Since its launch in August of 2013, Slack has enjoyed remarkable growth in its user base. As of 2016, Slack boasted 4 million active users, with 28 of the Fortune 100 companies using Slack in some capacity. Despite the rapidly growing presence of Slack at enterprises, security concerns around Slack have kept IT departments from formally sanctioning enterprise-wide Slack deployments. Instead, Slack adoption was primarily driven by individuals or groups of individuals within certain departments. To mitigate security concerns and encourage organization-wide adoption of its product, Slack recently released Slack Enterprise Grid, giving organizations the ability to integrate and centrally manage distinct Slack accounts.
While Slack has built a robust security infrastructure and controls in its enterprise offering, like most cloud providers it follows a shared responsibility model that puts the onus on the customer to follow best practices in enforcing the appropriate level of security and compliance controls within Slack. We asked IT security teams at enterprises we work with how they are addressing the security of their data in Slack. Below are 6 proven Slack security best practices enterprises are adopting to ensure sensitive corporate data is protected.
1) Identify sensitive data and relevant security controls to protect that data
One of the first things IT security needs to do is identify the types of data that is being uploaded to Slack. Doing so will allow them to start categorizing data by type (PHI, PII, PCI, etc.) and identify relevant internal policies and external regulations that apply to the data. Once data has been inventoried, the security team can identify the necessary compliance controls they need to enforce to protect the data.
2) Enforce data loss prevention policies for files and messages across all Slack channels
There are two primary mechanisms by which sensitive or regulated data may be uploaded to Slack. Users may upload a file containing sensitive information or they may add sensitive information within a Slack message. Since 18.1% of all documents uploaded to cloud-based file sharing collaboration services contain sensitive data—including protected health information, personally identifiable information, payment card information, intellectual property, etc.—it’s imperative that enterprises enforce appropriate data loss prevention (DLP) policies to ensure compliance with industry regulations such as HIPAA, PCI-DSS, SOX, etc.
3) Implement appropriate access control policies based on user role, device, and location
While cloud-based collaboration services like Slack help make employees more productive by giving them access to critical resources from anywhere, at any time, using any device, they also present security risks where sensitive data could be exposed through unmanaged or unsecure device, untrusted location, or through non-compliant sharing.
Enterprises need to enforce context-aware access controls based on whether the device is managed or unmanaged, if the IP is blacklisted or safe, or whether the traffic originates from a trusted or untrusted location. In addition, enterprises should look to force additional authentication steps if certain predefined risk thresholds are met.
4) Capture a complete audit trail of all user and administrator activity
One of the more critical security requirements for Slack is the need to capture a comprehensive audit trail of activities performed by users and administrators. This will not only help identify anomalous or inappropriate user behavior (see below), but having an audit trail will also support and accelerate post-incident forensic investigations as part of an incident response workflow. The Slack API provides a complete feed of all user events, which can be imported into third-party security solutions to analyze this activity.
5) Detect activities indicative of insider threats and compromised accounts
There are myriad of threats that arise in the cloud. The average organization experiences 23.2 cloud-related security incidents each month, which includes insider threats (accidental and malicious), compromised accounts, and attacks that use the cloud as a vector to exfiltrate data.
According to Verizon’s 2016 Data Breach Investigations Report, 63% of known data breaches involved compromising a weak, default, or stolen user password. Moreover, some of the most damaging data breaches in recent years have been due to a compromised account attack (eBay, DNC, Anthem, etc.). It’s imperative for an enterprise to have security controls put in place that can rapidly detect and remediate unauthorized access to Slack user accounts.
And while external threats to data in Slack merits concern, enterprises also need to look within to identify and mitigate internal threats. According to a 2015 report by Intel Security, 43% of data loss incidents were traced to internal employees (half malicious, half accidental). Insider threats may come in the form of a well-intentioned Slack user uploading or sharing sensitive data in a non-compliant manner or a privileged user accessing and stealing data for financial gain. For these reasons, organizations must implement security controls that will identify anomalous user behavior that may be indicative of an insider threat.
6) Implement a uniform set of security policies across Slack and other cloud services
The security controls offered by cloud providers vary widely. Enterprises should strive to apply the same set of controls to Slack as they would to other popular cloud applications like SharePoint Online, Box, Salesforce, and Dropbox. In practice, this means the same DLP policy that identifies and protects Social Security numbers should apply to all cloud services. Likewise, any access control or threat protection capability should be enforced in a cross-cloud manner. There are couple of reasons why this is a best practice.
First, it is significantly easier and more efficient to manage policies from a single console. Furthermore, enforcing security policies from a single control point ensures there is a single place to review and remediate all cloud incidents, rather than a separate dashboard for each cloud service. Lastly, many cloud threats span multiple cloud services. For example, a rogue insider who logs into Slack and downloads sensitive data before uploading it to an unsanctioned cloud storage service, requires a view of both services in order to detect the threat.