Hybrid Data Security Overview
From day one, data security has been the primary focus in designing the Cisco Collaboration Cloud. The cornerstone of this security is end-to-end content encryption, enabled by Cisco Spark clients interacting with the Key Management Service (KMS). The KMS is responsible for creating and managing the cryptographic keys that clients use to dynamically encrypt and decrypt messages and files.
By default, all Cisco Collaboration Cloud customers get end-to-end encryption with dynamic keys stored in the cloud KMS, in Cisco's security realm. Hybrid Data Security moves the KMS and other security-related functions to your enterprise data center, so nobody but you holds the keys to your encrypted content.
Security Realm Architecture
The Cisco Collaboration Cloud architecture separates different types of service into separate realms, or trust domains, as depicted below.
Figure 1. Cisco Collaboration Cloud Realms of Separation (without Hybrid Data Security)
To further understand Hybrid Data Security, let's first look at this pure cloud case, where Cisco is providing all functions in its cloud realms. The identity service, the only place where users can be directly correlated with their personal information such as email address, is logically and physically separate from the security realm in data center B. Both are in turn separate from the realm where encrypted content is ultimately stored, in data center C.
In this diagram, the client is the Cisco Spark app running on a user's laptop, and has authenticated with the identity service. When the user composes a message to send to a space, the following steps take place:
1. The client establishes a secure connection with the key management service (KMS), then requests a key to encrypt the message. The secure connection uses ECDH, and the KMS encrypts the key using an AES-256 master key.
2. The message is encrypted before it leaves the client. The client sends it to the indexing service, which creates encrypted search indexes to aid in future searches for the content.
3. The encrypted message is sent to the compliance service for compliance checks.
4. The encrypted message is stored in the storage realm.
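As an added illustration (this is example code written for this page, not Cisco's code or wire protocol), the following Go program models steps 1 and 2 for a single organization: the client and the KMS each generate an ephemeral P-256 key pair and agree on a channel key with ECDH; the KMS keeps each space's content key only in wrapped form under an AES-256 master key and hands it out sealed under the channel key; the client encrypts the message with AES-256-GCM before anything reaches the indexing, compliance or storage services. The use of the space ID as associated data, SHA-256 as the key-derivation step, the in-memory map standing in for the PostgreSQL datastore, and all function and type names are assumptions made for the example. Decrypting against a freshly built KMS fails, which is the outcome described under Expectations for Deploying Hybrid Data Security when the key datastore or configuration ISO is lost.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must panics on errors ruled out by construction here (CSPRNG failure, a key that is not 32 bytes, curve mismatch).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// channelKey derives the channel key from the ECDH shared secret; SHA-256 stands in for a real KDF (assumption).
func channelKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(must(priv.ECDH(peer)))
	return sum[:]
}

// seal is AES-256-GCM with a fresh nonce prepended; open fails on a wrong key or any tampering.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS: masterKey stands in for the configuration ISO's secret; wrapped for the PostgreSQL key datastore (assumption).
type KMS struct {
	masterKey []byte
	wrapped   map[string][]byte // space ID -> content key wrapped under masterKey
}

func NewKMS() *KMS {
	return &KMS{masterKey: random(32), wrapped: map[string][]byte{}}
}

// RequestKey is the KMS side of step 1: mint the space's content key on first use, unwrap it
// under the master key, and return it sealed under the ECDH channel key plus the KMS's public key.
func (k *KMS) RequestKey(spaceID string, clientPub *ecdh.PublicKey) (*ecdh.PublicKey, []byte, error) {
	aad := []byte(spaceID)
	if _, ok := k.wrapped[spaceID]; !ok {
		k.wrapped[spaceID] = seal(k.masterKey, random(32), aad)
	}
	contentKey, err := open(k.masterKey, k.wrapped[spaceID], aad)
	if err != nil {
		return nil, nil, err
	}
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	return priv.PublicKey(), seal(channelKey(priv, clientPub), contentKey, aad), nil
}

// fetchContentKey is the client side of step 1: only public keys and the channel-sealed key cross the wire.
func fetchContentKey(k *KMS, spaceID string) ([]byte, error) {
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	kmsPub, encKey, err := k.RequestKey(spaceID, priv.PublicKey())
	if err != nil {
		return nil, err
	}
	return open(channelKey(priv, kmsPub), encKey, []byte(spaceID))
}

// EncryptMessage is step 2: sealed before it leaves the client, so indexing, compliance and storage see only ciphertext.
func EncryptMessage(k *KMS, spaceID, message string) ([]byte, error) {
	key, err := fetchContentKey(k, spaceID)
	if err != nil {
		return nil, err
	}
	return seal(key, []byte(message), []byte(spaceID)), nil
}

// DecryptMessage is the reading client's path; against a fresh KMS (datastore lost) it fails, since that KMS mints an unrelated key.
func DecryptMessage(k *KMS, spaceID string, ciphertext []byte) (string, error) {
	key, err := fetchContentKey(k, spaceID)
	if err != nil {
		return "", err
	}
	pt, err := open(key, ciphertext, []byte(spaceID))
	return string(pt), err
}
```

To exercise it, create one KMS with NewKMS(), call EncryptMessage(k, "space-42", "hello") and then DecryptMessage(k, "space-42", ct) to see the round trip; passing NewKMS() instead of k to DecryptMessage for the same ciphertext returns an error, which is the "This message cannot be decrypted" situation a client would show. Binding the space ID into the GCM associated data also makes a key minted for another space fail to open the content rather than silently succeeding.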
When you deploy Hybrid Data Security, you move the security realm functions (KMS, indexing, and compliance) to your on-premises data center. The other cloud services that make up Cisco Spark (including identity and content storage) remain in Cisco’s realms.
Collaborating with Other Organizations
Users in your organization may regularly use Cisco Spark to collaborate with external participants in other organizations. When one of your users requests a key for a space that is owned by your organization (because it was created by one of your users), your KMS sends the key to the client over an ECDH-secured channel. However, when another organization owns the key for the space, your KMS routes the request out to the Cisco Collaboration Cloud through a separate ECDH channel to get the key from that organization's KMS, and then returns the key to your user on the original channel.
The KMS service running in OrgA validates the connections to KMSs in other organizations using X.509 PKI certificates. See Complete the Prerequisites for Hybrid Data Security for details on generating an X.509 certificate to use with your Hybrid Data Security deployment.
Expectations for Deploying Hybrid Data Security
A Hybrid Data Security deployment requires significant customer commitment and an awareness of the risks that come with owning encryption keys.
To deploy hybrid data security, you must provide:
Complete loss of either the configuration ISO that you build for Hybrid Data Security or the PostgreSQL database that you provide will result in the loss of the keys. Key loss prevents users from decrypting space content and other encrypted data in Cisco Spark. If this happens, you can build a new deployment, but only new content will be visible. To avoid loss of access to data, you must:
Manage the backup and recovery of the database and the configuration ISO.
Be prepared to perform quick disaster recovery if a catastrophe occurs, such as database disk failure or datacenter disaster.
High-level Setup Process
This document covers the setup and management of a Hybrid Data Security deployment:
Set up Hybrid Data Security—This includes preparing required infrastructure and installing Hybrid Data Security software, testing your deployment with a subset of users in trial mode, and, once your testing is complete, moving to production. This converts the entire organization to use your Hybrid Data Security cluster for security functions.
The setup, trial, and production phases are covered in detail in the next two chapters.
Maintain your Hybrid Data Security deployment—The Cisco Collaboration Cloud automatically provides ongoing upgrades. Your IT department can provide tier one support for this deployment, and engage Cisco support as needed. You can use on-screen notifications and set up email-based alerts in Cisco Spark Control Hub.
Understand common alerts, troubleshooting steps, and known issues—If you run into trouble deploying or using Hybrid Data Security, the last chapter of this guide and the Known Issues appendix may help you determine and fix the issue.
Hybrid Data Security Deployment Model
Within your enterprise data center, you deploy Hybrid Data Security as a single cluster of nodes on separate virtual hosts. The nodes communicate with the Cisco Collaboration Cloud over secure WebSocket (WSS) and HTTPS connections.
During the installation process, we provide you with the OVA file to set up the virtual appliance on the VMs that you provide. You use the HDS Setup Tool to create a custom cluster configuration ISO file that you mount on each node. The Hybrid Data Security cluster uses the syslogd server and PostgreSQL database that you provide (configured in the HDS Setup Tool).
Figure 3. Hybrid Data Security Deployment Model
The minimum number of nodes you can have in a cluster is two. We recommend at least three, and you can have up to five. Having multiple nodes ensures that service is not interrupted during a software upgrade or other maintenance activity on a node. (The Cisco Collaboration Cloud only upgrades one node at a time.)
All nodes in a cluster access the same key datastore, and log activity to the same syslog server. The nodes themselves are stateless, and handle key requests in round-robin fashion, as directed by the cloud.
Nodes become active when you register them in Cisco Spark Control Hub. To take an individual node out of service, you can deregister it, and later reregister it if needed.
We support only a single cluster per organization.
Hybrid Data Security Trial Mode
After setting up a Hybrid Data Security deployment, you first try it with a set of pilot users. During the trial period, these users use your on-premises Hybrid Data Security domain for encryption keys and other security realm services. Your other users continue to use the cloud security realm.
If you decide not to continue with the deployment during the trial and deactivate the service, the pilot users and any users they have interacted with by creating new spaces during the trial period will lose access to the messages and content. They will see “This message cannot be decrypted” in the Cisco Spark app.
If you are satisfied that your deployment is working well for the trial users and you are ready to extend Hybrid Data Security to all of your users, you move the deployment to production. Pilot users continue to have access to the keys that were in use during the trial. However, you cannot move back and forth between production mode and the original trial. If you must deactivate the service, such as to perform disaster recovery, when you reactivate you must start a new trial and set up the set of pilot users for the new trial before moving back to production mode. Whether users retain access to data at this point depends on whether you have successfully maintained backups of the key data store and the ISO configuration file for the Hybrid Data Security nodes in your cluster.