10 Security Considerations for Slack Admins
I’ll be very honest: I deeply love Slack. This might sound weird, but it has made GSOFT a much better organization. Not only have we gotten more productive, but our company culture improved enormously, as well. Something magical happened, and I’m pretty sure you know what I’m talking about. It comes as no surprise that Slack is one of the fastest growing companies ever, and this is only the tip of the iceberg.
For many organizations, it’s quickly shifting from a sexy communication tool with funny gifs to a mission critical platform, which places a more serious emphasis on the role of Slack Admin. Since this is a fairly new role for most of us, here are a few security considerations to help get you started.
Guests are users with limited access to your Slack team. We usually use them for clients and contractors, in order to allow them to collaborate with us. While this is a very useful feature, it’s also just as easy to forget to disable a guest account once it’s no longer needed. Since the lifecycle of a contractor or a client is a little less obvious than that of an employee who leaves the company, it can very easily fall through the cracks.
Make sure you regularly validate guests who can access your Slack team. You might also want to consider going a step further and creating a checklist to use when someone joins or leaves the organization, so you never run the risk of forgetting important tasks like removing a guest user.
What people are saying
Slack conversations, due to the nature of the platform and the way it was designed to engage people, tend to be very friendly. This is amazing for user adoption, but can be dangerous when people get too comfortable. From profanity to credit card numbers, there’s a lot of content that can make your organization vulnerable. As a Slack Admin, it’s your job to manage it well.
You can use the Highlight Words feature to be notified when specific words are mentioned. This way, you’re notified of banned words (ex: swear words). Unfortunately, this approach is very limited and only works for channels you’ve joined.
Creating a code of conduct for everyone in your organization is also a very good idea, so they know exactly what is considered appropriate or inappropriate when using Slack.
Take a look at the Code of Conduct used for the Slack Developer Community.
At the end of the day, you’re very limited in terms of what you can do, and you have to trust your users. Most conversations and files are private, and you have no access to them. It doesn’t make any sense to read all public conversations and open each public file one by one. At the very least, make sure you have a clear set of rules and make everyone responsible for keeping Slack safe. The freedom of Slack is dangerous, but it’s also part of its success.
Two-Factor Authentication adds an extra step when a user logs in to Slack, and makes it more difficult for an attacker to gain access. This option is available in Slack, but disabled by default. Each user can enable it for their own account if they want, or you can enforce it for everyone.
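The Highlight Words feature only matches literal words in channels you have joined. An added example (not code from the original post, and not part of Lighthouse) of what a small monitoring bot can do instead: scan message text for banned words and for runs of digits that pass the Luhn check, so a pasted credit card number is caught without a word list. The messages, channel IDs and word list below are constructed; the bot is assumed to receive message text through Slack's message events for channels it has been invited to, which is the same reach limitation the Highlight Words feature has.

```python
import re

# Constructed sample messages, standing in for the text a monitoring bot would
# receive through Slack's message events. Assumption: the bot has been invited
# to the channel, the same limitation the Highlight Words feature has.
SAMPLE_MESSAGES = [
    {"channel": "C_billing", "user": "U001", "text": "customer card is 4539 1488 0343 6467, ship today"},
    {"channel": "C_random",  "user": "U002", "text": "order #1234567890123456 is stuck in the queue"},
    {"channel": "C_dev",     "user": "U003", "text": "this build is utter crap"},
    {"channel": "C_dev",     "user": "U004", "text": "looks good to me"},
]

# Placeholder word list; the real one comes from your Code of Conduct.
BANNED_WORDS = {"crap"}

# 13 to 19 digits, optionally separated by spaces or dashes (how people paste cards).
# A longer digit run still yields a 19-digit candidate, which the Luhn check then filters.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
BANNED_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, sorted(BANNED_WORDS))) + r")\b",
                       re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which rejects most digit runs (order numbers, phone
    numbers) that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_message(msg: dict) -> list:
    """Findings for one message. Card numbers are masked in the finding:
    an alert must not re-leak the number it is warning about."""
    findings = []
    for digits in find_card_numbers(msg["text"]):
        findings.append({"channel": msg["channel"], "user": msg["user"],
                         "kind": "card_number", "detail": "****" + digits[-4:]})
    for word in BANNED_RE.findall(msg["text"]):
        findings.append({"channel": msg["channel"], "user": msg["user"],
                         "kind": "banned_word", "detail": word.lower()})
    return findings


def scan_all(messages: list) -> list:
    return [f for msg in messages for f in scan_message(msg)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_MESSAGES):
        print(f"{f['channel']} <@{f['user']}> {f['kind']}: {f['detail']}")
```

The second sample message contains a 16-digit order number that a plain regex would flag; it fails the Luhn check and is ignored, which is what keeps a scanner like this from drowning the admin in false alerts. Whatever the bot reports should go to a private admin channel, never back into the channel it was found in.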
Yes, it makes the authentication a little more time-consuming, but it’s worth it, especially if Slack is mission critical in your organization. If you don’t want to enforce it for everyone, at least enforce it with Slack Admins and Owners.
Check Uploaded Emojis
Emojis are epic in Slack! At GSOFT, Custom Emojis are uploaded all the time, and we now have hundreds of them. They usually reflect our company culture, since there’s a meaning behind all of them that only we can understand.
By default, anyone can upload a Custom Emoji, and make it visible to everyone. That’s the freedom that makes it so powerful. But what if someone uploads an offensive Emoji? It’s very difficult to detect, as a Slack Admin, and it can really hurt the organization if a screenshot of it leaks publicly. You don’t want your organization associated with an offensive Emoji, especially if you’re a well-known organization.
First, you need to decide if you want to let everyone upload Custom Emojis. If yes, define rules for Slack Emojis in your Code of Conduct. Also, you should regularly check the list of Custom Emojis and make sure none of them are offensive.
Files Shared Externally
By default, all files can be externally shared with the outside world. You select a file, and create a public link. It’s that simple.
It’s a useful feature if you want to send a file to someone outside your team, but the lack of file management capabilities in Slack makes it dangerous. There’s no way to retrieve all files shared externally, and there’s no trace of who did it, except for the notification sent by Slackbot to the file owner.
This means you could have hundreds of random files shared externally, and you wouldn’t know who did it. It’s even worse for private files because they are totally impossible to detect.
Admins & Owners
You’re always just one button away from assigning admin or owner privileges to someone.
Who should you really assign the role of Slack Admin or Owner to in your organization? Think about it carefully. When companies get started with Slack, it doesn’t take long before too many people get promoted as Slack Admin or Owner, and this is exactly when things can get out of control. If Slack is mission critical to your organization, make sure you manage it like a mission critical system.
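Three of the points above (validating guests against a joiner/leaver checklist, enforcing two-factor authentication at least for Admins and Owners, and keeping the number of Admins and Owners under control) can be checked from one listing of the team's members. The following is an added example, not code from the original post and not part of Lighthouse. It works on a payload shaped like the `members` array returned by Slack's `users.list` Web API method (`is_restricted` and `is_ultra_restricted` mark multi-channel and single-channel guests, `has_2fa` is only returned to an admin token); the people, the roster and the audit date are constructed.

```python
from datetime import date

# Constructed payload shaped like the `members` array that Slack's users.list
# Web API method returns (field names are the real ones; the people are made up).
USERS_LIST = {
    "ok": True,
    "members": [
        {"id": "U001", "name": "alice", "deleted": False, "is_bot": False, "is_admin": True,
         "is_owner": True, "is_primary_owner": True, "is_restricted": False,
         "is_ultra_restricted": False, "has_2fa": True},
        {"id": "U002", "name": "bob", "deleted": False, "is_bot": False, "is_admin": True,
         "is_owner": False, "is_primary_owner": False, "is_restricted": False,
         "is_ultra_restricted": False, "has_2fa": False},
        {"id": "U003", "name": "carol", "deleted": False, "is_bot": False, "is_admin": False,
         "is_owner": False, "is_primary_owner": False, "is_restricted": False,
         "is_ultra_restricted": False, "has_2fa": False},
        {"id": "U004", "name": "dave-contractor", "deleted": False, "is_bot": False, "is_admin": False,
         "is_owner": False, "is_primary_owner": False, "is_restricted": True,
         "is_ultra_restricted": False, "has_2fa": True},
        {"id": "U005", "name": "erin-client", "deleted": False, "is_bot": False, "is_admin": False,
         "is_owner": False, "is_primary_owner": False, "is_restricted": False,
         "is_ultra_restricted": True, "has_2fa": False},
        {"id": "U006", "name": "frank-contractor", "deleted": False, "is_bot": False, "is_admin": False,
         "is_owner": False, "is_primary_owner": False, "is_restricted": True,
         "is_ultra_restricted": False, "has_2fa": True},
        {"id": "U007", "name": "gone-contractor", "deleted": True, "is_bot": False, "is_admin": False,
         "is_owner": False, "is_primary_owner": False, "is_restricted": True,
         "is_ultra_restricted": False, "has_2fa": False},
    ],
}

# Constructed roster: the joiner/leaver checklist record for every guest,
# with the internal sponsor and the date the engagement ends.
GUEST_ROSTER = {
    "U004": {"sponsor": "alice", "ends": date(2025, 3, 31)},
    "U006": {"sponsor": "bob", "ends": date(2025, 12, 31)},
    # U005 deliberately absent: nobody recorded why this guest account exists.
}

AUDIT_DATE = date(2025, 6, 1)   # constructed "today" so the run is reproducible


def active_humans(payload: dict) -> list:
    """Drop deactivated accounts and bots; they cannot log in."""
    return [m for m in payload["members"]
            if not m.get("deleted") and not m.get("is_bot") and m["id"] != "USLACKBOT"]


def is_guest(m: dict) -> bool:
    return bool(m.get("is_restricted") or m.get("is_ultra_restricted"))


def is_privileged(m: dict) -> bool:
    return bool(m.get("is_admin") or m.get("is_owner") or m.get("is_primary_owner"))


def audit_guests(members: list, roster: dict, today: date) -> list:
    """A guest nobody sponsored, or whose engagement is over, is a removal candidate."""
    findings = []
    for m in sorted(filter(is_guest, members), key=lambda m: m["id"]):
        entry = roster.get(m["id"])
        if entry is None:
            findings.append((m["id"], "not on roster"))
        elif entry["ends"] < today:
            findings.append((m["id"], f"engagement ended {entry['ends'].isoformat()}"))
    return findings


def audit_privileged(members: list) -> dict:
    """How many people can change team settings, and which of them lack 2FA."""
    privileged = sorted(filter(is_privileged, members), key=lambda m: m["id"])
    return {"count": len(privileged),
            "ids": [m["id"] for m in privileged],
            "without_2fa": [m["id"] for m in privileged if not m.get("has_2fa")]}


def run_audit(payload: dict, roster: dict, today: date = AUDIT_DATE) -> dict:
    members = active_humans(payload)
    return {"guests": audit_guests(members, roster, today),
            "privileged": audit_privileged(members)}


if __name__ == "__main__":
    report = run_audit(USERS_LIST, GUEST_ROSTER)
    for uid, why in report["guests"]:
        print(f"guest {uid}: {why}")
    p = report["privileged"]
    print(f"{p['count']} admins/owners: {p['ids']}; without 2FA: {p['without_2fa']}")
```

Run on a schedule, the guest findings are the reminder the text asks for, and a growing `count` is the early sign that too many people have been promoted.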
Slack is an amazing platform because of its successful ecosystem of apps that make people crazy (in a good way). There are many apps built for Slack. Some are good, some are bad, and that’s why you need to keep your eyes open.
Slack tracks all events related to apps in the Activity Log. This is very useful if you want to know exactly what happened with your apps, and you can export it if you want to. Obviously, the only problem with this is that it assumes that you’ll check that log often… which most people don’t.
Slack provides an optional approval process to control the chaos around app installations. As a Slack Admin, you can approve and restrict apps, so you can control exactly what gets installed.
The approval feature should be enabled at all times. And if users want to install a totally new app, they can submit a request directly from the App Directory.
All connections to Slack are tracked in the Access Logs, which record the user, the IP address, the device, and the location.
This is a good way to detect whether or not an account was compromised. For example, a user currently in the office connecting from another country could be an indication that something is wrong. You should clearly be looking here if you suspect a leak from within your Slack team.
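The "user in the office connecting from another country" check can be automated so nobody has to read the Access Logs by eye. This is an added example, not code from the original post and not part of Lighthouse; it runs over entries shaped like the `logins` array returned by Slack's `team.accessLogs` Web API method (the field names are real, the users, the documentation-range IP addresses and the timestamps are constructed). It flags an account seen from two countries with too little time in between, and any login from a country where the team has no staff; the allowed-country set is an assumption the admin maintains.

```python
from collections import defaultdict

# Constructed entries shaped like the `logins` array returned by Slack's
# team.accessLogs Web API method. Timestamps are Unix epoch seconds.
ACCESS_LOGS = {
    "ok": True,
    "logins": [
        {"user_id": "U001", "username": "alice", "date_first": 1700000000, "date_last": 1700003600,
         "count": 3, "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Macintosh)",
         "country": "CA", "region": "QC"},
        {"user_id": "U001", "username": "alice", "date_first": 1700005400, "date_last": 1700005400,
         "count": 1, "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
         "country": "RO", "region": "B"},
        {"user_id": "U002", "username": "bob", "date_first": 1700001000, "date_last": 1700009000,
         "count": 12, "ip": "203.0.113.22", "user_agent": "Slack/4.0 (iPhone)",
         "country": "CA", "region": "QC"},
        {"user_id": "U003", "username": "carol", "date_first": 1699900000, "date_last": 1699901000,
         "count": 2, "ip": "192.0.2.44", "user_agent": "Mozilla/5.0 (X11; Linux)",
         "country": "US", "region": "NY"},
        {"user_id": "U003", "username": "carol", "date_first": 1700000000, "date_last": 1700004000,
         "count": 4, "ip": "203.0.113.31", "user_agent": "Mozilla/5.0 (X11; Linux)",
         "country": "CA", "region": "QC"},
    ],
}


def find_country_switches(logins: list, window_seconds: int) -> list:
    """Same account seen from two countries with less than `window_seconds`
    between the end of one block of logins and the start of the next.
    A negative gap (overlapping sessions) is flagged as well."""
    by_user = defaultdict(list)
    for entry in logins:
        by_user[entry["user_id"]].append(entry)
    findings = []
    for user_id, entries in sorted(by_user.items()):
        entries.sort(key=lambda e: e["date_first"])
        for prev, cur in zip(entries, entries[1:]):
            gap = cur["date_first"] - prev["date_last"]
            if prev["country"] != cur["country"] and gap < window_seconds:
                findings.append({"user_id": user_id, "username": cur["username"],
                                 "from": prev["country"], "to": cur["country"],
                                 "gap_seconds": gap, "ip": cur["ip"]})
    return findings


def find_unexpected_countries(logins: list, allowed: set) -> list:
    """Logins from countries where nobody on the team works. Assumption: the
    admin keeps `allowed` up to date from where people actually are."""
    return sorted({(e["user_id"], e["country"], e["ip"])
                   for e in logins if e["country"] not in allowed})


if __name__ == "__main__":
    for s in find_country_switches(ACCESS_LOGS["logins"], window_seconds=6 * 3600):
        print(f"{s['username']}: {s['from']} -> {s['to']} after {s['gap_seconds']}s from {s['ip']}")
    for uid, country, ip in find_unexpected_countries(ACCESS_LOGS["logins"], {"CA", "US"}):
        print(f"{uid}: login from {country} ({ip})")
```

In the constructed data, alice appears from Canada and then from Romania half an hour later, which is flagged; carol appears from the US and from Canada more than a day apart, which a six-hour window treats as ordinary travel. Either finding is a prompt to talk to the user and, if needed, reset their password and sessions, not proof of compromise on its own: VPNs and mobile carriers produce the same pattern.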
There are many settings available in Slack, and it’s important to understand all of them.
For example, if you allow everyone to invite a member into your Slack team, and you have no restriction on the email domain that can be used to join, you end up in a situation where everyone in your team can invite anyone in the world to join. Those are two different settings that can compromise your entire Slack team if mishandled. Be careful, and make sure you understand a setting before you change it.
That’s the reason we built Lighthouse: so we could be part of the incredible Slack journey by bringing control and visibility to Slack’s customers, and removing barriers for the many new Slack Admins in the world.
How about you? What are your main challenges as a Slack Admin? Share your stories with me!