Security Realm Architecture
The Cisco Webex cloud architecture separates the different types of service into distinct realms, or trust domains, as depicted below.
To further understand Hybrid Data Security, let's first look at this pure cloud case, where Cisco is providing all functions in its cloud realms. The identity service, the only place where users can be directly correlated with their personal information such as email address, is logically and physically separate from the security realm in data center B. Both are in turn separate from the realm where encrypted content is ultimately stored, in data center C.
In this diagram, the client is the Cisco Webex app running on a user's laptop, and has authenticated with the identity service. When the user composes a message to send to a space, the following steps take place:
1. The client establishes a secure connection with the key management service (KMS), then requests a key to encrypt the message. The secure connection uses ECDH, and the KMS encrypts the key using an AES-256 master key.
2. The message is encrypted before it leaves the client. The client sends it to the indexing service, which creates encrypted search indexes to aid in future searches for the content.
3. The encrypted message is sent to the compliance service for compliance checks.
4. The encrypted message is stored in the storage realm.
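The steps above, as an added example written for this page rather than Cisco's own code or the actual Webex KMS protocol: a Go program with a simulated KMS that holds an AES-256 master key and an ECDH identity, a client that derives a channel key from an ECDH exchange with the KMS, a content key that the KMS keeps only wrapped under its master key and hands out only under the channel key, and a message that is encrypted before anything reaches the indexing, compliance or storage services. The key ID, the sample message, the use of AES-GCM for both key wrapping and content encryption, and hashing the ECDH secret with SHA-256 in place of a proper KDF are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // entropy or key-generation failure is fatal here
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal is AES-256-GCM with a fresh nonce prepended; open reverses it and fails on any change.
func seal(key, pt, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, pt, aad)...)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// channelKey: SHA-256 of the ECDH shared secret stands in for a real KDF (assumption).
func channelKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(must(priv.ECDH(peer)))
	return sum[:]
}

// KMS models the security realm: a master key that never leaves it, an ECDH identity,
// and content keys that are stored only wrapped under that master key.
type KMS struct {
	masterKey []byte
	priv      *ecdh.PrivateKey
	wrapped   map[string][]byte // key ID -> content key wrapped under masterKey
}

func NewKMS() *KMS {
	return &KMS{masterKey: randomBytes(32), priv: must(ecdh.P256().GenerateKey(rand.Reader)), wrapped: map[string][]byte{}}
}

// GetKey is step 1 on the KMS side: mint and wrap a content key on first use for a key ID,
// unwrap the stored copy with the master key on every use, return it under the channel key.
func (k *KMS) GetKey(clientPub *ecdh.PublicKey, keyID string) ([]byte, error) {
	aad := []byte(keyID)
	if _, ok := k.wrapped[keyID]; !ok {
		k.wrapped[keyID] = seal(k.masterKey, randomBytes(32), aad)
	}
	ck, err := open(k.masterKey, k.wrapped[keyID], aad)
	if err != nil {
		return nil, err
	}
	return seal(channelKey(k.priv, clientPub), ck, aad), nil
}

// clientKey is step 1 on the client side: fresh ECDH key pair, request, open the reply.
// (A real client would obtain the KMS public key over an authenticated channel.)
func clientKey(kms *KMS, keyID string) ([]byte, error) {
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	sealed, err := kms.GetKey(priv.PublicKey(), keyID)
	if err != nil {
		return nil, err
	}
	return open(channelKey(priv, kms.priv.PublicKey()), sealed, []byte(keyID))
}

// Send returns exactly the bytes the indexing, compliance and storage services
// (steps 2-4) ever see: the message is encrypted before it leaves the client.
func Send(kms *KMS, keyID string, msg []byte) ([]byte, error) {
	ck, err := clientKey(kms, keyID)
	if err != nil {
		return nil, err
	}
	return seal(ck, msg, []byte(keyID)), nil
}

func main() {
	kms, id, msg := NewKMS(), "space-42/key-1", []byte("constructed sample message") // constructed input
	stored := must(Send(kms, id, msg))
	ck := must(clientKey(kms, id)) // a second client: its own ECDH exchange, same content key
	fmt.Printf("storage holds: %x\nsecond client reads: %q\n", stored, must(open(ck, stored, []byte(id))))
}
```

The properties worth checking are that the bytes handed to storage never contain the plaintext, that a second client with its own ECDH exchange gets the same content key back (the KMS unwrapping it with the master key rather than the key ever sitting in the clear), and that any modification of the ciphertext in storage fails GCM authentication. With Hybrid Data Security the only thing that changes in this picture is where the KMS lives; storage still holds nothing it can read.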
When you deploy Hybrid Data Security, you move the security realm functions (KMS, indexing, and compliance) to your on-premises data center. The other cloud services that make up Cisco Webex (including identity and content storage) remain in Cisco’s realms.