Guides

5 Slack Security Practices that Simplify Managing Guest Accounts

by
Michael Osakwe
,
December 9, 2019
5 Slack Security Practices that Simplify Managing Guest Accounts5 Slack Security Practices that Simplify Managing Guest Accounts
Michael Osakwe
December 9, 2019
Icon - Time needed to read this article

As many teams already know, Slack is a powerful productivity tool that makes it easy for organizations to share information with both internal and external stakeholders. Alongside Slack’s communication features are access management controls that admins use to limit where information is shared in a Slack workplace. We’ll be looking at two of these — guest accounts and shared channels — and how they work well with other important Slack security practices.

What are Slack guest accounts?

Guests are one of two non-administrative roles that exist within Slack with the other being standard member accounts. Unlike member accounts, guest accounts can only be created within paid versions of Slack. Although external collaborators can be invited to a Slack workspace as standard members, in many cases, it might make more sense to provide them with a guest account instead. With guest accounts, you can choose to limit an individual’s workspace access to a specific Slack channel or a group of channels relevant to their work. This prevents them from having access to information that’s either privileged or simply not relevant to them. Additionally, guest account access can be automatically revoked after a set time limit has passed.

Slack distinguishes between guests who have access to a single channel and guests who’ve been granted access to a specific group of channels with the terms “single-channel” and “multi-channel.” Both types of guests share some overlap in what permissions they have, save for the number of channels they can access. Each account has similar viewing and posting permissions within the channel(s) they’ve been granted access to, for example. Multi-channel guests do have additional permissions in the form of creating private channels and being able to receive and accept channel invites. For a full list of Slack permissions across different roles, see this list.

How to Manage Slack Guest Account Security

Slack guest accounts are a powerful security option available to admins, but to get the most out of this feature, you should consider adopting the following best practices within Slack. Doing so will create a secure environment that will increase the security benefits that guest accounts can provide:

1. Enforce a consistent channel creation process that compliments business objectives and security policies

Channels play a central part in Slack communications. As such, they are going to be where much of your organization’s information will be shared within Slack. Ensuring that there’s a clear and consistent process in place for when and why channels will be created can front-load a lot of the work required for improving your Slack workspace security.

When developing your organization’s channel creation policies, you should make sure that channels are clearly named using a standard naming convention. Additionally, you should make sure that channels serve a distinct and dedicated business purpose so that there is little overlap between information shared across channels. Finally, channels where sensitive information is shared should be made private, and channels no longer in use should be archived or deleted if you don’t need to retain the information. Collectively, practices like these serve to clearly delineate content within channels, prevent the duplication of information across Slack, and reduce the likelihood of sensitive data being viewed by the wrong parties.

2. Use shared channels to manage larger groups of external collaborators

This year, Slack unveiled a new feature, dubbed shared channels. This feature allows for a single channel to be shared between workspaces in separate organizations. The settings of shared channels can be adjusted by admins from either of the two workspaces using them. These settings will apply only to the workspace that made them, however. For example, Organization A can make a shared channel private on their workspace while Organization B can keep the channel public on theirs.

Shared channels create an easy alternative for admins looking to provide limited workspace access to a large number of external collaborators from the same organization. Like with guest accounts, members of shared channels cannot post or view content in other channels on your workspace that they’ve not been given access to. You can learn more about all of the features of shared channels here.

3. Streamline Slack security with automated features

Slack makes it easy for admins to create automated policies for core features like guest accounts and message retention. As mentioned above, guests can be provided with an account that expires after a set time limit. This feature is great for cooperating with external collaborators who are working on a determined and temporary basis, and using it guarantees that no one will have access to sensitive information after they no longer need to. Similarly, messages and files in Slack channels or entire workspaces can be automatically deleted after a specified time limit. As is the case with guest accounts, using this feature can ensure that data isn’t available on Slack long after it’s no longer needed. Assuming your compliance policies allow for it, this could be a great feature to consider using.

4. Identify engaged stakeholders who will serve as Slack admins 

Within all versions of Slack, there are three administrative roles:

  • Workspace Primary Owner: Single person with the highest permissions. Only this person can transfer ownership of the workspace.                                    
  • Workspace Owners: Hold the same level of permissions as the Primary Workspace Owner, except they can’t transfer ownership of the workspace.
  • Workspace Admins: They help manage members, channels, and other administrative tasks.

Slack Enterprise Grid adds three additional roles that serve above Workspace Owners and admins: 

  • Primary Org Owner: Only this person can transfer ownership of the org.
  • Org Owners: Hold the same level of permissions as the Primary Org Owner, except they can’t transfer ownership of the org.
  • Org Admins: They help manage org-level administrative tasks.

Slack goes into detail about roles here.

The purpose of admins at both the org and workspace levels is to manage workspaces by doing things like provisioning the appropriate channel access and permissions for members and guests. Admins can also close out old accounts and channels and enforce login standards. Within orgs, Org Owners delegate Org Admins to manage workspaces. For non-enterprise users, Workspace Owners delegate Workspace Admins to manage the workspace. Having Org Owners and Workspace Owners identify individuals with a solid understanding of basic cybersecurity principles to actively moderate Slack as either Org Admins or Workspace Admins is a good best practice that will make it easier to implement many of the other practices discussed in this post.

5. Consider data loss prevention (DLP) to help ensure that guests and members maintain best practices

Slack allows for the integration of third-party services like Nightfall that aid with data loss prevention (DLP). DLP tools allow you to have data visibility on applications like Slack, giving you the ability to filter through messages and files for specific types of sensitive information. With Nightfall specifically, you can create workflows that allow you to automatically detect the sharing of sensitive information in any channel and remove it from Slack. This is invaluable for making sure that sensitive information is only shared with whom it is intended in a channel designated for sharing such information.

If you’re interested in learning more about Nightfall for Slack, you can view our guide or schedule a brief demo with our team.

On this page
Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get a demo