Slack has enhanced its security, but is it enough?
Slack’s enterprise key management solution gives enterprises greater control over encryption keys, but the platform still seems to operate off a legacy security model.
Given the increasingly complex threat landscape, it’s not surprising that software vendors are busy adding new security features and functions to their products. In 2019, Slack announced the general availability of its enterprise key management (EKM) feature, which aims to grant enterprise customers greater control over how they protect their sensitive data in the platform. However, while this is undoubtedly good news amid a rising tide of data breaches and growing regulatory demands, firms operating in regulated industries like finance and healthcare must ask themselves whether it is enough.
How secure is Slack, and what makes it vulnerable?
One of the major concerns around security for Slack is that, unlike many consumer-grade messaging platforms, it does not support end-to-end encryption. The reason for this is that corporate executives typically need to retain complete visibility into their business communications for the purposes of regulatory compliance. For example, financial regulators like the US Securities and Exchange Commission (SEC) require financial services firms to retain meticulous records of their engagements with clients, but that can’t be done if businesses don’t have control and visibility over their communications.
Slack’s lack of support for end-to-end encryption is something of a double-edged sword. While it allows for compliance with federal record-keeping laws, it also means the platform is more vulnerable to hackers. As a result, several major data breaches in recent years have exploited security flaws in Slack. For example, video game publisher and developer Electronic Arts had 780 GB of proprietary data stolen from its private Slack workspaces. Slack itself suffered a major breach in 2021 when its Android app was compromised, potentially affecting every business using the platform – an estimated 750,000 organizations.
How does enterprise key management protect your data?
Software vendors that offer end-to-end encryption with their products often handle encryption keys themselves. The encryption keys are stored on their servers, which means they could, if needed, gain access to your data. This typically happens when a software vendor receives a court order to hand data on a particular customer over to the authorities. Furthermore, having all encryption keys handled by the same vendor on the same servers and infrastructure is a classic single point of failure: if the vendor were to suffer a severe data breach, the encryption keys belonging to all of its end users could be exposed at once.
Enterprise key management, or EKM, aims to alleviate these concerns by giving organizations greater control over their encryption keys. With Slack’s EKM feature, enterprises use their own encryption keys and store them in Amazon’s Key Management Service (AWS KMS). This lets administrators revoke access rights at a granular level, as opposed to having to disable entire workgroups or block a given user’s access to all data should a threat arise.
What are the limitations of Slack’s enterprise key management?
While EKM is certainly a welcome addition to Slack’s security offering, it is no replacement for true end-to-end encryption. Moreover, the keys are still managed off-site, and the fact that they are still held in the cloud can indirectly expose user data to potential attackers; these cloud servers are the ones threat actors are most likely to target. As such, the only real-world security benefit that Slack EKM brings to organizations is that it allows administrators to revoke their encryption keys following a security incident. In other words, Slack’s security architecture is largely reactive in nature, with security features bolted on and doing little to address the underlying issues and limitations.
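To make the model behind the EKM section and the "revoke after an incident" limitation concrete, here is an added Go example that is not Slack's, AWS's or Worldr's code. It implements the general envelope-encryption pattern that customer-managed-key features are built on: each message is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a customer-held key-encryption key (KEK). The `KeyStore` type is a hypothetical in-memory stand-in for a service like AWS KMS, and the key IDs such as `workspace-A` are constructed for the demonstration. It shows three things the paragraphs above describe: disabling one KEK makes only that key's data unreadable (granular revocation), the service side never sees the KEK, and revocation is reactive, because a DEK the service has already unwrapped keeps working after the KEK is disabled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical stand-in for a customer-controlled KMS (not AWS KMS itself):
// a KEK never leaves the store, and the SaaS side only ever calls Wrap and Unwrap.
// Create one with KeyStore{}.
type KeyStore map[string]*kek

type kek struct {
	key     []byte // 256-bit key-encryption key
	enabled bool   // flipped by an administrator to revoke the key
}

// randomBytes relies on crypto/rand.Read, which never returns an error as of Go 1.24.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// CreateKey mints a fresh KEK under id (for example, one per workspace).
func (ks KeyStore) CreateKey(id string) { ks[id] = &kek{key: randomBytes(32), enabled: true} }

// Disable revokes one existing KEK; only data wrapped under it becomes unreadable.
func (ks KeyStore) Disable(id string) { ks[id].enabled = false }

// Wrap encrypts a data-encryption key (DEK) under the named KEK, binding the key ID as AAD.
func (ks KeyStore) Wrap(id string, dek []byte) ([]byte, error) {
	if k, ok := ks[id]; ok && k.enabled {
		return gcmSeal(k.key, dek, []byte(id)), nil
	}
	return nil, errors.New("key unknown or disabled: " + id)
}

// Unwrap recovers a DEK; it fails once the KEK is disabled, which is the revocation control EKM offers.
func (ks KeyStore) Unwrap(id string, wrapped []byte) ([]byte, error) {
	if k, ok := ks[id]; ok && k.enabled {
		return gcmOpen(k.key, wrapped, []byte(id))
	}
	return nil, errors.New("key unknown or disabled: " + id)
}

// Envelope is what the SaaS side stores; no plaintext key is kept at rest.
type Envelope struct {
	KeyID      string // which customer KEK wraps the DEK
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt makes a per-message DEK, has the key store wrap it, encrypts the message and drops the DEK.
func Encrypt(ks KeyStore, id string, msg []byte) (Envelope, error) {
	dek := randomBytes(32)
	wrapped, err := ks.Wrap(id, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyID: id, WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, msg, []byte(id))}, nil
}

// Decrypt asks the key store to unwrap the DEK, then opens the message. A DEK a service
// already holds in memory still works via gcmOpen after the KEK is disabled: revocation
// only stops future unwrap requests.
func Decrypt(ks KeyStore, env Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.KeyID))
}

// aead builds AES-256-GCM; every key here is 32 bytes, so a bad length is a bug and panics.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// gcmSeal returns nonce || ciphertext || tag, with aad bound into the tag.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal and fails on any tampering with nonce, ciphertext or aad.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func main() {
	ks := KeyStore{}
	ks.CreateKey("workspace-A")
	env, _ := Encrypt(ks, "workspace-A", []byte("constructed sample message"))
	ks.Disable("workspace-A")
	_, err := Decrypt(ks, env)
	fmt.Println("after revocation:", err)
}
```

The design choice worth noticing is the split of trust: the service storing the `Envelope` holds ciphertext and a wrapped DEK but never a KEK, so a breach of its storage alone yields nothing readable, while the key store can refuse future `Unwrap` calls per key. What the pattern cannot do is claw back a DEK that has already been unwrapped into service memory, which is the mechanical reason the revocation control described above is reactive rather than preventive.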
While these shortcomings might be enough to make security leaders think twice about using Slack for conducting sensitive business communications, the truth is there are proven ways to reinforce the platform to bring it up to the level of security maturity today’s organizations need. For example, third-party solutions like Worldr can encrypt messages on-premises and in real time before they’re even transmitted through Slack’s servers, all the while giving you complete control and ownership over your encryption keys.
Worldr for Slack helps you protect your most sensitive business communications against third-party breaches with zero trust security. Get started today to see how it works.