Cisco WebEx Meeting Center WBS29.11 White Paper
Web Conferencing: Unleash the Power of Secure Real-Time Collaboration
White Paper
Cisco Public
© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco InfoSec Cloud
Led by the chief security officer for cloud, this team
is responsible for delivering a safe Cisco WebEx
environment to our customers. InfoSec achieves this
by defining and enforcing security processes and
tools for all functions involved in the delivery of Cisco
WebEx into our customers’ hands.
Additionally, Cisco InfoSec Cloud works with other
teams in Cisco to respond to any security threats to
Cisco WebEx.
Cisco InfoSec is also responsible for continuous
improvement in Cisco WebEx’s security posture.
Cisco Product Security Incident Response Team (PSIRT)
Cisco PSIRT is a dedicated global team that
manages the inflow, investigation, and reporting
of security issues related to Cisco products and
services. PSIRT uses different mediums to publish
information depending on the severity of the security
issue. The type of reporting varies according to the
following conditions:
• Software patches or workarounds exist to address the vulnerability, or a subsequent public disclosure of code fixes is planned to address high-severity vulnerabilities.
• PSIRT has observed active exploitation of a vulnerability that could lead to a greater risk for Cisco customers. PSIRT may accelerate the publication of a security announcement describing the vulnerability in this case without full availability of patches.
• Public awareness of a vulnerability affecting Cisco products may lead to a greater risk for Cisco customers. Again, PSIRT may alert customers even without full availability of patches.
In all cases, PSIRT discloses the minimum amount
of information that end users will need to assess
the impact of a vulnerability and to take steps
needed to protect their environment. PSIRT uses the
Common Vulnerability Scoring System (CVSS) scale
to rank the severity of disclosed issues. PSIRT does
not provide vulnerability details that could enable
someone to craft an exploit.
To learn more about PSIRT, please visit
Security Responsibility
Although every person in the Cisco WebEx team is
responsible for security, the following are the main
roles accountable for it:
• Chief security officer, Cloud
• Vice president and general manager, Cisco Cloud Collaboration Applications
• Vice president, Engineering, Cisco Cloud Collaboration Applications
• Vice president, Product Management, Cisco Cloud Collaboration Applications
Internal and External Penetration Tests
The Cisco WebEx team conducts rigorous
penetration testing regularly, using internal
assessors. Beyond its own stringent internal
procedures, Cisco InfoSec also engages multiple
independent third parties to conduct rigorous audits
against Cisco internal policies, procedures, and
applications. These audits are designed to validate
mission-critical security requirements for both
commercial and government applications. Cisco also
uses third-party vendors to perform ongoing, in-depth,
code-assisted penetration tests and service
assessments. As part of the engagement, a third
party performs the following security evaluations:
• Identifying critical application and service vulnerabilities and proposing solutions
• Recommending general areas for architectural improvement
• Identifying coding errors and providing guidance on coding practice improvements
Third-party assessors work directly with the Cisco
WebEx engineering staff to explain findings and
validate the remediation. As needed, Cisco
InfoSec can provide a letter of attestation from
these vendors.
Cisco WebEx Data Center Security
Cisco WebEx is a software-as-a-service (SaaS)
solution delivered through the Cisco WebEx Cloud,
a highly secure service-delivery platform with
industry-leading performance, integration, flexibility,
scalability, and availability. The Cisco WebEx Cloud
is a communications infrastructure purpose built for
real-time web communications.