In 2019, Slack reached 12 million daily users, a figure that is likely even higher today as the remote workforce has surged, making the tool a foundational part of corporate and enterprise environments. When your teams, both internal and external, are working in Slack to send files, share sensitive information, and communicate across groups, it is incredibly difficult to track what information is being distributed. On top of that, it is nearly impossible to tell which information is sensitive and should be controlled. The characteristics that make Slack easy to use and collaborate with also make it easy to leak information or download potentially risky files.
The Ponemon Institute reports that the average data breach exposes 25,575 records containing sensitive and confidential information. The annual Verizon DBIR continues to report remarkable statistics for compromised accounts: nearly 63% today are tied to weak, default, or stolen passwords.
Against this backdrop, securing Slack is as important as securing any other business-critical system. While security teams struggle to find the right balance of security and productivity, an easy approach is readily available: apply the spirit of your company’s email and access control security policies to Slack.
Following an example from several of our customers provides easy wins when setting up your Slack policies. You can use this as a starting point before building in company-specific requirements.
Apply a data loss policy
Having a single dashboard for configuring policies makes this a relatively simple process. With objects that have been designed for other applications and use cases, you can take previously created objects and apply them to Slack. These should be applied to both the messages in Slack as well as the shared files.
For instance, you can take the DLP-related objects, whether for groups, locations, or the policies themselves, and use them for Slack. Many will provide greater flexibility for specific groups (e.g. admins) and locations (e.g. behind a firewall).
With the flexibility to design policies that fit your requirements, you can scan all uploads for sensitive data and automatically halt them as needed, use a pre-built library of hundreds of data patterns or build custom criteria, and enforce DLP policies for data in transit (redact, DRM) and at rest (quarantine, encrypt). Of critical importance is the fact that this approach to DLP enables consistent security regardless of the communications channel: whether from a SaaS app, a website, or another communications tool.
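The pattern-matching and enforcement split described above (redact a message in transit, quarantine a file at rest) can be sketched as follows. This is an added example, not Bitglass product code; the two patterns, the function names, and the sample message are constructed for illustration.

```python
import re

# Constructed two-entry pattern library (assumption: the page names no specific patterns).
PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
# Constructed sample message: one Luhn-valid test card, one SSN-shaped value, one order number.
SAMPLE_MESSAGE = "Customer card 4111 1111 1111 1111, SSN 078-05-1120, order 1234 5678 9012 3456"

def luhn_ok(candidate):
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

def find_matches(text):
    """Return (pattern_name, start, end) for every validated hit, in text order."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "payment_card" and not luhn_ok(m.group()):
                continue  # regex matched, checksum failed: treat as a false positive
            hits.append((name, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

def enforce(text, channel):
    """Messages in transit are redacted in place; files at rest are quarantined whole."""
    hits = find_matches(text)
    if not hits:
        return "allow", text, []
    names = sorted({h[0] for h in hits})
    if channel == "file":
        return "quarantine", None, names
    out, pos = [], 0
    for name, start, end in hits:
        if start < pos:
            continue  # skip a hit that overlaps one already redacted
        out.append(text[pos:start] + f"[REDACTED:{name}]")
        pos = end
    return "redact", "".join(out) + text[pos:], names
```

The order number in the sample is left untouched because it fails the checksum, which is the kind of validation that keeps a broad card regex from redacting ordinary digit strings.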
Scan for malware
The ease with which Slack can be used to share files makes it a common tool not only to transfer documents, but also to serve as a makeshift data repository—where infected files can easily be housed. A single policy configuration to enable zero-day threat protection can be found below.
This policy will enable your team to block known and zero-day threats with integrated behavior-based protections powered by CrowdStrike and Cylance.
Enforce access based on contextual factors
Take the same SASE access control policies you have configured for other SaaS apps and apply them to Slack. Use either Bitglass’ native single sign-on for authenticating users accessing resources or federate through integrations with leading identity providers (IdPs) including Ping, Okta, and Centrify. At a minimum, step-up multi-factor authentication options like SMS tokens, hardware tokens, and Google Authenticator should be applied when less trusted context is presented (e.g. unknown locations).
Granular data loss prevention (DLP) policies like redact, encrypt, watermark, and DRM can provide varied levels of access based on user, application, location, device type, and more.
Maintain an audit trail
Confirm that comprehensive activity logs detail all file, user, and app activity. This will ensure you can pass regular audits while confirming that regulated data patterns are safe--critical for demonstrating regulatory compliance.