The New Way of Corporate Communication
Although email still dominates communication between organizations, the tides have turned for internal communication in many companies. Whether it is Slack, Microsoft Teams, HipChat, Discord, or some other SaaS communication tool, odds are that some sort of SaaS chat tool is in use in most organizations. Slack was one of the first to bring SaaS-based IM/collaboration to the enterprise world. Instant Messaging (IM) has become the primary form of correspondence in many companies. An IDC research paper sponsored by Slack claims, on average, a 32% reduction in emails and a 23% reduction in meetings among its users. With time savings like these, it is quite clear why IM collaboration platforms are embraced by companies of all sizes.
With the introduction of this convenient mechanism to share anything from random thoughts to GIFs to sensitive documents, the potential for data loss and exposure has grown exponentially. While Slack has done a good job of obtaining many compliance certifications and regulations they still adhere to the shared responsibility model, like other SaaS providers.
The shared responsibility model translates to something like this: Slack will handle the physical security of the data centers, infrastructure that the software runs on, and the software itself — but the subscribing organization is responsible for their users and the data they place in Slack.
While this sounds simple, it is anything but simple without the right tools. A few scenarios that an organization’s InfoSec team now has to worry about are:
- Users now can access data placed in any channel they have access to, on any device (desktop, web, mobile, home, kiosk, etc), from anywhere. Slack has no restrictions on access.
- Users can install the Slack app on their personal computer or access via the web, and can download any file containing corporate intellectual property to a personal device.
- Users can access all of their data from anywhere on any machine (for example, a hotel kiosk PC) that could be riddled with malware.
- With paid versions of Slack, users can invite guests, who can see any data posted in external channels.
Even though Slack is providing a secure platform, corporate data and compliance regarding that data is still a concern and a risk for the organization.
The Need for Security on Slack and How CASB+ Can Help
Risk with data on Slack needs to be addressed, and many organizations do not consider this when they implement Slack. Following is a description of some common risks, along with how a Cloud Access Security Broker (CASB) can help reduce the overall risk.
Users online tend to be more chatty than in real life or via email. Given Slack’s responsive interface and users’ ability to converse with a wide variety of users, messages tend to become more conversational than they would be over other means. This tendency could lead to employees oversharing or posting proprietary and confidential information to a channel. Many employees forget that they are on a cloud service and that topics they should not be discussing are being put on the cloud.
Many organizations have not educated their user base about the importance of not disclosing sensitive information via chat. Employees might believe they are being helpful to their colleagues by quickly sending them a document or posting something to a channel, without giving a second thought to what they are disclosing. Many are also still under the impression that the chats they post using tools like Lync, Jabber, or Skype for Business remain in the organization.
While IM technologies are not new by any means, the persistent nature of conversations and data shared in channels brings new concerns to information security teams. A user can easily drop any file, link, or data into a channel. Everyone in that channel can see this data until the message retention time is reached.
Previously, exposure of user email with sensitive data was limited to the recipients. The ability to invite guests from outside the organization to channels enables those guests to have access to the sensitive data.
How Did This Get Here?
Slack often comes into an organization through a grassroots movement without IT sanctioning it. This has happened at the organizations of multiple CISOs we have spoken to. Because Slack is available in a free version, a user can start a workspace and invite as many people as they like. Once employees learn how easy Slack is to use and that it can be accessed from anywhere, its use can spread through an organization quickly. Often, Slack comes into an organization from users looking for a platform that works for them.
Skype for Business and Lync clients are known to crash on Mac computers, so organizations who have Macs but are Microsoft based might not appreciate that once users get a taste for instant messaging and it doesn’t work, they will find something that does work. This is exactly what happened at one organization we spoke with. Two of their departments were heavy Mac users. The Macs were issued by the company, but they used Skype for Business as the corporate standard. Users in these departments were tired of tools that did not function all the time, so they got a free version of Slack and moved their departments to it, all while IT was unaware. One team member let IT know what was happening, and the organization purchased Slack licenses to use some of the advanced features. However, this process took almost a year, during which there were no controls or policies on anything that went on in Slack.
Thousands of Apps to See Your Data!
One of the powers of Slack is the ability to integrate apps and bots into your workspace. There are apps and bots to do just about any sort of automation or fun you can think of, from Giphy to Salesforce to ServiceNow to GDrive to replying to messages as a famous person. Once Slack takes hold in an organization, the power to perform a large number of tasks without leaving the application can be a huge timesaver. Slack has done a good job of creating APIs and SDKs so that creating bots and apps can be completed in minutes rather than days.
While the workflow automation and time savings are a boon for employees, they do not come free of risk. Once a new app or bot is added to a channel, it has the potential to access all of the messages in that channel. Although it will respond only when it is called upon, that does not stop a bot writer from retaining all of those messages. Chat by loose-lipped employees about corporate goings-on could be seen by outsiders. While reputable companies that release apps and bots to further use of their own platforms are likely not storing those messages, not all bots out there are so polite and on the up and up. An organization should have a process for regular review of all app and bot integrations.
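As an added illustration (not code from CipherCloud or Slack), here is the kind of review script a security team could run over an export of its workspace's installed apps: it weights each integration by the Slack OAuth scopes it holds, the channels it sits in and who published it, so the bots that can read the most sensitive conversations surface first. The inventory, channel-name conventions and risk weights are constructed for the example; the scope names are taken from Slack's published OAuth scope list.

```python
"""Rank Slack app/bot integrations by the message-access risk their scopes
imply, so a reviewer knows which to look at first. Added example, not
CipherCloud's or Slack's code: the inventory, sensitive-channel prefixes and
weights are constructed; the scope names are real Slack OAuth scopes."""
from dataclasses import dataclass

# Scopes that let an app read message or file content (weights are ours).
MESSAGE_READ_SCOPES = {
    "channels:history": 3,   # messages in public channels the app is in
    "groups:history": 4,     # messages in private channels the app is in
    "im:history": 4,         # direct messages with the app
    "mpim:history": 4,       # group direct messages with the app
    "files:read": 3,         # file metadata and downloads
}
# Scopes that widen reach or expose directory data rather than content.
BROAD_READ_SCOPES = {"channels:read": 1, "users:read.email": 2, "search:read": 3}

# Constructed naming convention: channels whose names start this way hold
# confidential discussion.
SENSITIVE_CHANNEL_PREFIXES = ("finance", "legal", "hr", "exec", "incident")


@dataclass
class Integration:
    name: str
    publisher: str        # "verified" marketplace vendor or "custom"/unknown
    scopes: list
    channels: list        # channels the app has been added to
    last_used_days: int   # days since the app last called the API


def score_integration(app: Integration) -> dict:
    """Additive risk score plus the reasons behind it, for the reviewer."""
    score, reasons = 0, []
    for scope in app.scopes:
        weight = MESSAGE_READ_SCOPES.get(scope) or BROAD_READ_SCOPES.get(scope)
        if weight:
            score += weight
            reasons.append(f"scope {scope} (+{weight})")
    reads_messages = any(s in MESSAGE_READ_SCOPES for s in app.scopes)
    sensitive = [c for c in app.channels
                 if c.lstrip("#").startswith(SENSITIVE_CHANNEL_PREFIXES)]
    if reads_messages and sensitive:
        bump = 5 * len(sensitive)
        score += bump
        reasons.append(f"reads messages in sensitive channels {sensitive} (+{bump})")
    if app.publisher != "verified":
        score += 3
        reasons.append("publisher is not a verified marketplace vendor (+3)")
    if app.last_used_days > 90 and score > 0:
        score += 2
        reasons.append(f"dormant for {app.last_used_days} days but still authorised (+2)")
    return {"name": app.name, "score": score, "reasons": reasons}


def review_integrations(apps):
    """Highest-risk integrations first."""
    return sorted((score_integration(a) for a in apps), key=lambda r: -r["score"])


# Constructed inventory of what an export of installed apps might contain.
SAMPLE_INVENTORY = [
    Integration("Giphy", "verified", ["commands", "chat:write"], ["#random", "#general"], 1),
    Integration("standup-bot", "custom", ["channels:history", "groups:history", "chat:write"],
                ["#eng", "#finance-close"], 3),
    Integration("old-exporter", "custom", ["files:read", "channels:read"], ["#general"], 200),
]

if __name__ == "__main__":
    for row in review_integrations(SAMPLE_INVENTORY):
        print(f"{row['score']:3d}  {row['name']:<14} {'; '.join(row['reasons'])}")
```

Scores are deliberately coarse: the point is a stable ordering for a recurring review, with the reasons printed next to each app so the reviewer can revoke, re-scope or accept each one on the record.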
Gaining an understanding of when and where your users are accessing Slack can be eye opening for an organization. As with all other SaaS offerings, it is good practice to monitor activities with a User and Entity Behavior Analytics (UEBA) platform to get a picture of what good looks like, and to create policies to spot insider threats and hijacked accounts. By leveraging a CASB, all user activity, from login to file uploads to message deletes, is now available to the organization. Gathering this information can not only feed the UEBA but also help spot anomalous activity and provide additional insights into negligent users.
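The baseline-and-deviation logic a UEBA applies to this kind of activity, as an added example (not CipherCloud's code; the event records are constructed, with our own field names rather than Slack's audit-log schema): it learns each user's login countries and normal download volume from earlier days, then flags a login from a new country, a download burst and a run of message deletions on the day under review.

```python
"""Baseline-and-deviation checks over Slack-style user activity, the kind of
signal a UEBA consumes. Added example, not CipherCloud's CASB+ or Slack's
audit log: the event feed below is constructed and its field names are our
own, not Slack's schema."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed feed: (ISO timestamp, user, action, detail). Baseline days first.
EVENTS = [
    ("2019-12-02T09:01:00", "alice", "user_login", "US"),
    ("2019-12-02T09:05:00", "alice", "file_downloaded", "q4-forecast.xlsx"),
    ("2019-12-03T09:02:00", "alice", "user_login", "US"),
    ("2019-12-03T10:00:00", "alice", "file_downloaded", "roadmap.pdf"),
    ("2019-12-04T08:58:00", "alice", "user_login", "US"),
    ("2019-12-02T09:30:00", "bob", "user_login", "US"),
    ("2019-12-03T09:31:00", "bob", "user_login", "US"),
    # Day under review: a login from a new country, then a download burst and
    # a run of message deletions, all on one account.
    ("2019-12-05T03:14:00", "alice", "user_login", "RO"),
    ("2019-12-05T09:00:00", "bob", "user_login", "US"),
]
EVENTS += [(f"2019-12-05T03:{15 + i:02d}:00", "alice", "file_downloaded", f"doc{i}.pdf")
           for i in range(6)]
EVENTS += [(f"2019-12-05T03:{30 + i:02d}:00", "alice", "message_deleted", "C-finance")
           for i in range(12)]


def build_baseline(events, before):
    """Per user: login countries seen and the busiest download day before `before`."""
    cutoff = datetime.fromisoformat(before)
    countries = defaultdict(set)
    downloads = defaultdict(Counter)          # user -> Counter(day -> downloads)
    for ts, user, action, detail in events:
        if datetime.fromisoformat(ts) >= cutoff:
            continue
        if action == "user_login":
            countries[user].add(detail)
        elif action == "file_downloaded":
            downloads[user][ts[:10]] += 1
    return {u: {"countries": countries[u],
                "max_daily_downloads": max(downloads[u].values(), default=0)}
            for u in set(countries) | set(downloads)}


def burst(recent, user, action, window):
    """Largest count of `action` by `user` that falls inside any `window`-long span."""
    times = sorted(t for t, u, a, _ in recent if u == user and a == action)
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best


def detect(events, baseline, since, window_minutes=15, delete_threshold=10):
    """Return (user, alert_kind, detail) tuples for deviations from the baseline."""
    cutoff = datetime.fromisoformat(since)
    window = timedelta(minutes=window_minutes)
    recent = sorted((datetime.fromisoformat(ts), u, a, d) for ts, u, a, d in events
                    if datetime.fromisoformat(ts) >= cutoff)
    empty = {"countries": set(), "max_daily_downloads": 0}
    alerts = []
    for t, user, action, detail in recent:
        base = baseline.get(user, empty)
        if action == "user_login" and detail not in base["countries"]:
            alerts.append((user, "login_from_new_country",
                           f"{detail} at {t.isoformat()}; baseline {sorted(base['countries'])}"))
    for user in sorted({u for _, u, _, _ in recent}):
        base = baseline.get(user, empty)
        # A burst is suspicious when it dwarfs the user's busiest normal day.
        dl = burst(recent, user, "file_downloaded", window)
        if dl >= max(3, 2 * base["max_daily_downloads"]):
            alerts.append((user, "download_burst", f"{dl} downloads within {window_minutes} min"))
        de = burst(recent, user, "message_deleted", window)
        if de >= delete_threshold:
            alerts.append((user, "mass_message_delete", f"{de} deletions within {window_minutes} min"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(EVENTS, "2019-12-05T00:00:00")
    for user, kind, detail in detect(EVENTS, baseline, "2019-12-05T00:00:00"):
        print(f"{user}: {kind}: {detail}")
```

The three alerts on one account in one night are exactly the combination a SOC wants correlated rather than reviewed as separate events, which is why the text recommends forwarding this feed to the UEBA rather than reading it in the CASB console alone.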
How CASB+ Can Help
Protect the Data
To address the risks posed by loose lips and bigger audiences, CASB+ can be implemented in either inline or API mode, and drastically minimize these risks. With CASB+ and the native DLP engine, organizations can detect sensitive and confidential messages posted to any channel on Slack. Once identified, messages can be removed or masked to protect the organization from accidental data exposure.
In addition to protecting messages in channels, the same protections can be applied to any file sent to a channel. For sensitive data, CASB+ can encrypt and apply DRM to the file to ensure that only those who are authorized to view the data can access it. If your organization uses Microsoft AIP, CASB+ can apply AIP protections to documents loaded in Slack.
CipherCloud is shipped with native DRM functionality, which does not require an additional license from another vendor, unlike others in the space. This encryption and DRM is applied to the file right in the Slack channel. CASB+ does not house your data — it always remains with you. CipherCloud takes a strong position about not retaining any of your data, which can extend the scope of an organization’s regulations to include the SaaS offerings.
If encryption or DRM are not required for files, CASB+ can delete the file, apply a watermark, tombstone, or quarantine action, or simply allow the file and log the violation. As with all actions, CASB+ can send a notification to the user for coaching or to anyone else in the organization to notify them of the violation.
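An added example of the detect-then-act loop described above, covering both messages and files. It is not CipherCloud's DLP engine; the detectors (Luhn-validated card numbers, the US SSN format, the AWS access key ID format), the policy table, the sample events and the notification wording are all constructed for the illustration.

```python
"""A minimal DLP pass over Slack-style messages and file uploads: detect
sensitive content, pick a policy action (mask, remove, quarantine, allow and
log) and draft a coaching notification. Added example, not CipherCloud's
CASB+ DLP engine; detectors, policy table, sample events and notification
text are all constructed."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch)
        if double:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
        double = not double
    return total % 10 == 0


# detector -> (pattern, validator). AKIA + 16 chars is the documented shape
# of an AWS access key ID; the card pattern allows space or dash separators.
DETECTORS = {
    "credit_card": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
                    lambda m: luhn_ok(re.sub(r"\D", "", m.group()))),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), lambda m: True),
}

# Constructed policy: detector -> (action for messages, action for files)
POLICY = {
    "credit_card": ("mask", "quarantine"),
    "us_ssn": ("mask", "quarantine"),
    "aws_access_key_id": ("remove", "quarantine"),
}
SEVERITY = ("remove", "quarantine", "mask", "allow_and_log")   # strictest first
PAST_TENSE = {"remove": "removed", "quarantine": "quarantined",
              "mask": "masked", "allow_and_log": "allowed and logged"}


def scan(text):
    """Return (kind, start, end) for every validated detector hit."""
    return [(kind, m.start(), m.end())
            for kind, (pattern, valid) in DETECTORS.items()
            for m in pattern.finditer(text) if valid(m)]


def mask(text, findings):
    """Replace each hit with asterisks, keeping its last four characters."""
    for _, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
        text = text[:start] + "*" * (end - start - 4) + text[end - 4:]
    return text


def enforce(event):
    """Apply POLICY to one message or file event and return the decision."""
    body = event["text"] if event["type"] == "message" else event["content"]
    findings = scan(body)
    if not findings:
        return {"action": "allow", "findings": [], "text": body, "notify": None}
    column = 0 if event["type"] == "message" else 1
    wanted = {POLICY[kind][column] for kind, _, _ in findings}
    action = next(a for a in SEVERITY if a in wanted)   # strictest action wins
    kinds = ", ".join(sorted({k for k, _, _ in findings}))
    notify = (f"{event['user']}: your {event['type']} in {event['channel']} contained "
              f"{kinds} and was {PAST_TENSE[action]}. Please use the approved "
              f"channel for sensitive data.")
    return {"action": action, "findings": findings,
            "text": mask(body, findings) if action == "mask" else None,
            "notify": notify}


# Constructed events; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE_EVENTS = [
    {"type": "message", "user": "alice", "channel": "#support",
     "text": "Customer card is 4111 1111 1111 1111, expiry next year"},
    {"type": "message", "user": "bob", "channel": "#eng",
     "text": "ticket 1234567890123 is still open"},
    {"type": "message", "user": "carol", "channel": "#eng",
     "text": "use AKIAIOSFODNN7EXAMPLE for the test bucket"},
    {"type": "file", "user": "dave", "channel": "#hr", "name": "new-hires.csv",
     "content": "name,ssn\nJ. Doe,123-45-6789\n"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        decision = enforce(ev)
        print(decision["action"], "|", decision["text"], "|", decision["notify"])
```

The Luhn check is what keeps the 13-digit ticket number in the second message from being masked: pattern-only detectors generate exactly the false positives that make users route around a DLP control.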
Understand Who is Using Slack
Employees often migrate to a solution that works better for them or provides access from locations at which they feel like they aren’t being watched or controlled by corporate standards that they perceive as too restrictive. Getting a complete picture of what cloud services are in use at an organization can be a significant challenge. New cloud services seem to pop up daily, and with many offering “freemium” features, it can be extremely hard for an IT organization to know and track all SaaS that users are leveraging.
CipherCloud can help solve this problem with the Cloud Discovery functionality in CASB+. Cloud Discovery provides Shadow IT analysis and risk ratings through a comprehensive dashboard that can process log data from a variety of proxy and firewall systems. Shadow IT provides a clear picture of all cloud services being used, how much data they are transferring in and out of the cloud, and the risk levels of the clouds.
The CASB+ platform provides an ever-changing registry of 17,000 cloud services and risk assessment/scoring of each service. More than 60 attributes and sub-attributes are tracked for each cloud service. Risk attributes are grouped into four categories: security, privacy, environment, and compliance. CipherCloud uses an impact multiplier methodology to ensure all factors are reflected in the overall risk score.
If a cloud does not exist in the registry, a request can be submitted directly from the user interface, and the cloud can be added within two weeks. If a change needs to be made to a cloud service’s risk score due to an attribute changing, this change can be requested directly from the user interface as well.
After Cloud Discovery is implemented, an organization can easily export a report showing its overall cloud risk status. CipherCloud recommends reviewing this data regularly to understand the risk exposure of the organization and to determine if the user community is trying to circumvent the sanctioned SaaS services for either a business or productivity need. Regular reviews of cloud risk status allow IT organizations to better understand the user community and work with them.
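An added, simplified version of the Cloud Discovery workflow (not CipherCloud's code): it parses constructed proxy log lines, attributes each request to a cloud service through a small registry, sums traffic in and out, scores each service from attribute flags in the four categories named above, and ranks unsanctioned and unregistered services for review. The registry entries, the log format and the category weights are assumptions made for the example, not CipherCloud's impact multiplier methodology; the service names other than Slack are fictional and use reserved `.example` domains.

```python
"""Shadow-IT discovery from proxy logs: aggregate traffic per cloud service,
join against a service registry with risk attributes, and rank unsanctioned
services by risk. Added example, not CipherCloud's Cloud Discovery: the log
lines, registry, attribute flags and category weights are constructed, and
the scoring is a plain weighted count, not CipherCloud's impact multiplier."""
from collections import defaultdict

# Constructed proxy log: "<time> <client> <host> <bytes_sent> <bytes_received>"
PROXY_LOG = """\
2019-12-02T09:00:01 10.1.1.5 slack.com 4200 18000
2019-12-02T09:03:44 10.1.1.5 files.slack.com 2300000 500
2019-12-02T09:05:10 10.1.1.9 filedrop.example 900 12000
2019-12-02T09:07:30 10.1.1.9 cdn.filedrop.example 150 48000000
2019-12-02T09:09:02 10.1.1.12 pastesite.example 76000 900
2019-12-02T09:11:15 10.1.1.12 pastesite.example 120000 800
2019-12-02T09:12:40 10.1.1.5 newtool.example 5000 5000
"""

# Constructed registry: attribute flags (True = attribute present) grouped
# into the four categories the text names. Values are placeholders.
REGISTRY = {
    "Slack": {"domains": ("slack.com", "files.slack.com"), "sanctioned": True,
              "security": {"mfa": True, "encryption_at_rest": True},
              "privacy": {"customer_owns_data": True},
              "environment": {"approved_hosting_region": True},
              "compliance": {"soc2": True, "gdpr": True}},
    "FileDrop": {"domains": ("filedrop.example", "cdn.filedrop.example"), "sanctioned": False,
                 "security": {"mfa": True, "encryption_at_rest": True},
                 "privacy": {"customer_owns_data": False},
                 "environment": {"approved_hosting_region": True},
                 "compliance": {"soc2": True, "gdpr": False}},
    "PasteSite": {"domains": ("pastesite.example",), "sanctioned": False,
                  "security": {"mfa": False, "encryption_at_rest": False},
                  "privacy": {"customer_owns_data": False},
                  "environment": {"approved_hosting_region": False},
                  "compliance": {"soc2": False, "gdpr": False}},
}
# Assumed weight per category: each missing attribute adds this much risk.
CATEGORY_WEIGHT = {"security": 3, "privacy": 2, "environment": 1, "compliance": 2}
DOMAIN_TO_SERVICE = {d: name for name, svc in REGISTRY.items() for d in svc["domains"]}


def risk_score(svc):
    """Weighted count of missing attributes across the four categories."""
    return sum(CATEGORY_WEIGHT[cat] * sum(1 for present in svc[cat].values() if not present)
               for cat in CATEGORY_WEIGHT)


def parse_log(text):
    for line in text.splitlines():
        ts, client, host, sent, received = line.split()
        yield ts, client, host, int(sent), int(received)


def discover(log_text):
    """One report row per service seen in the log, highest risk first;
    services missing from the registry sort to the top so they get assessed."""
    usage = defaultdict(lambda: {"clients": set(), "bytes_out": 0, "bytes_in": 0, "requests": 0})
    for _, client, host, sent, received in parse_log(log_text):
        u = usage[DOMAIN_TO_SERVICE.get(host, f"unknown:{host}")]
        u["clients"].add(client)
        u["bytes_out"] += sent
        u["bytes_in"] += received
        u["requests"] += 1
    report = []
    for service, u in usage.items():
        svc = REGISTRY.get(service)
        report.append({"service": service,
                       "sanctioned": bool(svc and svc["sanctioned"]),
                       "risk": risk_score(svc) if svc else None,   # None: request a registry entry
                       "users": len(u["clients"]), "requests": u["requests"],
                       "bytes_out": u["bytes_out"], "bytes_in": u["bytes_in"]})
    report.sort(key=lambda r: (r["risk"] is not None, -(r["risk"] or 0), -r["bytes_out"]))
    return report


def shadow_it(report):
    """Rows for services the organization has not sanctioned."""
    return [r for r in report if not r["sanctioned"]]


if __name__ == "__main__":
    for row in discover(PROXY_LOG):
        print(f"{row['service']:<24} risk={row['risk']!s:<5} sanctioned={row['sanctioned']!s:<5} "
              f"users={row['users']} out={row['bytes_out']} in={row['bytes_in']}")
```

The `bytes_out` column is the one to read first in a real review: a service nobody sanctioned that receives hundreds of kilobytes of uploads is a data-exposure question, while an unknown host with symmetric, tiny traffic is usually just a registry gap to request.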
A New Level of Visibility
Bringing a CASB into an environment can add a whole new level of visibility that organizations have not had before. Before a CASB, organizations could see all of the activities their user community was performing, because they controlled all of the infrastructure and applications the users used — but with migration to the cloud, users perform many activities outside of the organization. Enter CipherCloud CASB+, which allows organizations to see all of the activities that their users are performing, from uploading or downloading files to modifying documents to creating public shares, as well as login activities — with more context than an IdP provides.
All of this information is great, but if it is stored only in the CASB it creates yet another console the information security team has to monitor. For this reason, CipherCloud recommends that organizations send all cloud and user activity, along with any violations and anomalies, to a SIEM solution. Sending activity to the SIEM provides a single pane of glass approach that many organizations have tried to achieve with a SIEM.
Join us at 9am PST on December 18, 2019 for a live webinar discussion on how CipherCloud CASB+ enables adaptive security controls and continuous governance on Slack, ensuring end-to-end data protection and compliance.
*** This is a Security Bloggers Network syndicated blog from CipherCloud authored by CipherCloud. Read the original post at: https://www.ciphercloud.com/loose-lips-sink-ships-casb-and-slack-security/