© 2016 Cisco and/or its affiliates. All rights reserved. 1
Cloud and On Premises
Collaboration Security
explained
Vince Chou
Technical Solutions Architect
Nov 16th 2017
Connect
Cisco

© 2016 Cisco and/or its affiliates. All rights reserved. 2
Agenda
• Identity Management
-Authentication
-Authorization
• Cisco Spark Cloud Security
-Realms of separation, identity obfuscation, client
connection, secure search/indexing/E-discovery
-Hybrid Data Security

© 2016 Cisco and/or its affiliates. All rights reserved. 3
References
• Cisco Spark - Cloud and On Premise Security explained
https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2030#/session/1484039969829001YwFb
• Cisco Spark Hybrid Services Architectural Design
https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2202#/session/1485462759889001X5bX
• Authentication and Authorization in Collaboration Deployments: concepts and architecture
https://www.ciscolive.com/global/on-demand-library/?search=brkcol-2699#/session/1485462759687001XTYU
• Authentication and Authorization in Collaboration Deployments: implementation and troubleshooting
https://www.ciscolive.com/global/on-demand-library/?search=brkucc-2444#/session/1488238596662001CLEl
• Cisco Spark Security and Privacy Whitepaper
https://help.webex.com/docs/DOC-9095

4© 2016 Cisco and/or its affiliates. All rights reserved.
Identity Management

© 2016 Cisco and/or its affiliates. All rights reserved. 5
Guest
5
Authentication and Authorization
After authentication, the
receptionist gives you a
room key
Your room key is your
authorization token for
your room and any other
relevant hotel services
You do not need your passport to enter your room. Your
room key authorizes you to enter your room only.
The room key does not identify the holder of the key.
Authentication verifies that
“you are who you say you are”
Authorization verifies that
“you are permitted to do what you are trying to do”
Authentication
The receptionist
authenticates you by
checking your passport
Authorization

© 2016 Cisco and/or its affiliates. All rights reserved. 6
Authentication and Authorization
(SAML and OAuth)
Authorization
Clients
Services
IdP
Authentication

© 2016 Cisco and/or its affiliates. All rights reserved. 7
SAML v2.0 In Action
SP-initiated Web Browser SSO Flow
7BRKCOL-2699
Service Provider:
CUCM, CUC,
Webex
Application ABC
User
Web
Browser
Metadata
Exchange
1
2
3
4
5
Identity Provider
(IdP)
0
0
6
IdP

© 2016 Cisco and/or its affiliates. All rights reserved. 8
IdP
SAML v2.0 In Action
IdP Cookies Avoid Re-authentication
8BRKCOL-2699
Service Provider:
CUCM, CUC,
Webex
User
Web
Browser
Metadata
Exchange
1
2
3
4
Identity Provider
(IdP)
0
0
5
No authentication
needed if cookie is
valid

© 2016 Cisco and/or its affiliates. All rights reserved. 9
API Authorization Challenges
API/Service 1
API/Service 2
API/Service 3
API/Service N
Identity Provider
(IdP) IdP

© 2016 Cisco and/or its affiliates. All rights reserved. 10
OAuth Authorization Framework
• The OAuth 2.0 standard (RFC 6749) defines a
framework to enable third-party applications to obtain
limited access to a service or API on behalf of a user
Users authorize client applications to securely access
protected resources without sharing their credentials
(access delegation)
Defines authorization tokens: valet key concept
Clients can be web apps, native desktop/mobile apps,
javascript in browser…
• Does not deal with user authentication
• Broad adoption in API-driven world (cloud,
microservices, integrations, …)
Source:
https://www.programmableweb.com/apis/directory/1?auth=OAuth

© 2016 Cisco and/or its affiliates. All rights reserved. 11
An application would like
to connect to your account
The application “XYZ” would like to access
your basic account information.
Allow application “XYZ” access?
AllowDeny
Do these look familiar?
Authorize “XYZ” Application?
This application will be able to:
• Access your basic account information
• Read your posts
• See your list of contacts
Authorize app No, thanks
“XYZ” Application
This application would like to:
• Read and manage your files and documents
• View your email address
AcceptCancel

© 2016 Cisco and/or its affiliates. All rights reserved. 12
Example: “Sign in with Google” at IMDb
IMDb Server
Resource Server
IMDb Web App
Client
Google
Authorization Server
Johnny Example
Resource Owner
IMDb offers several
sign in options

© 2016 Cisco and/or its affiliates. All rights reserved. 13
Example: “Sign in with Google” at IMDb
IMDb Server
Resource Server
IMDb Web App
Client
Google
Authorization Server
Johnny Example
Resource Owner
Google authenticates you

© 2016 Cisco and/or its affiliates. All rights reserved. 14
Example: “Sign in with Google” at IMDb
IMDb Server
Resource Server
IMDb Web App
Client
Google
Authorization Server
Johnny Example
Resource Owner
Google asks you to
authorize IMDb to
access profile data

© 2016 Cisco and/or its affiliates. All rights reserved. 15
Example: “Sign in with Google” at IMDb
IMDb Server
Resource Server
IMDb Web App
Client
Google
Authorization Server
Johnny Example
Resource Owner
Google gives IMDb
an access token that
allows it to access
your profile data
The IMDb Web App shows
you your watchlist,
recommendations, etc.

© 2016 Cisco and/or its affiliates. All rights reserved. 16
OAuth 2.0 In Action
Roles and Generic Flow
Resource Server
CUCM, IM&P,
Expressway,
Unity Connection
Authorization
Server
CUCM(SSOSP)
Resource Owner
(the user)
Client
(the application)
User Agent
(the web browser)
Authentication
(outside OAuth scope)
Grants
Authorization
Requests
Authorization
Trust relationship1
2
3
4
5
IdP

© 2016 Cisco and/or its affiliates. All rights reserved. 17
Authorization Code Grant
Access Tokens and Refresh Tokens
Access Token
A token that authorizes a bearer to access a protected resource
Access Tokens are typically issued to a particular user with a
particular scope and with a specific expiry time
Refresh Token
A token that an OAuth client can use to request a new Access
Token on expiry of an existing Access Token

© 2016 Cisco and/or its affiliates. All rights reserved. 18
Motivation for Architecture Evolution
(New AuthN/AuthZ Flow for Jabber)
Support new
functionality:
• Push notification for
Apple mobile clients
• MRA Access Policy
Scope Support (future)
Simplify
deployments:
• Mobile user experience
• Identity Provider
performance impact
(SSO)
• Local, LDAP Bind, SSO
Solidify
architecture:
• Login complexity
• Enhanced edge security
• Alignment with cloud
solution

19© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco Spark Cloud Security

© 2016 Cisco and/or its affiliates. All rights reserved. 20
Spark Cloud Security - Realms of Separation
Identity Service Content Server
Key Mgmt Service Indexing Service Compliance Service
Spark logically and physically separates functional components within the cloud
Identity Services holding real user Identity (e.g. email addresses)
are separated from :
Encryption, Indexing and Compliance Services,
which are in turn separated from :
Data Storage Services
Data Center A Data Center B Data Center C

© 2016 Cisco and/or its affiliates. All rights reserved. 21
Realms of Separation – Identity Obfuscation
Identity Service Content Server
Key Mgmt Service Indexing Service Compliance Service
Outside of the Identity Service - Real Identity information is obfuscated :
For each User ID, Spark generates a random 128-bit Universally Unique
Identifier (UUID) = The User’s obfuscated identity
No real identity information transits, or is stored elsewhere in the cloud
Data Center A Data Center B Data Center C
jsmith@abc.comhtzb2n78jdbc9e

© 2016 Cisco and/or its affiliates. All rights reserved. 22
Spark – User Identity Sync and Authentication
Directory
Sync
User Info can be
synchronized to Spark
from the Enterprise
Active Directory
Multiple User attributes
can be synchronized
Passwords are not
synchronized - User :
1) Creates a Spark
password or
2) Uses SSO for Auth
Identity Service

© 2016 Cisco and/or its affiliates. All rights reserved. 23
Spark – SAML SSO Authentication
Directory
Sync
SAML
SSO
Administrators can
configure Spark to
work with their existing
SSO solution
Spark supports Identity
Providers using SAML
2.0 and OAuth 2.0
Identity Service
IdP

© 2016 Cisco and/or its affiliates. All rights reserved. 24
Client Connection
Spark Service
IdP
Identity Service
1) Customer downloads and installs Spark
Client (with Trust anchors)
2) Spark Client establishes a secure TLS
connection with the Spark Cloud
3) Spark Identity Service prompts for an e-
mail ID
4) User Authenticated by Spark Identity
Service, or the Enterprise IdP (SSO)
5) OAuth Access and Refresh Tokens created
and sent to Spark Client
• The Access Tokens contain details of the
Spark resources the User is authorized to
access
5) Spark Client presents its Access Tokens to
register with Spark Services over a secure
channel

© 2016 Cisco and/or its affiliates. All rights reserved. 25
Spark Device connection
Spark ServiceIdentity Service
1) User enters 16 digit activation code
received via e-mail from the Spark
provisioning service
2) Device authenticated by Identity
Service (Trust anchors sent to device
and secure connection established)
3) OAuth Access and Refresh Tokens
created and sent to Spark Client
• The Access Tokens contain details of
the Spark resources the User is
authorized to access
5) Spark Client presents its Access
Tokens to register with Spark
Services over a secure channel
1234567890123456

© 2016 Cisco and/or its affiliates. All rights reserved. 26
Content Server Key Mgmt Service
message messagemessage
filefile
message
Spark - Encrypting Messages and Content
Spark Clients request a
conversation encryption key from
the Key Management Service
Any messages or files sent by a
Client are encrypted before being
sent to the Spark Cloud
Each Spark Room uses a different
Conversation Encryption key
Key Management Service
AES256-GCM cipher used for Encryption

© 2016 Cisco and/or its affiliates. All rights reserved. 27
Indexing Service
Spark IS the messageSparkIS themessage
Content Server
Spark IS the message
Key Mgmt Service
###################
Searching Spark Rooms : Building a Search Index
The Indexing Service :
Enables users to search for
names and words in the
encrypted messages stored
in the Content Server
A Search Index is built by
creating a fixed length
hash* of each word in each
message within a Room
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
###################
Indexing Service
The hashes for each Spark
Room are stored by the
Content Service
###################
* A new (SHA-256 HMAC) hashing key (Search Key) is used for each room

© 2016 Cisco and/or its affiliates. All rights reserved. 28
Indexing Service
“Spark”Spark
Content Server Key Mgmt Service
###################
Searching Spark Rooms : Querying a Search Index
Search for the word “Spark”
Client sends search request
over a secure connection to
the Indexing Service
The Content Server
searches for a match in it’s
Hash tables and returns
matching content to the
client *
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
Indexing Service
“Spark”
Search for the word “Spark”
“B9”
B9 57 FE 48
######################################
Spark IS the Message
B9
The Indexing Service uses
Per Room Search keys to
hash the search terms
*A link to Conversation Encryption Key is sent with encrypted message

© 2016 Cisco and/or its affiliates. All rights reserved. 29
Cloud Collaboration
Management Portal
Indexing Service
Jo Smith’s ContentJo Smith’s Content
Content Server Key Mgmt Service
###################
Spark Compliance Service : E-Discovery
Administrator selects a
group of messages and files
to be retrieved for E-
Discovery e.g. : based on
date range/ content type/
user(s)
The Content Server returns
matching content to the
Compliance Service
###################
X1GFT5YYHash
Algorithm
Indexing Service
Jo Smith’s Content
“X1GFT5YY”
Jo Smith’s Content
###################
X1GFT5YY
The Indexing Service
searches Content Server for
related content
Compliance Service
###################
Jo Smith’s Content
###################
Jo Smith’s Content
###################

© 2016 Cisco and/or its affiliates. All rights reserved. 30
E-Discov. Storage
Compliance ServiceContent Server Key Mgmt Service
Spark Compliance Service : E-Discovery
The Compliance Service :
Decrypts content from the
Content Server, then
compresses and re-encrypts
it before sending it to the E-
Discovery Storage Service
The E-Discovery Storage
Service :
Sends the compressed and
encrypted content to the
Administrator on request
Compliance Service
Cloud Collaboration
Management Portal
Jo Smith’s Content###################
Jo Smith’s Content###################
Jo Smith’s Content###################
Jo Smith’s Messages
and Files
###################
###################
################
###################
###################
################
Jo Smith’s Messages
and Files
E-Discovery
Content Ready

© 2016 Cisco and/or its affiliates. All rights reserved. 31
3rd Party Integrations
Cisco has developed key relationships with leading Cloud Access Security Brokers (CASB), compliance,
archival and security vendors to enhance Cisco Spark and deliver key enterprise-grade features:
Compliance and Archiving
Archive content to comply with retention
requirements and enable eDiscovery
Data Loss Prevention
Apply policies to content, violation
alerts, and take remediation actions
Identity Management
Single Sign-On via SAML, Mobile Device
Management (MDM), SCIM user
provisioning and deactivation

32© 2016 Cisco and/or its affiliates. All rights reserved.
Spark Hybrid Data Security

© 2016 Cisco and/or its affiliates. All rights reserved. 33
Secure Data Center
Content Server
Key Mgmt Service
Spark – Hybrid Data Security (HDS)
Compliance ServiceIndexing Service
Hybrid Data Security
Hybrid Data Services
=
On Premise :
Key Management Server
Indexing Server
E-Discovery Service

© 2016 Cisco and/or its affiliates. All rights reserved. 34
HDS includes:
 Key Management Server
 Search indexer
 eDiscovery backend
Whilst HDS offers unique security features to customers in that they, and they alone, can
store and own the encryption keys for their messages and content….
These benefits also come with significant responsibilities :
A HDS Deployment requires significant customer commitment and an awareness of the
risks that come with owning encryption keys…
Complete loss of either the configuration ISO or the Postgres Database will result
in loss of the decryption keys stored in HDS. This will prevent users from
decrypting space content and other encrypted data. If this happens, an empty HDS
can be restored, however, only new content will be visible.
Hybrid Data Security – Positioning :
HDS may not be desirable for all customers

© 2016 Cisco and/or its affiliates. All rights reserved. 35
Secure Data Center
Key Mgmt Service
Content Server Key Mgmt Service
message messagemessagemessage
HDS - Encrypting Messages & Content
Spark Clients request an encryption
key from the Hybrid Key Management
Server
Any messages or files sent by a Client
are encrypted before being sent to the
Spark Cloud
Encrypted messages and content
stored in the cloud
Key Management Service
Encryption Keys stored locally

© 2016 Cisco and/or its affiliates. All rights reserved. 36
Secure Data Center
Key Mgmt Service
Encrypted messages from Clients are
stored in the Spark Cloud
Key Mgmt Service
message
Content Server
message messagemessage
If needed, Spark Clients can retrieve
encryption keys from the Hybrid Key
Management Server
Key Management Service
These messages are sent to every
other Client in the Spark Room and
contain a link to their encryption key
on the Hybrid Key Management Server
HDS - Decrypting Messages & Content

© 2016 Cisco and/or its affiliates. All rights reserved. 37
Secure Data Center
Indexing Service
Spark IS the messageSparkIS themessage
Content Server
Spark IS the message
Key Mgmt Service
###################
The Indexing Service :
Enables users to search for
names and words in the
encrypted messages stored
in the Content Server
###################
B957FE48
B9 57 FE 48
Hash
Algorithm
###################
Indexing Service
###################
* A new hashing key (Search Key) is used for each room
Hybrid Data Security: Search Indexing Service

© 2016 Cisco and/or its affiliates. All rights reserved. 38
Secure Data Center
Indexing Service
“Spark”Spark
Content Server
Key Mgmt Service
###################
Hybrid Data Security: Querying a Search Index
Search for the word “Spark”
Client sends its search
request over a secure
connection to the Indexing
Service
###################
B9
B9 57 FE 48
Hash
Algorithm
Indexing Service
“Spark”
Search for the word “Spark”
“B9”
B9 57 FE 48
######################################
Spark IS the Message B9
*A link to Conversation Encryption Key is sent with the encrypted message

© 2016 Cisco and/or its affiliates. All rights reserved. 39
Secure Data Center
Indexing Service
Content Server
Spark Compliance Service : E-Discovery
X1GFT5YY
Indexing Service
Jo Smith’s ContentJo Smith’s ContentJo Smith’s Content
Key Mgmt ServiceCompliance Service
Cloud Collaboration
Management Portal
############################################################################
######################################Jo Smith’s Content Jo Smith’s ContentJo Smith’s Content“X1GFT5YY”X1GFT5YY
Hash
Algorithm
Admin selects a group of
messages and files to be
retrieved for E-Discovery
e.g. : based on date range/
content type/ user(s)
The Content Server returns
matching content to the
Compliance Service
The Indexing Service
searches the Content
Server for selected content

© 2016 Cisco and/or its affiliates. All rights reserved. 40
Secure Data Center
Key Mgmt ServiceCompliance Service
Cloud Collaboration
Management Portal
E-Discov. StorageContent Server
Spark Compliance Service : E-Discovery
The Compliance Service :
Decrypts content from the
Content Server, then
compresses and re-encrypts it
before sending it to the E-
Discovery Storage Service
E-Discovery Storage Service :
Sends the compressed and
encrypted content to the
Administrator on request
Jo Smith’s Content###################
Jo Smith’s Content###################
Jo Smith’s Content###################
Jo Smith’s Messages
and Files
###################
###################
################
###################
###################
################
Jo Smith’s
Messages and Files
E-Discovery
Content Ready

© 2016 Cisco and/or its affiliates. All rights reserved. 41
Secure Data Center A
Hybrid Data Security Architecture
vSphereHybrid Data Services Node (VM)
Docker
ECP Mgmt
Container
HDS
Containers
Hybrid Data Services Node (VM)
Docker
ECP Mgmt
Container
HDS
Containers
HDS Cluster
Config File
IDE
Mount
IDE
Mount
ECP (Enterprise Compute Platform): Management containers which communicate with the cloud and perform actions
such as sending health checks and checking for new versions of HDS.
HDS (Hybrid Data Security): Key Management Server, Search Indexer, and eDiscovery Services.
HDS Cluster Config: An ISO file containing configuration information for the local HDS cluster. e.g. Database connection
settings, Database Master Encryption key, etc.
IDE Mount: Mount point of the read-only HDS Cluster Config ISO file containing the configuration settings for HDS system.
Customer Provided Services
Postgres
Database
Syslogd
Database
Back Up
System Back Up

© 2016 Cisco and/or its affiliates. All rights reserved. 42
HDS Install Prerequisites
See prerequisites in https://www.cisco.com/go/hybrid-data-security
X.509 Certificate, Intermediates and Private Key
PKI is used for KMS to KMS federation (Public Key Infrastructure)
Common Name signed by member of Mozzila Trusted Root Store
No SHA1 signatures
PKCS12 format
2 ESXi Virtualized Hosts: Min 2 to support upgrades, 3 recommended, 5 max
Minimum 4 vCPUs, 8-GB main memory, 50-GB local hard disk space per server
kms://cisco.com easily supports 15K users per HDS.
1 Postgres 9.6.1 Database Instance (Key datastore)
8 vCPU, 16 GB RAM, 2 TB Disk. User created with createuser. Assigned GRANT ALL PRIVILEGES ON database.
1 Syslog Host
hostname and port required to centralize syslog output from the three HDS instances and management containers
A secure backup location
The HDS system requires organization administrators to securely backup two key pieces of information. 1) A
configuration ISO file generated by this process 2) The postgres database. Failure to maintain adequate backups will
result in loss of customer data. See <Section on Disaster Recovery>.
Network
Outbound HTTPS on TCP port 443 from HDS host
Bi-directional WSS on TCP port 443 from HDS host
TCP connectivity from HDS host to Postgres database host, syslog host and statsd host

Thank you.