How to secure Slack?

What is Slack?

Slack is one of the leading solutions in workplace communication. Companies worldwide use Slack to keep in touch with team members, sync on tasks, and track progress. Companies can create a Slack workspace that all of their members can join. A workspace includes different channels, which can be organized by team (e.g., engineering, marketing), by topic (e.g., general, miscellaneous), by specific people (e.g., Joey, Chandler), or all of the above.

Why is it essential to secure Slack workspaces?

Slack is a cornerstone of many companies' workplace technology solutions. Particularly with more companies working in a remote or hybrid setting, or even companies working between multiple locations, Slack is indispensable to their daily operations. However, the more information companies put in a Slack workspace, the greater their risk in the event of a data breach. Think of the most recent Uber Data breach because an employee's slack credentials were compromised due to a phishing scam.

Low-Hanging Fruits to secure Slack

1. Enable Two-Factor Authentication

‎As is recommended for all services, setting up two-factor authentication is a simple yet powerful way to protect against bad actors seeking to log in with your credentials. Slack supports most time-based, One-Time Password (TOTP) applications you may already be using, such as Duo Mobile, 1Password, Microsoft Authenticator, Google Authenticator, and more.

2. Making channels private

‎You can set permissions on an individual channel to further protect sensitive information. Making a channel "private" prohibits members from seeing the channel unless they are invited. This feature is great for channels in which sensitive information may be discussed. For example, a board of directors channel discussing high-level information may be best kept private.

3. Limit Access To Workspace

Security's best practice is to grant access to employees or guests only when they need to be part of a slack channel or workspace. It is best practice to revoke access once the business function is done. Slack has written some of the key guidelines here: https://slack.com/help/articles/115004155306-Security-tips-to-protect-your-workspace#limit-who-has-access

Are there any Security & Compliance Risks that are not solved in Slack?

Even with solid security practices, like two-factor authentication and limiting access to who needs it, sharing customers' most sensitive information or businesses' confidential secrets/keys is still risky over Slack.

1. There is no way to prevent employees from sending sensitive data like Drivers licenses, identity pictures, SSNs, bank statements OR even API Keys/secrets/private keys. There is a massive risk of data loss exfiltration.
2. Slack has different channels: public, private, DM (Direct Message), and Group DM. These channels allow employees to share sensitive data making it harder for IT and Security auditors to oversee what information is shared.
3. There is no way for the business to implement GDPR or CCPA's Right To Delete control as data is all over the place for a customer.

Modern Data Loss Prevention (DLP) Solution

Strac's Data Loss Prevention (DLP) Solution for Slack Free, Pro, Business and Enterprise plans automatically detects and redacts (masks) sensitive data like PII (SSN, DL, Passport, etc.), PHI (patient data, dob, etc.), credit card numbers, bank account details, API keys, and more from Slack messages.

Below is a sample list of sensitive data elements that will be detected & redacted in Slack workspace:

• Identity: Drivers License, Passport, SSN (Social Security Number), National Identification Number, etc.
• PII: Name, Address, Email, Phone, DoB, Age, Gender, Ethnicity, etc.
• PHI: PII data, Medical Record Number (MRN), Insurance ID, Health Plan Beneficiary Number, Biometric, Medical Notes, etc.
• Payments: Bank Account, Routing Numbers, Credit Card, Debit Card, IBAN, etc.
• Secrets: API Keys, Passwords, Passphrases, etc.
• Vehicle: License Plate, Vehicle Identification Number (VIN), etc.
• Physical Network: IP Addresses, MAC Address, etc.
• Crypto Secrets: Seed Phrase, Bitcoin, Ethereum, Litecoin Addresses, etc.
• Profanity: Curse words, abuse words, etc.
• Custom: Create your own rules or use regex

Strac's Redactor is powered by its Machine Learning models that help businesses comply with PCI, HIPAA, SOC2 and various privacy laws by automatically redacting sensitive data. Strac also exposes REST APIs for redacting (or masking) any data.

‎

Book a demo to see how Strac's unique redaction technology will eliminate your security and compliance risks.‎