Covid has accelerated adoption of modern collaboration services by the public sector. While the switch to cloud provides a variety of benefits for hybrid work, it also raises concerns about exposing sensitive information that can be included in documents, whiteboards, meeting recordings, rosters, and attendee information used in collaboration.
Global governments, Defense, and critical national infrastructure entities, as well as other regulated organizations, need to protect the personally identifiable information (PII) of their citizens and keep content secure and private. Additionally, they need to comply with regional regulations and certifications like GDPR in Europe and IRAP in Australia and keep collaboration services and data local.
Webex has changed the landscape of collaboration with security and compliance innovations in data privacy, residency, and sovereignty. With industry-leading products and an uncompromising commitment to privacy, regulated organizations can be sure we do everything possible to keep data protected and their users’ personal information secure and confidential.
We are guided by a clear vision and work every day to achieve the highest standards in privacy and compliance for our customers. Today I am sharing our approach for local collaboration services and highlighting the steps we have taken to deliver a range of sovereignty options for our customers that match their unique needs.
“Local Collaboration” Ladder of Excellence
Cisco does not believe in a one-size-fits-all approach to sovereignty. We provide best-fit collaboration services that help our customers realize the outcomes they want for data locality and sovereignty. Our Ladder of Excellence lists levels of locality, their key characteristics and proof points of solutions we have delivered recently at each tier.
As collaboration has become mission critical, customers and regions want improved performance so local users have the best experience, can join their meetings faster, and do not experience delays. Webex is available in 200+ countries with 47 data centers around the globe. We continuously work with customers and regions to build out our footprint and deliver improved performance. We recently added a new data center in Singapore and I’m excited to share that our new India data center will go live by early Fall 2022.
True data residency means that all data, including PII and user-generated content, remain in-country. When your data is processed by other parties you need to understand where data will be stored and how it will move around the world, especially when processing and storing data across regional or national borders. With the continuing transition to cloud communication, regulated and public sector organizations require digital and data sovereignty to meet compliance and regulatory policy requirements. These policies include ensuring the confidentiality of sensitive and personal data and ensuring the flexibility, scalability, resilience, security, and ability to collaborate with a diverse ecosystem of customers and partners.
Data Residency in Europe & Canada
Some regions – like Europe and Canada – have stricter data residency policies. Our European customers can count on Webex to store and process all Webex user-generated content and user profiles in the European Union (EU) for new and existing customers, from both the public and private sectors as listed in data localization journey. We are the only mainstream collaboration service with temporary approval from the European Data Protection Supervisor (EDPS) for use by the Court of Justice of the EU . Additionally, EU customers who had set up their accounts in the US prior to data residency availability have an option to migrate their organization’s data and user content to the EU. We also offer data residency for Canadian customers for meetings and user profiles. And we continue to respond to regulatory needs and requests from customers in countries throughout the world.
Customers who want to know where Webex houses their user profiles, recordings, transcripts and messages can simply check Webex Control Hub.
U.S. Trusted Cloud
The U.S. government is one of the biggest technology buyers in the world and has established a standardized approach to security assessment and authorization for cloud products and services used by U.S. federal agencies and the Department of Defense. The government allows cloud providers to use any infrastructure or software services – on-prem or cloud-based – if they meet standard requirements.
FedRAMP stands for the “Federal Risk and Authorization Management Program.” The goal is to make sure federal data is consistently protected at a high level in the cloud using one set of standards for all government agencies and all cloud providers. FedRAMP Moderate allows handling of non-public data like PII and requires 325 security controls with a mandate that the cloud must be operated by U.S. nationals.
Webex for Government operates a FedRAMP authorized U.S. Trusted Cloud with dedicated processing and storage within restricted data centers located in-country and adhering to FedRAMP regulations. This solution provides a modern experience to U.S. federal and state agencies on par with our Webex commercial solution.
The Defense Information Systems Agency (DISA) is an agency of the U.S. Department of Defense (DoD) that is responsible for establishing baseline security requirements used by the DoD to assess the security posture of a cloud service and grant authorization to host DoD data. There are several Impact Levels (IL) and IL5 allows storage and handling of Controlled Unclassified Information (CUI) and unclassified National Security System (NSS) information. This is a very rigorous authorization and has 47 additional controls on top of 325 FedRAMP Moderate controls with Security Technical Implementation Guides (STIGs) to make the cloud service and infrastructure as secure as possible. The cloud service must be operated by U.S. citizens.
Webex for Defense is authorized by DISA to operate at DoD IL5 and offers end-to-end support of the DoD’s national security systems, higher sensitivity CUI, and mission-critical information across all workloads, including calling, meeting, and messaging.
Global Trusted Cloud
Governments and highly regulated organizations outside the U.S. require private and secure communications, requiring their data to be stored in a data center that is owned by a local entity. To protect against foreign government interference, use of U.S. or foreign entity’s data center or public clouds is not allowed, and service operations need to be performed by a local entity. In addition to operating its own local data centers, Cisco has been delivering hosted collaboration services through data centers owned and operated by Webex partners for 10+ years. In the future, Webex SaaS services will support this model based on market needs.
Air-gapped Trusted Cloud
The highest level of cloud deployments is trusted service that is isolated from the Internet, operated by local staff with specific security clearances to handle classified, secret, and top-secret data. There can be additional security and compliance requirements per customer.
Cisco has enabled multiple intelligence or Defense customers around the globe to deploy our collaboration on-premises solution in their top-secret air-gapped data centers and offer this as a service to their sub-agencies and employees. Cisco provides technical support, keeps the service updated and resolves any issues during the lifecycle. Customers have full operational control of the production environment and software updates. This is a highly secure environment, isolated from the public internet.
Webex Provides the Best Security Controls
Webex has iron clad security controls that span all privacy and access levels and have been built to protect content on any device, used anywhere by all Webex collaboration services, including calling, meetings, messaging and more. Techvision Research named Webex a clear leader in cloud collaboration with the best security and privacy, and others, like the U.S.’s National Security Agency (NSA) have confirmed that Webex offers the most complete set of security and privacy tools to help organizations reduce risk across the entire collaboration ecosystem.
Zero Trust, End-to-end Encryption
Webex Meetings offers end-to-end encryption with Zero Trust security, a standards-based protocol for end-to-end encryption with identity verification and added support for Webex Devices. This means that our cryptology is formally vetted by industry leaders and academic experts and you know you’re getting the best and most up-to-date security protocols.
Bring Your Own Key
We also provide flexible options for encryption and key management for your content stored in the Webex cloud. We offer on-premises key management, also known as Hybrid Data Security (HDS), as well as bring your own key (BYOK) in the cloud capabilities. With BYOK or HDS you retain full control of your stored data – no one can access your data unless you explicitly authorize it – not even Webex.
Ethical wall capabilities allow organizations to create communication barriers between restricted groups of people via intuitive and easy-to-use interfaces in Control Hub. This helps organizations in regulated industries, such as financial and legal, comply with regulatory mandates around internal communications involving certain restricted groups and people. It also handles retroactive enforcement of policy when employees change jobs or roles internally and allows customers to maintain authorized access to confidential data.
Granular Controls and Data Loss Prevention
Additionally, Webex offers an array of options to keep information protected, including the ability to set granular security and compliance policies to prevent certain files and information from being shared with people outside the organization or between groups within the organization. And for customers who want more visibility and control over sensitive data Webex offers advanced data loss prevention (DLP) capabilities, allowing policies to follow employees when they collaborate internally and externally.
Webex is compliant throughout the world
Webex compliance includes:
- United States Government: FedRAMP, DISA IL-5, HIPAA,
- European Union: EU Cloud Code of Conduct for GDPR
- Germany: BSI C5 2020 Cloud Computing Compliance Controls Catalog
- UK: Cyber Essentials
- Spanish: ENS (Esquema Nacional de Seguridad (National Security Framework)
- Canada: PIPEDA (Personal Information Protection and Electronic Documents Act),
- Australia: IRAP (Infosec Registered Assessors Program)
- Global: SOC 2 & 3, ISO, CSA STAR (Security, Trust, Assurance, and Risk)
Cisco has achieved external validation of our protections for personal data. This includes our EU BCR-Cs, which were assessed by the European Data Protection Authorities, and APEC privacy certifications. Our future strategy is to continue to expand the regulatory engagement for global acceptance.
Webex is accomplishing the vision
The Webex vision for sovereignty is to secure cross-company, cross-border collaboration for governments, businesses and consumers that is compliant with local regulations on data residency, access, and controls. Our data residency solution provides privacy protection through local data centers that are compliant. Our Trusted Cloud solutions for regulated and government organizations provide for data protection, local authority, and no outside interference. When you think of privacy with your collaboration, know that Webex is focused on exceeding expectations. Stay tuned for new announcements across all these tiers.