Security At Slack


Introduction

Slack’s mission is to make people’s working lives simpler, more pleasant, and more productive. We believe that we need to make your data secure, and that protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.

Organizational Security

Slack’s industry-leading security program is based on the concept of defense in depth: securing our organization, and your data, at every layer. Our security program is aligned with ISO 27000, AICPA Trust Service Principles, and NIST standards, and is constantly evolving with updated guidance and new industry best practices. You can see all our certificates here.

Slack’s security team, led by our Chief Security Officer (CSO), is responsible for the implementation and management of our security program. The CSO is supported by the members of Slack’s Security Team, who focus on Security Architecture, Product Security, Security Engineering and Operations, Detection and Response, and Risk and Compliance.

Protecting Customer Data

The focus of Slack’s security program is to prevent unauthorized access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across the company, takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.

Secure By Design

Slack’s product security team has built a robust secure development lifecycle, which primarily leverages our open-sourced tool: goSDL. You can read more about this process in-depth in our blog post here. While we strive to catch all vulnerabilities in the design and testing phases, we realize that sometimes mistakes happen. With this in mind, we have created a public bug bounty program (located here) to facilitate responsible disclosure of potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.

Encryption

Data in transit

All data transmitted between Slack clients and the Slack service is protected using strong encryption protocols. Slack supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.

Data at rest

Data at rest in Slack’s production network is encrypted using FIPS 140-2 compliant encryption standards, which apply to all types of data at rest within Slack’s systems—relational databases, file stores, database backups, etc. All encryption keys are stored in a secure server on a segregated network with very limited access. Slack has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Each Slack customer’s data is hosted in our shared infrastructure and logically separated from other customers’ data. We use a combination of storage technologies to ensure customer data is protected from hardware failures and is returned quickly when requested. The Slack service is hosted in data centers maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure that comprise the Slack operating environment.

Network Security and Server Hardening

Slack divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Slack’s production infrastructure. All servers within our production fleet are hardened (e.g. disabling unnecessary ports, removing default passwords, etc.) and have a base configuration image applied to ensure consistency across the environment.

Network access to Slack’s production environment from open, public networks (the Internet) is restricted, with only a small number of production servers accessible from the Internet. Only those network protocols essential for delivery of Slack’s service to its users are open at our perimeter, and there are mitigations against distributed denial of service (DDoS) attacks deployed at the network perimeter. Additionally, for host-based intrusion detection and prevention activities, Slack logs, monitors, and audits all system calls and has alerting in place for system calls that indicate a potential intrusion.

Endpoint Security

All workstations issued to Slack personnel are configured by Slack to comply with our standards for security. These standards require all workstations to be properly configured, updated, and tracked and monitored by Slack’s endpoint management solutions. Slack’s default configuration sets up workstations to encrypt data at rest, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware, unauthorized software, and mobile storage devices. Mobile devices that are used to engage in company business are required to be enrolled in the appropriate mobile device management system, to ensure they meet Slack’s security standards.

Access Control

Provisioning

To minimize the risk of data exposure, Slack adheres to the principles of least privilege and role-based permissions when provisioning access—workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly.

Authentication

To further reduce the risk of unauthorized access to data, Slack employs multi-factor authentication for all access to systems with highly classified data, including our production environment, which houses our customer data. Where possible and appropriate, Slack uses private keys for authentication, in addition to the previously mentioned multi-factor authentication on a separate device.

Password Management

Slack requires personnel to use an approved password manager. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks.

System Monitoring, Logging, and Alerting

Slack monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in Slack’s production network are logged and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. All production logs are stored in a separate network that is restricted to only the relevant security personnel.

Data Retention and Disposal

Customer data is removed immediately upon deletion by the end user or upon expiration of message retention as configured by the customer administrator. Slack hard deletes all information from currently running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs) and backups are destroyed within 14 days.

Slack’s hosting providers are responsible for ensuring removal of data from disks is performed in a responsible manner before they are repurposed.

Disaster Recovery and Business Continuity Plan

Slack utilizes services deployed by its hosting provider to distribute production operations across four separate physical locations. These four locations are within one geographic region, but protect Slack’s service from loss of connectivity, power infrastructure, and other common location-specific failures. Production transactions are replicated among these discrete operating environments to protect the availability of Slack’s service in the event of a location-specific catastrophic event. Slack also retains a full backup copy of production data in a remote location significantly distant from the location of the primary operating environment. Full backups are saved to this remote location at least once per day and transactions are saved continuously. Slack tests backups at least quarterly to ensure they can be successfully restored.

Responding to Security Incidents

Slack has established policies and procedures (also known as runbooks) for responding to potential security incidents. All security incidents are managed by Slack’s dedicated Detection and Response Team. The runbooks define the types of events that must be managed via the incident response process and classify them based on severity. In the event of an incident, affected customers will be informed via email from our customer experience team. Incident response procedures are tested and updated at least annually.

Vendor Management

To run efficiently, Slack relies on sub-service organizations. Where those sub-service organizations may impact the security of Slack’s production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made to users. Slack monitors the effective operation of the organization’s safeguards by conducting reviews of all service organizations’ controls before use and at least annually. Please view our sub-service organizations here.

External Validation

Security Compliance Audits

Slack is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Slack’s internal risk and compliance team. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner. Please view our suite of certificates here.

Penetration Testing

In addition to our compliance audits, Slack engages independent entities to conduct application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their account executive.

Customer Driven Audits and Penetration Tests

Our customers are welcome to perform either security controls assessments or penetration testing on Slack’s environment. Please contact your account executive to learn about options for scheduling either of these activities.

Conclusion

We have an existential interest in protecting your data. Every person, team, and organization deserves and expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we continue to work hard to maintain that trust. Please contact your account executive if you have any questions or concerns.
