Slack, the popular collaboration tool, got more than its
share of media attention last month. All this Slack buzz gives us an
opportunity to share how we use Slack here at Code42. We’ve thoroughly vetted
Slack, and rather than banning it as a security risk, we actually use the tool
to enhance our security capabilities.
Why Code42 uses Slack
So, what about those security concerns? Any tool that
facilitates the sharing of information brings some risk of user abuse or error,
such as oversharing, mis-sharing, etc. That’s true for Slack, just as it’s true
for Google Docs, Dropbox — and even, yes, Microsoft Teams. Just like our
approach to data loss protection, our internal security strategy takes an
honest look at risk mitigation that focuses on the biggest risks — without
unnecessarily impeding productivity, collaboration and innovation. Like all our
third-party vendors, we hold Slack to our rigorous vendor security standard,
which includes an annual vendor security risk reassessment process. Moreover,
we’ve put security controls in place that balance the need to mitigate the
inherent risks of information-sharing with the productivity and innovation
value of the tool itself.
How we use Slack
At Code42, nearly every employee uses Slack every day for
real-time direct messaging, increasing productivity and helping us deliver on
one of our core company values: Get it Done, Do it Right. The Code42 security
team, in particular, leverages Slack in unique and powerful ways. Here are a couple of ways we have integrated Slack
functionality to improve our internal security program:
- Security alert notifications: Slack’s Incoming WebHooks allow you to connect applications and services to your Enterprise Slack. We use this capability to implement security notifications tied to activities in our security applications, which are then posted in a corresponding Slack channel. This provides our security analysts and partners across the business with real-time alerts right in the application where they are already communicating and collaborating throughout the day, helping them take appropriate and timely action.
For instance, we have created private channels to alert on critical events within different environments, such as alerts from Capital One’s Cloud Custodian. The alerts are based on policy violations that we define in YAML policy files. Cloud Custodian then alerts our team — and takes action when needed. For example, if Cloud Custodian sees an S3 bucket configured as public, it will make it private by changing permissions in the access control lists (ACLs) and bucket policies — and then notify our teams of the change via Slack as depicted below.
Screenshot of Slack’s Incoming WebHooks tool:
- Security news and updates: Our security team also created a public channel (open to everyone at Code42) as a collaborative workspace for all users. The public channel enables staff to crowdsource and share security knowledge, and to have discussions around the latest security news. Anyone can post security articles, whitepapers, podcasts, blogs or news, highlight interesting ideas and weigh in on each other’s responses. This channel acts as a security news feed, delivering just-in-time security-related information to employees to keep them aware of the latest security threats and trends. Code42 employees also often post what they are seeing in their own news feeds as they become more security savvy.
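The public-bucket alert described in the first item above, sketched as an added example (not Code42's or Cloud Custodian's own code): it finds public grants in an ACL shaped like S3 GetBucketAcl output, works out the ACL that remains after they are removed, and builds the Incoming Webhook message. The sample ACL, the bucket name and the SLACK_WEBHOOK_URL variable name are assumptions made for illustration.

```python
import json
import os
import urllib.request

# The two predefined S3 groups whose grants make a bucket ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def split_grants(acl):
    """Return (kept, removed) grants; 'kept' is the ACL after remediation."""
    kept, removed = [], []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        (removed if uri in PUBLIC_GROUPS else kept).append(grant)
    return kept, removed

def slack_escape(text):
    """Escape the three characters Slack treats as control characters."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def build_alert(bucket, removed):
    """Build an Incoming Webhook payload, or None when nothing was public."""
    if not removed:
        return None
    items = [f"- {g['Permission']} for {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
             for g in removed]
    text = (f"Public ACL grants removed from bucket `{slack_escape(bucket)}`:\n"
            + "\n".join(slack_escape(i) for i in items))
    return {"text": text}

def post_alert(payload, webhook_url):
    """POST the payload as JSON. The webhook URL is a secret: anyone holding
    it can post to the channel, so load it at runtime, never from source."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample ACL (not real data): one owner grant, one public grant.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    alert = build_alert("example-bucket", split_grants(SAMPLE_ACL)[1])
    url = os.environ.get("SLACK_WEBHOOK_URL")  # assumed variable name
    print(post_alert(alert, url) if url else json.dumps(alert))
```

Without the environment variable set, the script prints the payload instead of sending it, which is a convenient way to review alert wording before wiring it to a private channel.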
Walking the Talk
At Code42, we talk a lot about the fundamental paradox of enterprise information security: Information-sharing is both the key to success — and the biggest risk — in organizations. The smart approach focuses on controlling the risk, so you can unlock that value. We’ve vetted Slack and put security controls in place, so we can leverage its capabilities to fuel collaboration, enhance productivity and improve our internal security capabilities. Slack integrates with our security tools for real-time alerting and allows us to quickly disseminate security knowledge throughout the organization. Our internal use of Slack demonstrates how we walk the talk in our own approach to information security.