Deployment guide for Webex Hybrid Data Security (2024)

From day one, data security has been the primary focus in designing Webex App. The cornerstone of this security is end-to-end content encryption, enabled by Webex App clients interacting with the Key Management Service (KMS). The KMS is responsible for creating and managing the cryptographic keys that clients use to dynamically encrypt and decrypt messages and files.

By default, all Webex App customers get end-to-end encryption with dynamic keys stored in the cloud KMS, in Cisco's security realm. Hybrid Data Security moves the KMS and other security-related functions to your enterprise data center, so nobody but you holds the keys to your encrypted content.

The Webex cloud architecture separates different types of service into separate realms, or trust domains, as depicted below.

To further understand Hybrid Data Security, let's first look at this pure cloud case, where Cisco is providing all functions in its cloud realms. The identity service, the only place where users can be directly correlated with their personal information such as email address, is logically and physically separate from the security realm in data center B. Both are in turn separate from the realm where encrypted content is ultimately stored, in data center C.

In this diagram, the client is the Webex App running on a user's laptop, and has authenticated with the identity service. When the user composes a message to send to a space, the following steps take place:

1. The client establishes a secure connection with the key management service (KMS), then requests a key to encrypt the message. The secure connection uses ECDH, and the KMS encrypts the key using an AES-256 master key.

2. The message is encrypted before it leaves the client. The client sends it to the indexing service, which creates encrypted search indexes to aid in future searches for the content.

3. The encrypted message is sent to the compliance service for compliance checks.

4. The encrypted message is stored in the storage realm.

When you deploy Hybrid Data Security, you move the security realm functions (KMS, indexing, and compliance) to your on-premises data center. The other cloud services that make up Webex (including identity and content storage) remain in Cisco’s realms.

Users in your organization may regularly use Webex App to collaborate with external participants in other organizations. When one of your users requests a key for a space that is owned by your organization (because it was created by one of your users) your KMS sends the key to the client over an ECDH secured channel. However, when another organization owns the key for the space, your KMS routes the request out to the Webex cloud through a separate ECDH channel to get the key from the appropriate KMS, and then returns the key to your user on the original channel.

The KMS service running on Org A validates the connections to KMSs in other organizations using x.509 PKI certificates. See Prepare Your Environment for details on generating an x.509 certificate to use with your Hybrid Data Security deployment.

A Hybrid Data Security deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys.

To deploy Hybrid Data Security, you must provide:

• A secure data center in a country that is a supported location for the Cisco Webex Teams plans.

• The equipment, software, and network access described in Prepare Your Environment.

Complete loss of either the configuration ISO that you build for Hybrid Data Security or the database that you provide will result in the loss of the keys. Key loss prevents users from decrypting space content and other encrypted data in Webex App. If this happens, you can build a new deployment, but only new content will be visible. To avoid loss of access to data, you must:

• Manage the backup and recovery of the database and the configuration ISO.

• Be prepared to perform quick disaster recovery if a catastrophe occurs, such as database disk failure or data center disaster.

There is no mechanism to move keys back to the Cloud after an HDS deployment.

Within your enterprise data center, you deploy Hybrid Data Security as a single cluster of nodes on separate virtual hosts. The nodes communicate with the Webex cloud through secure websockets and secure HTTP.

During the installation process, we provide you with the OVA file to set up the virtual appliance on the VMs that you provide. You use the HDS Setup Tool to create a custom cluster configuration ISO file that you mount on each node. The Hybrid Data Security cluster uses your provided Syslogd server and PostgreSQL or Microsoft SQL Server database. (You configure the Syslogd and database connection details in the HDS Setup Tool.)

The minimum number of nodes you can have in a cluster is two. We recommend at least three, and you can have up to five. Having multiple nodes ensures that service is not interrupted during a software upgrade or other maintenance activity on a node. (The Webex cloud only upgrades one node at a time.)

All nodes in a cluster access the same key datastore, and log activity to the same syslog server. The nodes themselves are stateless, and handle key requests in round-robin fashion, as directed by the cloud.

Nodes become active when you register them in Control Hub. To take an individual node out of service, you can deregister it, and later reregister it if needed.

We support only a single cluster per organization.

After setting up a Hybrid Data Security deployment, you first try it with a set of pilot users. During the trial period, these users use your on-premises Hybrid Data Security domain for encryption keys and other security realm services. Your other users continue to use the cloud security realm.

If you decide not to continue with the deployment during the trial and deactivate the service, the pilot users and any users they have interacted with by creating new spaces during the trial period will lose access to the messages and content. They will see “This message cannot be decrypted” in the Webex App.

If you are satisfied that your deployment is working well for the trial users and you are ready to extend Hybrid Data Security to all of your users, you move the deployment to production. Pilot users continue to have access to the keys that were in use during the trial. However, you cannot move back and forth between production mode and the original trial. If you must deactivate the service, such as to perform disaster recovery, when you reactivate you must start a new trial and set up the set of pilot users for the new trial before moving back to production mode. Whether users retain access to data at this point depends on whether you have successfully maintained backups of the key data store and the ISO configuration file for the Hybrid Data Security nodes in your cluster.

During deployment, you set up a secure standby data center. In the event of a data center disaster, you can manually fail your deployment over to the standby data center.

The databases of the active and standby data centers are in sync with each other which will minimize the time taken to perform the failover. The ISO file of the standby data center is updated with additional configurations which ensure that the nodes are registered to the organization, but will not handle traffic. Hence, the nodes of the standby data center always remain up-to-date with the latest version of HDS software.

The active Hybrid Data Security nodes must always be in the same data center as the active database server.