Demand for business-focused messaging platforms like Slack has surged during the great work-from-home (WFH) migration. While that was a logical move considering the popular platform was literally built for distributed team communications, many security processes got trampled in the stampede.
"This growth in user counts is stress-testing digital collaboration applications — many of which weren't originally crafted to handle such an enormous spike in usage over this short of a time frame," says Michael Gorelik, CTO at Morphisec, an endpoint security provider.
"Our 2020 WFH Cybersecurity Threat Index found that business chat apps such as Slack and Microsoft Teams were rated by WFH employees as their second most essential tool in working remotely. Yet workers acknowledged they were the least cautious in using these types of services," says Gorelik.
Despite, or perhaps because of, remote workers' rather cavalier attitudes, the potential damages to companies from Slack security breaches are quite serious.
"We have all seen the examples of what happens when a CEO's e-mail is leaked to the press, and it contains nuclear opinions on customer, employees, investors, and the market, in general. If people have historically had their guard down when communicating in e-mail, they likely have no filter at all with what they put in Slack," warns Caleb Barlow, CEO of CynergisTek, a healthcare cybersecurity and compliance consultancy and managed services firm.
It is prudent for companies to secure their Slack channels. Here's a roundup of Slack's and security professionals' recommendations of specific steps your company can take toward making Slack safer.
"The reality is you get what you pay for, and Slack's top-level Enterprise Grid offers a wealth of features to help secure your communications," says Kent Blackwell, threat and vulnerability assessment manager at Schellman & Company.
Features available at the enterprise level include single sign-on, integration with data loss prevention and enterprise mobility management tools, and -- as an add-on -- enterprise encryption key management. It also has FedRAMP moderate authorization and supports HIPAA compliance.
"All of these items help reduce the attack surface and offer more granular control over the security settings for Slack's users. The key here, though, is just buying the services isn't enough," Blackwell added. "Implementation and fine-tuning of each of these features is what will provide true security improvements."
Data is encrypted at rest and in transit in all levels of Slack, from free to Enterprise -- but that doesn't mean you should just "set and forget" data-sharing rules. Instead, regularly spot check what items are being shared in Slack.
The Enterprise Grid version provides audit logging tools and integrates with data loss prevention tools. There are also open source options.
"SlackPirate is an open source tool that you should also add to your toolkit to help spot check Slack," says Jerry Gamblin, manager of security and compliance at Kenna Security. "It quickly scans all channels you provide it access to for common items that are shared that may lead to a compromise if a bad actor gains access."
SlackPirate can be used by penetration testers or blue teams to search out passwords, secret keys, and sensitive documents swimming around in Slack workspaces.
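The spot check described above, as an added example written for this article and not SlackPirate's own code: it runs a few common secret-detection heuristics (AWS access key IDs, Slack bot/user tokens, PEM private key blocks, inline password assignments) over messages in the shape of a Slack workspace export, which is one JSON array of message objects per channel per day. The patterns, the channel name and the messages are constructed for illustration; a real review would feed it the export directory and feed the redacted findings to whoever owns the channel.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Detection heuristics (assumed for this example, not SlackPirate's rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
        r"[\s\S]*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S{6,}"),
}

# Constructed sample shaped like one day of a Slack export channel file.
# None of these values are real credentials.
SAMPLE_EXPORT = json.dumps([
    {"type": "message", "user": "U01", "ts": "1590000000.000100",
     "text": "standup notes posted in the doc"},
    {"type": "message", "user": "U02", "ts": "1590000100.000200",
     "text": "temp creds for the demo box: AKIAABCDEFGHIJKLMNOP / password=Summer2020!"},
    {"type": "message", "user": "U03", "ts": "1590000200.000300",
     "text": "bot token is xoxb-123456789012-abcdefghijklmnop, rotating tomorrow"},
    {"type": "message", "user": "U02", "ts": "1590000300.000400",
     "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----"},
])


def redact(text: str) -> str:
    """Replace each matched secret with a placeholder so a finding can be
    pasted into a ticket without re-leaking the value."""
    for name, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(f"<{name}>", text)
    return text


def scan_export(channel: str, export_json: str) -> List[Dict[str, str]]:
    """Return one finding per (message, pattern) hit, with a redacted preview."""
    findings = []
    for msg in json.loads(export_json):
        text = msg.get("text", "")
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append({
                    "channel": channel,
                    "user": msg.get("user", "?"),
                    "ts": msg.get("ts", "?"),
                    "kind": name,
                    "preview": redact(text)[:80],
                })
    return findings


def hits_by_user(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Who is pasting secrets most often: the follow-up is usually training
    plus rotation of whatever was exposed, not just deleting the message."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    results = scan_export("#ops", SAMPLE_EXPORT)
    for f in results:
        print(f"{f['channel']} {f['ts']} {f['user']} {f['kind']}: {f['preview']}")
    print(hits_by_user(results))
```

Every finding is reported through `redact`, so the scan output itself never becomes a second copy of the secret; a matched token still needs to be rotated, because it was already visible to everyone in the channel.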
Slack enables users to build custom apps, workflows, and integrations -- but these can be sources of vulnerabilities.
"Without the proper security oversight, these custom integrations and workflows can become a nightmare for the security team," says Charles Poff, CISO at SailPoint, an identity and access management provider. "My recommendation is that any custom integration get a thorough security review prior to production use."
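One concrete piece of the pre-production review Poff recommends is checking what a custom integration asks to read. The following is an added example, not Slack's or SailPoint's code: it classifies the OAuth scopes an app's manifest requests by what a stolen token could reach, and only approves when every scope beyond the low-risk set has a written justification. The scope names are real Slack OAuth scope identifiers; the risk grouping, the two app manifests and their justifications are assumptions constructed for the example.

```python
from typing import Dict, List, Set

# Assumed review policy for this example: scopes grouped by what a token
# holding them exposes if the integration or its hosting is compromised.
READS_CONTENT = {"channels:history", "groups:history", "im:history",
                 "mpim:history", "files:read", "search:read"}
READS_IDENTITY = {"users:read.email"}
LOW_RISK = {"chat:write", "commands", "incoming-webhook",
            "channels:read", "users:read"}


def classify_scope(scope: str) -> str:
    """Map one scope to the risk category the review uses."""
    if scope == "admin" or scope.startswith("admin."):
        return "admin"
    if scope in READS_CONTENT:
        return "reads-content"
    if scope in READS_IDENTITY:
        return "reads-identity"
    if scope in LOW_RISK:
        return "low"
    return "unknown"  # anything outside the policy vocabulary is escalated


def review_integration(app: str, requested: List[str],
                       justified: Set[str]) -> Dict[str, object]:
    """Approve only when every non-low scope is justified in writing and
    no scope is unknown to the policy; otherwise escalate with the list."""
    flagged = []
    for scope in requested:
        category = classify_scope(scope)
        if category == "low":
            continue
        if category != "unknown" and scope in justified:
            continue
        flagged.append((scope, category))
    verdict = "approve" if not flagged else "escalate"
    return {"app": app, "verdict": verdict, "flagged": sorted(flagged)}


# Constructed manifests for two hypothetical internal integrations.
DEPLOY_NOTIFIER = ["chat:write", "incoming-webhook"]
CHANNEL_SUMMARIZER = ["channels:history", "files:read", "users:read.email",
                      "chat:write", "admin.users:read"]

if __name__ == "__main__":
    print(review_integration("deploy-notifier", DEPLOY_NOTIFIER, set()))
    # Only the history scope was justified; the rest must be explained or dropped.
    print(review_integration("summarizer", CHANNEL_SUMMARIZER,
                             {"channels:history"}))
```

The point of the "unknown" category is that a scope the policy has never seen is escalated even when someone wrote a justification for it, which forces the policy itself to be updated rather than quietly bypassed.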
Be extra stingy with admin privileges and accounts.
"Instead of giving each contractor or freelancer their own account, give them a guest account that can be easily deleted once their contract is up," says Ian Kelly, vice president of NuLeaf Naturals, a CBD oil distributor. "It should be noted this can only be done on paid versions of the app, but getting the paid version will have more features as well as more security."
One caveat: Be careful with how much information and conversations you let guest users access.
"Vet the user before giving them access and terminate access as soon as the business is concluded," says Daniel Cooper, Managing Director at Lolly.co, a digital transformation consultancy. "It will help avoid exposing a guest user to what they shouldn't see."
By default, Slack will retain all messages and files for the lifetime of your workspace. And it can add up: The enterprise account allows up to 1TB of storage per user.
"This opens the door to this data being stolen or subject to subpoena," says CynergisTek's Barlow. "The smart approach is to pay serious attention to retention. Even a default retention limit of 30 days can significantly reduce an organization's risk."
One caveat: Be incredibly careful to retain data and observe other litigation hold protocols when customizing data retention policies.
"If there are regulatory requirements for storage, only apply it to those conversations that require it," Barlow says. "Or more likely -- move that collaboration out of a tool like Slack."
"Companies should implement protocols for preserving and retaining data the moment the legal obligation arises," adds Brian McPherson, labor and employment attorney and shareholder at Gunster law firm. "These protocols should also include a method for informing those necessary employees about the specific data that must be preserved."

A prolific writer and analyst, Pam Baker's published work appears in many leading publications. She's also the author of several books, the most recent of which is "Data Divination: Big Data Strategies." Baker is also a popular speaker at technology conferences.