For the IT Buyer

Cisco Spark Security

End-to-end encryption of content

Cisco Spark uses industry-leading encryption to ensure data remains confidential, available, and secure at all times.

The Cisco Spark client encrypts your data before it leaves the device. Data stays encrypted when it's in transit to our cloud servers; when we process your data (data in-use) and when we store it (data at-rest).

Encryption of all content is done using dynamic keys from the key management service (KMS). There is a unique key per Cisco Spark space, which only authorized members of the space will be allowed access to obtain. Cisco Spark messaging content, files and Cisco Spark Board content are encrypted using keys from key management services.

Encryption in transit

We use Secure HTTP (HTTPS) to encrypt data in transit between your device and our servers, which protects the identities of the senders and receivers of the encrypted content.

All media in Cisco Spark, such as voice, video, and desktop share, are transmitted using Secure Real-Time Transport Protocol (SRTP; is defined in RFC 3711). Currently, the Cisco Spark Cloud decrypts real-time media for mixing, distribution, and public switched telephone network (PSTN) trunking and demarcation purposes.

Authorization and authentication

Only people who have successfully authenticated with our service can view messages and files in Cisco Spark spaces. Unauthorized people who try accessing the URL of a space can’t see what has been shared.

Cisco Spark Hybrid data security (Spring 2017)

The cornerstone of end-to-end content encryption in the Cisco Spark Cloud is a component known as the key management server (KMS). The KMS is responsible for creating, storing, authorizing, and providing access to the encryption keys that Cisco Spark clients use to encrypt and decrypt messages and files. End-to-end encryption in Cisco Spark is possible because of the architectural and operational separation between the KMS and the rest of the Cisco Spark Cloud. Think of them as being in separate realms, or trust domains, in the cloud: The KMS is in the security realm and all other component services that make up Cisco Spark are in the core. Security-conscious enterprise customers may choose to deploy the security realm services, including the KMS, on their own premises.

The upcoming Hybrid Data Security Limited Availibility release will include:

  • On-prem deployment of the security realm through the CCM
  • Key management services. (Bring your own DB for storage of keys.)
  • Search indexer: Create and encrypt search indexes, submit encrypted search terms for content searches.
  • eDiscovery on-prem engine: While the eDiscovery UI will be hosted in the cloud, the engine remains on-prem for customers who opt to deploy HDS in their data centers.
  • Auto-upgrades, alerts, and notifications.
  • Local logs/audits of access to keys.
Learn about Cisco Spark security (PDF)

Compliance that works on encrypted content (Spring 2017)

Organizations using Cisco Spark need access to the content stored in their spaces for compliance and governance purposes.

The Cisco Spark compliance module is a distributed component in the Cisco Spark security architecture that sits in the security realm along with the Key Management System (KMS). The Cisco Spark compliance module works with the encrypted content in the Cisco Spark Cloud and produces a clear-text feed of activities and content to enable monitoring and extraction into a separate company-owned repository.

The search and extraction console for eDiscovery is the first tool in the Cisco Spark compliance portfolio to use the Cisco Spark compliance module to provide ad-hoc access to data.

Extraction console for eDiscovery and auditing (Spring 2017)

Cisco Spark compliance administrators with sufficient access privileges can query Cisco Spark for content in the spaces they own and download the results in the form of a JSON or CSV file. Results can be imported into Microsoft Excel or full eDiscovery software for further processing.

The Cisco Spark compliance console supports search based on space ID, email ID, date, keywords, or a combination of attributes.

The resulting space activity details and content, including text messages and file names, sizes, types, and URLs , are consolidated in the form of a CSV or JSON file. Files (pictures, Microsoft Office documents, PDFs, etc.) are also attached in original format.

Organization-wide retention policy (Spring 2017)

In the Cisco Spark Management portal, Cisco Spark administrators can define how long content is stored in all the spaces owned by the organization. Cisco Spark will delete messages and files when their timestamps match the retention limit. The default for this setting is “indefinitely.”

Users can view the retention policy of spaces in which they are participating, by accessing the information icon.

Mobile device management (Spring 2017)

Mobile devices running Cisco Spark can be further secured by requiring that the PIN device be configured. This is an organization-wide admin setting. This is in addition to all Cisco Spark content being encrypted at-rest in the device.

Administrators can force the Cisco Spark browser session to time-out when accessing Cisco Spark outside of the company’s intranet. This offers protection against users leaving browser sessions open inadvertently, in public places.

Cisco Spark Administration

Programmatic APIs for user provisioning

Cisco Spark for Developers includes administration APIs that allow administrators to programatically provision a user or the entire organization. By automating administration, user management and provisioning can be centralized in an existing tool. For example, a partner selling multiple collaboration tools to customers can use these APIs to enable Cisco Spark provisioning through a centralized portal.

Using these APIs, an admin can:

  • Create a user
  • Update a user
  • View license usage of an organization
  • View available roles of an organization

Learn about provisioning APIs