Webex deployment FAQ

Why is an O365 tenant needed?

Accessing the Portal is done by Active Directory authentication. Ideally, the product is configured with Azure AD, as it is in the cloud. This is why an O365 tenant is needed: only for managing the users in Azure AD.

Access to the customer's Azure AD is done by using an Azure app. For this, the customer will need a global admin with a valid O365 license to register the app, as explained below.

Please contact AGAT Support if your users are not managed in Azure AD, to explore using Local AD.

Which users are needed in Webex for the solution?

To allow the Adapter to get access to your Webex events and content, SphereShield uses a Webex app that the customer must register. For this, the product requires a user with the Compliance Officer role and admin permission, as explained in the link below.

https://agatsoftware.atlassian.net/wiki/spaces/SFTKB/pages/607879169/Webex+integration+App+for+Webex+Teams#HowtoconfiguretheSphereShieldWebexApp%3F-CreateanIntegrationapplicationintheWebexDeveloperPortal


Security considerations - permission access and data flow of the Webex solution

There are 2 access points of SphereShield to the company data:

  1. Azure app - authenticating to the Portal using Azure AD / Local AD

  2. Webex app - getting Webex events for compliance inspection and action by the Webex app on behalf of the Webex Compliance Officer

High level security overview

The app has access and full permission to all Webex data of the company. It is designed to retrieve all Webex events, which are inspected, but it does not store the content.

Azure app access point

This access point allows SphereShield to access company users and groups. Groups are needed to specify which users should be inspected and to allow different policies per group if needed.

Authentication to the portal utilizes an Azure app, as described in detail here:

https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

The permissions needed for authentication to the AD are explained here:
https://agatsoftware.atlassian.net/wiki/spaces/SFTKB/pages/911048867


Webex app access point

The Webex app is required to get access to the Webex developer API.

The app is used to request permission to invoke the Webex REST API on behalf of another Webex user.

Authentication is based on OAuth2 using a secure token of the compliance user.

See more info here:

To allow full functionality, the app requires the permissions listed here

Webex data flow:

Messages and Files :

To get all message and file events, the app invokes the following API

This API reports any event that occurs in the company. It is called by polling (a routine schedule of the code calling this API) controlled by the CASB Adapter component.

Events are then stored in a queue and later inspected by the Ethical Wall / DLP / eDiscovery engines.

When only part of the company (the groups to be inspected) is in scope for the product controls, events of users who are not members of a group to be inspected are not stored in the queue.

Audio / Video / Meetings

The A/V and meetings events are handled by Webhooks. Polling is expected to be released in later versions.

A webhook, as explained in more detail here, is an HTTP callback (an HTTP POST to a specified URL) that notifies your app when a particular activity or “event” has occurred in one of your resources on the Webex platform.

The webhook notifies the Admin portal site of the events. In later releases, it is designed to have a separate web site listener just for this, for performance reasons.

Similar to the messaging and files flow, once an event is received, it is stored in the queue. If the event is not related to a user that is a member of a group to be inspected, the event is ignored and not stored.

Handling data

Handling both Audio / Video and messaging / files is done using the relevant API, allowing us to delete content, hang up a call, or remove users from spaces / meetings.

Storing Data

If eDiscovery is not enabled, SphereShield does not store the content.

If DLP is not enabled, content is not inspected.

Ethical Wall auditing only includes metadata of the identified event. For example: Bob attempted to send a file to Alice.

Also, product logs that are in the DB can be scheduled to be deleted automatically after some period.

File system logs are also deleted after some period. Logs do not contain the content of messages and files.

Audio and video are not inspected or stored unless eDiscovery is used and this is specified.
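The following is an added illustration of the queue filtering described in the data flow and storing data sections above; it is example code, not SphereShield's own. Events from the polled events API and from meeting webhooks are queued only when the acting user belongs to a group selected for inspection, and message content is kept in the queued record only when eDiscovery is enabled. The field names (actorEmail, resource, type, data.text, data.files) and the sample events are assumptions modelled on the general shape of Webex event payloads.

```python
from collections import deque

# Constructed sample: members of the groups the customer chose to inspect.
INSPECTED_MEMBERS = {"alice@example.com", "bob@example.com"}

# Constructed sample events: two messaging events (polled) and one meeting
# event (delivered by webhook). Field names are assumptions, not the real schema.
SAMPLE_EVENTS = [
    {"id": "ev1", "resource": "messages", "type": "created",
     "actorEmail": "bob@example.com",
     "data": {"text": "quarterly numbers attached", "files": ["report.xlsx"]}},
    {"id": "ev2", "resource": "messages", "type": "created",
     "actorEmail": "carol@example.com",  # member of no inspected group
     "data": {"text": "lunch?"}},
    {"id": "ev3", "resource": "meetings", "type": "started",
     "actorEmail": "alice@example.com",
     "data": {"meetingId": "m-42"}},
]


def is_inspected(event, members):
    """An event is in scope only if the acting user is in an inspected group."""
    return event.get("actorEmail") in members


def to_queue_record(event, ediscovery_enabled):
    """Build the record handed to the engines; content is kept only with eDiscovery."""
    record = {"id": event["id"], "resource": event["resource"],
              "type": event["type"], "actor": event["actorEmail"]}
    if ediscovery_enabled:
        # Only message text and file references count as content here.
        record["content"] = {k: v for k, v in event["data"].items()
                             if k in ("text", "files")}
    return record


def enqueue_events(events, members, ediscovery_enabled=False):
    """Filter events by inspected-group membership and queue the survivors."""
    queue = deque()
    for event in events:
        if not is_inspected(event, members):
            continue  # out-of-scope user: ignored, never stored
        queue.append(to_queue_record(event, ediscovery_enabled))
    return queue


if __name__ == "__main__":
    for rec in enqueue_events(SAMPLE_EVENTS, INSPECTED_MEMBERS):
        print(rec)
```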