Slack as a product is constantly expanding with new functionality and integrations. Slack Connect is among the most popular new features Slack introduced in the past year and is growing in popularity because it’s an easy way to stay connected with people you work with outside your organization — in real time with all the features that Slack offers.
As new improvements or upgrades for Slack are released, data security and compliance should be a top concern for your teams. Slack Connect can increase productivity and promote communication between your internal and external teams, but without proper guardrails to protect sensitive information from exposure, you could be adding risk to your Slack instance through Slack Connect as well.
Let’s take a closer look at the unique challenges that Slack Connect can pose to an organization, with an overview of where risk can come from and a quick guide on how to secure data.
Uncovering the potential security dangers of Slack Connect
Hosting users from outside your organization isn't new for Slack. Guest accounts let anyone working with your teams join the conversation, but the guest option is limited and adds maintenance work: guests can only DM members of the channel(s) they belong to, and your admins must provision each guest account by hand. In a Slack Connect channel, members can DM or group-DM anyone else in the shared channel, and once the channel exists, each side can invite more people from its own workspace as the project evolves and additional people need access.
In effect, Slack Connect gives anyone you add from outside your organization the same Slack functionality your own team has. That is where the security risk begins: any sensitive data already sitting in your workspace, whether in messages, files or channel history, is now exposed to another organization as well unless you have protection in place.
You may have file-sharing policies written into company handbooks or covered in cybersecurity training sessions, but have you trained external users on those same rules? If not, Slack Connect introduces a whole new set of risk factors. Watch the video below for a deeper look at these risks.
Compliance is a compelling data loss prevention (DLP) use case for Slack Connect
Communicating securely with third-party vendors and other external stakeholders is a new challenge for Slack Connect users. Compliance is one of the most important aspects of data security for SaaS apps, Slack included. Which regimes apply to your organization depends on factors such as your industry, the types of information you handle, and where you and your customers are located.
Here are a few of the most common compliance regimes and standards along with the types of data you’ll need to protect for each one:
- HIPAA: protected health information (PHI)
- PCI DSS: cardholder data, chiefly primary account numbers (PANs), plus sensitive authentication data such as CVV codes and PINs
- SOC 2: any data type can fall under this standard; SOC 2 evaluates the security, availability, processing integrity, confidentiality, and privacy of the systems a service organization uses to process customer data
- Gramm-Leach-Bliley Act (GLBA): nonpublic personal information (NPI) about consumers held by financial institutions, such as account numbers and transaction histories
- Sarbanes-Oxley Act (SOX): financial records and reporting data, together with the internal controls that protect their integrity; this is a data-integrity and access-control obligation rather than a PII one
Additionally, companies aligning with frameworks like NIST, ISO 27001, and HITRUST must also meet a range of data security controls when using features like Slack Connect. A data classification and cloud data protection solution like Nightfall can help manage that risk with automated scanning and machine learning trained detectors tuned to the information you must protect.
Nightfall for Slack Connect: Compliance done right
Current Slack Connect users can build on the security standards that the Slack platform provides by integrating Nightfall into Slack. Nightfall is the only cloud-native DLP platform that secures sensitive information in Slack with specific features for Slack Connect.
Here are a few ways you can shore up your compliance requirements with Nightfall for Slack Connect:
- Filter policies by Slack Connect channels to find sensitive data that needs protecting and policy violations that need resolving according to your specific compliance requirements.
- Create an external sharing policy for your Slack Connect channels. You can configure each rule set separately and run multiple policies at once for finer control over your Slack environment.
- Gain visibility into what's in your Slack Connect channels. Do you know which organizations are connected to yours through Slack Connect? Without a wider view into your Slack Connect messages, your attack surface can grow unchecked, which becomes a real problem for standards like SOC 2.
- Prove you have the right compliance in place for audits. Some compliance regimes have open-ended requirements for passing audits. Implementing a DLP solution is a fast and easy step toward ensuring compliance requirements are met.
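As an added illustration of the scoping described in the list above (filtering detection to Slack Connect channels and reporting who is on the other side), here is a minimal scan in Python. It is example code written for this page, not Nightfall's or Slack's. It assumes channel records shaped like Slack's `conversations.list` response, where the `is_ext_shared` flag marks a channel shared with another organization through Slack Connect and `connected_team_ids` lists the external workspaces, and it uses constructed messages rather than real traffic. The detectors are a Luhn-validated card-number pattern and a US SSN pattern, standing in for the trained detectors the text mentions.

```python
import re

# Constructed sample: three channels in the shape of a Slack conversations.list
# response (only the fields this example uses). is_ext_shared marks Slack Connect.
CHANNELS = [
    {"id": "C01", "name": "internal-finance", "is_ext_shared": False},
    {"id": "C02", "name": "acme-vendor-shared", "is_ext_shared": True,
     "connected_team_ids": ["T0ACME"]},
    {"id": "C03", "name": "partner-support", "is_ext_shared": True,
     "connected_team_ids": ["T0PART"]},
]

# Constructed sample messages keyed by channel id (not real traffic).
MESSAGES = {
    "C01": [{"user": "U1", "ts": "1.0", "text": "Card on file: 4111 1111 1111 1111"}],
    "C02": [
        {"user": "U2", "ts": "2.0", "text": "Please bill 4111-1111-1111-1111, exp 12/25"},
        {"user": "U3", "ts": "2.1", "text": "Order #1234567890123456 shipped"},  # fails Luhn
    ],
    "C03": [{"user": "U4", "ts": "3.0", "text": "Patient SSN 123-45-6789 for the claim"}],
}

# 13 to 19 digits with optional single space/dash separators between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most order numbers and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(match: str) -> str:
    """Mask every digit except the last four so findings are safe to log."""
    out, seen = [], 0
    for ch in reversed(match):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def external_channels(channels):
    """Keep only channels shared with another organization via Slack Connect."""
    return [c for c in channels if c.get("is_ext_shared")]


def detect(text: str):
    """Return (detector_name, matched_text) pairs found in one message."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("CREDIT_CARD", m.group(0)))
    for m in SSN_RE.finditer(text):
        findings.append(("US_SSN", m.group(0)))
    return findings


def scan_external(channels, messages):
    """Run the detectors only over messages in Slack Connect channels and record
    which external workspaces could see each finding."""
    results = []
    for ch in external_channels(channels):
        for msg in messages.get(ch["id"], []):
            for detector, match in detect(msg["text"]):
                results.append({
                    "channel": ch["name"],
                    "external_teams": ch.get("connected_team_ids", []),
                    "user": msg["user"],
                    "ts": msg["ts"],
                    "detector": detector,
                    "match": redact(match),
                })
    return results


if __name__ == "__main__":
    for finding in scan_external(CHANNELS, MESSAGES):
        print(finding)
```

The internal channel also contains a card number, but it never appears in the output because the policy is scoped to `is_ext_shared` channels; the 16-digit order number in the vendor channel is dropped by the Luhn check. In a real deployment the channel list and messages would come from the Slack Web API, and the `external_teams` field is what answers the "who is connected to us" question for an auditor.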
“Flatfile has been on a path of gaining compliances in many different fields this year. We're in the middle of completing our SOC 2 Type 1 and Type 2. We're looking to get ISO 27001. We have HIPAA. PCI Level One is coming up. Eventually, we need FedRAMP. A lot of these require a strong DLP solution. We engage Nightfall as a preparation for all of those compliance qualifications.”
— Robbie Trencheny, Head of Infrastructure at Flatfile
Talk to us about securing Slack Connect with Nightfall. Our detectors help you classify and protect data according to your industry and compliance needs. Get started by scheduling a demo with our sales team below.