Information security on Slack
Is Slack right for my company’s data?
It’s been a wild year for user data.
With high-profile stories such as the Yahoo and Equifax breaches, the Facebook/Cambridge Analytica fiasco, and the GDPR enforcement deadline, people are finally becoming aware of, and protective of, their data. It’s about time.
So how does this affect you and your forward-thinking business? What does that all mean if you want to collaborate with your team using Slack? (And we think you should!)
When thinking about information security, there are four main topics to consider: application security, data privacy, regulatory compliance, and data retention.
Geoff Belknap, Slack’s “Chief Insecurity Officer,” states:
I worry about providing the most secure product and the most secure work environment to protect our customers’ data. I take all the things that keep me up at night or that keep our customers up at night, and convert them into plans, metrics, and accountability. Then I get to work with our security team.
Slack’s “Slack’s approach to security” white paper provides a good overview of the policies and procedures Geoff’s team has implemented to protect users’ data.
The most important fact is that all of your data is encrypted in transit and at rest. All of your messages, documents, and rare memes are encrypted (over TLS) while travelling between Slack clients and Slack servers, and all of that data is encrypted while stored on Slack’s servers. As we’ll discuss later, though, encryption at rest with keys that Slack holds does not mean that no one but you will ever be able to read your team’s data.
Unfortunately, it doesn’t matter how strong your defenses are if you leave the front door open.
Let’s face it, your password sucks.
Even if you do follow NIST’s latest password guidelines (SP 800-63B) and have never left your password on a Post-it on your monitor, you’re still the weakest link. Maybe it’s Frank in the next cube over, but you get the point.
The usual username-and-password scheme is inadequate because it validates only one thing: something you know. Two-Factor Authentication (TFA) requires two different kinds of identity verification, chosen from: something you know (e.g. a password), something you have (e.g. a phone or an ATM card), and something you are (i.e. biometrics). A second password is not a second factor; a one-time code from a phone you possess is.
Slack implemented TFA in March 2015. It uses the usual password plus a one-time code tied to your phone. The code is either generated locally by an authenticator app such as Google Authenticator (my recommendation) or delivered to you by SMS. Prefer the app: SMS codes can be intercepted through SIM-swap attacks, and NIST’s guidelines now discourage SMS as an authenticator.
If you’re reading this article, you should be using TFA with Slack.
The largest known breach of Slack’s security was disclosed in March 2015. Yes, that date should sound familiar: the incident accelerated the release of the TFA rollout mentioned above. Slack also released a “kill switch” that lets team owners log every user out of the workspace and force them to reset their passwords. Nothing seriously sensitive is known to have been compromised by that breach.
The second major flaw in Slack’s security had serious potential: it allowed an attacker to log into a Slack workspace as if they were a legitimate member of that workspace. Luckily, good guy and extremely inactive Medium user Frans Rosén developed the attack and submitted it to Slack’s bug bounty program rather than using it. The hole was patched within five hours, and no trace of anyone actually exploiting it was found.
Thwarting would-be attackers is all smoke and mirrors if your data is simply handed out, right? So how private is your data? Can anyone besides Frans Rosén read your private messages?
Yes. They can, but it’s probably not as bad as you think.
Your boss (or your boss’s boss) can read your Slack messages. Even your private channels. Even your DMs.
Gizmodo’s What’s Slack Doing With Your Data? article from earlier this year explains:
So, who can see what? There are two types of privileged Slack users: admins and “workspace owners.” Both of these special users can download a “standard export” of anything posted to public channels, but only workspace owners can see your DMs, through what’s called a “compliance export.” Not all workplaces have compliance exports enabled.
As part of their GDPR rollout, Slack’s Compliance Export tool was replaced by Corporate Export.
Corporate Export is limited to workspaces on Plus or Enterprise Grid plans. Free and Standard plans get only the Standard Export, which includes content from public channels. Owners of Free and Standard workspaces must contact Slack and apply in order to export content from private channels and direct or group messages.
Slack Employee View
While your data is encrypted at rest, Slack holds the encryption keys. This means that Slack has the ability to access and read your data. Geoff Belknap told Gizmodo:
Slack gives its employees the ability to exercise some commands in the event of an emergency, or for a “valid, justifiable reason,” which could potentially expose them to customer data. However, Belknap said the process triggers alerts and is reviewed by the employee’s manager or superior.
So, certain Slack employees have the ability to access your data. Slack has tooling in place to make that hard to abuse: an employee must justify the request up the chain before being granted access, and alerts fire if they try to overstep those bounds. Note that this is detection and review, not a technical guarantee that no employee can ever read your data.
Law Enforcement Requests
As expected, Slack will conform to any law enforcement requests as required by law. Slack’s Data Request Policy is pretty standard.
Since they hold the keys to your data, it is technically possible for them to hand over decrypted data when legally required.
They publish a fairly nice Transparency Report which details the requests they’ve received and their outcomes.
Will Slack Sell My Data?
Some use cases require additional oversight and Slack has tackled a bunch of them. Their main Security page lists quite a few. I’ll touch on a few of the major ones.
Like everyone else who hopes to do business in the EU, Slack was required to meet GDPR requirements. There’s tons of fluffy talk on their GDPR page. The most important parts are the Corporate Export mentioned above and their Profile Deletion Tool. The profile deletion tool is a huge component because it guarantees that your personal information will be removed from Slack’s systems once requested. This is good for all of us.
If you work in US healthcare, you’re aware of HIPAA.
Vanilla Slack is not HIPAA compliant. Slack does offer an upgraded service tier called Enterprise Grid which incorporates additional security features that help meet HIPAA requirements (more on Enterprise Grid later).
Enterprise Grid can be HIPAA compliant. That being said, Slack is explicitly not a “Business Associate,” so no organization can use Enterprise Grid to exchange PHI; check Slack’s current HIPAA terms before assuming otherwise.
Slack says it best in their Security Practices (under “Confidentiality”):
Slack is a PCI Level 4 Merchant and has completed the Payment Card Industry Data Security Standard’s SAQ-A. We use a third party to process credit card information securely. Slack is not currently a PCI-certified Service Provider.
Basically, SAQ-A is the questionnaire for merchants who fully outsource card handling: Slack doesn’t process card numbers itself and meets the remaining few requirements that still apply to it.
Out of the box, Slack keeps everything in your workspace indefinitely. Even Free plans still retain data beyond the most recent 10,000 messages; older messages just aren’t searchable or visible.
Slack does offer some configuration of what is kept and for how long, via workspace-level message and file retention settings.
Deletions in Slack are forever (Forever, forever ever? Forever ever).
Customer data is removed immediately upon deletion or message retention expiration. Slack hard deletes all information from currently running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs). Backups are destroyed within 14 days.
Disaster Recovery and Business Continuity
Slack maintains an industry-standard level of DR and continuity, as explained in their white paper. They maintain four physical production sites. While those sites are within the same geographic region, they also keep remote backups over 2,500 miles from the main site. Full backups are taken daily, and restores are tested quarterly.
For organizations requiring additional levels of security and configurability, Slack offers their Enterprise Grid service tier.
In addition to enhanced features for managing multiple workspaces and channels, Enterprise Grid offers central management of security, policies, and compliance. It also offers extended integrations with third-party partners for additional security features (e.g. data loss prevention, offsite backups).
So what does it all mean?
Is Slack perfect for every organization? Of course not. If anyone tells you that one technology is perfect for every organization, you should just stop talking to them.
Slack has had some security concerns in the past, but they’ve dealt with them with more speed, transparency, and professionalism than most.
Slack isn’t the most private communication channel, but don’t think that any official, digital communication is immune to your company’s prying eyes.
Slack is as secure and private as email, if not more. We trust our organization with Slack and we think you should, too.
My colleagues at Eletype and I would be happy to address security concerns with any of our users or potential customers.
Brian Mullaney | CTO and Co-Founder, Eletype, Inc |@brianpmullaney