Meltdown, Spectre, and Cisco Cloud Collaboration Security
I wanted to provide a few quick answers to questions that we’re being asked about the implications of Meltdown and Spectre on the security of Cisco’s cloud collaboration portfolio. These vulnerabilities are most relevant in multi-tenant cloud environments, where they create the possibility that Cisco’s products could be tampered with by another customer of the same cloud provider.
WebEx does not run in a shared multi-tenant environment. WebEx software runs on Cisco-owned hardware in Cisco-owned and operated data centers in the United States, and in non-Cisco-owned colocation facilities outside of the United States (isolated from other businesses in the same facility).
Thus, these vulnerabilities cannot be used by an external attacker to break into WebEx. In order to exploit these vulnerabilities, the attacker would first need to be able to execute rogue code on the dedicated hardware on which WebEx runs. As updates for server operating systems are released, we will be patching our servers to mitigate the risk of local privilege escalation via these vulnerabilities.
Cisco Spark (Care, Message and Meet, and Call) does run in shared multi-tenant environments. Our IaaS providers have already performed updates to the host operating systems running our virtual machines as needed. As with WebEx, we’ll be updating our guest OSs in due course. In addition, Cisco Spark messaging and the Spark Care Context Service are protected by our end-to-end (E2E) encryption technologies.
The use of E2E encryption means that Cisco Spark cloud components only ever process customer information in encrypted form. Thus, even if the attacker could read the customer information held by a cloud component, it would be useless without the keys. The keys for Cisco Spark E2E encryption are stored separately from the encrypted data, with separate access controls.
For customers that use our Hybrid Data Security solution, the keys are stored in a dedicated Key Management Server on the customer premises. In that case, the attacker would have to breach the customer’s network in addition to the Cisco Spark cloud. For other customers, keys are stored in a Cisco-operated server that is separate from other Cisco Spark cloud components. In either case, the E2E encryption ensures that no single compromise can reveal customer data — the attacker must breach both the cloud service holding the encrypted data and the keys to decrypt it.
Finally, Tropo, like Cisco Spark, also runs in a multi-tenant environment. As with Cisco Spark, our provider has patched the underlying host OS which runs our VMs as needed, and we’ll be updating our host OSs as mitigations are available.