So, if someone wanted to hack your data, life is now much more difficult for them. In the previous picture, they’d need to compromise Data Center A and hack into the Identity Services component, find your email address and correlate that to your UUID. With that information they’d then need to hack another data center containing your Content Server and correlate your UUID to your encrypted data. But wait, your data is still encrypted; so, back to work having to find and compromise yet another data center housing your particular Key Management Server, then hack that to get the keys.

Making it difficult for the bad guys. Check, Check.

End to End Encryption

With a secure architecture in place, how are they ensuring the actual data is kept secure? Let’s break this down into two broad categories; Secure Messages and Content, and Secure Search and Indexing:

Secure Messages and Content

For this bit, let’s focus on the Content Server and the Key Management Service (KMS) shown previously. The Content Server is an encrypted database storing messages and files in Webex Teams and the KMS handles the encryption keys for the environment. Again, both of which are homed in different clouds.

The KMS generates a unique encryption key for all spaces in Webex Teams

  • Any message or file you send by an app are encrypted on the client before being sent to the Webex Cloud
  • As the owner of a space you get the encryption key
  • Any users you add to the space will also get that key
  • Data is encrypted with AES-256-GCM and sent via TLS to the encrypted Content Server
  • If the recipient doesn’t have the key for the message
    • The message actually contains a URI pointing to the KMS
    • The recipient App requests the key from the KMS and if authorized the KMS supplies the key

Secure Search and Indexing

At the same time the secure messaging is being sent, the Indexing Service works its magic:

  • Using the same Space encryption key
    • The Indexing Service decrypts the content and creates a hashed index of that message/content
    • The Hashed Index is then associated and stored on the encrypted Content Server
    • No message or content is stored on the Indexing Service
      • Once the indexing function is complete the message is deleted

Now when a user types in a search in the in the Webex Teams app:

  • That search term is encrypted using the unique space key
  • That is sent via TLS to the Indexing Service where the same hash function is performed
  • That hashed output is sent to the Search Service
    • Searches for a matching hash on the Content Server
    • If there’s a match, it will return the corresponding encrypted content to the client
  • If the client has a key, they can read the content
    • If not, the client requests the key from KMS

If you don’t remember anything else from this, remember this:

  • There are unique encryption keys for every Webex Teams Space
  • No unencrypted data is ever stored in the Webex Cloud
    • It’s all referenced by a hashed index

That’s a high-level primer of what going on in the Webex Cloud, and we’ve really just scratched the surface. We haven’t even touched on the intricate details of the connections to the cloud (TLS), ciphers, Hybrid Data Security (HDS) — pulling the KMS functionality (and responsibility) on-prem, E-Discovery, DLP, etc. There are a lot of options, and foundationally I’m impressed with the Architecture and where it’s going.

Have questions? Let’s talk! Hit me up on Webex Teams at kprater@kovarus.com

Don’t have an account? That’s OK too, creating a Teams account is free! Download the Desktop App here:  https://www.Webex.com/downloads