My company is an ISV selling software to banks and credit unions. We provide customer support via WebEx but every once in a while we'll have a customer that won't open their firewall to the WebEx domain. This provides some difficult support logistics but I understand where the bank's CSO is coming from. Does anyone have any guidance or recommendations in either defending WebEx's security model or offering more secure alternatives that might appease bank CSO's?
Thanks.
If it were me, I'd be speaking to my WebEx account manager, and ask them to assist you. For example, they could dig out their customer documents explaining how they ensure their datacentre(s) are kept secure, how their ActiveX/Java applet is penetration tested, Etc.
Probably better asked here: http://security.stackexchange.com , but you can point them to docs like: http://www.webex.com/pdf/ds_Compliance.pdf
In the end though, it's up to the banks and their own corporate security policies. If they choose to err on the side of caution with WebEx for whatever reason then they should at the least work with you to come to an agreement on how you can provide support to them. While they are the customer, and "the customer is always right", they need to realize that if WebEx is how your company provides customer support then they can't simply say "SUPPORT US!" without working with you to find out a solution to provide that support that is amicable for both parties.
It's doubtful you are their only vendor that provides support to them, so I'm sure with some friendly conversations you can work out with them a solution. For instance, find out how others support them by asking the bank.
