For most of us working from home, Slack is one of the most frequent choices when it comes to communication. These days, Slack is everywhere – people taking a trip by buses use Slack, people at the office use Slack, people at home use Slack, and people working from the bench at the park use Slack.. The question is, how secure is the platform? Is it secure? This is what we’re digging into today.
The Security of Messaging Platforms
In order to tackle the question pertaining to the security of Slack as a platform, we would have to start from the bottom – are messaging platforms as a whole secure?
Of course, there is a whole bunch of messaging platforms – Messenger, Discord, Telegram, Signal, WhatsApp, WeChat… Remember Skype too?
Some messaging apps – think Telegram, Signal, and WhatsApp – are built for safety security, while others pride themselves on convenience or performance, but also keep security in mind. These days, it would be hard to find a messaging platform that could be considered “unsafe” – absolutely all platforms include safety and security as their priority, however, it would be safe to state that users using different kinds of platforms usually have different priorities: we probably won’t find ourselves using Skype for work group chats anymore, etc. As far as work is concerned, almost everyone uses Slack.
The Security of Slack
Slack is no stranger to security – the platform, as almost all platforms nowadays, is secured with TLS, and puts great care into the security of its users. As almost every other platform, Slack also has documentation extensively documenting its practices around availability, performance, capacity, and also security.
Slack is said to have built-in enterprise-grade security enhancements into every aspect of its application without sacrificing performance or UX features. As of the time of this blog post, Slack holds multiple certifications including ISO 27001, ISO 27017, ISO IEC 27018, SOC 2 and SOC 3, CSA, and it helps customers comply with GDPR, HIPAA, and other regulations.
As almost every other popular software solution, Slack also has a dedicated security team working on the product – their security team is said to use industry-standard practices and frameworks to keep data safe. Slack does this by:
- Encrypting data at rest and in transit.
- Focusing their security approach on security governance, risk management and compliance.
- Slack also gives a wide set of security and data protection features that their customers can choose from. They include, but are not limited to:
- Logging out users after amount of time has passed (logging out based on session duration);
- Providing all of their users with two-factor authentication capabilities.
- Providing users with the ability to choose the minimum application version that should be used (the most likely idea of this is to downgrade/upgrade features, but it might have some security concerns surrounding it);
- Providing users with the ability to block jailbroken or rooted devices, if any;
- Providing users with Enterprise Key Management (EKM) and Data Loss Prevention (DLP) capabilities and other tools outlined in its datasheet.
Each of those security capabilities provided by Slack ensures that its users are always safe no matter what happens – and since the security documentation of the platform isn’t of great depth (reading it up should consume minutes), familiarizing themselves with the docs is available to everyone at any moment in time.
Keeping Yourself Safe Outside of Slack
As safe as Slack would be to use, all users should keep safe both during work and outside of their virtual offices as well. Users can accomplish this by:
- Following industry-standard security practices outlined by their local CERT institutions.
- Picking a good, safe, and private workspace to avoid eavesdropping.
- Only using safe (secured) Wi-Fi networks when working from home.
- Using a VPN when necessary to access any company resources such as servers.
- Using multi-factor (2FA) authentication in every service that supports it.
- Avoiding to use any computer networks when they’re not necessary.
By following the outlined security practices, users can make sure all of their data is kept safe both offline and online. Slack provides a good set of industry-standard security practices, but without following basic security guidelines, everyone could be in trouble.
Both enterprise users and individuals can easily secure their infrastructure and themselves using BreachDirectory too – by using the BreachDirectory API users can easily integrate leaked data breach data into their infrastructure and by using the API provided by BreachDirectory, ensure the safety of their employees, contractors, and users – BreachDirectory even offers an enterprise edition of its API meaning that companies can simply load a CSV of all of the users they want to ensure are safe and run them through the API. The BreachDirectory API will then provide all of the necessary results.
Slack keeps all of its users safe by making industry-standard security practices available to all of its users: from TLS to blocking jailbroken or rooted devices – Slack has it all. After all, Slack is trusted by well-known names including the Department of State in the US, Ameritrade, Nikkei, Roche, and AIG (source: Slack), is built with enterprise-grade security in mind, and with a dedicated security team behind the product, there’s certainly no need to worry about the security of the product – every user of Slack is using industry-standard enterprise-grade security features and that makes Slack both extremely popular and a very safe product to use.