Communication and collaboration have become essential aspects of today's business environment. With more people preferring to work remotely, choosing the right communication tool is a key aspect to enhance productivity and meet expected outcomes.
Slack is one of the most popular ways for businesses to communicate with each other. It's estimated to have more than eight million daily active users and is used extensively for communication among remote teams. Its popularity stems from its ease of use, its ability to switch workspaces, clean interface, quick and reliable communication, and more.
Now comes a big question: how secure is Slack for your business? Let's look at the security features to understand how secure the messages that you send through Slack are.
Existing Security Features
Slack comes with many built-in security features, and this is why it's considered to be one of the best today. That said, are the available security features enough to protect your assets from sophisticated cyberattacks? Before we answer this question, here's a look at all that Slack offers on the security front.
Defense-in-Depth Approach
According to Slack, its security is based on a defense-in-depth approach, where it secures every data layer in your organization. As a result, the chances of unauthorized access or cyberattack due to misconfigurations are greatly reduced. Slack also claims to continuously evaluate its security and work on fixing issues, if any come up. The overall security at Slack is headed by its Chief Security Officer (CSO) and is supported by the Slack security team. They focus on many aspects of security like security engineering, risk and compliance, security architecture, and more.
Security in Design
Slack has a robust and secure development lifecycle, and it greatly leverages its open-source tool called goSDL. The team also aims to catch most security issues and gaps during the design and testing phases. Beyond this, Slack offers a public bounty program where anyone in the public gets rewarded for identifying bugs in Slack.
Identity and Device Management
Slack has streamlined access mechanisms to ensure that only authorized people can join a Slack domain. Most enterprises prefer to opt for single sign-on, so they can further control access by role and department. Likewise, admins have complete visibility into all that transpires, and this has both positive and negative repercussions. The positive aspect of such visibility is that organizations can be on the lookout for disgruntled employees and prevent a possible insider attack.
Privacy
Slack offers private and public channels for communication. Of the two, public channels are accessible by all employees within an organization, such as a channel for announcements, random cooler banter, anniversaries, etc. Similarly, there are private channels, where conversations are limited to a small group of people, usually within a team. These private channels are visible only to the individuals who are a part of them. Also, an existing member has to add another individual to the channel.
Other than these group channels, employees can always have private one-on-one conversations with one or more individuals, and these are not visible to other employees in the organization, except the admin.
This separation of communication into private and public channels ensures secure communication with authorized employees.
However, note that those with admin rights have complete access to all communication, so the conversations are not 100% private.
Encryption
Slack encrypts data at rest and data in transit. This encryption is not end-to-end, though, and it does not keep your data 100% safe, as organizations may want to check the content. Also note that Slack generates audit logs that can be used for checking, troubleshooting, and internal compliance.
Plus, Slack integrates well with some of the best Data Loss Prevention (DLP) providers to further protect your data from outside access.
Slack Encryption Key Management
Slack Enterprise Key Management is a feature where Slack provides you with encryption keys to your data. These keys can be used to encrypt your files and data and are stored in AWS Key Management Service (KMS). This way, you can have complete control and visibility and the IT admins can revoke access to keys at a granular level to reduce disruption to other team members.
Governance
Another key aspect of security is governance. Slack offers extensive risk management capabilities including flexible retention policies, eDiscovery, and other support and service requirements that your organization may require. It also helps to enforce the security policy of your organization for all communication and collaboration that happens through Slack.
Compliance
Slack complies with leading security standards such as ISO 27001, SOC2, SOC3, Cloud Security Alliance, and more. It also complies with leading standards for particular industries, like HIPAA for healthcare, FINRA for financial services, and more. Slack is also FedRAMP Moderate, so organizations that communicate with government departments can use Slack.
This means it has to follow a set of standard security best practices, and your organization can benefit from these practices too.
Securing Endpoint Devices
Slack uses a secure endpoint policy, where the devices of all Slack personnel are configured for improved security. As an organizational policy, it mandates secure passwords, updated software, monitoring tools to remove potential malware, and high security standards for connected mobile devices. These measures bring down the chances of phishing and malware attacks through compromised employee accounts and devices.
Data Retention
Data retention policies are an essential part of security. At Slack, the customer's data is removed as soon as the user deletes the message. Also, it's deleted as soon as the message exceeds the time limit configured by the admin. As per Slack, it immediately deletes the information from production systems, and backups, if any, are destroyed within 14 days.
From the above discussion, it's clear that Slack is highly secure and can safeguard your messages. But is it secure enough for transmitting sensitive business information? Let's see next.
Slack Security Limitations
The above-mentioned security features may make you think that Slack is the most secure platform when it comes to communication and collaboration. Though Slack has robust security mechanisms, some limitations come with it.
Firstly, Slack doesn't use end-to-end encryption because most employers want visibility and control of all organizational communications. From an employer's standpoint, this visibility is justified, but from an employee's perspective, this can sound intrusive and overarching. More importantly, this lack of end-to-end encryption opens up the possibility for hackers to access sensitive information of organizations. A good example of such a hack is the proof-of-concept exploit.
The Proof-of-concept Exploit
Frans Rosén, an ethical hacker and security advisor at Detectify, made a Slack connection to his server, and using this exploit, he stole a user's private Slack token and logged into the organization's Slack service. He explained that he used certain code functions to go ahead with this hack. In the process, he also found many minor flaws such as browser notifications, the ability to switch between chats, and more. He could also drop calls and intercept messages on Slack using a few flaws in Slack's calling functionality.
This hack threw light on how any hacker can manipulate this lack of end-to-end encryption and other minor flaws to steal data from an organization. Though Slack has fixed this vulnerability, it's hard to ascertain how many more vulnerabilities can be unearthed through Slack's code functions.
The Electronic Arts Hack
Another well-known Slack hacking incident happened in the Slack channel of Electronic Arts, a video game maker. The hackers bought cookies for $10 and used the login details saved in the cookie to hack into an Electronic Arts employee's Slack channel. Through this channel, the group stole the source code of the FIFA 21 game, along with 780 GB of data. They threatened to sell all this on the dark web.
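A stolen session cookie lets an attacker in without a fresh login, so one defensive check is to watch for an existing account appearing from a country or client it has never used before. The Python below is an added example, not part of the original article or Slack's own tooling; the records are constructed, shaped like entries from Slack's team.accessLogs Web API method, and the baseline cut-off and function name are assumptions.

```python
from collections import defaultdict

# Constructed sample entries using field names from Slack's team.accessLogs
# records. All values are invented for this example.
FIELDS = ("user_id", "username", "date_first", "ip", "user_agent", "country")
ROWS = [
    ("U01", "alice", 1700000000, "198.51.100.7", "Slack/4.35 Macintosh", "US"),
    ("U01", "alice", 1700300000, "198.51.100.9", "Slack/4.35 Macintosh", "US"),
    ("U02", "bob", 1700100000, "203.0.113.20", "Mozilla/5.0 Windows Chrome", "DE"),
    # After the baseline: alice appears from a new country and a new client.
    ("U01", "alice", 1701000000, "192.0.2.44", "Mozilla/5.0 Linux Firefox", "RO"),
    # After the baseline: bob on a new IP, same country and client.
    ("U02", "bob", 1701000500, "203.0.113.77", "Mozilla/5.0 Windows Chrome", "DE"),
    # After the baseline: carol has no history at all (for example, a new hire).
    ("U03", "carol", 1701001000, "198.51.100.50", "Slack/4.35 Windows", "US"),
]
SAMPLE_LOGS = [dict(zip(FIELDS, row)) for row in ROWS]
BASELINE_END = 1700900000  # assumed cut-off between known and new activity


def flag_new_contexts(logs, baseline_end):
    """Return post-baseline entries whose country or client was never seen
    for that user during the baseline window."""
    known_countries = defaultdict(set)
    known_agents = defaultdict(set)
    for e in logs:
        if e["date_first"] < baseline_end:
            known_countries[e["user_id"]].add(e["country"])
            known_agents[e["user_id"]].add(e["user_agent"])

    alerts = []
    for e in logs:
        uid = e["user_id"]
        # Skip baseline entries and users with no history (review those separately).
        if e["date_first"] < baseline_end or uid not in known_countries:
            continue
        reasons = []
        if e["country"] not in known_countries[uid]:
            reasons.append("new_country")
        if e["user_agent"] not in known_agents[uid]:
            reasons.append("new_user_agent")
        if reasons:
            alerts.append({"username": e["username"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_new_contexts(SAMPLE_LOGS, BASELINE_END):
        print(alert)
```

An IP change alone is not flagged here because it is too common to be useful on its own; pairing the alert with forced session sign-out for the affected user is the usual follow-up.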
The Twitter Attack
Not so long ago, many famous Twitter accounts belonging to Barack Obama, Elon Musk, Kanye West, and Bill Gates were hacked. A group of young and inexperienced hackers used social engineering tactics to gain access to an unwitting employee's internal Slack channel. From there, the hackers managed to access some of the most popular Twitter accounts.
The above attacks clearly show that Slack is not the most secure option out there, despite its popularity and convenience. Also, your communication is not completely private or secure, as organizations always have control and visibility into what you send or receive. In this sense, it's not a completely secure app for communication.
Here are some alternatives to consider.
Slack Alternatives
Below are some Slack alternatives to consider.
- Discord: This VoIP and instant messaging platform enables users to communicate through messages, voice calls, video calls, and more. You can also securely share files and media content in communities or groups called “servers” or through private chats.
- Microsoft Teams: Microsoft Teams is more than just a communication tool. It's an entire workspace that supports seamless collaboration and communication among your employees. With this tool, you can create and attend meetings, share files and apps, create groups, send messages to groups or individuals, and more.
- Flock: A messaging and collaboration tool that comes with many built-in apps for productivity. It offers shared notes, reminders, polls, to-do lists, and so much more to create a conducive workspace. With this tool, you can also do voice and video calls with any employee or team in any part of the world. A highlight of Flock is that you can configure external apps and integrations, and receive notifications and updates about these apps through Flock.
- Rocket.Chat: A unique app that enables you to communicate with any individual or group, regardless of the collaboration platform they use. This open-source and customizable collaboration platform ensures high levels of data privacy and security. You can deploy it on Docker, Kubernetes, or Podman.
- Twist: A communication and collaboration app that you can download from the Apple Store. It organizes your team's communication and reduces the need for continuous meetings, emails, and chats. Twist maintains one thread per conversation to ensure that important communication is not lost in the process. Also, its features like specific tagging, historical record keeping, and structured silos enhance the productivity of employees.
- Troop Messenger: This office chat application supports safe and secure business data sharing. It enables you to send private messages, start and communicate in a group chat, send bulk messages, and more. File sharing, remote screen sharing, and end-to-end encryption are other important features of this tool.
- Cisco Webex: One of the leading solutions for video and web conferencing. It offers unified communication as a service and is a good choice for online meetings, webinars, screen sharing, and more. It supports up to 100 participants and HD video for video conferences and webinars. Interactive whiteboards, personal rooms, etc. are some of its other salient features.
- Mattermost: A highly secure and open-source platform for communication and collaboration. It's also well-known for its seamless orchestration of workflows across different teams. At the heart of it all, Mattermost is a chat feature that comes with advanced search and file-sharing capabilities. It integrates well with a ton of devices as well.
All the above tools come with excellent built-in security capabilities to enhance productivity and collaboration for employees. They have intuitive interfaces along with standard features such as file sharing and search. Undoubtedly, any of the above tools are a good alternative to Slack.
Final Thoughts
In all, Slack is a popular messaging app among employees today because it comes with many convenient features and an intuitive user interface. Its features support extensive communication and collaboration among remote teams and employees. However, its security has been in the spotlight for the last few years, though Slack has worked extra hard to fix the identified vulnerabilities. In this context, we discussed the existing security features of Slack and its limitations in this article. Finally, we listed a bunch of Slack alternatives for you to consider.
We hope this was an interesting read. For more such articles, browse through www.ittsystems.com.