How to Securely Adopt SaaS tools like Slack amid the COVID-19 Pandemic
The current coronavirus pandemic has pushed many teams to quickly adopt SaaS collaborative platforms like Slack, Microsoft Teams, and G Suite. Although these tools will allow teams to be productive while remote, collaborative cloud platforms tend to create environments where data policies and security best practices can be difficult to enforce. This can cause organizations to not only fail to be compliant with data privacy regulation but also can make them more susceptible to the variety of security threats that can emerge when teams rapidly adopt SaaS applications. With this in mind, here are three best practices for adopting Slack without increasing your organization’s security risks.
1. Harden your Slack Workspace security
Right from the moment you set up a Slack workspace, whether you’re on a free or paid plan, there are things you can do to improve your security. First, you should enforce two-factor authentication (2FA) for all members of your workspace. This will serve to authenticate users and protect your workspace in the instance of potential device thefts or account compromises. 2FA, of course, isn’t foolproof but is a solid starting point for securing your workspace. Organizations on Plus or Enterprise plans have the option of managing Slack user provisioning and authentication through a service like Okta or other identity management service.
In addition to enforcing 2FA for your Slack workspace, here are other controls you might want to establish:
- Implement application approval. Slack provides workspace admins controls that lets them individually approve what apps Slack members can install.
- Maintain limited invitation permissions. Slack can help admins ensure that only they can send invitations to join a workspace, or that workspace signup is only permitted for members with addresses of a specific domain. This limits the likelihood of unauthorized individuals getting access to your workspace.
- Set your message and file retention policies. If you have a paid Slack plan (Stanard, plus, or Enterprise Grid) you can customize how long files and messages can remain on your workspace or a specific channel before being automatically deleted.
- Set default channels for new members. Slack also permits admins to determine what channels new members join by default, which ensures that they’re properly onboarded to the channels relevant to their roles.
2. Develop good etiquette and security hygiene within your Workspace(s)
In addition to hardening the security of your workspace, you’ll also want to develop good practices for managing your workspace to help limit the likelihood of potential security incidents. We cover some of these practices in our “5 Slack Security Practices that Simplify Managing Guest Accounts.” Though the post is geared towards admins running workspaces with guest accounts, many of the points also apply to most other workspaces. For example, enforcing a consistent channel creation process (point 1) with standard naming conventions that delineate a channel’s purpose can help cut down on clutter and prevent the likelihood of sensitive information being duplicated in Slack. We also maintain that identifying engaged stakeholders to serve as Slack admins (point 4) is critical to running any Slack workspace smoothly and securely. You can read the full post here.
3. Consider tools that give you better visibility into your Slack channels
Even with the suggestions in this post, it can be difficult to ensure that any data shared in Slack, especially sensitive data like personally identifiable information (PII) or personal health information (PHI) is identified and properly secured. For this purpose, many teams on Slack often turn to third-party data loss prevention providers like Nightfall, which allow teams to identify when sensitive data is being shared or used inappropriately. Nightfall integrates with Slack to identify, classify, and protect the data you need kept secure. The platform can detect 100+ types of sensitive data like addresses, names, passwords, credit card numbers, etc. and determine if they’re being shared in the wrong Slack channels. Nightfall lets you also build out automated workflows that can alert admins as well as users to these incidents and provide remediation options like deleting or quarantining the detected data. To learn more about Nightfall, you can sign up for our upcoming webinar on March 25 or schedule a demo below.