Security at Slack: How Slack Protects Your Data

Our number one value: Maintaining your trust. Learn how Slack keeps your organisation safe and productive.

Author: Kevin Clark, VP of Security at Slack, 30th October 2024

Slack is committed to providing a secure and reliable work operating system for organisations of all sizes. Our layered security approach, robust features, and commitment to compliance give information security and IT professionals the peace of mind they need to focus on their core business objectives, knowing that their data is protected.

Our white paper, “Security at Slack”, will help you stay up to date on how you can keep your data secure and compliant. This white paper offers a detailed look into how we maintain the security of Slack, along with security best practices for IT professionals. Read on for a quick rundown of what you’ll learn in the white paper.

Slack’s multi-layered security approach

Slack employs a multi-layered security approach in every aspect of our work operating system, from the underlying infrastructure to the features you and your employees love to use each day. Here’s a closer look at some of the security measures we have in place:

  • Encryption: Slack encrypts data both in transit, using TLS 1.2 protocols, and at rest, using FIPS 140-2 compliant encryption standards, ensuring that your data is protected from unauthorised access.
  • Network security: Slack restricts network access from public networks to the production environment and hardens the hosts therein according to industry standards.
  • Secure development: A robust Secure Development Lifecycle (SDLC) with code reviews, continuous integration testing, and a public bug bounty program is used to identify and mitigate potential vulnerabilities.
  • Access control: Multi-factor authentication is required for all administrative access, and access to privileged commands is restricted and logged.
  • System monitoring: Slack continuously monitors its infrastructure for suspicious activity, with all production logs securely stored and accessible only by authorised security personnel.
  • External audits: Independent third-party audits and penetration tests are conducted regularly to assess and continuously improve Slack’s security posture.

Ensuring companywide safety and compliance

Slack meets industry-leading security standards and has achieved numerous certifications and attestations to give customers peace of mind that Slack can help meet their compliance requirements.

[Image: List of all of Slack's compliance certifications and attestations]

[Image: List of all of Slack's industry regulations]

Reducing risk with Slack security features

Slack includes a robust set of security and data protection features that give you the control, visibility, and flexibility you need to protect your data with confidence, without compromising agility. These features include:

Identity and device management

Data protection

  • Enterprise Key Management (EKM) is an additional layer of protection available to our Enterprise Grid customers, providing enhanced control over encryption keys.
  • Data Loss Prevention (DLP) in Enterprise Grid as well as integrations with leading third-party DLP solutions can be used to prevent sensitive data from being shared in or leaving Slack.
  • Audit logs provide insights into user activity and potential security events.
  • Anomaly events are a special part of the Audit Logs API that help surface unexpected app and user behaviors that may be considered risky in your environment. The Audit Logs API allows easy integration with leading security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools so security teams can recognise indicators of compromise and quickly take action.

Information governance

  • Data retention policies and eDiscovery capabilities help you meet regulatory and legal requirements.
  • Customisable terms of service (TOS) ensure that users understand and adhere to your organisation’s security policies.

Slack AI: Secure by design

  • Slack AI, Slack’s generative AI capability, is built with a security-first mindset. Slack AI uses self-hosted large language models (LLMs) that sit within a secure virtual private cloud (VPC) to ensure that your data never leaves Slack and cannot be used to train external models.
  • Slack AI uses retrieval-augmented generation (RAG) to append relevant Slack data to a prompt before running it through LLMs. This helps improve the quality of the LLM output without requiring additional training with customer data. RAG minimises hallucinations and allows the model to cite sources, a key tenet of our transparent design.

Proactive security measures

Slack also provides you with tools and resources to help you lead the way with proactive security measures at your organisation. You can:

  • Activate and integrate Slack’s Audit Logs API with your security tools
  • Set up two-factor authentication for all users
  • If your company uses an identity provider, consider upgrading and configuring single sign-on for Slack
  • Engage with the Salesforce Trailblazer community for more security resources and hands-on training that can further strengthen your security posture and minimise risks.
  • Take advantage of Slack Professional Services. We’ll work with you to assess your current security posture and workspace design, provide actionable recommendations for how you can better protect your Slack environment, and help you execute on the remediation plan.

Our number one value is maintaining your trust

At Slack, our number one value is maintaining your trust, and we are committed to providing a reliable, secure platform to help make your teams more productive. To learn more about Slack’s security features and best practices, download our new white paper, ‘Security at Slack,’ and talk to the Slack team.
