Cisco WebEx Meeting Center WBS29.11 White Paper
Web Conferencing: Unleash the Power of Secure Real-Time Collaboration
White Paper
Cisco Public
© 2016 Cisco and/or its affiliates. All rights reserved.
Administrative data: Information about employees or representatives of a customer or other third party that is collected and used by Cisco in order to administer or manage Cisco’s delivery of products or services, or to administer or manage the customer’s or third party’s account for Cisco’s own business purposes. Administrative data may include the name, address, phone number, email address, and information about the contractual commitments between Cisco and a third party, whether collected at the time of the initial registration or later in connection with the management or administration of Cisco’s products or services. Administrative data may also include the meeting title, time, and other attributes of the meetings conducted or hosted on Cisco WebEx by employees or representatives of a customer.

Customer data: All data (including text, audio, video, image files, and recordings) that is either provided to Cisco by a customer in connection with the customer’s use of Cisco products or services, or developed by Cisco at the specific request of a customer pursuant to a statement of work or contract. Customer data includes log, configuration, or firmware files, and core dumps. It is data taken from a product or service and provided to Cisco to help us troubleshoot an issue in connection with a support request. Customer data does not include administrative data, support data, or telemetry data.

Support data: Information that Cisco collects when a customer submits a request for support services or other troubleshooting, including information about hardware or software. It includes details related to the support incident, such as authentication information, information about the condition of the product, system and registry data about software installations and hardware configurations, and error-tracking files. Support data does not include log, configuration, or firmware files, or core dumps taken from a product and provided to us to help us troubleshoot an issue in connection with a support request, all of which are examples of customer data.

Telemetry data: Information generated by instrumentation and logging systems created through the use and operation of the product or service.

All data collected in Cisco WebEx Cloud is protected by several layers of robust security technologies and processes. Below are examples of controls placed in different layers of Cisco WebEx operations to protect customer data:

• Physical access control: Physical access is controlled through biometrics, badges, and video surveillance. Access to the data center requires approvals and is managed through an electronic ticketing system.
• Network access control: The Cisco WebEx network perimeter is protected by firewalls. Any network traffic entering or leaving the Cisco WebEx data center is continuously monitored using an intrusion detection system (IDS). The Cisco WebEx network is also segmented into separate security zones. Traffic between the zones is controlled by firewalls and access control lists (ACLs).
• Infrastructure monitoring and management controls: Every component of infrastructure, including network devices, application servers, and databases, is hardened to stringent guidelines. These components are also subject to regular scans to identify and address any security concerns.
• Cryptographic controls: As noted earlier, all data traveling between the Cisco WebEx data center and Cisco WebEx clients is encrypted, except for unencrypted video devices in a CMR Cloud–enabled meeting. Additionally, critical data stored in Cisco WebEx, such as passwords, is encrypted.

Cisco employees do not access customer data unless access is requested by the customer for support reasons. Access to systems in this case is allowed by the manager only in accordance with the “segregation of duties” principle. It is granted only on a need-to-know basis and with only the level of access required to do the job. Employee access to these systems is also regularly reviewed for compliance. Employees with such access are required to take annual International Organization for Standardization (ISO) 27001 Information Security Awareness training.

In addition to these specialized controls, every Cisco employee undergoes a background check, signs an NDA (nondisclosure agreement), and completes COBC (Code of Business Ethics) training.