Date: 2020-10-16

Since more than half of the CAC40 companies are Slack customers, data security plays a central role, at least when it comes to industrial espionage.

ISO/IEC 27001 for information security management systems, ISO/IEC 27017 for security controls for the administration and use of cloud services, ISO/IEC 27018 for the protection of personal information, Cloud Security Alliance, operational and compliance controls … Slack doesn’t skimp on international standards to demonstrate its security expertise.

By default, Slack encrypts data for all customers, whether it is being transferred or stored. Depending on the plan, protection can be increased. This is the case with the Enterprise Grid package, which enables personalized data encryption using the customer’s own keys.

Data storage in Europe is not systematic

Slack data is hosted on Amazon’s AWS cloud. Of course, all data hosted on AWS is encrypted. If Amazon wanted to consult it, it would have to decrypt it first, which would be complex but not impossible. However, viewing the data would be absolutely not in the interests of Jeff Bezos’ company, which sells the guarantee of data protection through its cloud service.

An Enterprise Grid or Plus plan is required to choose where to store the data. In addition, it is the customer’s responsibility to submit the data residency configuration request to the sales department. Without this request, the data is automatically hosted in the US. If a customer wishes to change their data storage location, only new data will be hosted in the selected region. Existing data will remain in the USA.

A Slack-controlled data migration option and a new additional security program are expected to hit the market in 2021. This program should enable an ergonomic visualization of the security of the application.

Loosen up as close as possible to your customer

Slack offers certifications for implementing and developing applications within its platform. In general, Slack certifications are designed to help companies operate efficiently. In particular, they enable the functions and parameters of Slack to be adapted to defined requirements. Slack also assists its customers in developing their applications to be integrated into its messaging service. These paid certifications can be obtained from any country and therefore from France.

In May 2020, Slack made a seemingly innocuous change to uploaded photos – location metadata was removed. However, the goal is easy to understand. If the location metadata is no longer available, it can no longer be transferred. So if a Slack customer is investigated and the police or other entity requests access to the data, Slack can respond in good faith with “no”. This vision of security is meant to be very reassuring to customers, but it does raise serious questions about the sovereignty of the institutions.

The challenge of ensuring security while offering application integration

All requests for Slack must meet the messaging company’s terms. Third-party applications only access data sent in Slack when they need to work. To ensure good data security, every app in the Slack Store is subjected to a basic evaluation. This includes, among other things, a careful reading of the general terms and conditions and a security review of the program. The WebSocket protocol also enables an organization to bypass firewalls for secure application integration. Thanks to an API, anyone can use Socket Mode.

On the other hand, Slack occasionally runs “security tests” to more thoroughly control the security of an application. “Not all applications are tested, only the riskiest ones,” said Larkin Ryder, Slack chief security officer. Security tests particularly affect applications that read data; a weather application, for example, is not a priority for this control.

Some apps in the Slack Store can be used to improve security instead. In an article, Le Monde Informatique recommends 10 security applications for Slack. The Avanan application is particularly effective against malware. Avanan filters URLs and blocks content from a website that violates Slack’s guidelines. In terms of privacy, the same article recommends McAfee Skyhigh for Slack. The CEO of Slack doesn’t recommend a specific application; she believes that “it really matters [on the needs]”.