How to secure Slack? The actionable guide with config
How to secure Slack?
Slack and similar cloud-based collaboration tools can make work more fun as well as faster and easier; however, these new ways of working also require fresh rules for both behavior and security.
Your organization is responsible for the safeguarding of any sensitive data, be it your own operational data or that entrusted to you by customers.
There will always be individuals with bad intent looking to exploit weak spots in an organization's security infrastructure. As our methods of communication and collaboration evolve, so too do their strategies.
The same can be said for accidental breaches. There will always be that one colleague who falls for phishing emails, clicks on random links, writes passwords down where others can see, and sends work-related emails from their personal account. They're also the ones who roguely install unvetted apps from untrustworthy sources to your workspace without letting anyone know.
Both IT managers and Slack administrators concerned with security have expressed their fear not because Slack cannot be secure, but because it is another opportunity for malicious actors as well as careless employees to cause a security breach.
Is Slack Secure?
When Slack first became available in 2013, it was advertised as a friendlier option to Microsoft’s team tools. One of the key features that drew people in was the ability to communicate instantly using this platform- with group messages and full conversation logs. This made it an attractive choice for businesses who were looking for an easy way share messages internally, especially since it had integrations with other business apps.
However, in 2015 Slack was hacked, revealing the company's lack of security. For four days hackers had access to the system, which resulted in stolen data such as email addresses and passwords.
Additionally, Slack discovered some doubtful activity on user accounts which suggests that at least some of these accounts were accessed without proper authorization. If a Slack account belonging to a CEO or another high-ranking executive is compromised, it has the potential to cause just as many security issues as a hacked email would. Because of this hack, Slack implemented two-factor authentication.
What can businesses do to protect themselves while using Slack?
The Fundamentals
While complex security measures do have their time and place, a great foundation for security starts with these easy and cheap tips that anyone can follow. Most of the following measures don't require anything other than common sense yet they're still neglected by many organizations.
(Available in all plans)
App Installation
One of the greatest benefits of Slack is its ability to integrate all types of third-party tools into your daily workflows. It offers several features that provide control over which apps, and which types of tools can be installed.
Restricting installations to Slack App Directory:
One of the easiest ways to protect your workspace from unauthorized app installations is to limit app installation to those from the official Slack App Directory. Every app in the directory is reviewed by Slack before it becomes available to everyone.
While not every app in the directory is guaranteed to be privacy/security risk-free for your organization--that varies depending on the company--it does help reduce chances of less reputable apps being added to your workspace without you knowing.
Pre-approval list
To take it a step further, you can whitelist (define a list of pre-approved) apps users in your Slack workspace can install.
Manual app approvals
This method requires more administrative overhead but does offer even greater visibility and control over the apps in your workspace. Users will need to request admin approval for any app they wish to install.
User management
User and access management are crucial to security. Slack offers several options to make it simple to manage access to your workspace and individual areas within that workspace.
Manual, but expedient user management
If you don’t have an automated user management tool in place (many smaller orgs don’t), it’s vital to have an offboarding checklist to help ensure there aren’t any users with access to data they shouldn’t have.
Guest users vs. full users
If you need to bring someone from outside your organization into Slack so they can communicate with your team, you can add them as a guest user and manage which channels they have visibility and access to.
View guest profiles in your workspace directory
Channel privacy
There are some conversations and pieces of data that might be sensitive, even internally. In this case, you can create private Slack channels that are only available to individual invitees.
Channel management tools allow select owners and admins to view a list of existing channels in their workspace or Enterprise Grid organization and take action on them from a central dashboard.
Slack connect
To help you manage Slack Connect for your organization, there are a number of approval settings you can adjust for Slack Connect channels. Keep reading to learn how to manage approval settings, apply approval settings to specific external organizations, and manage invitation requests.
Bot & App Scopes
App/Bot scopes determine the level of access a third-party application has to the data within your Slack workspace. If you’ve ever installed a Slack app or bot, this page probably looks familiar:
Every app and bot in the Slack ecosystem has a scope of access that is granted on installation.
Historically, many cases existed where apps and bots were required to select their required scope from a relatively short list of access levels. This caused issues for many developers because it forced them to request a greater scope of access than they actually needed.
Slack listened to customer and developer feedback on this topic and deployed a solution. During the 2019 Spec Developer Conference, Slack released a more granular set of scopes that application developers could use in order to request an appropriately limited amount of access in order to provide their service, and nothing more.
From Slack on your desktop, you can view any apps installed to your workspace by other members. To open the app browser, click ****Apps**** in the top left of your sidebar. If you don’t see this option, click **More to find it.
Force Two-Factor Authentication (2FA)
(Available in all plans)
Two-factor authentication is one of the quickest, easiest, and most accessible way of increasing account security without adding any extra hurdles. As a workspace administrator, you can require all users in your workspace to set up 2FA.
While 2FA is a significant step toward greater security, there are still varying levels of effectiveness, based on the 2FA format you choose.
Alternatively you see who has 2FA set up.
Enable Google Sign-In
Google Workspace single sign-on (SSO) lets all members of your workspace sign in to Slack using their Google accounts. This can be set up in two ways: with Google Auth using OAuth 2.0 or Google SAML using SAML 2.0.
Advanced settings
SAML/SSO
(Available in Plus and Enterprise Grid)
Single Sign On (SSO) providers like Okta make it possible for employees to log into apps and services without managing individual account login credentials. By eliminating individual account credentials you’re eliminating a vast number of potential attack vectors.
Slack offers SSO integration functionality at the Plus and Enterprise Grid level.
Automated User Management (provisioning/de-provisioning via SCIM)
(Available in Free, Standard, Plus, and Enterprise Grid)
Automated user management makes it simple to provision and deprovision user accounts automatically. For example, if an employee is marked as ‘terminated’ or moved to a different department in your HRIS, their requisite accounts will be de-provisioned across all the applications they had access to (or provisioned, in the case of a departmental transfer or promotion).
In many cases, SSO providers also handle automated user management.
Without automated user management, it’s surprisingly common for users to retain access to a live user account despite no longer being a member of an organization. Even if you don’t have automated user management, make sure you have an offboarding checklist that ensures departing users' access to critical systems is revoked.
Domain Whitelisting
(Available in Plus and Enterprise Grid)
At its most simple, Domain whitelisting restricts access to your Slack account based on what network the traffic is coming from. This means even if someone has all the correct login credentials, they won’t be able to log in unless they’re coming from one of the networks you’ve whitelisted (for example, from a network at your HQ).
This way, even if every other security protocol is breached, there’s no way to log in and access your data without additional access to your whitelisted networks.
Mobile Password / Biometric ID
(Available in Enterprise Grid)
By enforcing a mobile passcode or biometric ID challenge, even if an employee’s device is stolen, their devices won’t be able to log into your slack account without their individual device passcode, or biometric “key” (most commonly a fingerprint or Face ID).
Block File Downloads and Message Copying
(Available in Enterprise Grid)
Admins of Enterprise Grid accounts can restrict file downloads and message copying capabilities to devices managed by an Enterprise Mobility Management (EMM) provider.
Expert settings
Encryption Key Management (EKM) (API)
(Available in Enterprise Grid)
Encryption Key Management (EKM) allows organizations to shut off access to content unilaterally in an instant. This is particularly useful to organizations in heavily regulated or sensitive industries.Slack introduced EKM capability to Enterprise Grid users.
Audit logs (API)
(Available in Enterprise Grid)
Audit logs make it possible to see who took what actions within a system, where they took those actions from, and when. This information can be incredibly useful in keeping track of potential security issues or looking back in retrospect.
Enterprise Grid users get access to the Audit Logs API, which can be connected in a variety of ways, from specialized third-party tools to custom internal apps.
Session Management (API)
(Available in Enterprise Grid)
Session management allows admins to end the session of any user in their workspace. This is often useful in the case of a device loss, or for any other reason that might require a device to have its access revoked temporarily until the user re-authenticates.
Slack provides session management functionality to Enterprise Grid users through its Session Management API.
Human factor
Establishing Security Policies and Procedures
The first step to ensuring secure systems is establishing clear and comprehensive security policies and procedures. These should be non-negotiable rules that all users must abide by; for example, only approved employees should be allowed access to certain areas or data sets. It’s also important that these policies are communicated effectively to all users so there is no confusion about what is expected of them. Finally, it’s essential that these policies are enforced consistently; this will send a clear message that breaches of policy will not be tolerated.
Education on Security Matters
In addition to having clear security policies and procedures in place, it’s also important for organizations to provide education on security matters. This includes making sure all team members stay up-to-date with the latest security news and trends as well as understanding the basics of cyber hygiene such as good password practices and recognizing phishing emails.
Making Secure Operation Easier and Frictionless
Finally, it’s important that secure operations don’t become too much of a burden on those responsible for implementing them. Automating processes where possible can help make life easier while also reducing the chances of human error occurring during implementation. Introducing tools designed specifically for secure operation can also help here; they should enable users to operate securely without disrupting their user experience too much. Additionally, utilizing technologies like encryption can make operations more efficient as well as more secure.
In conclusion, it is essential for IT managers to have effective security policies, procedures, and education in place in order to ensure their systems remain secure from potential threats. By making sure these components are clear and comprehensive then enforcing them consistently alongside providing ongoing education on security matters, organizations can give themselves the best chance of staying safe from cyberthreats.
In conclusion
Security is an important factor in determining which systems you use. Slack has a great set of security features and tools that you can leverage to fortify your infrastructure, but it’s just as important to develop a working security plan, solid procedures, and to ensure members of your organization follow them.
It's not only Slack's top-notch security features that make it a great option for your business – although, those are impressive enough. You also need to consider things like developing a comprehensive security plan and ensuring everyone in your organization knows and follows procedure.
