BRKCOL-2930
Why Collaboration Experts should care about cloud-ready networks
Marc Dionysius – Technical Solutions Architect Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKCOL-2930
BRKCOL-2930 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• Introduction and Objectives
• Current challenges
• How to address the existing network architecture?
• Traditional concepts no longer work! (?)
• Proxy Support
• Firewall Requirements
• Why are Cloud Ready Network Concepts relevant?
• How Collaboration may help to get there
• Conclusion

Objectives
Cloud Collaboration services continue to grow and present customers and partners with both opportunities and challenges to deploy those services in today’s customer environments. This session will review design and deployment considerations for secure Cloud Collaboration solutions in the context of current customer network architectures including proxies, centralized internet breakouts but also future evolutions towards cloud-ready networks and SD-WAN technologies. It will NOT deliver deep technical knowledge for Cisco SD-WAN or Cisco Security solutions as it is designed for individuals interested in Collaboration and looking to understand the various aspects, benefits and challenges of moving Collaboration solutions towards Cisco Collaboration Cloud and Cisco Webex.

Current challenges
The way we work has changed
Devices & Things
Campus & Branch Users
Mobile Users

“Aren’t Cloud and Security mutually exclusive?” Undisclosed customer quote

The New Normal
• More targeted attacks: more than 100 targeted breach attempts every year
• Attacks are faster than ever but still take too long to find: 82% of compromises measured in minutes
• Shortage of cybersecurity expertise: 1.5 million job openings by 2019

The shadow IT reality
• 80% of end users use software not cleared by IT*
• 1,220 cloud services used by average large org*
• 33% of enterprise attacks will come from shadow IT by 2020**
*Cisco Cloudlock CyberLab ** Gartner’s Top 10 Security Predictions (ref)

Users and apps have adopted the cloud… …security must, too.
• 49% of the workforce is mobile (1)
• 82% admit to not using the VPN (2)
• 70% increase in SaaS usage (3)
• 70% of branch offices have DIA (4)
Security controls must shift to the cloud
Sources:
1. “Securing Portable Data and Applications for a Mobile Workforce” SANS, 2015
2. “Your Users Have Left the Perimeter. Are You Ready?” IDG, 2016
3. “Keeping SaaS Secure” Gartner, 2016
4. “Securing Direct-To-Internet Branch Offices: Cloud-Based Security Offers Flexibility and Control,” Forrester, 2015

Cloud is less secure than On-Premises ???
Source: Gartner Highlights the Top 10 Cloud Myths

“We expect your solution to fit into the security framework we have built and used the last 6+ years.” Undisclosed customer quote

Collaboration Security – a history tour into 2006

How to address the existing network architecture?
What topology do we typically see in a customer’s network?
[Diagram labels: Internal, DMZ, Internet; IdP, Cisco Collaboration Cloud, Datacenter, Cloud, Remote Site, Voice/Video Endpoints, IP WAN, Desktops/Laptops, Teleworker, Wireless Devices]

Cisco Webex Teams - Types of Traffic
Webex Clients
• Messages, media signaling, notifications, control and analytics traffic: HTTPS and WSS
• Voice, video and content share: SRTP and STUN

Traffic Flow Scenario 1 - Security-relaxed customer, policies only enforced in the FW
[Diagram labels: Internal, DMZ, Internet]

Traffic Flow Scenario 2 - Security-aware customer, policies enforced in the FW and Proxy
[Diagram labels: Internal, DMZ, Internet, Proxy]

Traffic Flow Scenario 3 - Security-focused customer, policies enforced in the FW and Proxy plus no direct connection to internet
[Diagram labels: Internal, DMZ, Internet, Proxy, VMN]

Proxy support - what does it mean?
• When we talk about proxy support for Teams clients, we are only talking about HTTPS and WSS traffic.
• Media over proxies isn’t recommended: proxies were not designed to handle media, their performance is really bad and it doesn’t scale.
[Diagram labels: Messages, media signaling, notifications, control and analytics traffic: HTTPS and WSS; Voice, video and content share: SRTP and STUN]

Traditional concepts no longer work! (?)

Proxy – Inspection using TLS intercept
How does TLS work?
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are key components of secure communications over insecure media.
The privacy, integrity, and authenticity provided by these protocols are extremely important to transmit data.
Modern implementations generally support TLSv1.0, TLSv1.1, TLSv1.2 and most recently TLSv1.3 (RFC published in March 2018).
All communication relies on the validation of the certificates exchanged.
[Handshake diagram, Client and Server: Client Hello; Server Hello; Server Certificate; Cipher Suite; Request client Certificate; Verify Client Certificate; Server Cipher suite; Certificate; Client Finished Message; Server Finished Message; Encrypted Data]

Proxy – Inspection using TLS intercept
How does a proxy do TLS intercept?
Interception proxies can be deployed in several ways, depending on their purpose and what type of inspection they do.
Intercept proxies can be Deep Packet Inspection devices, can be included in next-generation firewalls, or do data loss prevention (DLP).
There isn’t much point in doing TLS intercept on Cisco Webex Teams traffic, since inside the TLS packets there is another layer of encryption that proxies can’t decrypt, so the only advantage would be to know the full URLs used by the Cisco Webex service.
[Handshake diagram, Client, Proxy and Server: the handshake messages above are shown on both legs, followed by Data, Data and Unencrypted Data]

Webex Teams Security Architecture
End to End Secure Communication
Transport
• Secure TLS REST interfaces
• Interaction between services based on certificate based MTLS
• Service components authorization by OAuth Tokens
• Secure client connection to service over TLS
Key Management
• End to End Client to Key Management channel negotiated ECDHE
• Identity of Key Management Service verified by PKI certificate
• Client to Key Management crypto key operations E2E secured over transport layer JSON Web Encryption (JWE, RFC 7516)
[Diagram labels: Mutual TLS connection; OAuth to authorize services; Inter service message transport; Establish TLS connection; Establish end to end ECDHE communication channel; Client verifies KMS identity through PKI certificate; Crypto Key operations (key material) not visible to other cloud components; Establish TLS connection; Inter service message transport]

Proxy exceptions for Webex Teams traffic
An alternative to TCP Intercept
Most proxies can create rules based on destinations. There are rules like TLS intercept bypass, authentication bypass, etc.
For Webex, the URLs that we require for the service to work are published publicly: https://collaborationhelp.cisco.com/article/en-us/n4vzhkx
Some proxies like the Cisco WSA have the capability of getting all these URLs from a single live feed: https://www.ciscoSpark.com/content/dam/ciscoSpark/eopi/global/assets/Docs/Spark_wsa.csv

Cloud Applications in general bring those different requirements
Source: https://docs.microsoft.com/en-us/microsoft-365/enterprise/networking-configure-proxies-firewalls
Source: https://support.bluejeans.com/knowledge/tcp-udp-ports

Firewall Requirements
Teams Clients Message, Signaling, Notification and Control
Messages, media signaling, notifications, control and analytics traffic: HTTPS and WSS
[Diagram labels: Internal, DMZ, Internet]
• Media goes directly to the internet using HTTPS WSS protocol.
[Diagram labels: Internal, DMZ, Internet, Proxy]
• Signaling goes through Proxy (rules already in place in the firewall).

Protocol and Ports used by Webex Teams
Assuming the simplest scenario with direct connection to the internet

Protocol: TCP
Source IP: Internal LAN IP address range
Source Port: Ephemeral
Destination IP: Any IP
Destination Port: 443

Protocol: UDP
Source IP: Internal LAN IP
Source Port: Voice 52000-52099, Video 52100-52299
Destination IP: Any IP
Destination Port: 5004

Fallback Protocol: TCP
Source IP: Internal LAN IP
Source Port: Ephemeral
Destination IP: Any IP
Destination Port: 5004

• From a media perspective, Webex Teams clients always try to use UDP but will fall back to TCP if UDP is closed. TCP might impact media quality and it can’t guarantee quality for real-time media.
• As a last-case scenario for the software clients (Win, MAC, iOS and Android) we can use HTTP proxies for media, but it isn’t recommended. Cisco can’t help much if there are quality issues with media.

Protocols and Ports used by Webex Meetings
Assuming the simplest scenario with direct connection to the internet:

Protocol: TCP
Source IP: Internal LAN IP address range
Source Port: 443
Destination IP: Any IP
Destination Port: 443

Protocol: TCP/UDP
Source IP: Internal LAN IP
Source Port: Voice/Video UDP 48000-65535; Sharing/Whiteboard/Media fallback TCP 443
Destination IP: Any IP
Destination Port: TCP 443 / UDP 9000

[Diagram labels: Internal, DMZ, Internet]
Firewall rules for Media
[Diagram label: VMN]
Option 1 – Access to the Webex Service through Video Mesh Node.
All clients inside the customer network connect to the Video Mesh Node; if there are participants outside the customer network, the VMN cascades the media flow to the cloud.
The sources that connect to the Webex services in the cloud are unique and very well defined, and can if necessary be placed in special DMZs for protection.
The VMN opens UDP connections to destination port 5004; a few additional ports are needed, please review the reference slides in the Appendix.

[Diagram labels: Internal, DMZ, Internet]
Firewall rules for Media
Option 2 – Using firewalls with STUN support
Defined in RFC3489.
Uses UDP from any Webex Teams client inside the customer network using source ports
Voice 52000-52099
Video 52100-52299
where the destination might be any IP address on the internet with destination port 5004.
STUN allows pinholes to be opened only if the system is WebRTC compliant and there is an external recipient expecting the traffic (this prevents the enterprise from being a source of DDoS).
From a security perspective this is the recommended model, but it requires firewalls that use STUN for WebRTC traffic, like Cisco ASA.

[Diagram labels: Internal, DMZ, Internet]
Firewall rules for Media
Option 3 – Direct access to the Webex Teams Service using UDP protocol for media using specific destination IP addresses.
We require that the administrator configure the firewall to allow inside-initiated UDP flows with return traffic on the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use), with a 30s timeout on the creation of the pinhole. Bidirectional media is sent over this flow.
Uses UDP from any Webex Teams client inside the customer network using source ports
Voice 52000-52099
Video 52100-52299
where the destination might be two /19 prefixes on the internet with destination port 5004.

Firewall pinholes for Cisco IP Media Prefixes
[Diagram: Media Nodes in US West, US East, Sydney, Frankfurt and Singapore, each marked GA]
Network Requirements: https://collaborationhelp.cisco.com/article/en-us/WBX000028782
Cisco Webex IP subnets for media
64.68.96.0/19 (CIDR) or 64.68.96.0 - 64.68.127.255 (net range)
66.114.160.0/20 (CIDR) or 66.114.160.0 - 66.114.175.255 (net range)
66.163.32.0/19 (CIDR) or 66.163.32.0 - 66.163.63.255 (net range)
173.39.224.0/19 (CIDR) or 173.39.224.0 - 173.39.255.255 (net range)
173.243.0.0/20 (CIDR) or 173.243.0.0 - 173.243.15.255 (net range)
207.182.160.0/19 (CIDR) or 207.182.160.0 - 207.182.191.255 (net range)
209.197.192.0/19 (CIDR) or 209.197.192.0 - 209.197.223.255 (net range)
216.151.128.0/19 (CIDR) or 216.151.128.0 - 216.151.159.255 (net range)
114.29.192.0/19 (CIDR) or 114.29.192.0 - 114.29.223.255 (net range)
210.4.192.0/20 (CIDR) or 210.4.192.0 - 210.4.207.255 (net range)
62.109.192.0/18 (CIDR) or 62.109.192.0 - 62.109.255.255 (net range)
69.26.160.0/19 (CIDR) or 69.26.160.0 - 69.26.191.255 (net range)
Configuration recommendation
Add all ranges to your firewalls, so there is automatic failover with minimal disruption
Webex Meetings is by region
Webex Teams – not specified by region.
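
The Option 3 rule and the media prefixes listed above, modelled as a small stateful filter. This is an added example, not Cisco code or a firewall configuration from the session; the 10.0.0.0/8 inside range and the reading of the 30s timeout as an idle timer refreshed by traffic are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Media prefixes exactly as listed on the slide above.
WEBEX_MEDIA_PREFIXES = [ipaddress.ip_network(p) for p in (
    "64.68.96.0/19", "66.114.160.0/20", "66.163.32.0/19", "173.39.224.0/19",
    "173.243.0.0/20", "207.182.160.0/19", "209.197.192.0/19",
    "216.151.128.0/19", "114.29.192.0/19", "210.4.192.0/20",
    "62.109.192.0/18", "69.26.160.0/19",
)]
VOICE_PORTS = range(52000, 52100)   # 52000-52099
VIDEO_PORTS = range(52100, 52300)   # 52100-52299
MEDIA_DST_PORT = 5004
PINHOLE_TIMEOUT_S = 30
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal LAN range


@dataclass
class MediaFirewall:
    """Option 3: inside-initiated UDP media only, returns on the same 5-tuple."""
    pinholes: dict = field(default_factory=dict)  # 5-tuple -> expiry (seconds)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto, now):
        """Inside-to-outside packet: permit Webex media and open a pinhole."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if proto != "udp" or src not in INSIDE_NET:
            return "deny: not inside-initiated UDP"
        if src_port not in VOICE_PORTS and src_port not in VIDEO_PORTS:
            return "deny: source port outside 52000-52299"
        if dst_port != MEDIA_DST_PORT:
            return "deny: destination port is not 5004"
        if not any(dst in net for net in WEBEX_MEDIA_PREFIXES):
            return "deny: destination outside media prefixes"
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        self.pinholes[key] = now + PINHOLE_TIMEOUT_S
        return "permit: voice" if src_port in VOICE_PORTS else "permit: video"

    def inbound(self, src_ip, src_port, dst_ip, dst_port, proto, now):
        """Outside-to-inside packet: permit only the mirror of a live pinhole."""
        key = (dst_ip, dst_port, src_ip, src_port, proto)
        expiry = self.pinholes.get(key)
        if expiry is None:
            return "deny: unsolicited"
        if now > expiry:
            del self.pinholes[key]
            return "deny: pinhole expired"
        # Assumption: bidirectional media keeps the pinhole alive.
        self.pinholes[key] = now + PINHOLE_TIMEOUT_S
        return "permit: return traffic"
```

Replacing the prefix check with "any destination" gives the looser Option 4 rule; the source-port, destination-port and 5-tuple checks stay the same.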

[Diagram labels: Internal, DMZ, Internet]
Firewall rules for Media
Option 4 – Direct access to the Webex Teams Service using UDP protocol for media.
We require that the administrator configure the firewall to allow inside-initiated UDP flows with return traffic on the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use), with a 30s timeout on the creation of the pinhole. Bidirectional media is sent over this flow.
Uses UDP from any Webex Teams client inside the customer network using source ports
Voice 52000-52099
Video 52100-52299
where the destination might be any IP address on the internet with destination port 5004.

Teams Clients Media for Voice, Video and Content Sharing
Voice, video and content share: SRTP and STUN
• Option 1 – Access to the Webex Service through Hybrid Media Node.
• Option 2 – Direct access to the Webex Service using firewalls with STUN support.
• Option 3 – Direct access to the Webex Service using UDP protocol for media using specific destination IP addresses.
• Option 4 – Direct access to the Webex Service using UDP protocol for media.
• Option 5 – Direct access to the Webex Service using TCP protocol for media.
• Option 6 – Access to the Webex Service (Software Clients only) using Proxy.

Why are Cloud Ready Network Concepts relevant?
The “old” world – centralized and contained
Applications running in the DC, predictable traffic patterns and volumes
[Diagram labels: User / Consumer, Application / Provider; Branch, Internet, Extranet, MPLS / Private, User, HQ, Private VPN, DC, Mobile User]

Why are enterprises thinking about new concepts?
• 50% of Apps accessed via Internet
• 58% of IT budgets spent on WAN Connectivity
• 32.4% cite management of connectivity at branch as a challenge
• 48.6% cite poor application performance and latency as corporate WAN concern

Today’s cloudy world – highly flexible
[Diagram labels: DCs, Private Cloud, geographically distributed Branches, Mobile Users, Hybrid WAN, Cloud Providers, Internet, IOT, HQ, Extranet Partners, Extranet Partner Users]

“With the growing number of Cloud Services consumed by our organization, we have to re-think our current Internet Breakout strategy!” Undisclosed customer – Manager Solution Architecture Network & Unified Communications

Today, backhauling can impact SaaS performance
[Diagram, three builds: Users at Branch/Campus reach the Internet via the Data Center, a Gateway or a Colocation; label: One way]

Achieve a better SaaS performance
[Diagram labels: Users, Branch/Campus, Gateway, Data Center, Colocation]

Resulting in a highly complex and dynamic network
Internet connectivity becomes business critical
[Diagram labels: Branches, DC/Private Cloud, Mobile Users, IOT, HQ, Extranet Partner Users, SaaS, IaaS]

Opening up the new Cloud Edge
Cloud Edge: Security, Networking, Cloud
• Different risk exposure
• Inconsistent user experience
• Increasing complexity
[Diagram labels: Branches, DC/Private Cloud, Mobile Users, IOT, HQ, Extranet Partner Users, Cloud Edge, SaaS, IaaS]

Improving Cloud User Experience and Security
• Secure Direct Cloud Access
  • From the DC
  • From the Branch
  • From a Colocation Facility (Colo)
  • From within a Cloud Service (AWS, Azure,..)
• Pervasive Security
  • User, Transport, Cloud, Internet & Compliance
[Diagram labels: vPrivate Cloud, CASB / DLP, Internet, DMZ, CoLo, DC, MPLS, INET, OpenDNS Umbrella, AVC, R14, Branch Site]

A diversified approach to security
[Diagram labels: Firewall, IPS, DNS Security, URL Filtering, MFA; Data Center/Private Cloud, Devices & Things, Campus & Branch Users, SaaS, Mobile Users, IaaS]

One Example - DNS Security
Malware, C2 Callbacks, Phishing
It all starts with DNS
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
[Diagram labels: First line; Network and endpoint; Network and endpoint; Endpoint; HQ / Campus, Branches, Mobile / Roaming Device]

How Collaboration may help to get there
What’s the ideal target architecture? It depends!
An extreme example – Microsoft’s recommendation
“In the majority of cases, the best user experience is achieved by allowing the customer network to route user requests to the closest Office 365 service entry point, rather than connecting to Office 365 through an egress point in a central location or region.”
“The local egress architecture has the following benefits over the traditional model:
• Provides optimal Office 365 performance by optimizing route length. End user connections are dynamically routed to the nearest Office 365 entry point by the Distributed Service Front Door infrastructure.
• Reduces the load on corporate network infrastructure by allowing local egress.
• Secures connections on both ends by leveraging client endpoint security and cloud security features.”
Source: https://docs.microsoft.com/en-us/office365/enterprise/office-365-networking-overview

What’s the ideal target architecture? It depends!
An in-between example – Cisco IT
Regional WAN: Americas
Source: Cisco Live US 2018 - BRKCOC-1002 Inside Cisco IT: Cisco Multicloud Backbone Securely Inter-connecting Clouds

A potential first step – Direct Peering
Webex Edge Connect
• A direct peering at Equinix data centers
• Bypasses the Internet by providing a direct connection to the Webex data center
• All Webex media traffic traverses the dedicated link to the meeting (VoIP, video, content sharing)
• Can be used in combination with Video Mesh

A potential first step – Direct Peering - cont.
• Media flows via Equinix peering connection.
• Webex Meetings app signaling and media use the peering connection
• Signaling for cloud registered devices and Webex Teams uses the public Internet
• Video Mesh cascades use the peering connection
• Third party services accessed via the Internet
[Diagram labels: Internal, DMZ, Internet, Proxy, Webex Teams, Signaling only, Internet]

More of a proactive approach
Cloud Access Security Broker
[Diagram labels: Unmanaged Users, Unmanaged Devices, Unmanaged Network; ADMIN ACCESS, PUBLIC ACCESS, API, OAUTH Authorized; (Cisco?) NGFW/Umbrella DNS; Central Policy Management; Managed Users, Managed Devices, Managed Network]

More of a proactive approach – cont.
CASB Example
North America, 9:00 AM ET: Login
Africa, 10:00 AM ET: Data export
• Distance from the US to the Central African Republic: 7362 miles
• At a speed of 800 mph, it would take 9.2 hours to travel between them
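
The check behind this CASB example, written out as an added illustration; it is not Cloudlock's or any Cisco product's logic. It assumes each event already carries geolocated coordinates, and the sample events, the coordinates and the 50-mile noise floor are constructed for the example.

```python
import math
from datetime import datetime

MAX_SPEED_MPH = 800.0        # travel speed used on the slide
EARTH_RADIUS_MILES = 3958.8
MIN_MILES = 50.0             # assumption: ignore geolocation jitter below this


def great_circle_miles(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def min_travel_hours(miles, speed_mph=MAX_SPEED_MPH):
    """Shortest plausible travel time for a distance at the given speed."""
    return miles / speed_mph


def find_impossible_travel(events, speed_mph=MAX_SPEED_MPH):
    """Flag consecutive events of one user that are too far apart in space
    for the time that elapsed between them."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        miles = great_circle_miles(prev["geo"], ev["geo"])
        elapsed_h = (ev["time"] - prev["time"]).total_seconds() / 3600
        needed_h = min_travel_hours(miles, speed_mph)
        # Compare instead of dividing by elapsed time: safe when elapsed_h is 0.
        if miles >= MIN_MILES and needed_h > elapsed_h:
            alerts.append({
                "user": ev["user"],
                "actions": (prev["action"], ev["action"]),
                "miles": round(miles),
                "needed_hours": round(needed_h, 1),
                "elapsed_hours": elapsed_h,
            })
    return alerts


# Constructed sample events (times in ET, coordinates illustrative).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "action": "login",
     "time": datetime(2019, 1, 28, 9, 0), "geo": (40.71, -74.01)},   # New York
    {"user": "alice@example.com", "action": "data_export",
     "time": datetime(2019, 1, 28, 10, 0), "geo": (4.36, 18.56)},    # Bangui
    {"user": "bob@example.com", "action": "login",
     "time": datetime(2019, 1, 28, 9, 0), "geo": (40.71, -74.01)},   # New York
    {"user": "bob@example.com", "action": "file_share",
     "time": datetime(2019, 1, 28, 10, 0), "geo": (42.36, -71.06)},  # Boston
]
```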

More of a proactive approach – cont.
Data Loss Prevention - Define a matching policy
PII: SSN/ID numbers; Driver license numbers; Passport numbers
Education: Inappropriate content; Student loan application information; FERPA compliance
General: Email address; IP address; Passwords/login information
PHI: HIPAA; Health identification numbers (global); Medical prescriptions
PCI: Credit card numbers; Bank account numbers; SWIFT codes

More of a proactive approach – cont.
Events API for Data Loss Prevention, Archival, eDiscovery
[Diagram labels: Integrations, Cisco Webex Teams Events API*, Policies]
Corrective actions: Delete content, Alert user / admin
*API enables polling for events and content that enables organizations to monitor and correct user behavior, preventing the loss of sensitive data

Conclusions
• Cloud and Security can absolutely work hand in hand.
• In order to deploy Cisco Collaboration Cloud in a current customer network we may need to explain that some things work differently but are NOT automatically less secure.
• Understand the bigger picture and the change that Cloud Applications bring to all aspects of a customer network and try to address customer demands and concerns in a cross-architecture approach.
• Leverage the full capabilities of Cisco’s Collaboration Cloud to include it in a general framework for secure Cloud Application Access that addresses both the technical requirements and the user side.