Compliance vs. Security in Enterprise Networking: the Cisco Approach

Organizations all over the world are entering a period of extended — and potentially permanent — hybrid work. As more people do their jobs outside the traditional office, IT administrators are becoming overwhelmed with managing hybrid workers, devices, and all the complexities that come with it.

The changing workplace underscores the importance of ensuring that organizations remain secure, comply with regulations, and protect their employees/data from cyber threats.

Security and compliance are core to Cisco Webex 

Cisco has been providing secure access and collaboration for many years. I recently tapped a panel of experts from Cisco to outline how the vendor is helping organizations achieve security and compliance in collaboration as they enter a new era of hybrid work.

I spoke with Radhika Chagarlamudi, vice president of Cisco Webex Platform and Infrastructure Engineering, and Niraj Gopal, director of product management for Webex Enterprise Security and Compliance, in my first three-person ZKast interview. Highlights of the ZKast video, done in conjunction with eWEEK eSPEAKS, are below:

Security and compliance are both important but very different 

• Security and compliance are interchangeably used terms because both have to do with managing risk. But there is a different between the two.

• Security is the implementation of technical controls that protect the confidentiality, integrity, and availability of an organization’s critical assets—both physical assets and data. 
• Compliance is the process of implementing controls—whether it’s a solution provider, an enterprise, or a regulation mandating those controls. 
• Security and compliance provide people with trust that they’re being protected.
• For example, a security control is when an organization ensures that passwords are rotated frequently, while compliance is the process of validating that an organization actually rotated those passwords.

Security is integrated into Webex 

• Cisco’s approach is unique because security is built into every Webex feature from the start, rather than being an add-on.
• Cisco follows a 360 approach to security, where it examines the overall application attack surface and builds controls into the app to mitigate those risks. 

• When it comes to user identity, everybody must be authenticated on their device. Only then can a user host a meeting, share files, or perform other actions.
• Cisco also offers data loss prevention (DLP) by integrating with threat intelligence industry partners like Talos.
• Since every organization is different, Cisco provides additional controls to fine tune individual deployments through the Control Hub—a single pane of glass for the Webex suite.
• Control Hub simplifies the process for administrators by allowing them to set policies for specific groups and workflows.

Lack of awareness could cause businesses to violate policies 

• Enterprise users are often unaware that they’re violating compliance policies, such as by using a personal device to forward a file to co-workers and exposing the organization to malware.
• Cisco has controls that protect external collaboration. DLP policies follow users, no matter who they’re talking to externally. 
• On the data governance end, Cisco classifies conversations based on content. For instance, a message announcing a company picnic is classified as public, whereas a shared confidential file is classified as restricted.

End-to-end encryption is a must have in collaboration 

• Cisco specializes in end-to-end-encryption for meetings and messaging to protect content in the cloud. 
• Cisco has built its own security endpoint within Webex—a combination of hardware and software.
• Cisco provides end-to-end encryption for both room devices and third-party devices to secure the entire collaboration experience, whether participants are joining a meeting at work or at home with a personal laptop. 

• When a user is in a secure meeting, the devices visibly show (with a badge on the screen) that the experience is end-to-end encrypted.
• The Webex meeting client itself also shows that the identity of the participants in that meeting has been verified.

Webex has a broad partner ecosystem 

• Cisco has an open Webex ecosystem, where it partners with the best-in-class security and compliance providers. 
• Cisco has one of the biggest partner ecosystems in industry with 15-plus partners.
• Cisco has a developer portal that lists of all of its public application programming interfaces (APIs), which developers use to build integrations. 
• Cisco takes a similar approach with security through a public events API, which can be integrated into any tool or partner solution. 
• Cisco also works with some competitors like Microsoft. For example, Microsoft Cloud App Security (MCAS) can be used with Webex without additional license fees.

Buyers should use security and compliance as part of the decision criteria 

• When considering a collaboration solution provider, organizations should look for:
• A company that’s not just checking the box for security, but has security built into its DNA.
• The right security capabilities that align with the organization and its requirements.  
• A company that values data privacy and transparency. Cisco conducts third-party penetration tests and shares the results with its customers—an example of the company’s privacy and transparency.
• A company that goes beyond compliance basics like FedRAMP and keeps up with global certifications.