Let's examine Cisco Webex - A visionary player

This is the third post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Cisco Webex Meetings and Cisco Webex Teams.  

Other posts include:

• Tixeo
• Skype for Business
• Zoom
• Microsoft Teams
• Google Meet
• Bluejeans
• BigBlueButton
• Jitsi Meet

To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail for Cisco Webex or Cisco Webex Team, please read on.

Update: 01/06/2020

This post updated with miscellaneous changes, new links and some corrections after feedback from Cisco.

Cisco Webex is an American company which develops and sells web conferencing and videoconferencing applications. The Webex solution is available under several licenses including a free version (limited to 100 participants) and is available as SaaS (public cloud), on a private cloud or on-premise on a dedicated server or integrated into a Cisco telephone system.

According to Gartner, Webex is the current the market leader and is considered a visionary player in video communication technologies (along with Zoom and Microsoft).

The solution is available in two forms, Webex Teams for collaborative work (addressed later) and Webex Meetings for audio and video meetings (covered here). Webex also offers a wide range of peripheral such as whiteboards, IP phones, screens and cameras for videoconferencing[1]

Features

The Webex Meetings solution is used via a web browser with a plugin. It is also possible to install and use software available for Windows, Android and iOS, for access to organized meetings. Installation of the client requires administrator rights on the computer.

Results table

Encryption

Webex Meetings offers two security modes. By default, communications are encrypted between the server and the clients (hop-by-hop). Cleartext data therefore traverses the server. It is also possible to enable end-to-end encryption when using the thick client. In this model, traffic cannot be deciphered by the Cisco Webex server. This restricts certain features, however, such as Network Based Recording and Remote computer sharing[2]. .

Cisco also encrypts stored Network Based Recordings. During the playback and download flow, the encrypted recording file is then decrypted before or during the operation. Cisco maintains these keys for the customer.

A feature called ‘Hybrid Data Security’ allows organizations to bring encryption key management and other security-related functions into their on-premises data centers.

Authentication

Webex Meetings supports SSO with integration into the customer’s identity management technology (for example, Microsoft Active Directory Federation Services, PingFederate, CA Siteminder Single Sign-On, OpenAM, or Oracle Access Manager) using the Security Assertion Markup Language (SAML) 2.0.

We could not find evidence that Webex Meetings offers any form of Multi Factor Authentication (MFA) natively, but many of the SSO solutions supported via SAML (for example Duo or Okta) would provide that capability.

Jurisdiction & Regulation

Cisco claims ISO 9001, ISO 27001, and ISO 27018, SOC 2, Privacy Shield Framework and EU model clauses compliance for Webex Meetings[3].  Webex Teams and Webex Meetings have also formally received attestation against the BSI Cloud Computing Compliance Controls Catalogue (BSI C5).

However, Webex is a SaaS solution delivered by Cisco, which falls under the jurisdiction of the United States government. Theoretically this means that the company could be compelled to provide data or access to the government in compliance with US laws, which might be a concern for businesses from other countries.

Cisco Webex Meetings explicitly advertises ‘data residency’ options, giving customers the choice over where their stored data resides. It seems that during provisioning, the administrator selects a country, which determines which of two GEO regions the organization’s data resides.

Security Features and Management

Webex Meetings allows users to generate a unique password for every meeting. Administrators define the complexity of the password in order to comply with organizational password policies.

Webex supports role-based access, which defines the privileges of meeting attendees. This configuration also allows hosts to restrict application or desktop sharing as necessary.

Vulnerability & Exploit History

The NIST National Vulnerability Database records 33 vulnerabilities for Cisco Webex components (excluding Teams) since the beginning of 2019, several of which were categorized as serious:

Cisco has a clear Security Vulnerability Policy that clearly states how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers[3].

The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents and adheres to ISO/IEC 29147:2014[4].

• [1] https://www.cisco.com/c/en/us/products/collaboration-endpoints/collaboration-room-endpoints/index.html?dtid=osscdc000283#~explore-video-devices
• [2] https://help.webex.com/en-us/nwh2wlx/Enable-End-to-End-Encryption-Using-End-to-End-Encryption-Session-Types
• [3] https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html
• [4] https://www.cisco.com/c/dam/en_us/about/security/psirt/Cisco-PSIRT-Infographic.pdf

www.webex.com/team-collaboration.html

Cisco Webex is an American company which develops and sells web conferencing and videoconferencing applications. The Webex solution is available under several licenses including a free version (limited to 100 participants) and is available as SaaS (public cloud), on a private cloud or on-premise on a dedicated server or integrated into a Cisco telephone system.

The solution is available in two forms, Webex Teams for collaborative work (addressed here) and Webex Meetings for audio and video meetings (covered previously).

Features

Webex Teams is an application that allows you to work in a continuous team using video meetings, group messaging, files and whiteboards sharing. Full use of the Webex Teams solution leverages a client-side applications, available for Windows, iOS, Android and MacOS, but use via a browser is also possible.

Like Webex Meetings, it is possible to interconnect the solution with many services (Google Calendar, Zendesk, Trello, Twitter, etc.).

Combined with the other related products and services provided by Cisco, including switches, phones and cameras, we consider this to be one of the most complete solutions currently available.

Results table

Encryption

Cisco claims that the solution provides end-to-end encryption of all data, and it seems clear that communications and files are encrypted before transmission and are stored encrypted if required[1].

Cisco asserts that all real-time media in Cisco Webex Teams (voice, video, and desktop share) is transmitted using Secure Real-Time Transport Protocol (SRTP), which provides protection against network sniffing. But Cisco also clarifies that real-time media is not always encrypted end-to-end – some data may have to be decrypted in their cloud for mixing, distribution, and public switched telephone network (PSTN) interoperability purposes.

However, Webex Teams also allows customers to keep their encryption keys themselves and thus avoid having to send them into the cloud. Data stored in the cloud would therefore only be accessible to authorized users. Any customers who are concerned about Cisco storing their message and file encryption keys and content, can choose to deploy an on-premises (encryption) Key Management Server (KMS), which is a component of the Webex Hybrid Data Security platform. The KMS controls and manages the encryption keys for content stored in Webex data centers.

Cisco documentation also suggests that under certain circumstances Cisco may access client data with the consent of the client. Our understanding is that the client holds the keys and would have to provide Webex access to them.[2]

Authentication

The solution, like many on the market, allows integration with the company’s Active Directory to facilitate authentication via a single-sign-on and offers additional features like a form of Data Leakage Protection (DLP). This strengthens the protection of stored data. Data can only be shared in closed meeting spaces, where only authorized people can add collaborators.

Jurisdiction & Regulation

Cisco claims ISO 9001, ISO 27001, and ISO 27018, SOC 2, Privacy Shield Framework and EU model clauses compliance for Webex Teams.  Webex Teams and Webex Meetings have also formally received attestation against the BSI Cloud Computing Compliance Controls Catalogue (BSI C5).

However, Webex is a SaaS solution delivered by Cisco, which falls under the jurisdiction of the United States government. Theoretically this means that the company could be compelled to provide data or access to the government in compliance with US laws, which might be a concern for businesses from other countries. However, Cisco offers flexibility in the deployment of the services contained in the Security Realm and offers access to source code for verification of their claims.

Security Features and Management

As a Cloud based service, Webex enjoys the security of Cisco Datacenters which host the service.

Webex supports role-based access, which limits the privileges of meeting attendees. This configuration also allows hosts to restrict application or desktop sharing if necessary.

Cisco additionally offers the possibility of federating Webex instances, thereby eliminating the risk of confidentiality and data leaks associated with guest accounts. During internal and external collaboration, customer can therefore control the flow of sensitive content and shared confidential data can be removed.

Like other vendors, Cisco allows the administrator to manage the password criteria as required.

Cisco offers Webex Control Hub as a “web-based, intuitive, single-pane-of-glass management portal that enables you to provision, administer, and manage Cisco Webex services and Webex Hybrid Services, such as Hybrid Call Service, Hybrid Calendar Service, Hybrid Directory Service, and Video Mesh”.

Additionally, Pro Pack for Webex Control Hub is a “premium offer for customers that require more advanced capabilities, or even integrations with their existing security, compliance, and analytics software. Access can be provided specifically to those that need these more advanced capabilities – for example, information security professionals, compliance officers, or business analysts”.

Vulnerability & Exploit History

The NIST National Vulnerability Database records six vulnerabilities for Cisco Webex Teams components since the beginning of 2019, several of which were categorized as serious:

It’s beyond the scope of this assessment to consider to what extent vulnerabilities in other Cisco Webex components would have an impact on the Teams platform. However, as this would technically be true for other integrated products like Microsoft Teams, Skype for Business and Google Meet, we have excluded those vulnerabilities here.

Cisco has a clear Security Vulnerability Policy that clearly states how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers[3].

The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents and adheres to ISO/IEC 29147:2014[4].