7 May 2020
This is the third post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Cisco Webex Meetings and Cisco Webex Teams.
Other posts include:
To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of the products reviewed please visit our first post from this series.
If you’re interested in the detail for Cisco Webex Meetings or Cisco Webex Teams, please read on.
Update: 01/06/2020
This post updated with miscellaneous changes, new links and some corrections after feedback from Cisco.
Cisco Webex is an American company which develops and sells web conferencing and videoconferencing applications. The Webex solution is available under several licenses including a free version (limited to 100 participants) and is available as SaaS (public cloud), on a private cloud or on-premise on a dedicated server or integrated into a Cisco telephone system.
According to Gartner, Webex is currently the market leader and is considered a visionary player in video communication technologies (along with Zoom and Microsoft).
The solution is available in two forms, Webex Teams for collaborative work (addressed later) and Webex Meetings for audio and video meetings (covered here). Webex also offers a wide range of peripherals such as whiteboards, IP phones, screens and cameras for videoconferencing[1].
Webex Meetings is used via a web browser with a plugin. Native clients are also available for Windows, Android and iOS for joining organized meetings; installing the desktop client requires administrator rights on the computer.
Encryption | ||
Uses an appropriate encryption algorithm | Fully | All communications between Cisco Webex applications and the Cisco Webex Cloud occur over encrypted channels. Cisco Webex uses TLS 1.2 with high-strength ciphers (for example, AES 256). User Datagram Protocol (UDP) is the preferred transport for media; UDP media packets are encrypted with AES 128, and the initial key exchange takes place over the TLS-secured channel. Additionally, each datagram carries a Hash-Based Message Authentication Code (HMAC) for authentication and integrity. |
Uses a strong encryption key | Fully | AES 256 (stored) / AES 128 (streamed). Cisco has advised us that AES 256 for streamed media is currently on their roadmap. |
Data is encrypted in transit under normal use | Fully | https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf |
Data stays encrypted in transit on provider servers | Partially | In standard mode, media streams flowing from a client to Cisco Webex servers are decrypted once they cross the Cisco Webex firewalls. Full end-to-end encryption is available, at the cost of some features such as cloud recording. |
Voice, Video and Text are all encrypted | Fully | https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf |
File transfers & session recordings are encrypted | Fully | https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf |
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | Cisco Webex offers end-to-end encryption as an option. With it, the Cisco Webex Cloud does not decrypt the media streams. All Cisco Webex clients generate key pairs and send the public key to the host’s client. The host generates a random symmetric key, encrypts it using the public key that each client sent, and sends the encrypted symmetric key back to that client. Client traffic is then encrypted with the symmetric session key and cannot be deciphered by the Cisco Webex server. We rate this Partially because it is an option rather than the default mode. |
Encryption implementation has withstood scrutiny over time | Fully | |
Authentication | ||
Administrators can define password security policies | Fully | The administrator can manage password criteria such as complexity so that user passwords comply with organisational password policy. |
Supports MFA as default | No | No native MFA available, needs third party IdP to provide it. |
Can integrate with Active Directory or similar | Fully | |
Can integrate with SSO solutions via SAML or similar | Fully | |
Offers RBAC | Fully | Cisco Webex application behavior is built from the ground up around five roles, each of which is granted different privileges. https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf |
Allows passwords to be set for meetings | Fully | |
Allows meeting password security policies to be set | Fully | |
Jurisdiction | ||
Headquarters address | USA | Milpitas, California (United States) |
The vendor cannot technically access any data without the client’s consent | Partially | When E2EE is deployed Cisco cannot decrypt the data. In ‘normal’ mode Cisco says employees do not access customer data unless access is requested by the customer for support reasons. |
A full on-prem version is available for users who don’t want to trust the vendor | Fully | Cisco WebEx Meeting Server, see www.cisco.com/c/en/us/products/conferencing/meeting-server/index.html. Moreover, a feature called ‘Hybrid Data Security’ allows organizations to bring encryption key management and other security-related functions into their on-premises data centers. |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Partially | During provisioning, the administrator selects a country, which determines which of two GEO regions the organization’s data resides in. See https://help.webex.com/en-us/oybc4fb/Data-Residency-in-Cisco-Webex-Teams#id_102374 |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | Cisco states that, in addition to its internal standards, Webex continually maintains third-party validations of its information security; the specific certifications (ISO 27001, SOC 2, BSI C5 and others) are listed in the discussion below. |
Complies with appropriate privacy standards (e.g. FERPA or GDPR). | Fully | https://help.webex.com/en-us/pdz31w/Cisco-Webex-Compliance-and-Certifications |
Provides a transparency report that details information related to requests for data, records, or content. | Fully | https://www.cisco.com/c/en/us/about/trust-center/transparency.html |
Security Management | ||
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Fully | https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. | Fully | https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf |
Offers clear central control over all security settings | Fully | |
Allows for monitoring and maintenance of endpoint software versions | Unclear | Not as far as we can see. Control Hub Analytics and Troubleshooting may give some visibility, but we could not confirm this. |
Provides compliance features like eDiscovery & Legal Hold | Fully | https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/webex-room-series/datasheet-c78-740772.html |
Auditing and Reporting | Fully | https://help.webex.com/en-us/n3b0w6x/Audit-Events-in-Cisco-Webex-Control-Hub |
Additional content security controls like DLP, watermarking, etc. | Partially | Third party DLP solutions can be integrated via the Events API |
Vulnerability Management | ||
Percentage of NVD 2019 | 0.15% | |
Percentage of NVD 2020 | 0.09% | |
Vendor discloses which vulnerabilities have been addressed | Fully | Cisco has a clear and comprehensive Security Vulnerability Policy. See https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html and https://help.webex.com/en-us/c3r7uf/Open-and-Resolved-Bugs-for-the-Latest-Webex-Meetings-Updates |
Vendor runs a bug bounty | Partially | Cisco is listed on HackerOne but nothing specific for Webex |
Webex Meetings offers two security modes. By default, communications are encrypted hop-by-hop between the clients and the server, so media is decrypted and re-encrypted on Cisco’s servers and exists there in cleartext. When using the desktop (thick) client it is also possible to enable end-to-end encryption, in which case the Cisco Webex servers cannot decipher the traffic. This mode disables certain features, such as Network Based Recording and remote computer sharing[2].
Cisco also encrypts stored Network Based Recordings. During playback and download the encrypted recording file is decrypted before or during the operation. Cisco, not the customer, holds these keys, so stored recordings are protected from outsiders but remain accessible to Cisco.
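The E2EE key exchange described above, as an added example written for this review (it is not code from the original post or from Cisco). The page only states that clients generate key pairs, that the host wraps a random symmetric key for each client, and that media uses AES 128 with a per-datagram HMAC; the choices of RSA-OAEP with 2048-bit keys, AES-128-CTR with HMAC-SHA256, the OAEP label and the way the MAC key is derived are all assumptions made here to make the exchange concrete. The relay stands in for the Webex cloud in E2EE mode: it forwards bytes but is never given a key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel is a hypothetical context label; both sides must use the same value.
const oaepLabel = "meeting-session-key"

// Participant models one Webex client. It generates its own RSA key pair on join
// and only ever sends the public half to the host.
type Participant struct {
	Name       string
	priv       *rsa.PrivateKey
	sessionKey []byte // 16-byte AES-128 meeting key; nil until unwrapped
}

func NewParticipant(name string) (*Participant, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Participant{Name: name, priv: priv}, nil
}

func (p *Participant) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Host is the participant that generates the random symmetric session key.
type Host struct{ Participant }

func NewHost(name string) (*Host, error) {
	p, err := NewParticipant(name)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16) // AES-128, the size the page gives for streamed media
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	p.sessionKey = key
	return &Host{Participant: *p}, nil
}

// WrapSessionKey encrypts the session key under a joiner's public key (RSA-OAEP).
// The wrapped blob can be relayed through the cloud without exposing the key.
func (h *Host) WrapSessionKey(joiner *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, joiner, h.sessionKey, []byte(oaepLabel))
}

// UnwrapSessionKey recovers the session key with the joiner's own private key.
func (p *Participant) UnwrapSessionKey(wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, wrapped, []byte(oaepLabel))
	if err != nil {
		return err
	}
	p.sessionKey = key
	return nil
}

// macKey derives a distinct HMAC key from the session key so the same bytes are
// not used for both encryption and authentication (demo derivation, not Cisco's).
func macKey(sessionKey []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, sessionKey...), "mac"...))
	return sum[:]
}

// SealDatagram protects one media packet with AES-128-CTR plus an HMAC-SHA256 tag
// over iv||ciphertext, the per-datagram scheme the page describes for UDP media.
// Wire layout: iv(16) || ciphertext || tag(32).
func (p *Participant) SealDatagram(media []byte) ([]byte, error) {
	if p.sessionKey == nil {
		return nil, errors.New("no session key: not a meeting participant")
	}
	block, err := aes.NewCipher(p.sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(media), aes.BlockSize+len(media)+sha256.Size)
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], media)
	mac := hmac.New(sha256.New, macKey(p.sessionKey))
	mac.Write(out)
	return mac.Sum(out), nil
}

// OpenDatagram checks the tag before decrypting; any modification in transit,
// by the relay or anyone else, is rejected rather than decoded.
func (p *Participant) OpenDatagram(dgram []byte) ([]byte, error) {
	if p.sessionKey == nil {
		return nil, errors.New("no session key: not a meeting participant")
	}
	if len(dgram) < aes.BlockSize+sha256.Size {
		return nil, errors.New("datagram too short")
	}
	body, tag := dgram[:len(dgram)-sha256.Size], dgram[len(dgram)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey(p.sessionKey))
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("datagram authentication failed")
	}
	block, err := aes.NewCipher(p.sessionKey)
	if err != nil {
		return nil, err
	}
	media := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(media, body[aes.BlockSize:])
	return media, nil
}

// Relay stands in for the Webex cloud in E2EE mode: it forwards opaque bytes and
// is never handed a key, so it is in the same position as any outsider.
type Relay struct{ Seen [][]byte }

func (r *Relay) Forward(b []byte) []byte {
	r.Seen = append(r.Seen, b)
	return b
}

// RunMeeting performs the full exchange for one host and one attendee and returns
// the media the attendee decoded.
func RunMeeting(media []byte) ([]byte, error) {
	host, err := NewHost("host")
	if err != nil {
		return nil, err
	}
	attendee, err := NewParticipant("attendee")
	if err != nil {
		return nil, err
	}
	relay := &Relay{}
	// 1. Attendee's public key reaches the host; 2. host sends back the wrapped key.
	wrapped, err := host.WrapSessionKey(attendee.PublicKey())
	if err != nil {
		return nil, err
	}
	if err := attendee.UnwrapSessionKey(relay.Forward(wrapped)); err != nil {
		return nil, err
	}
	// 3. Media crosses the cloud as ciphertext plus tag only.
	dgram, err := host.SealDatagram(media)
	if err != nil {
		return nil, err
	}
	return attendee.OpenDatagram(relay.Forward(dgram))
}

func main() {
	out, err := RunMeeting([]byte("video frame 0001"))
	fmt.Printf("attendee decoded %q (err=%v)\n", out, err)
}
```

Note what the exchange as described does not do: nothing binds a joiner’s public key to an identity, so whoever is admitted to the meeting is handed the session key. Meeting passwords and host admission controls are therefore what stand in for key authentication in this model, which is why they matter even more when E2EE is enabled.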
A feature called ‘Hybrid Data Security’ allows organizations to bring encryption key management and other security-related functions into their on-premises data centers.
Webex Meetings supports SSO with integration into the customer’s identity management technology (for example, Microsoft Active Directory Federation Services, PingFederate, CA Siteminder Single Sign-On, OpenAM, or Oracle Access Manager) using the Security Assertion Markup Language (SAML) 2.0.
We could not find evidence that Webex Meetings offers any form of Multi Factor Authentication (MFA) natively, but many of the SSO solutions supported via SAML (for example Duo or Okta) would provide that capability.
Cisco claims ISO 9001, ISO 27001, ISO 27018, SOC 2, Privacy Shield Framework and EU model clauses compliance for Webex Meetings[3]. Webex Teams and Webex Meetings have also formally received attestation against the BSI Cloud Computing Compliance Controls Catalogue (BSI C5).
However, Webex is a SaaS solution delivered by Cisco, which falls under the jurisdiction of the United States government. Theoretically this means that the company could be compelled to provide data or access to the government in compliance with US laws, which might be a concern for businesses from other countries.
Cisco Webex Meetings explicitly advertises ‘data residency’ options, giving customers the choice over where their stored data resides. It seems that during provisioning, the administrator selects a country, which determines which of two GEO regions the organization’s data resides.
Webex Meetings allows users to generate a unique password for every meeting. Administrators define the complexity of the password in order to comply with organizational password policies.
Webex supports role-based access, which defines the privileges of meeting attendees. This configuration also allows hosts to restrict application or desktop sharing as necessary.
The NIST National Vulnerability Database records 33 vulnerabilities for Cisco Webex components (excluding Teams) since the beginning of 2019, several of which were categorized as serious:
Year | Reported | NVD Total | Percentage |
2019 | 26 | 17,308 | 0.15% |
2020 | 7 | 7,624 | 0.09% |
Cisco has a clear Security Vulnerability Policy that states how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers[3].
The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents and adheres to ISO/IEC 29147:2014[4].
www.webex.com/team-collaboration.html
Cisco Webex is an American company which develops and sells web conferencing and videoconferencing applications. The Webex solution is available under several licenses including a free version (limited to 100 participants) and is available as SaaS (public cloud), on a private cloud or on-premise on a dedicated server or integrated into a Cisco telephone system.
The solution is available in two forms, Webex Teams for collaborative work (addressed here) and Webex Meetings for audio and video meetings (covered previously).
Webex Teams is an application for continuous team working through video meetings, group messaging, and file and whiteboard sharing. Full use of Webex Teams relies on client applications for Windows, macOS, iOS and Android, but use via a browser is also possible.
Like Webex Meetings, it is possible to interconnect the solution with many services (Google Calendar, Zendesk, Trello, Twitter, etc.).
Combined with the other related products and services provided by Cisco, including switches, phones and cameras, we consider this to be one of the most complete solutions currently available.
Encryption | ||
Uses an appropriate encryption algorithm | Fully | Advanced Encryption Standard (AES) 128 and AES 256 for encryption, Secure Hash Algorithm (SHA) 1 and SHA 256 for hashing, and RSA. |
Uses a strong encryption key | Fully | AES 256 (stored) / AES 128 (streamed) |
Data is encrypted in transit under normal use | Fully | See https://help.webex.com/en-us/vf2yaz/Cisco-Webex-Teams-App-Security |
Data stays encrypted in transit on provider servers | Fully | According to Cisco the Webex Teams app encrypts messages, files, and names of spaces on the endpoint before sending them to the cloud, where they are processed and stored in encrypted form until decrypted again on the receiving device. The app understandably can’t provide end-to-end encryption for messages and files handled by in-app automation tools such as bots, which need the plaintext. |
Voice, Video and Text are all encrypted | Fully | See https://help.webex.com/en-us/vf2yaz/Cisco-Webex-Teams-App-Security |
File transfers & session recordings are encrypted | Fully | https://help.webex.com/en-us/vf2yaz/Cisco-Webex-Teams-App-Security |
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | Cisco Webex Teams uses an open architecture for the management of encryption keys, allowing customers to gain exclusive control over their encryption keys and the confidentiality of their data. Content is encrypted on the user’s client and stays encrypted until it reaches the recipient, with no intermediary having access to decryption keys unless the enterprise explicitly chooses to grant such access. Cisco will provide any enterprise customer with access to the source code for the components of the Security Realm, to allow inspection, compilation and binary comparison. |
Encryption implementation has withstood scrutiny over time | Fully | Cisco also promises to provide source code for Security Realm services, such as the KMS, to any enterprise customer that requests it for purposes of verification of their claims. |
Authentication | ||
Administrators can define password security policies | Partially | It appears that Webex pre-configures the password requirements, although the service can be configured for SSO with Active Directory and other IdPs, whose password policies then apply. See https://help.webex.com/en-us/nxsab72/Webex-Teams-Change-Your-Password |
Supports MFA as default | No | No native MFA available, needs third party IdP to provide it. Cisco have advised that native support for MFA is on their roadmap |
Can integrate with Active Directory or similar | Fully | |
Can integrate with SSO solutions via SAML or similar | Fully | |
Offers RBAC | Fully | https://help.webex.com/en-us/fs78p5/Assign-Organization-Account-Roles-in-Cisco-Webex-Control-Hub |
Allows passwords to be set for meetings | Fully | https://help.webex.com/en-us/zrupm6/Manage-Security-for-Your-Site-in-Cisco-Webex-Site-Administration |
Allows meeting password security policies to be set | Fully | https://help.webex.com/en-us/zrupm6/Manage-Security-for-Your-Site-in-Cisco-Webex-Site-Administration |
Jurisdiction | ||
Headquarters address | USA | Milpitas, California (United States) |
The vendor cannot technically access any data without the client’s consent | Partially | Cisco claims to have built end-to-end encryption into the fabric of Teams, relying on the separation of the Security Realm from the rest of the Cisco Cloud to make it happen. For customers that want even stronger guarantees that Cisco, as the cloud service provider, has no access to their content, Cisco offers flexibility in the deployment of the services contained in the Security Realm and offers access to source code for verification of their claims. |
A full on-prem version is available for users who don’t want to trust the vendor | Partially | Any customers who are concerned about Cisco storing their message and file encryption keys and content can choose to deploy an on-premises (encryption) Key Management Server (KMS), which is a component of the Webex Hybrid Data Security platform. The KMS controls and manages the encryption keys for content stored in Webex data centers. See https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/esp/Webex-Teams-Security-Frequently-Asked-Questions.pdf and help.webex.com/en-us/nm1m8zv/Get-Started-with-Cisco-Webex-Hybrid-Services |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Partially | Data Centers location can be selected during setup. |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | See www.cisco.com/c/en/us/about/trust-center/webex.html |
Complies with appropriate privacy standards (e.g. FERPA or GDPR). | Fully | https://www.cisco.com/c/en_uk/solutions/collaboration/webex-teams/security-compliance-management.html |
Provides a transparency report that details information related to requests for data, records, or content. | Fully | https://www.cisco.com/c/en/us/about/trust-center/transparency.html |
Security Management | ||
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Partially | Requires a Webex Meetings enabled account for some functionality. See https://help.webex.com/en-us/sf4sh1/Webex-Teams-Security-Best-Practices |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. | Fully | Appears to require Pro Pack for Cisco Webex Control Hub for the functionality. |
Offers clear central control over all security settings | Fully | https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/webex-room-series/datasheet-c78-740770.html |
Allows for monitoring and maintenance of endpoint software versions | Unclear | Not to our knowledge. |
Provides compliance features like eDiscovery & Legal Hold | Fully | Requires Pro Pack for Cisco Webex Control Hub for additional data retention |
Auditing and Reporting | Fully | https://help.webex.com/en-us/n3b0w6x/Audit-Events-in-Cisco-Webex-Control-Hub |
Additional content security controls like DLP, watermarking, etc. | Fully | Comprehensive DLP is available via Cisco ‘Cloudlock’ as part of an Extended Security Pack, which also offer anti-malware capabilities. |
Vulnerability Management | ||
Percentage of NVD 2019 | 0.02% | |
Percentage of NVD 2020 | 0.03% | |
Vendor discloses which vulnerabilities have been addressed | Fully | https://www.cisco.com/c/en/us/support/unified-communications/spark/products-security-advisories-list.html |
Vendor runs a bug bounty | Partially | Cisco is listed on HackerOne but nothing specific for Teams |
Cisco claims that the solution provides end-to-end encryption of all data, and it seems clear that communications and files are encrypted before transmission and are stored encrypted if required[1].
Cisco asserts that all real-time media in Cisco Webex Teams (voice, video, and desktop share) is transmitted using Secure Real-Time Transport Protocol (SRTP), which provides protection against network sniffing. But Cisco also clarifies that real-time media is not always encrypted end-to-end – some data may have to be decrypted in their cloud for mixing, distribution, and public switched telephone network (PSTN) interoperability purposes.
However, Webex Teams also allows customers to keep their encryption keys themselves and thus avoid having to send them into the cloud. Data stored in the cloud would therefore only be accessible to authorized users. Any customers who are concerned about Cisco storing their message and file encryption keys and content, can choose to deploy an on-premises (encryption) Key Management Server (KMS), which is a component of the Webex Hybrid Data Security platform. The KMS controls and manages the encryption keys for content stored in Webex data centers.
Cisco documentation also suggests that under certain circumstances Cisco may access client data with the consent of the client. Our understanding is that the client holds the keys and would have to provide Webex access to them.[2]
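The Hybrid Data Security model described above (content encrypted on the client, keys held by a customer-run KMS, ciphertext and a key reference held by the cloud, and the enterprise explicitly granting access to additional identities), as an added example written for this review. It is not Cisco’s code and does not reproduce the Webex KMS protocol: the `kms://` URI format, the in-memory membership list, the `Grant` operation and the use of AES-256-GCM with the space ID as associated data are all assumptions made here to show why the content store alone cannot read messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMS models the customer-operated Key Management Server. It holds one key per
// space and releases it only to users the enterprise has authorised.
type KMS struct {
	keys    map[string][]byte          // key URI -> AES-256 key
	members map[string]map[string]bool // key URI -> authorised user IDs
}

func NewKMS() *KMS {
	return &KMS{keys: map[string][]byte{}, members: map[string]map[string]bool{}}
}

// CreateSpaceKey mints a key for a new space and records its initial members.
// The kms:// URI format is hypothetical and chosen for this example only.
func (k *KMS) CreateSpaceKey(spaceID string, members ...string) (string, error) {
	key := make([]byte, 32) // AES-256, the size the page gives for stored content
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", err
	}
	uri := "kms://customer.example/keys/" + spaceID
	k.keys[uri] = key
	k.members[uri] = map[string]bool{}
	for _, m := range members {
		k.members[uri][m] = true
	}
	return uri, nil
}

// Grant is the enterprise explicitly giving another identity (for example a
// compliance officer) access to a space key; without it the KMS refuses.
func (k *KMS) Grant(uri, userID string) error {
	if _, ok := k.keys[uri]; !ok {
		return errors.New("kms: unknown key")
	}
	k.members[uri][userID] = true
	return nil
}

// FetchKey is the only path to key material, and it checks membership first.
func (k *KMS) FetchKey(uri, userID string) ([]byte, error) {
	if !k.members[uri][userID] {
		return nil, fmt.Errorf("kms: %s is not authorised for %s", userID, uri)
	}
	return k.keys[uri], nil
}

// StoredMessage is what the cloud content store actually holds: ciphertext, the
// nonce and a key reference. No key material is present.
type StoredMessage struct {
	SpaceID    string
	KeyURI     string
	Nonce      []byte
	Ciphertext []byte
}

// Cloud stands in for the provider's content store. It has no link to the KMS.
type Cloud struct{ messages []StoredMessage }

func (c *Cloud) Store(m StoredMessage) int {
	c.messages = append(c.messages, m)
	return len(c.messages) - 1
}

func (c *Cloud) Get(id int) (StoredMessage, error) {
	if id < 0 || id >= len(c.messages) {
		return StoredMessage{}, errors.New("cloud: no such message")
	}
	return c.messages[id], nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts on the client with the space key fetched from the KMS and hands
// only ciphertext to the cloud. The space ID is bound as associated data so a
// stored blob cannot be replayed into a different space.
func Send(kms *KMS, cloud *Cloud, userID, spaceID, keyURI, text string) (int, error) {
	key, err := kms.FetchKey(keyURI, userID)
	if err != nil {
		return -1, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return -1, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return -1, err
	}
	ct := aead.Seal(nil, nonce, []byte(text), []byte(spaceID))
	return cloud.Store(StoredMessage{SpaceID: spaceID, KeyURI: keyURI, Nonce: nonce, Ciphertext: ct}), nil
}

// Receive pulls the blob from the cloud and the key from the KMS; a reader the
// KMS does not recognise is left with ciphertext it cannot open.
func Receive(kms *KMS, cloud *Cloud, userID string, id int) (string, error) {
	m, err := cloud.Get(id)
	if err != nil {
		return "", err
	}
	key, err := kms.FetchKey(m.KeyURI, userID)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, []byte(m.SpaceID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	kms, cloud := NewKMS(), &Cloud{}
	uri, _ := kms.CreateSpaceKey("space-42", "alice", "bob")
	id, _ := Send(kms, cloud, "alice", "space-42", uri, "quarterly numbers attached")
	msg, err := Receive(kms, cloud, "bob", id)
	fmt.Println("bob:", msg, err)
	_, err = Receive(kms, cloud, "cloud-operator", id)
	fmt.Println("cloud operator:", err)
}
```

The point of the split is that the content store and the key store are operated by different parties: a subpoena or a compromise that reaches only the cloud yields ciphertext and key URIs, and the KMS membership list (including any explicit grants the enterprise adds) is the single place where read access is decided.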
The solution, like many on the market, allows integration with the company’s Active Directory to facilitate single sign-on, and offers additional features like a form of Data Leakage Prevention (DLP). This strengthens the protection of stored data. Data can only be shared in closed meeting spaces, where only authorized people can add collaborators.
Cisco claims ISO 9001, ISO 27001, ISO 27018, SOC 2, Privacy Shield Framework and EU model clauses compliance for Webex Teams. Webex Teams and Webex Meetings have also formally received attestation against the BSI Cloud Computing Compliance Controls Catalogue (BSI C5).
However, Webex is a SaaS solution delivered by Cisco, which falls under the jurisdiction of the United States government. Theoretically this means that the company could be compelled to provide data or access to the government in compliance with US laws, which might be a concern for businesses from other countries. That said, Cisco offers flexibility in the deployment of the services contained in the Security Realm and offers access to source code for verification of their claims.
As a cloud-based service, Webex is hosted in Cisco’s own data centers and inherits the physical and infrastructure security controls applied there.
Webex supports role-based access, which limits the privileges of meeting attendees. This configuration also allows hosts to restrict application or desktop sharing if necessary.
Cisco additionally offers the possibility of federating Webex instances, thereby eliminating the risk of confidentiality and data leaks associated with guest accounts. During internal and external collaboration, customers can therefore control the flow of sensitive content, and shared confidential data can be removed.
Like other vendors, Cisco allows the administrator to manage the password criteria as required.
Cisco offers Webex Control Hub as a “web-based, intuitive, single-pane-of-glass management portal that enables you to provision, administer, and manage Cisco Webex services and Webex Hybrid Services, such as Hybrid Call Service, Hybrid Calendar Service, Hybrid Directory Service, and Video Mesh”.
Additionally, Pro Pack for Webex Control Hub is a “premium offer for customers that require more advanced capabilities, or even integrations with their existing security, compliance, and analytics software. Access can be provided specifically to those that need these more advanced capabilities – for example, information security professionals, compliance officers, or business analysts”.
The NIST National Vulnerability Database records six vulnerabilities for Cisco Webex Teams components since the beginning of 2019, several of which were categorized as serious:
Year | Reported | NVD Total | Percentage |
2019 | 4 | 17,308 | 0.02% |
2020 | 2 | 7,624 | 0.03% |
It’s beyond the scope of this assessment to consider to what extent vulnerabilities in other Cisco Webex components would have an impact on the Teams platform. However, as this would technically be true for other integrated products like Microsoft Teams, Skype for Business and Google Meet, we have excluded those vulnerabilities here.
Cisco has a clear Security Vulnerability Policy that states how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers[3].
The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents and adheres to ISO/IEC 29147:2014[4].
1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet
Head of Security Research
Charl van der Walt
Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.
Senior Consultant Cybersecurity
Quentin Aguesse
Graduated from a French business school, Quentin is now a senior consultant at Orange Cyberdefense, operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialized in risk assessment, disaster recovery planning, as well as cybersecurity awareness.
Consultant Cybersecurity
Jérôme Mauvais
As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognised throughout his career for his ability to transfer knowledge.
Lead Security Researcher (MSIS Labs)
Carl Morris
Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on security-related solutions. This has been followed by a decade working in MSSPs, the latest of which being at SecureData for over 7 years: initially as an Escalation Engineer, then in Professional Services, then in the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.