But while its ability to reduce email and boost collaboration has made headlines, a few security incidents have also made the headlines.
In 2016, employees at 18F (a tech consulting team within the General Services Administration) shared Google Drive documents through Slack. It sounds innocuous, but by connecting the two apps, they exposed more than 100 GSA Google Drive accounts for half a year.
But as Network World points out, “This is not a security flaw in Slack — instead, it is a risk exposed by the combination of unfamiliar systems being used and managed by business users who are not security specialists familiar with the many regulatory and compliance-related rules around data protection.”
Indeed, this was not the employees’ fault, nor was it Slack’s. SaaS is so new that many IT professionals have simply never encountered these data protection issues before. No industry best practices exist yet. And SaaS apps give end users plenty of freedom and control, allowing them to take actions that IT is unaware of. This leads to blind spots for IT—areas where they have no visibility.
In Slack, end users and admins can do (and view) some things that might surprise you. Here are five blind spots that you should be aware of:
1. End users can create public links to files
Many IT professionals aren’t aware that end users can create public links to any files shared in Slack.
By creating a public link, anyone on the internet can then access that file and download it. It’s very easy for a user to do. All it takes is three clicks:
An end user might do this with the best of intentions (e.g., to facilitate collaboration). They may not realize the full implications of their actions. But if sensitive or confidential files are publicly accessible, then you have data exposure problems on your hands—and you might never even be aware of it.
This is a blind spot for Slack admins. If or when a user creates a public link to a file in Slack, how would you know? There’s no built-in alert for this action. How many of your organization’s files have public sharing links? What kind of files are they? Do they contain sensitive information? Slack’s native admin console was not designed to deliver this kind of information; it was not purpose-built for IT.
What makes this even more precarious is that this setting is on by default. So unless you disable it in your Slack workspace’s Settings & Permissions page, your users are free to create public external links to files.
2. Admins can give end users the power to do a lot
Slack admins can give end users a lot of control and power. This can be useful (for example, end users can take care of their own administrative tasks in Slack without relying on IT and/or being made full admins). But it also poses security risks if you’re unaware of these settings. Everyone in the org—all end users, not just specific departments or roles—would be able to create/manage/modify/delete things.
Let’s take managing users as an example. By default, only Slack Workspace Admins and Owners can create and manage user groups. But any admin can change those settings in a drop-down menu and…
- Allow everyone in the company (except guests) to create, modify, and disable user groups:
- Allow everyone (except guests) to invite new members to your Slack instance:
- Allow everyone to create, archive, and remove members from channels:
It’s worth checking your settings on the Settings & Permissions page to make sure you’re comfortable with all the permissions that end users have.
3. Admins can see a lot and do a lot — some of which is irreversible
In Slack, it’s very easy to make people admins and give them elevated privileges. This can be beneficial because it reduces the administrative burden on IT.
As Slack points out on their website, “Promoting trusted members to Owner and Admin roles can help with managing your Slack workspace. With more Owners and Admins you can share day-to-day tasks like sending invitations and managing channels. You can have as many Owners and Admins on a workspace as you need.”
In fact, we’ve found that our enterprise customers have an average of 52 Slack admins in their environment.
However, Slack admins can see and do a lot of things that you might not be aware of. Some of these actions are irreversible. Do you feel comfortable knowing that all your admins can:
- View all the files that have been shared in public channels:
- Export all of a workspace’s messages and files. The export options depend on your Slack plan:
Free, Standard, Plus, and Enterprise Grid plans
On any plan, Workspace Owners and Admins can export and download all public channel data: messages and links to files included.
Workspace Owners can request access to a self-service export tool to download all data from their workspace. This includes content from public and private channels and direct messages.
- Invite Single- and Multi-Channel guests to a private channel
This is another important blind spot for IT. Do you know who all your guests (external users) are? Are they accessing data past their contract end date? On average, 15% of our midmarket customers’ Slack users are single- or multi-channel guests.
- Invite guests to any public channel
- Delete channels (this is irreversible)
- Make a public channel private (this is irreversible)
- Promote other members to Owner and/or Admin (in some cases, you cannot demote them)
Following the principle of least privilege is a best practice, so it’s a good idea to keep the number of admins to a minimum. At the very least, you should be aware of everything admins can do and see. Ask yourself: Do all my current Workspace Admins need to be admins, given that they can do and see all of this?
4. Users can install third-party apps or Slack bots that request many permissions
Some apps that integrate with Slack request permissions that might seem excessive. It’s not uncommon to see questions like the one posted below:
Why is this a problem? Because third-party access (like malicious apps and permissive bots) represents data exfiltration risks. As Network World points out, not every third party company is a “good steward” of the data they have access to. And relying on users to understand the technological risks around connecting technologies is not a strong strategy.
“The root problem is that many CISOs and CIOs have limited visibility into what third-party apps are even being used, and effectively no capabilities for removing them when in violation of internal security policy. While trusted applications can be a productivity boon, being able to detect and manage risks from apps and bots that fail to meet organizational standards is a critical security capability for these new ecosystems,” writes Network World.
CSO.com echoed these concerns. “Many Slack integrations also connect to other sensitive systems, such as Salesforce (CRM) and Workday (HR),” writes CSO.com. “A Slack integration could unwittingly give hackers access to an organization’s ‘crown jewels.’ To the untrained eye, applications may appear to be harmless platform integrations, but could really be malware. By tightening permissions on who can evaluate and control integrations, businesses can better prevent against malware attacks.”
As a Slack admin, do you know which third-party apps your users are installing and what kind of permissions these apps request? This represents yet another blind spot.
Only Slack Workspace Owners can decide who can approve apps or integrations, control which apps are approved for members to install, and restrict app installations to those only listed in Slack’s App Directory. Do you feel comfortable allowing your current Owners to have this level of permissions?
5. End users and admins can use Slack without two-factor authentication (2FA)
2FA, an extra layer of protection in the authentication process, is a security best practice.
According to CSO.com, “Only a measly 28 percent of Americans actually use 2FA on a regular basis.” The article notes that strong 2FA could have prevented nearly all of the internet’s recent high-profile password breaches.
By default, 2FA is not mandatory for Slack users. In Slack’s admin console, you can see who has 2FA enabled, which is useful but only to a certain degree.
Arguably, filtering for users who don’t have 2FA enabled is more valuable, but this is another blind spot for IT. You’d likely want to know who those people are, but you can’t natively receive alerts (via email, SMS, etc.) for non-2FA users. You also can’t automatically remediate those issues.
In the age of ransomware, phishing, and watering hole attacks, it’s easy to overlook the security risks that are right under our noses. By being aware of these blind spots in Slack, you can regain greater control over your environment, ensuring that your end users and admins don’t accidentally expose or leak data.
For more information on blind spots in SaaS applications (and how to fix them), download our free whitepaper, Fixing IT’s Blind Spots: 8 Critical Security and Management Policies to Implement in Your SaaS Environment.