Slack is now the most popular and fastest growing instant messaging system for business, with 100% ARR growth and more than 70% market share. For many organizations, it's replaced email for project collaboration, both internally and with their clients, partners, and customers. Like a fairly large chunk of the working population, we love Slack for project management.
But what most members don't know is that, by default, Slack offers no native malware or data filtering protection. Organizations are responsible for purchasing and configuring those security tools themselves, and for deciding how their own security and compliance standards apply to what is practiced in Slack.
In this post, we cover some common security considerations, then identify (and link to) the third-party vendors Slack supports for enterprise-class security.
Slack Use Cases
Slack members chat and share information, files, and URLs in real time. Conversations happen in channels (with multiple members) or in direct messages within a workspace. Public and private channels designate specific topics of conversation with a hashtag, such as #projects, #teams, or #project-team.
Messages can be shared internally and—with a couple of clicks—between external vendors, clients, or partners. Slack members can create open channels with other employees and even other people on Slack outside their organization. A single channel could potentially have a dozen people from different organizations in it. At the same time, bots, commands, and app integrations connect the dots between the day's tasks. For example, the slash command /apps* searches for apps in the App Directory.
In the name of security and discoverability, everything shared in Slack is automatically indexed and archived. This reflects how Slack fosters open communication and project visibility.
What could go wrong?
Although Slack is invite-only, ample user privileges and support for hundreds of apps naturally create risk. In shared channels, two organizations with different Slack plans can chat and swap files. (To be clear though, only Workspace Owners or Admins have the permission to connect companies on Slack.) Still, any user on a paid plan can simply join public channels with the same email address tethered to their organizational account.
If you're a CSO at a large organization concerned about compliance, there are some things you should pay attention to.
Because Slack is known to be invite-only, there is a common presumption that everything shared on Slack is private. An employee on any plan can create an external link, which converts a file tethered to an organization into a publicly available URL. Any member of Slack has the potential to create and edit user groups, add apps and integrations, invite new members, and invite a multi-channel guest to a private channel.
Third-Party App Integrations
There are over 900 bots and apps to choose from in Slack. Connecting to Google Drive or Salesforce (as one does in Slack) broadens the attack surface, because a vulnerability in those apps could compromise or interfere with Slack itself. This ease of integration at the member level ties back into the reality that Slack members have broad liberties with their data.
Slack Security Explained
On Slack, members are explicitly invited into the workspace. Slack offers all the basic security you'd expect in the cloud, and recommends enabling native two-factor authentication and managed session durations.
Even with those basic protections, how can organizations monitor user and app access, what is being shared, and how in Slack? When it's so easy to build open communication between one or more entities in so many different ways, highly valuable data can become highly vulnerable. Slack's answer for securing interconnected collaboration is integrating with third-party technology.
This table links to important security protections and the vendors who provide them.
|Security Feature|Security App|
|---|---|
|Data Loss/Leakage Prevention (DLP)| |
|Tracking suspicious behavior| |
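To make the two table rows concrete, here is a small illustration of the kind of content inspection the post says Slack does not provide natively. It is an added example, not code from Avanan or Slack: it scans constructed Slack-style events for card numbers (validated with a Luhn checksum so that order ids and similar digit runs are not reported) and for files that have been turned into public links, and it escalates sensitive content found in an externally shared channel. The event field names (`type`, `text`, `file_public`, `external_channel`, `file_name`) are assumptions made for the illustration, not Slack's export or API schema.

```python
"""Content inspection over Slack-style collaboration events.

Added example, not code from Avanan or Slack. The event records below are
constructed; their field names ("type", "text", "file_public",
"external_channel", "file_name") are assumptions for the illustration,
not Slack's export or API schema.
"""
import re
from dataclasses import dataclass

# Runs of 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; avoids flagging arbitrary digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    event_id: str
    rule: str
    severity: str
    detail: str


def inspect_event(ev: dict) -> list:
    """Return findings for one event: card numbers in text and public file links."""
    findings = []
    # Sensitive content posted into an externally shared channel leaves the
    # organization, so it is escalated; the same content inside the workspace
    # is still reported at medium severity.
    severity = "high" if ev.get("external_channel") else "medium"

    for m in CARD_RE.finditer(ev.get("text", "")):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding(ev["id"], "pan_in_message", severity,
                                    f"card number ending {digits[-4:]}"))

    # A file converted into a public link is readable by anyone holding the URL.
    if ev.get("type") == "file_share" and ev.get("file_public"):
        findings.append(Finding(ev["id"], "public_file_link", "high",
                                ev.get("file_name", "<unnamed>")))
    return findings


def scan_events(events: list) -> list:
    """Run inspect_event over a batch of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(inspect_event(ev))
    return out


# Constructed sample events (not real Slack data).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "message", "external_channel": True,
     "text": "can you bill the client card 4111 1111 1111 1111 for the retainer?"},
    {"id": "e2", "type": "message", "external_channel": False,
     "text": "order 1234567890123 shipped this morning"},
    {"id": "e3", "type": "file_share", "file_public": True,
     "file_name": "Q3-forecast.xlsx"},
    {"id": "e4", "type": "message", "text": "standup moved to 10:30"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.severity:6} {f.rule}: {f.detail}")
```

Run as-is, the script reports the card number in `e1` (escalated because the channel is shared externally) and the public file link in `e3`; the 13-digit order id in `e2` fails the Luhn check and is left alone. A production DLP layer would of course cover far more data types and act on the finding (quarantine, redaction, alerting) rather than just print it.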
Like email, Slack has become a fundamental part of enterprise collaboration. As a general practice, it's important to add layers of technology to meet compliance and security needs. This is Avanan's philosophy.
Conclusion: Make Slack safer with third-party security integrations.
The bottom line is that Slack does not natively enable the monitoring of message content, where most security threats live. Establishing a consistent data governance policy on Slack is as urgent as the daily dance of collaboration itself. Integrating Avanan with Slack takes care of all of the above.