Securing users and devices in Webex
Common security challenges with users and devices
Organizations' applications face many security challenges today, and many different vectors need to be secured:
- User identities
The way that we protect the applications is crucial. We need to protect the application access, but also the identity of the user.
It is the job of the IT manager to prevent rogue agents from hijacking a user's identity and gaining access to all the different resources that the user is entitled to.
Identity theft has been identified in the Verizon 2019 report as the most common data breach, and if we add phishing attacks and stolen passwords, we get more than 50% of them. (1)
Protecting user identity
IT departments already understand that passwords are no longer an efficient way of protecting user identity.
It is difficult to manage application access based on passwords, as there are too many challenges:
- Strong password complexity makes them hard to remember
- Passwords should be unique to each app, which makes them hard to remember
- Passwords should rotate often, which makes them difficult to manage and remember
- Password manager web utilities can also bring security breaches
When deploying Webex, Cisco always recommends that our customers deploy it with a stronger authentication solution; at the same time, we recommend that the devices where Webex applications run are secure.
Strong authentication solution
Many customers want to enable all their applications with stronger authentication. Organizations realize that identity theft is the biggest security concern, and the traditional mechanisms for authentication are no longer effective.
Our customers talk about multifactor authentication (MFA), which means that their users need to provide two different types of authentication. There are three types of authentication mechanisms:
Many vendors deliver these kinds of solutions; normally, we see them associated with Identity Provider (IdP) solutions. Those authentication policy servers enforce the right authentication policy based on different factors (location, application type, device type, etc.).
Today there is another trend in the identity market, where authentication mechanisms are people-centric and follow the Zero Trust mode. This allows secure connections to all applications (whether on-premises or in the cloud) based on the trustworthiness of users and devices. The Zero Trust mode enables the customer’s IT to set and enforce risk-based, adaptive access policies, and get enhanced visibility into users’ devices and activities. This concept is also known as Adaptive Authentication.
Cisco Webex has the right architecture to support the Zero Trust mode and allow secure connections based on the trustworthiness of users and devices.
Device validation and health
Device assessment is a must in today’s organizations, identifying risky devices, enforcing contextual access policies, and reporting on device health.
Today organizations are mandated to follow many compliance goals, and they can achieve most of those using device access policies.
Verifying device health before granting access, to prevent exposing your applications to potential security risks, is one of the best practices in modern application deployment models.
There are multiple types of devices that an organization’s users utilize every day when they use collaboration tools. Some of the devices are managed by the IT department, which already delivers some security insurance – but it isn’t enough. Some are unmanaged and owned by the employees, which brings interesting challenges from a security perspective.
Corporate managed devices/applications
Normally there is a mix of solutions that can be used for corporate or managed devices, depending on the device type.
Some organizations use MDM/MAM for mobile devices, which allows them to create policies for the corporate application, for example:
- Forcing PIN-lock
- Preventing copy and paste
- Disabling screen capture
- Remote wipe
- Preventing tampering with devices
- Requiring a minimum version of OS
- Support for ECM
- Requiring a minimum version of the corporate application
But since IT departments don’t manage only mobile devices, we also need a solution for desktops. There we need to make sure that the corporate-managed applications are also aware of the security policies, and those apps could be aware of features like:
- Versions of Browsers
- OS versions and type
- Disk encryption
- Status on OS, Browsers, and Plugins
- Anti-Virus and Anti-Malware
The application can be protected by running these validations when the user logs in to the application or during application usage. The right mechanism, method, and deployment model need to be chosen by IT administrators when they are in the deployment stage of those applications. The application vendors need to support any policy defined by the IT departments of those customers.
Cisco with Webex Collaboration doesn’t mandate any security strategy to protect the application, but we can integrate with any policy defined by our customer.
It is important that any application that deals with all the IP (Intellectual Property) produced by a company can follow all the policies that exist for devices and applications.
Devices that are owned by the users should not be excluded from the usage of a collaboration application. Examples of that are home computers, personal tablets, and mobile devices. Those devices are especially relevant in scenarios of working from home.
That is why corporate applications need to do extra checks to make sure that these devices meet the minimum security requirements imposed by the company security policies, for example:
- The device has the firewall turned on
- The device has an endpoint security tool, to protect against malware and viruses
- The device doesn’t have a tampered OS
Normally these kinds of policies, for devices that are unmanaged, need to be enforced at login time.
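As an added illustration of a login-time posture check (this is not Webex or IdP code; the field names, thresholds and sample reports are hypothetical), the sketch below evaluates a device report against the checks listed above. It denies when an attribute is missing rather than assuming it passes, and it compares versions numerically.

```python
# Hypothetical thresholds for illustration; not values from Webex or any IdP.
MIN_OS = {"windows": "10.0.19045", "macos": "13.6", "android": "13"}
MIN_BROWSER = {"chrome": "120.0", "firefox": "121.0"}

def at_least(actual, minimum):
    """Numeric dotted-version compare, so 13.10 ranks above 13.6 (a string compare would not)."""
    try:
        a = tuple(int(p) for p in actual.split("."))
        m = tuple(int(p) for p in minimum.split("."))
    except (AttributeError, ValueError):
        return False  # missing or unparseable version fails closed
    n = max(len(a), len(m))
    return a + (0,) * (n - len(a)) >= m + (0,) * (n - len(m))

def evaluate_login(device):
    """Return (allowed, reasons) for a device posture report (dict) presented at login."""
    reasons = []

    def require(key, label):
        if device.get(key) is not True:  # absent, None and False all deny
            reasons.append(label)

    # Checks the page lists for user-owned devices; applied here to every device.
    require("firewall_enabled", "firewall off or unreported")
    require("endpoint_protection", "no endpoint security tool reported")
    if device.get("os_tampered") is not False:
        reasons.append("OS integrity not confirmed")
    os_min = MIN_OS.get(device.get("os_type"))
    if os_min is None or not at_least(device.get("os_version"), os_min):
        reasons.append("OS unknown or below minimum version")
    if device.get("managed") is True:
        # Extra attributes the page lists for corporate-managed desktops.
        require("disk_encrypted", "disk encryption not confirmed")
        b_min = MIN_BROWSER.get(device.get("browser"))
        if b_min is None or not at_least(device.get("browser_version"), b_min):
            reasons.append("browser unknown or below minimum version")
    return (not reasons, reasons)

# Constructed sample posture reports (not real telemetry).
BYOD_OK = {"managed": False, "firewall_enabled": True, "endpoint_protection": True,
           "os_tampered": False, "os_type": "macos", "os_version": "13.10"}
BYOD_SILENT = {"managed": False, "endpoint_protection": True,
               "os_type": "android", "os_version": "12"}
MANAGED_UNENCRYPTED = dict(BYOD_OK, managed=True, disk_encrypted=False,
                           browser="chrome", browser_version="121.0.1")

if __name__ == "__main__":
    for name, d in [("byod_ok", BYOD_OK), ("byod_silent", BYOD_SILENT),
                    ("managed_unencrypted", MANAGED_UNENCRYPTED)]:
        print(name, evaluate_login(d))
```

The returned reasons can be logged per login attempt, which also feeds the endpoint visibility discussed later on the page.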
One of the fundamental principles of good security is to understand your environment. But as environments get more complex with increasing reliance on cloud applications, bring-your-own-device (BYOD) allowances, and mobile and remote work, it’s progressively more difficult to gain that understanding.
IT administrators need visibility into which devices each application is running on, and into the major characteristics of those devices.
Endpoint visibility also helps you understand and track important user behaviors such as how quickly end-users update their operating systems, browsers, or plugins. It also builds an understanding of when and how frequently end users log into work applications from their personal devices. Tracking these behaviors not only helps you set informed access policies but also helps tailor a more empathetic approach to different groups of users.
When it comes to security, trust Webex
Whether it’s the security of the Webex application itself or securing the devices that connect to it, Cisco Webex has security and privacy built into its DNA. Cisco has invested heavily in building a culture of security with the right checks and balances in place. Webex chooses secure default settings out of the box, thereby enabling users to start collaborating freely without having to worry about configurations. At the same time, Webex delivers a great user experience – one that doesn’t compromise security. That’s collaboration without compromise. That’s the Cisco security difference.
To learn more about Security and Compliance settings, go to the Cisco Webex Control Hub web page.
Sep 27, 2022 — Geoffrey Huang