Did You Know Admins and End-Users Could Do These Four Things on Slack?
The messaging app known as “Slack” is going places. Forbes referred to it as the quickest growing software used by workplaces. The app’s daily users total towards the 6 million range, and is worth over $5 billion.
Although the app’s ability to minimize emails and increase collaborations have gotten a lot of attention, a number of Slack security incidents quietly made some headlines, too.
18F, a team of tech consultants inside the Gen. Services Admin team, shared several documents from their Google Drive account using Slack in 2016. Innocuous as it may sound, by linking those two apps, 18F exposed over 100 GSA accounts and Google Drive (and did so for six months).
Network World was inclined to say that it the fault leans more towards the employees than the technology, since they are usually unfamiliar with the system and are not at all experts in matters of compliance, regulations and security
In other words, it wasn’t the fault of the employees, and Slack wasn’t liable, either. SaaS remains fairly new, and most IT professionals haven’t encountered data protection problems like these before. There aren’t any best practices that exist for this industry quite yet. While SaaS apps provide end-users with plenty of control and freedom, they also allow them to do things IT professionals may not know about. Blind spots can ensue, which can be problematic if IT cannot access these areas.
The Slack app allows admins and end-users to see and do several things that may surprise you. Keep reading to discover four different blind spots to be mindful of:
Linking to Files Publicly Is Something End-Users Are Able to Do
An end-user has the ability to create a public link to any file of their choosing shared on the app.
When the link is created and made public, anybody online can access the file, as well as download it. It isn’t very hard for users to do. In fact, it can be done in about three clicks:
End-users may have good intentions for doing this (for instance, collaboration facilitation and Slack compliance protocols). However, they might be oblivious to the ramifications of such actions. If confidential or sensitive files can be publicly accessed, you’ll have a data exposure problem to deal with without even realizing it.
As far as this blind spot is concerned, if users create public links to files shared on Slack, is there any way to be notified about it? After all, there is no alert built into the software for this particular action. It makes you wonder just how many company files have been publicly linked to before. Was sensitive information leaked? The admin console on Slack wasn’t developed to provide such information, nor was it created for IT.
Quite precariously, this is a default setting. That means you will have to manually disable it on the app’s Settings/Permission page. If you don’t, users will be able to create links to private files that are publicly accessible.
A Lot of Power Can Be Given to an End-User by an Admin
Slack admins have the ability to provide end-users with much more power and control than they realize. This may be helpful (for instance, end-users will be able to handle administrative tasks without IT dependence, and they don’t need to be an admin to do so). However, Slack security risks will be posed if you aren’t mindful of those settings. Everybody in the app – as opposed to just users with specific roles or departments – would potentially have the ability to delete, modify, manage, and create things.
Let’s use user management as a “for instance.” Slack Workspace Owners and Admins, by default, can manage and create user groups. However, all admins have the power to change those types of settings through drop-down menus. By doing so, they can:
· Let everybody create, remove, and archive channel members.
· Let everybody (with the exception of guests) send Slack invitations to new members.
· Let everybody in the organization (with the exception of guests) disable, create, and modify user groups.
Review your settings by visiting the Settings/Permissions page. Ensure that you are content with provisions end-users currently have.
Admins Have the Ability to Do and See Much More Than You Realize, and Most of It Cannot Be Reversed
It is easy to grant admin roles to people on Slack and assign elevated privileges to them. This is actually helpful, as it minimizes administrative burdens on IT.
On average, enterprise customers of ours gave admin roles to over 50 users in their individual environments.
With that said, admins on Slack can do and see plenty of things you might be oblivious to. A lot of actions can’t be reversed. For instance, people with admin roles can do the following:
· Export files and messages on a workspace. Export options are contingent on the type of Slack plan you have.
· View files shared on public channels.
Grid Plan Options: Enterprise, Plus, Standard, and Free
Workspace Admins and Owners have the ability to download and export data on public channels, which includes file links and messages, no matter what plan they have.
Plus plan: access to an export tool can be requested by Owners, allowing them to download data from workspaces. This includes private and public channel content, as well as direct messages.
· Multi and single-channel guests can be invited to private channels.
This happens to be an IT blind spot. Are you aware of who each guest and external user is? Is data being accessed after such users are no longer under contract? 15% of mid-market Slack customers, on average, are multi-and single-channel guests.
· Promote another member as an Admin and/or Owner (in several instances, you will be able to demote them).
· Make public channels private (this can be reversed).
· Delete a channel (this cannot be reversed).
· Invite guests to all public channels.
It is prudent to keep admin numbers low. If nothing else, be mindful of everything an admin can see and do. Determine if existing Workspace admins really need such power.
Users Have the Ability to Install Slack Bots or Third-Party Applications That Request Numerous Permissions
Several apps that Slack integrates with will request permissions, some of which may seem excessive. It isn’t uncommon to come across questions such as the one below:
What makes this an issue? Third-party accessibility (like permissive bots and malicious apps) come with risks involving data exfiltration. As pointed out by Network World, not all third-party companies are great “stewards” as far as accessibility to data is concerned. Expecting users to know about technological risks associated with connecting technologies isn’t a sound strategy.
As an admin on Slack, you must be aware of third-party applications that users install, as well as the types of permissions those apps request. Obviously, this is one more blind spot to be mindful of.
Only Workspace Owners on Slack can:
· determine who approves integrations or apps,
· limit installations strictly to the ones listed in their App Directory, or
· approve specific apps members can install.
Are you content knowing that existing Owners have such permission levels?
Conclusion
Being aware of a platform’s blind spots or loopholes has to be a reason to take preventive measures before it’s too late.
Most of these issues come from the good intentions of software providers wanting to give more features without always calculating their risks.
Therefore, it is best to tackle issues like this with tools that can block, monitor and assign granular permissions for the sake of keeping businesses safe and compliant.
At AGAT Software, we have developed SphereShield for Slack. A complete suite of security and compliance tools for Slack that was engineered to provide real technical solutions to companies that understand the risk of Unified Communications Platforms like Slack.
