In the wake of the Covid-19 pandemic, digital transformation is happening at warp speed. The kind of widespread technological adaptation we expected to see years from now has been truncated to a matter of months as organizations adopt cloud solutions to keep their teams connected. And as more and more workplaces go fully remote, security has never been more paramount.
Cybersecurity threats, including phishing scams and spam, are spiking as bad actors take advantage of the pandemic to target remote workforces and corporate systems. In April, Google reported more than 18 million daily malware and phishing emails related to Covid-19 scams in just one week and more than 240 million daily spam messages. Security-sensitive industries, such as banking and health care, have been hit especially hard. A report by VMware Carbon Black found that attacks targeting the financial sector grew by 238% from February to April 2020.
As organizations, particularly those in regulated industries, turn to Slack to collaborate, we’ve set out to meet and exceed some of the most stringent security and compliance standards around. We built Slack from the start to give businesses a more secure way to communicate and collaborate, both internally and across organizational boundaries. Although we haven’t been around as long as some software suites built on legacy applications, our purpose-built platform allows us to stay focused and innovate swiftly to meet the needs of our customers—especially during times like these, when security is of the utmost importance. As a result, Slack continues to provide a secure, enterprise-grade collaboration solution.
Today we are introducing even more powerful layers of security. Here’s an in-depth look at our latest security and compliance offerings and a preview of what’s ahead.
Securely collaborate with external organizations, with Slack Connect
We recently launched Slack Connect, a more secure and productive way for organizations to communicate with each other. With Slack Connect, you can move your conversations with partners, suppliers, industry peers, customers and others out of email and into Slack. The benefits are big: faster communication, stronger relationships, more transparency and heightened security.
With Slack Connect, admins can maintain control over their organization’s data and monitor external access. And unlike email—which leaves users open to the risk of spam and phishing—when everyone works in channels, teams receive messages and files only from verified members. What’s more, all of Slack’s enterprise-grade security features and compliance standards extend to Slack Connect, including retention, support for data loss prevention and e-discovery and, soon, EKM.
Later this year, we’re also introducing a feature to help admins quickly vet external organizations before connecting, giving them the peace of mind that they’re working with trusted parties. All verified organizations will be identified with a badge, so admins approving external channels can determine at a glance whether a new organization is credible. The result? A faster, more secure process for setting up channels for admins and users alike.
As Slack Connect evolves, we’ll continue to invest in offerings that allow organizations to apply more of their security and compliance policies to the data they share with their external partners.
Meet industry and regional compliance standards with Slack
Slack is FedRAMP Moderate authorized
In April 2018, Slack met with the FedRAMP Program Management Office and, within six months, received FedRAMP Tailored authorization. While this certification was certainly a milestone, we were eager to reach the next level of security compliance.
With sponsorship from the U.S. Department of Veterans Affairs, we set out to become FedRAMP Moderate authorized. Our regulatory partners put our product to the test, with more than 300 rigorous security controls. On May 20, 2020, Slack achieved FedRAMP Agency Authority to Operate (ATO) at the Moderate impact level.
Slack’s FedRAMP Moderate authorization reflects our continued investment in and support for customers in the U.S. public sector. As more government agencies move to the cloud, IT administrators and security professionals can rest assured that Slack meets some of the most broadly recognized security standards and offers solutions to help public-sector teams address compliance requirements.
This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorized environment. All customers using Slack’s commercial offerings benefit from the heightened security measures required to achieve a FedRAMP Moderate authorization.
Slack’s FedRamp Moderate authorization is only one part of our security program. Slack also certifies its service with:
- ISO 27001
- ISO 27017
- ISO 27018
- SOC 2 Type 2
- SOC 3
- Cloud Security Alliance
Slack also helps its customers remain compliant with the General Data Protection Regulation (GDPR), the Financial Industry Regulatory Authority (FINRA) and the Health Insurance Portability and Accountability Act (HIPAA).
More options for storing your data in regions outside the U.S.
Millions of people collaborate in Slack each day, but because data is primarily stored in the U.S., many teams remain on the sidelines. To bridge this gap and make Slack available to more teams, we offer data residency for Slack.
Data residency gives global teams more control over where their data is stored. With data residency for Slack, you have the option to store your data at rest outside the U.S., including in Sydney, Frankfurt, Paris, Tokyo, London—and now Montreal.
Keep user groups separated with information barriers
While we’re all in favor of information sharing, there are times when admins need to control the flow for security and compliance purposes. For some businesses, it’s important to establish communication firewalls between groups or departments to avoid conflicts of interest or safeguard sensitive information.
Later this year, Slack will offer information barrier functionality. These barriers can be used by admins to prevent specific user groups from messaging or calling other user groups.
In practice, an investment bank could maintain one group in Slack for traders and another for investment bankers. The two groups could be configured so that they cannot communicate with each other but can still collaborate with others in the organization. This level of granular control allows admins to meet rules and regulations without blocking organization-wide collaboration.
Webinar: Enterprise-grade security at Slack
Join our chief security officer for an in-depth walkthrough of Slack's security and compliance offerings.Register now
Gain increased visibility and control over your data
Keep your data protected with Slack Enterprise Key Management
Slack Enterprise Key Management (EKM) provides peace of mind for the most security-conscious and regulated organizations. The feature allows you to manage your own encryption keys using Amazon Key Management Service (KMS), giving you increased control and visibility over your messages and files in Slack.
“Enterprise collaboration leaders rate encryption and support for enterprise key management as critical business requirements,” says Irwin Lazar, the VP and service director for Nemertes Research, a research and advisory firm. “Slack’s ability to protect enterprise data both inside the enterprise and within federated workspaces gives organizations the ability to ensure the security of their data, as well as to meet regulatory and compliance requirements.”
Our EKM solution is uniquely designed to maintain all of Slack’s features and performance, while allowing administrators to revoke key access as needed. This ensures that teams can continue working securely and interruption-free in Slack.
New enhancements to our EKM solution will give you more precise control over existing Slack tools and features, including:
- Workflow Builder (currently available): The visual tool that allows Slack users to automate routine tasks without any coding just got more secure. Organizations can use their own encryption keys to encrypt workflows and form data.
- Data residency (coming soon): Customers already have the option to choose where their data is stored at rest with data residency for Slack. Soon businesses will be able to choose where they want their encryption keys kept too.
- Slack Connect (coming soon): The communications environment that lets you have conversations with external partners, clients and vendors will have an added EKM option in the coming months. Messages and files sent by your organization in channels shared with external organizations will be encryptable using your own keys.
Get a bird’s-eye view of your data with the Splunk app for Slack
With the new Splunk app for Slack, you’ll gain operational insights into your Slack data so that you can uncover trends, monitor suspicious behavior and take action.
The out-of-the box integration leverages our Audit Logs API to bring Slack activity data directly into Splunk. Users can visualize the data in pre-built dashboards showcasing logins, file actions, apps installed, permissions, channel activity and admin actions. With this data at their fingertips, security and operations teams have the ability to flag suspect activity and make swift data-based decisions.
Keeping personal information private and business data safe with Microsoft Intune
The bring-your-own-device approach to workplace technology puts admins and security teams in a tricky spot: Employees prefer to keep personal information private, and admins have an obligation to keep corporate data secure. Although admins don’t manage an employee’s personal device, they need enough access to wipe sensitive data clean if, say, the employee’s personal device is lost or stolen.
Fortunately, there are solutions. Later this year, Slack will offer support for Microsoft Intune mobile application management (MAM). Intune allows users to access corporate data from their personal mobile devices, including iOS, Android and Windows, without having these devices directly managed by the organization. At the organizational level, Intune enables admins to control how data is protected within the applications installed on the mobile device.
With Slack’s support for Intune, users can access all the features they expect from Slack’s mobile app, while admins have the tools to prevent data leakage. Both Intune managed and unmanaged devices will be covered. Users will also be able to copy and paste data between other Intune managed and secured applications.
We’re committed to innovating faster to keep you secure
The way teams work has changed dramatically over the past few months. Before the pandemic, organizations were already looking for ways to optimize collaboration among different teams and offices. Now that trend has accelerated. Major workplace shifts, such as remote work, underscore the need for secure collaboration solutions.
As a purpose-built platform, we’re innovating faster than ever to meet your security needs. That means we’re relentless about eliminating the top security risks that come with email: spam and phishing. And we’re committed to meeting compliance requirements and adding security features to keep your systems, operations and information secure. The pace of change has picked up, and so have we: We’re here for our customers.