Is slack secure? Redact sensitive slack messages!

Is Slack Secure? No!

Slack is a cornerstone of many companies' workplace technology solutions. Particularly with more companies working in a remote or hybrid setting, or even companies working between multiple locations, Slack is indispensable to their daily operations. However, the more information companies put in a Slack workspace, the greater their risk in the event of a data breach. Think of the most recent Uber Data breach because an employee's slack credentials were compromised due to a phishing scam.

Common types of sensitive data shared very often in slack are:

1. Credit card numbers and confidential financial data
2. Customer sales data
3. Sensitive PHI (Protected Health Information)
4. Customer PII
5. API Keys
6. Confidential files in the forms of PDFs, Images, HARs, XLSX ,google docs and Word document

Low-Hanging Fruits in Slack Sensitive Data Security Features

One of the main concerns with using Slack is the risk of data breaches. Slack is a cloud-based service, which means that data is stored on remote servers. While Slack has implemented various security measures to protect data, including encryption and two-factor authentication, it is still vulnerable to cyber attacks.

1. Enable Two-Factor Authentication

‎As is recommended for all services, setting up two-factor authentication is a simple yet powerful way to protect against bad actors seeking to log in with your credentials. Slack supports most time-based, One-Time Password (TOTP) applications you may already be using, such as Duo Mobile, 1Password, Microsoft Authenticator, Google Authenticator, and more.

2. Making channels private

‎You can set permissions on an individual channel to further protect sensitive information. Making a channel "private" prohibits members from seeing the channel unless they are invited. This feature is great for channels in which sensitive information may be discussed. For example, a board of directors channel discussing high-level information may be best kept private.

3. Limit Access To Workspace

Security's best practice is to grant access to employees or guests only when they need to be part of a slack channel or workspace. It is best practice to revoke access once the business function is done.

Are There Any Security & Compliance Risks that are not Solved in Slack?

Even with solid security practices, like two-factor authentication and limiting access to who needs it, sharing customers' most sensitive information or businesses' confidential secrets/keys is still risky over Slack.

1. There is no way to prevent employees from sending sensitive data like Drivers licenses, identity pictures, SSNs, bank statements OR even API Keys/secrets/private keys. There is a massive risk of data loss exfiltration.
2. Slack has different channels: public, private, DM (Direct Message), and Group DM. These channels allow employees to share sensitive data making it harder for IT and Security auditors to oversee what information is shared.
3. There is no way for the business to implement GDPR or CCPA's Right To Delete control as data is all over the place for a customer.

Modern Data Loss Prevention (DLP) Solution

Strac's Data Loss Prevention (DLP) Solution for Slack Free, Pro, Business and Enterprise plans automatically detects and redacts (masks) sensitive data like PII (SSN, DL, Passport, etc.), PHI (patient data, dob, etc.), credit card numbers, bank account details, API keys, and more from Slack messages.

Below is a sample list of sensitive data elements that will be detected & redacted in Slack workspace:

• Identity: Drivers License, Passport, SSN (Social Security Number), National Identification Number, etc.
• PII: Name, Address, Email, Phone, DoB, Age, Gender, Ethnicity, etc.
• PHI: PII data, Medical Record Number (MRN), Insurance ID, Health Plan Beneficiary Number, Biometric, Medical Notes, etc.
• Payments: Bank Account, Routing Numbers, Credit Card, Debit Card, IBAN, etc.
• Secrets: API Keys, Passwords, Passphrases, etc.
• Vehicle: License Plate, Vehicle Identification Number (VIN), etc.
• Physical Network: IP Addresses, MAC Address, etc.
• Crypto Secrets: Seed Phrase, Bitcoin, Ethereum, Litecoin Addresses, etc.
• Profanity: Curse words, abuse words, etc.
• Custom: Create your own rules or use regex

Strac's Redactor is powered by its Machine Learning models that help businesses comply with PCI, HIPAA, SOC2 and various privacy laws by automatically redacting sensitive data. Strac also exposes REST APIs for redacting (or masking) any data.