Webex Security and Compliance Overview

Explore Webex's security and compliance postures, including identity and device management, data protection, and adherence to top security certifications.

When it comes to enterprise collaboration, security is paramount. It’s the dealbreaker between flawless rollout and postponed implementation.

In this post, we walk through the key features of Webex security and compliance, and take a look at the certifications already attained.

Key features of Webex security

Webex uses standards-based, zero-trust, end-to-end (E2E) encryption to protect data transfers from your device to any other device in the world. 

Messages are encrypted before they arrive at servers in Cisco’s cloud, and they are decrypted only when they reach the destination device.

Cisco prides itself on security and has three dedicated departments which look specifically at security across all its products and services:

  • Cisco Information Security (InfoSec) Cloud team 
  • Cisco Product Security Incident Response Team (PSIRT) 
  • Cisco Talos Threat Intelligence Group

Let’s dive into the four key areas when it comes to Webex security.

1 - Identity and device management

The Webex Control Hub is your secure gateway to managing all your devices, users, and permissions from a single interface. 

When it comes to identity management, Webex incorporates adaptive authentication which applies a zero-trust approach to security and allows your IT department to enforce adaptive access policies based on various risk factors.

SAML-based single sign-on

Security Assertion Markup Language (SAML) is a commonly used security standard that allows an identity provider to share user authentication tokens with a service provider.

This means that users can enter their login information just once and be able to access multiple applications. 

You can use the Webex Control Hub to link your identity provider to your organization which then helps your users to use the same credentials across all Webex apps and other internal tools you use.

Idle timeout

Webex allows you to set different idle timeouts depending on whether or not your users are on your organization’s network (in-network) or an outside network (off-network). 

You can choose anything from 0 (no timeout until the user decides to log out) to twelve hours of inactivity before the profile signs out automatically.

You can manage both from your Control Hub if you click on Management and then Organization Settings. Once there, go to Idle Timeouts and toggle on Webex web client timeout. 

  • For off-network: click on Off Network and specify how long a Webex app can remain idle.
  • For in-network: enter a URL that allows CORS requests from web.webex.com. Then click on In-network and specify how long an app can remain idle.
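
A minimal endpoint that could sit behind the in-network URL, as an added example (not Webex or Cisco code). It assumes the web client reaches the URL with a cross-origin request from https://web.webex.com; the handler name, bind address and port are hypothetical. The allow-list is an exact match, so no other origin can read the response and infer that a browser is on the corporate network.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the Webex web client calls the probe URL from this exact origin.
ALLOWED_ORIGINS = {"https://web.webex.com"}


def cors_headers(origin):
    """Return the CORS response headers for a request's Origin header.

    Exact-match allow-list: never reflect an arbitrary origin and never
    answer with "*", so only the Webex web client can read the response.
    """
    headers = {"Vary": "Origin"}  # caches must key the response on Origin
    if origin not in ALLOWED_ORIGINS:
        return headers            # no Allow-Origin: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
    return headers


class ProbeHandler(BaseHTTPRequestHandler):
    """Answers GET and the CORS preflight with an empty 204 response."""

    def _respond(self):
        self.send_response(204)
        for name, value in cors_headers(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Cache-Control", "no-store")
        self.end_headers()

    def do_GET(self):
        self._respond()

    def do_OPTIONS(self):
        self._respond()


if __name__ == "__main__":
    # Hypothetical bind address and port; in practice, expose this only on an
    # internal interface so the URL is unreachable from outside the network.
    HTTPServer(("127.0.0.1", 8080), ProbeHandler).serve_forever()
```
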

Multi-factor authentication (MFA)

Administrators can add multi-factor authentication by visiting https://admin.webex.com, then going to Management -> Organization Settings and visiting the Authentication section. 

Multi-factor authentication means that users would have to use a time-based, one-time password (TOTP) in order to access Webex. 

They’d need to use authenticator apps like Windows Authenticator or Google Authenticator, although Duo is free both for iOS and Android.

User and group provisioning via SCIM

The system for cross-domain identity management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems. 

Using SCIM for user or group provisioning means you can easily add and remove users from your company directory and external apps like Salesforce or Atlassian.

You can use Webex provisioning from the Control Hub to integrate users across multiple systems. 

But, if you use Okta Integration Network, you first need to add Webex from the Okta application gallery to your managed applications and then proceed with configuring your Control Hub. 

You can also add Webex to your Azure Active Directory and use the Azure AD Wizard app to configure which users, groups, or attributes to synchronize. 

Domain claiming

Domain claiming means that you automatically associate your users with your organization once they join Webex. 

If you don’t claim your domain, then your users are created in a general organization alongside all other “free” users. If you already have such users, it’s best to convert them to your organization first before you claim your domain. 

2 - Mobile device management

IT administrators can enforce specific limitations and rules around how users can use Webex on their mobile devices, either through the Control Hub or a third-party service provider.

Enterprise mobility management (EMM)

EMM allows your administrators to manage on what devices and under what conditions your Webex application can be accessed. 

If the devices are owned by the enterprise, then these devices and all apps are enrolled in the mobile device management (MDM) app.

If, however, the devices are personally owned by the users, the Webex app is enrolled in and managed by the mobile application management (MAM) app. 

You can set up your EMM using either one of these options (listed in the recommended order by Webex):

  • Microsoft Intune
  • AppConfig
  • App Wrapping
  • Admin controls in Control Hub

Secondary authentication

Secondary authentication is an added security measure to make sure that only authorized individuals can access the application. 

In the Authentication section, admins can enable MFA per user, for selected applications, or for the whole organization. 

Block message copy and file download

Admins can use Microsoft Intune or AppConfig to block users from copying and pasting messages from within the app or taking screenshots of the app screen.

For example, Microsoft Intune can prevent users from sharing information between Webex for Intune and other apps but allow it for other corporate policy-managed applications. 

Admins can also control how users share files by using Pro Pack from Control Hub (an add-on service). 

Simply go to https://admin.webex.com and then Services -> Messaging -> Collaboration Restrictions. 

There you can block file download, upload, or preview for different types of internal or external users. 

Block jailbroken or rooted devices

Microsoft Intune can also block users from accessing Webex for Intune on jailbroken or rooted devices, that is, devices modified to gain administrative or root access.

Minimum app version

Webex for Intune allows admins to specify the minimum app version in order for the application to run on mobile devices. 

This is an important security measure, considering that security threats can evolve and change and software providers need to keep their app version up-to-date. 

3 - Data protection

Webex offers two types of data encryption:

  • End-to-end encryption for messages and other user-generated content
  • Zero-trust end-to-end encryption for meetings

While both provide extra layers of protection against external attacks, there are some differences in the level of confidentiality they offer. 

The end-to-end encryption uses the Webex Key Management System (KMS) to manage encryption keys while the zero-trust encryption uses Messaging Layer Security (MLS), which allows participants to generate a common encryption key available only to them and no one else (not even the Webex service, hence the Zero-Trust name).

Enterprise encryption

Webex offers several levels of data encryption when it comes to data sharing or web conferencing. These are different based on your subscription plan with the Enterprise plan offering the highest levels of security encryption. 

For instance, all plans offer TLS 1.2 (signaling) and AES-256-GCM (media) for high-speed data transfer. However, recording encryption is available only on the Plus and Enterprise plans.

Data-sharing restrictions via Pro Pack are available only on the Enterprise plan.

Enterprise key management (EKM) or bring your own key

Users across all plans can use the platform’s native cloud Key Management Service (KMS) to encrypt any content before it leaves the Webex app. Enterprise clients also have the option to deploy all servers on-premise for an added level of security.

KMS provides encrypted search capabilities, controlled authorization, and industry-standard encryption of user-generated content, among other benefits. 

Data loss prevention (DLP)

Webex offers a twofold approach to DLP. 

First, the application keeps users aware of any data loss risks, the presence of external participants, or the retention policies applied for the context in which they’re communicating. 

This comes with propagation control features such as read receipts, space access control, and moderator privileges. 

The second approach allows for integration with third-party DLP software to monitor user actions and remediate possible violations. 

Businesses can use out-of-the-box solutions with existing providers, work with Cisco Advanced Solutions to build custom integrations, or use the existing API documentation to build their own solutions. 

This is the list of existing DLP solutions that integrate with the Webex app:

Audit logs API

Having access to any admin changes or actions within the application is a common requirement for compliance purposes. 

Full administrators can see any changes to the organizational settings as well as filter actions per user, date range, or per specific action. All of this information is available via the Control Hub and exposed to the REST API.

App and integration management

There are a number of Webex integrations to help businesses streamline and automate their operations. You can browse apps by category, product, or app type to find what you need. 

4 - Information governance

Global retention policies

Webex clients can define their own retention policy which will apply to all of their meeting sites. 

Admins can manage their retention periods by going to https://admin.webex.com and then Organizational Settings -> Retention. 

Here, you can define how long you want to keep messages, whiteboards, and shared files as well as meetings recordings and other meeting-related content. 

eDiscovery

Compliance officers can use the Webex Control Hub to search content and metadata posted via the app by a specific user to make sure they’re complying with all internal and external regulations.

eDiscovery is available only for businesses that have a single Meeting site. If you have multiple Meeting sites, you’re advised to contact Cisco support for assistance. 

Webex compliance certifications

Cisco has some of the most sought-after security and compliance certifications, so you can rest assured that your data and business are in safe hands. 

Here’s a list of Webex’s compliance certificates:

Standard | Scope | Status
SOC 2 Type II and SOC 3 | Service Organization Control (SOC) report is an audit on how a cloud-based service handles sensitive information. Both SOC 2 and SOC 3 are independent security frameworks developed by the American Institute of Certified Public Accountants (AICPA). The only difference between the two is the level of detail required (with SOC 2 requiring more detailed input). |
ISO 27001 / 27017 / 27018 | These are internationally recognized standards for information security. |
ISO 9001 certificate | This standard sets out the criteria for a quality management system and follows clearly defined principles on how companies can obtain certification. |
Cloud Computing Compliance Controls Catalog (C5) | C5, also referred to as C5:2020, is developed by the German Federal Office for Information Security (BSI) and is a standard that sets out a baseline security for cloud services providers. |
HITRUST (Webex Teams) | HITRUST stands for Health Information Trust Alliance which creates and maintains the Common Security Framework (CSF) for the healthcare industry. |
FedRAMP (Webex Teams, UCM Cloud for Government) | The Federal Risk and Authorization Framework (FedRAMP) is a government-wide framework that offers a standardized approach to security when it comes to using cloud services and products. |