Securing Slack: Is your organisation protected?

The popularity of Slack is growing at an exponential rate, but many organisations are still struggling with how to best maintain data security

In a few short years, Slack has transformed from a relatively unknown cloud application into one of the most popular team collaboration solutions in the world. For many enterprises, Slack is initially used in small, unsanctioned (shadow IT) deployments amongst internal workgroups. From there, use of the app typically balloons so quickly that it simply cannot be ignored. Today, Slack boasts over 10 million daily active users and more than 85,000 paying customers worldwide.

As organisations allow sensitive information to move off premises and into Slack, they must take concrete steps to ensure that their data is being used and secured properly. This article will look at some of the key challenges faced amidst this effort, as well as how they can be overcome through the use of modern security solutions that are built for the cloud.

Data overload

Every day, Slack users around the world send billions of messages and files to each other. It has even become its own verb; “I’ll Slack you” has entered the global vernacular as shorthand for sending information via the platform.

While Slack can do wonders for business productivity, it can also cause major security headaches. Employees are able to share a wide range of sensitive files with each other on the app, ranging from architecture diagrams and proprietary code to personally identifiable information (PII), financial data, and more; naturally, all of this could be extremely damaging in the wrong hands.

Unfortunately, most companies lack the resources needed to manually monitor all of the information passing through the application. Additionally, Slack’s private channels and direct messaging capabilities mean that IT admins often have no direct visibility over what information is being shared, creating an obvious security risk.

Best practices

There are, of course, simple best practices that organisations should apply when employees are using collaboration tools like Slack. For example, they should make sure that their employees receive regular training on best practices for cloud security. They should also educate all of their employees on their specific preferences and requirements regarding who can access certain types of data. Good password hygiene is another basic yet helpful tactic.

Solving the security challenge with CASBs

One of the best ways of doing this is through the use of a cloud access security broker (CASB). These solutions not only provide robust controls for how and when users can access applications like Slack, but also deliver visibility and control over how data is shared within it.

Leading CASBs allow organisations to see the sensitive data that is being shared, who is sharing it, what type of data it is, and where it has already been shared. To prevent sensitive data patterns from falling into the wrong hands, organisations can set up policies within a CASB that will automatically hide said data in Slack messages and files as needed.

In addition to the above, CASBs provide a breadth of other capabilities that are indispensable for securing the use of Slack and defending enterprise data. Multi-factor authentication (MFA) verifies user identity beyond the mere use of a password, data loss prevention (DLP) extends varied levels of data access to users based on their needs and privileges, and advanced threat protection (ATP) prevents malware of proliferating through the cloud.

How do CASBs work?

By integrating with Slack’s API (application programming interface) and proxying user traffic, a CASB can automatically scan an enterprise’s entire Slack deployment across all of its teams and channels, all while enforcing real-time policies that secure user behavior even within private channels and direct messages. In this way, sensitive data is discovered, while high-risk sharing can be quickly identified and automatically mitigated. This saves IT security teams a significant amount of time and keeps data safe.

Leading CASBs are also agentless, which means that enterprises can achieve the desired level of visibility and control over data within Slack without having to install agents onto every single employee device. This can be particularly beneficial in large organisations with thousands of employees as installing agents on all devices used to access corporate data can be highly logistically challenging – not to mention the regular software updates that must be rolled out individually for every device’s agent.

Additionally, agentless solutions are critical in bring-your-own-device (BYOD) environments where employees are allowed to work from their personal endpoints and do not want anything installed on them for fear of their privacy being invaded. As agent-based tools capture all traffic on the devices on which they are installed (corporate and personal alike), employees typically resist them. In light of the above, an agentless CASB with a full feature set is critical for comprehensive, deployable Slack security that respects user privacy.

The popularity of Slack is growing at an exponential rate, but many organisations are still struggling with how they can best maintain data security as they use it – particularly from an end-user perspective. Fortunately, solutions like CASBs now let organisations achieve robust cybersecurity in the cloud, meaning that they can confidently enjoy the productivity benefits of Slack as well as any other app.