April 01, 2024 | 1139 view(s) | 1 people thought this was helpful
In this article
Preface
New and changed information
Get Started with Hybrid Data Security
Hybrid Data Security Overview
Security Realm Architecture
Realms of Separation (without Hybrid Data Security)
Collaborating with Other Organizations
Expectations for Deploying Hybrid Data Security
High-level Setup Process
Hybrid Data Security Deployment Model
Hybrid Data Security Deployment Model
Hybrid Data Security Trial Mode
Standby Data Center for Disaster Recovery
Setup Standby Data Center for Disaster Recovery
Proxy Support
Prepare Your Environment
Requirements for Hybrid Data Security
Cisco Webex License Requirements
Docker Desktop Requirements
X.509 Certificate Requirements
Virtual Host Requirements
Database server requirements
External connectivity requirements
Proxy Server Requirements
Complete the Prerequisites for Hybrid Data Security
Set up a Hybrid Data Security Cluster
Hybrid Data Security Deployment Task Flow
Download Installation Files
Create a Configuration ISO for the HDS Hosts
Install the HDS Host OVA
Set up the Hybrid Data Security VM
Upload and Mount the HDS Configuration ISO
Configure the HDS Node for Proxy Integration
Register the First Node in the Cluster
Create and Register More Nodes
Run a Trial and Move to Production
Trial to Production Task Flow
Activate Trial
Test Your Hybrid Data Security Deployment
Monitor Hybrid Data Security Health
Add or Remove Users from Your Trial
Move from Trial to Production
End Your Trial Without Moving to Production
Manage your HDS Deployment
Manage HDS Deployment
Set Cluster Upgrade Schedule
Change the Node Configuration
Turn off Blocked External DNS Resolution Mode
Remove a Node
Disaster Recovery using Standby Data Center
(Optional) Unmount ISO After HDS Configuration
Troubleshoot Hybrid Data Security
View Alerts and Troubleshoot
Alerts
Common Issues and the Steps to Resolve Them
Troubleshoot Hybrid Data Security
Other Notes
Known Issues for Hybrid Data Security
Use OpenSSL to Generate a PKCS12 File
Traffic between the HDS Nodes and the Cloud
Configure Squid Proxies for Hybrid Data Security
Websocket Cannot Connect Through Squid Proxy
Deployment guide for Webex Hybrid Data Security
In this article
Get Started with Hybrid Data Security
Hybrid Data Security Overview
From day one, data security has been the primary focus in designing Webex App. The cornerstone of this security is end-to-end content encryption, enabled by Webex App clients interacting with the Key Management Service (KMS). The KMS is responsible for creating and managing the cryptographic keys that clients use to dynamically encrypt and decrypt messages and files.
By default, all Webex App customers get end-to-end encryption with dynamic keys stored in the cloud KMS, in Cisco's security realm. Hybrid Data Security moves the KMS and other security-related functions to your enterprise data center, so nobody but you holds the keys to your encrypted content.
Security Realm Architecture
The Webex cloud architecture separates different types of service into separate realms, or trust domains, as depicted below.
To further understand Hybrid Data Security, let's first look at this pure cloud case, where Cisco is providing all functions in its cloud realms. The identity service, the only place where users can be directly correlated with their personal information such as email address, is logically and physically separate from the security realm in data center B. Both are in turn separate from the realm where encrypted content is ultimately stored, in data center C.
In this diagram, the client is the Webex App running on a user's laptop, and has authenticated with the identity service. When the user composes a message to send to a space, the following steps take place:
-
The client establishes a secure connection with the key management service (KMS), then requests a key to encrypt the message. The secure connection uses ECDH, and the KMS encrypts the key using an AES-256 master key.
-
The message is encrypted before it leaves the client. The client sends it to the indexing service, which creates encrypted search indexes to aid in future searches for the content.
-
The encrypted message is sent to the compliance service for compliance checks.
-
The encrypted message is stored in the storage realm.
When you deploy Hybrid Data Security, you move the security realm functions (KMS, indexing, and compliance) to your on-premises data center. The other cloud services that make up Webex (including identity and content storage) remain in Cisco’s realms.
Collaborating with Other Organizations
Users in your organization may regularly use Webex App to collaborate with external participants in other organizations. When one of your users requests a key for a space that is owned by your organization (because it was created by one of your users) your KMS sends the key to the client over an ECDH secured channel. However, when another organization owns the key for the space, your KMS routes the request out to the Webex cloud through a separate ECDH channel to get the key from the appropriate KMS, and then returns the key to your user on the original channel.
The KMS service running on Org A validates the connections to KMSs in other organizations using x.509 PKI certificates. See Prepare Your Environment for details on generating an x.509 certificate to use with your Hybrid Data Security deployment.
Expectations for Deploying Hybrid Data Security
A Hybrid Data Security deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys.
To deploy Hybrid Data Security, you must provide:
-
A secure data center in a country that is a supported location for the Cisco Webex Teams plans.
-
The equipment, software, and network access described in Prepare Your Environment.
Complete loss of either the configuration ISO that you build for Hybrid Data Security or the database that you provide will result in the loss of the keys. Key loss prevents users from decrypting space content and other encrypted data in Webex App. If this happens, you can build a new deployment, but only new content will be visible. To avoid loss of access to data, you must:
-
Manage the backup and recovery of the database and the configuration ISO.
-
Be prepared to perform quick disaster recovery if a catastrophe occurs, such as database disk failure or data center disaster.
There is no mechanism to move keys back to the Cloud after an HDS deployment. |
High-level Setup Process
This document covers the setup and management of a Hybrid Data Security deployment:
Set up Hybrid Data Security—This includes preparing required infrastructure and installing Hybrid Data Security software, testing your deployment with a subset of users in trial mode, and, once your testing is complete, moving to production. This converts the entire organization to use your Hybrid Data Security cluster for security functions.
The setup, trial, and production phases are covered in detail in the next three chapters.
-
Maintain your Hybrid Data Security deployment—The Webex cloud automatically provides ongoing upgrades. Your IT department can provide tier one support for this deployment, and engage Cisco support as needed. You can use on-screen notifications and set up email-based alerts in Control Hub.
-
Understand common alerts, troubleshooting steps, and known issues—If you run into trouble deploying or using Hybrid Data Security, the last chapter of this guide and the Known Issues appendix may help you determine and fix the issue.
Hybrid Data Security Deployment Model
Within your enterprise data center, you deploy Hybrid Data Security as a single cluster of nodes on separate virtual hosts. The nodes communicate with the Webex cloud through secure websockets and secure HTTP.
During the installation process, we provide you with the OVA file to set up the virtual appliance on the VMs that you provide. You use the HDS Setup Tool to create a custom cluster configuration ISO file that you mount on each node. The Hybrid Data Security cluster uses your provided Syslogd server and PostgreSQL or Microsoft SQL Server database. (You configure the Syslogd and database connection details in the HDS Setup Tool.)
The minimum number of nodes you can have in a cluster is two. We recommend at least three, and you can have up to five. Having multiple nodes ensures that service is not interrupted during a software upgrade or other maintenance activity on a node. (The Webex cloud only upgrades one node at a time.)
All nodes in a cluster access the same key datastore, and log activity to the same syslog server. The nodes themselves are stateless, and handle key requests in round-robin fashion, as directed by the cloud.
Nodes become active when you register them in Control Hub. To take an individual node out of service, you can deregister it, and later reregister it if needed.
We support only a single cluster per organization.
Hybrid Data Security Trial Mode
After setting up a Hybrid Data Security deployment, you first try it with a set of pilot users. During the trial period, these users use your on-premises Hybrid Data Security domain for encryption keys and other security realm services. Your other users continue to use the cloud security realm.
If you decide not to continue with the deployment during the trial and deactivate the service, the pilot users and any users they have interacted with by creating new spaces during the trial period will lose access to the messages and content. They will see “This message cannot be decrypted” in the Webex App.
If you are satisfied that your deployment is working well for the trial users and you are ready to extend Hybrid Data Security to all of your users, you move the deployment to production. Pilot users continue to have access to the keys that were in use during the trial. However, you cannot move back and forth between production mode and the original trial. If you must deactivate the service, such as to perform disaster recovery, when you reactivate you must start a new trial and set up the set of pilot users for the new trial before moving back to production mode. Whether users retain access to data at this point depends on whether you have successfully maintained backups of the key data store and the ISO configuration file for the Hybrid Data Security nodes in your cluster.
Standby Data Center for Disaster Recovery
During deployment, you set up a secure standby data center. In the event of a data center disaster, you can manually fail your deployment over to the standby data center.
The databases of the active and standby data centers are in sync with each other which will minimize the time taken to perform the failover. The ISO file of the standby data center is updated with additional configurations which ensure that the nodes are registered to the organization, but will not handle traffic. Hence, the nodes of the standby data center always remain up-to-date with the latest version of HDS software.
The active Hybrid Data Security nodes must always be in the same data center as the active database server. |
Setup Standby Data Center for Disaster Recovery
Follow the steps below to configure the ISO file of the standby data center:
Before you begin
-
The standby data center should mirror the production environment of VMs and a backup PostgreSQL or Microsoft SQL Server database. For example, if production has 3 VMs running HDS nodes, the backup environment should have 3 VMs. (See Standby Data Center for Disaster Recovery for an overview of this failover model.)
-
Make sure database sync is enabled between the database of active and passive cluster nodes.
1 | Start the HDS Setup tool and follow the steps mentioned in Create a Configuration ISO for the HDS Hosts.
| ||
2 | After configuring the Syslogd server, click on Advanced Settings | ||
3 | On the Advanced Settings page, add the configuration below to place the node in passive mode. In this mode the node will be registered to the organization and connected to cloud, but will not handle any traffic. | ||
4 | Complete the configuration process and save the ISO file in a location that's easy to find. | ||
5 | Make a backup copy of the ISO file on your local system. Keep the backup copy secure. This file contains a master encryption key for the database contents. Restrict access to only those Hybrid Data Security administrators who should make configuration changes. | ||
6 | In the VMware vSphere client's left navigation pane, right-click on the VM and click Edit Settings.. | ||
7 | Click Edit Settings >CD/DVD Drive 1 and select Datastore ISO File.
| ||
8 | Power on the HDS node and make sure there are no alarms for at least 15 minutes. | ||
9 | Repeat the process for every node in the standby data center.
|
What to do next
After configuring passiveMode
in the ISO file and saving it, you can create another copy of the ISO file without the passiveMode
configuration and save it in a secure location. This copy of the ISO file without passiveMode
configured can help in a quick failover process during disaster recovery. See Disaster Recovery using Standby Data Center for the detailed failover procedure.
Proxy Support
Hybrid Data Security supports explicit, transparent inspecting, and non-inspecting proxies. You can tie these proxies to your deployment so that you can secure and monitor traffic from the enterprise out to the cloud. You can use a platform admin interface on the nodes for certificate management and to check the overall connectivity status after you set up the proxy on the nodes.
The Hybrid Data Security nodes support the following proxy options:
-
No proxy—The default if you do not use the HDS node setup Trust Store & Proxy configuration to integrate a proxy. No certificate update is required.
-
Transparent non-inspecting proxy—The nodes are not configured to use a specific proxy server address and should not require any changes to work with a non-inspecting proxy. No certificate update is required.
-
Transparent tunneling or inspecting proxy—The nodes are not configured to use a specific proxy server address. No HTTP or HTTPS configuration changes are necessary on the nodes. However, the nodes need a root certificate so that they trust the proxy. Inspecting proxies are typically used by IT to enforce policies on which websites can be visited and which types of content are not permitted. This type of proxy decrypts all your traffic (even HTTPS).
-
Explicit proxy—With explicit proxy, you tell the HDS nodes which proxy server and authentication scheme to use. To configure an explicit proxy, you must enter the following information on each node:
-
Proxy IP/FQDN—Address that can be used to reach the proxy machine.
-
Proxy Port—A port number that the proxy uses to listen for proxied traffic.
-
Proxy Protocol—Depending on what your proxy server supports, choose between the following protocols:
-
HTTP—Views and controls all requests that the client sends.
-
HTTPS—Provides a channel to the server. The client receives and validates the server's certificate.
-
-
Authentication Type—Choose from among the following authentication types:
-
None—No further authentication is required.
Available if you select either HTTP or HTTPS as the proxy protocol.
-
Basic—Used for an HTTP User Agent to provide a user name and password when making a request. Uses Base64 encoding.
Available if you select either HTTP or HTTPS as the proxy protocol.
Requires you to enter the user name and password on each node.
-
Digest—Used to confirm the account before sending sensitive information. Applies a hash function on the user name and password before sending over the network.
Available only if you select HTTPS as the proxy protocol.
Requires you to enter the user name and password on each node.
-
-
Example of Hybrid Data Security Nodes and Proxy
This diagram shows an example connection between the Hybrid Data Security, network and a proxy. For the transparent inspecting and HTTPS explicit inspecting proxy options, the same root certificate must be installed on the proxy and on the Hybrid Data Security nodes.
Blocked External DNS Resolution Mode (Explicit Proxy Configurations)
When you register a node or check the node's proxy configuration, the process tests DNS look-up and connectivity to the Cisco Webex cloud. In deployments with explicit proxy configurations that do not allow external DNS resolution for internal clients, if the node can't query the DNS servers, it automatically goes into Blocked External DNS Resolution mode. In this mode, node registration and other proxy connectivity tests can proceed.