BUSINESS: With 64 percent market share, WebEx is the worldwide leader in online meeting applications. More than 3.5 million people rely on WebEx every month to communicate and collaborate conveniently.
SCOPE & SIZE: International; 2,091 employees; $308.4 million (annual sales, 2005)
BUSINESS CHALLENGE: Maintain an effective vulnerability management program to ensure continuous security and maintain various third-party security certifications and audit reports, including WebTrust and SAS-70.
OPERATIONAL HURDLE: Manual vulnerability scanners failed to provide the reliability and flexibility WebEx demanded for its IT risk management program.
SOLUTION: WebEx selected Qualys’ on demand Web service appliance to automatically identify and more effectively mitigate vulnerabilities inside the corporate network.
WHY THEY CHOSE QUALYS:
- Automated on demand security and vulnerability audits
- Highly accurate vulnerability and configuration scans
- Easy to deploy, manage and operate
- Scalable enough to secure WebEx's global network
- Comprehensive reporting capability for technical teams, business and security managers
WebEx: Securing Web Collaboration
As the global leader in on-demand applications for collaborative business on the web, WebEx isn't taking any chances when it comes to managing the risks associated with software vulnerabilities. Its customers demand no less.
Wherever they may be located and no matter how scattered their organization, WebEx Communications Inc. helps companies communicate and collaborate more effectively. Through such applications as WebEx Meeting Center, used to keep team projects coordinated and on track, and its Sales, Event, Training and Support Centers, WebEx helps companies do what they need to do more efficiently in such areas as distributed project work, marketing collaboration, web-touch sales, online training and remote customer support.
"We don't ever have to spend time keeping the Qualys appliance ready and online. It's just stable, reliable, and always there."
Manager of Security Engineering and Operations,
Security and confidentiality are among the top concerns of WebEx customers, which range from small and mid-sized businesses to large corporations and government agencies. Many clients need to keep their intellectual property confidential, while others operate under strict government and industry regulations, such as HIPAA, Sarbanes-Oxley and other privacy regulations from around the globe. That's why WebEx consistently works to ensure the secure infrastructure that its customers need to safely collaborate and share information in real time.
WebEx's vast real-time collaboration infrastructure is made possible by its purpose-built MediaTone Network—optimized and secured for real-time global Web communications. The company's infrastructure is protected by a team of highly trained and certified security professionals who take every precaution to keep customer data safe. All customer session content is fully encrypted, and no participant content is ever stored persistently within the WebEx infrastructure. "Data security gets the highest priority from design, deployment, and maintenance of our infrastructure," says Michael Machado, Manager of Security Engineering and Operations at WebEx.
Security Is Central to Its Success
And if those facts aren't assurance enough for its customers, each year WebEx puts its infrastructure through rigorous third-party accreditations, including WebTrust and SAS-70 Type II audits. The WebTrust seal of assurance, established by the American Institute of Chartered Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), is a globally recognized accreditation that is awarded only to companies that consistently adhere to strict security principles, and is verified independently by Ernst & Young LLP. Ernst & Young also performs an annual Statement on Auditing Standards (SAS) No. 70, Service Organizations, audit for WebEx. SAS-70 is an internationally recognized auditing standard developed by the AICPA, and it is widely regarded as the gold standard for verifying that all adequate controls and safeguards are in place to securely handle and process customer data.
As a central part of its efforts to make certain that its vast infrastructure—which encompasses roughly 2,000 desktops and thousands of servers—doesn't contain system misconfigurations or software vulnerabilities that would jeopardize the company's security, WebEx has put into place a heavily automated and continuous vulnerability and compliance risk management program. Initially, WebEx relied on numerous open source and commercial vulnerability scanners to get the job done, but none seemed to provide a straightforward way for the company to fully operationalize how it identified and fixed vulnerabilities. "We wanted a tool that we could build a process around," says Machado. "The tools we had been using weren't as accurate as we would have liked, and they didn't retain the historical information we needed for trending and analysis," he says. "Everything was a point-in-time scan."
During the subsequent evaluation of several commercial vulnerability scanners, WebEx took notice of the vulnerability and compliance management solution Qualys Enterprise. Qualys Enterprise is designed for large, distributed networks and supports an unlimited number of device assessments. Delivered as an on demand service over the Web, Qualys Enterprise makes deploying, maintaining and updating vulnerability management servers and software all problems of the past.
WebEx piloted Qualys for a number of months, testing its effectiveness on internal, production and beta systems. The trial was an instant success. "Qualys took off from there for us. Within a couple of months of putting Qualys through its paces, we went for full production deployment," says Machado. "Once we saw what it could do, and that it didn't negatively affect our systems, we rolled it out quickly." Qualys’ on demand delivery model made the deployment simple. "What initially attracted us to Qualys, and what we've found to be a great ongoing benefit, is the fact that we didn't have to build anything. Qualys is easy to deploy and it just works," says Machado.
Vulnerability Management Built into the Fabric of WebEx's Security Program
Today WebEx relies on Qualys to identify and help the company better address vulnerabilities throughout its IT architecture, including internal and external networks, and its production data centers used to host online meeting and collaboration services. Qualys plays an essential role in the vulnerability management program necessary for WebEx to maintain its WebTrust and SAS-70 compliance. "Qualys is part of all of these efforts," says Machado.
The flexibility of Qualys’ on-demand Web delivery and management model makes it possible for WebEx to set up routine automated vulnerability assessments that periodically examine segments of its infrastructure. "Our scans are set up to recur continuously throughout our infrastructure. This moving scan schedule keeps us as current as possible on our vulnerability management initiatives," he says.
Beyond the highly accurate vulnerability identification, Qualys provides the insightful trend reports that WebEx sought. "Information provided by Qualys has become a key element in the quarterly snapshots that we create to examine the trends in our environment. It provides the information we need to see how effective we've actually been at patching, compared to our goals," he says.
In addition to assessing the security of its internal, external and production data centers, WebEx has extensive quality assurance and security checklists in place before any new product updates, enhancements or systems go live. "For instance, every time a new server gets built, it undergoes a thorough check before it's sent to our production environment. A Qualys scan is one of those security checks," he says.
"Qualys provides a straightforward way to identify the patching needs in our environment. And once we've identified what needs to be patched, we just have to execute the remediation. Qualys arms us with the information we need to execute; that's the power of this application," says Machado.