How we handle security at Slack
A conversation with Slack’s Chief Security Officer Geoff Belknap
A question we get asked a lot is “How secure is your data?” But what people are really asking is: “How secure is my data?” It’s an important question that deserves an expert answer.
Today we released an update of our security practices in the form of a white paper outlining the many ways Slack’s security team ensures customer data is protected. But rather than summarize those contents here with a long list of acronyms, we thought we’d take this opportunity to hear straight from the source: Geoff Belknap, Slack’s Chief Security Officer.
Belknap joined the team about a year ago and has been steadily scaling Slack’s security program alongside his team of experts. In this interview, we explore some of the unique approaches he and his team have taken to ensure Slack customer data is protected, get a preview of what’s coming up next in the world of security at Slack, and find out what keeps him up at night.
What are you responsible for as the Chief Security Officer?
I like to think about myself as Slack’s Chief Insecurity Officer. My job is to worry. Professionally. So that our customers don’t have to.
I worry about providing the most secure product and the most secure work environment to protect our customers’ data. I take all the things that keep me up at night or that keep our customers up at night, and convert them into plans, metrics, and accountability. Then I get to work with our security team.
All of this is in service of building a security program that our customers can take comfort in and trust. Without that, we can’t build solid partnerships and they can’t unlock the real potential Slack holds for them.
What are some measures the security team takes to ensure the protection of customer data?
Our security program is something I’m really proud of. Our team is made up of some of the most innovative and dedicated security professionals in the industry. They’ve implemented some amazing security controls and had significant influence over security features for the product.
The product security team ensures that all of Slack’s product development work flows through a secure development lifecycle process. Through the use of automated and manual analysis, our product security engineers help ensure we’re shipping things we know, to the best of our abilities, are free from security defects.
These efforts are supported by Slack’s public bug bounty program, which allows us to engage the wider security research community with our product security efforts. If a researcher finds a security flaw, we can immediately turn around and get to work addressing that issue, and reward them for helping us to protect our customers.
To top it off, we perform regular scans, penetration tests, and a growing set of third-party audits that help our customers see for themselves what we’re doing, and how well it’s working. Some of the merit badges we’ve already earned are our SOC 2 Type I and Type II and SOC 3. We also started working with the Cloud Security Alliance. We’ve met the CSA STAR Level 1 requirements, and a version of their Consensus Assessments Initiative Questionnaire (CAIQ) is available for anyone to download and review from the CSA website.
How are you and your team using Slack features and integrations to ensure data security?
One particularly good example of how we’re using Slack for data security is SecurityBot, our toolkit for distributed security alerting. We’ve taken much of the alerting “noise” that typically comes from a high-scale production environment, and would normally go to a front-line SOC analyst with zero context, and instead implemented a set of rules and a Slack bot that redirects certain alerts back to the user who caused them. This way, those engineers can acknowledge the alerts and provide context or escalate them.
Other alerts that could potentially indicate an “insider threat” go directly to the security team for review. Escalated alerts get much needed context and validation and can route directly to a security team member for an immediate response. All of this happens right within Slack.
Our Security Operations team has written some great blog posts about distributed security alerting. And they’re actually the ones who drove the effort to make some of the security tooling our team uses here at Slack available to the wider security community.
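The routing logic described in the answer above can be sketched in a few dozen lines. The following is an added example written for this page, not SecurityBot or any other Slack code: it routes each alert either back to the attributed actor for self-service acknowledgement or straight to a security channel, refuses acknowledgements that do not come from the attributed actor, and escalates anything left unacknowledged past a timeout. The rule names (`prod_db_export`, `sudo_on_prod_host`, and so on), the channel name, the 15-minute timeout, the `outbox` stand-in for posting a Slack message, and every sample alert in `run_demo` are constructed assumptions.

```python
# Added example of a distributed security alert router. Not Slack's SecurityBot;
# rule names, channel, timeout and sample alerts are all assumptions.
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURITY_CHANNEL = "#security-alerts"   # assumed analyst channel
ACK_TIMEOUT_SECONDS = 15 * 60           # assumed: escalate after 15 min without an ack
# Assumed rule names that never go back to the actor: a real insider would just
# "acknowledge" their own alert, so these bypass self-service entirely.
INSIDER_THREAT_RULES = {"prod_db_export", "mfa_disabled", "audit_log_cleared"}


@dataclass
class Alert:
    alert_id: str
    rule: str
    actor: Optional[str]   # user the activity is attributed to; None if unknown
    details: str
    created_at: float


@dataclass
class Disposition:
    target: str            # "@user" for a self-service DM, or a channel
    status: str            # "pending", "acknowledged" or "escalated"
    context: str = ""


class AlertRouter:
    def __init__(self, now=time.time):
        self.now = now
        self.alerts: Dict[str, Alert] = {}
        self.dispositions: Dict[str, Disposition] = {}
        self.outbox: List[Tuple[str, str]] = []   # (target, text) in place of a Slack API call

    def route(self, alert: Alert) -> Disposition:
        """Insider-threat rules and unattributable alerts go to security; the rest go to the actor."""
        self.alerts[alert.alert_id] = alert
        if alert.rule in INSIDER_THREAT_RULES or alert.actor is None:
            d = Disposition(SECURITY_CHANNEL, "escalated", "routed directly to security")
            self.outbox.append((SECURITY_CHANNEL, f"[{alert.alert_id}] {alert.rule}: {alert.details}"))
        else:
            d = Disposition(f"@{alert.actor}", "pending")
            self.outbox.append((d.target, f"[{alert.alert_id}] We saw {alert.rule} from your account "
                                          f"({alert.details}). Was this you? Reply ack or escalate."))
        self.dispositions[alert.alert_id] = d
        return d

    def acknowledge(self, alert_id: str, from_user: str, context: str) -> Disposition:
        """Only the attributed actor may vouch for their own activity; anyone else triggers escalation."""
        alert, d = self.alerts[alert_id], self.dispositions[alert_id]
        if d.status != "pending":
            raise ValueError(f"{alert_id} is already {d.status}")
        if from_user != alert.actor:
            return self.escalate(alert_id, f"ack attempted by {from_user}, not the attributed actor")
        d.status, d.context = "acknowledged", context
        return d

    def escalate(self, alert_id: str, reason: str) -> Disposition:
        alert, d = self.alerts[alert_id], self.dispositions[alert_id]
        d.status, d.context = "escalated", reason
        self.outbox.append((SECURITY_CHANNEL,
                            f"[{alert_id}] escalated: {reason} | {alert.rule} by {alert.actor}: {alert.details}"))
        return d

    def sweep(self) -> List[str]:
        """Escalate every pending alert older than the ack timeout; return the escalated ids."""
        now, escalated = self.now(), []
        for aid, d in self.dispositions.items():
            if d.status == "pending" and now - self.alerts[aid].created_at > ACK_TIMEOUT_SECONDS:
                self.escalate(aid, "no acknowledgement within timeout")
                escalated.append(aid)
        return escalated


def run_demo(now: float = 1_700_000_000.0) -> AlertRouter:
    """Constructed sample alerts exercising each path of the router."""
    router = AlertRouter(now=lambda: now)
    for a in [
        Alert("a1", "sudo_on_prod_host", "alice", "sudo to root on web-12", now - 60),
        Alert("a2", "prod_db_export", "bob", "pg_dump of customers table", now - 60),
        Alert("a3", "new_ssh_key_added", "carol", "key added to deploy user", now - 20 * 60),
        Alert("a4", "sudo_on_prod_host", None, "sudo from unrecognised session", now - 60),
        Alert("a5", "new_ssh_key_added", "dave", "key added to dave's laptop", now - 60),
    ]:
        router.route(a)
    router.acknowledge("a1", "alice", "deploying a hotfix, change approved")  # actor vouches
    router.acknowledge("a5", "mallory", "that was me")                       # wrong user: escalated
    router.sweep()                                                            # a3 timed out: escalated
    return router


if __name__ == "__main__":
    for aid, d in run_demo().dispositions.items():
        print(aid, d.target, d.status, d.context)
```

The important design point is the second branch of `acknowledge`: the bot takes the actor's word for their own activity only, so a compromised or hostile account cannot quietly clear alerts raised about someone else, and the insider-threat rule set never offers a self-service path at all.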
Looking ahead, what else are you working on to ensure Slack customer data stays mighty safe?
We’ll probably see updates to something we rolled out earlier this year to protect API tokens. We now methodically seek out and invalidate customers’ API tokens that have been accidentally posted publicly and follow up with an automated notification to the customer.
There will definitely be compliance merit badges that we hope to announce in the next couple of days (that’s as much of a hint as I’m able to give you!) [Ed. note: Update! We can now tell you that Slack Enterprise Grid complies with the stringent regulations of HIPAA and FINRA]. What I can tell you is that our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.
Other than that, we’re continuing to sink our teeth into innovating and scaling up our security toolkits, and sharing those updates with our customers and the wider security community.
How good are you at keeping secrets?
I can’t say.
Consider this your Security at Slack appetizer. For the full meal deal on all the ways we approach security at Slack, see the white paper on our security page.