Security news that informs and inspires

Slack Adds Key Management for Enterprises


As more and more of the Internet gets encrypted by default, some organizations would prefer to use their own encryption keys to protect their data. Slack is offering its enterprise customers the ability to use their own keys to protect their Slack workspaces.

“You, the customer, are in full control over your own encryption keys and when or if you want to revoke them,” said Geoff Belknap, Slack’s chief security office.

Slack already encrypts data in transit and at rest, but Slack Enterprise Key Management (Slack EKM) gives organizations with strict data protection requirements the ability to use their own key instead of Slack’s. The ability to bring their keys was a frequently-requested feature by organizations in regulated industries, such as financial services, health care, and government, Slack said.

“Markets like financial services, healthcare and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs,” Belknap said.

If there’s a concern, you don't have to just hit a button and shut down Slack completely.

For Slack administrators, the biggest benefit with Slack EKM would be the ability to be deliberate about what gets revoked after a security incident, instead of just shutting down the entire Slack workspace. Revocation can be as specific as the time of day, channels, and users. Administrators can even target the time of day in specific channels. The rest of the team can keep working while the administrators investigate and address the issue.

This ability can be particularly useful for managing third-party users in the organization’s workspace, such as contractors, partners or vendors. For example, if the contractor posted a sensitive file in the wrong channel, administrators can pull the file without having to shut down the entire channel.

“[If] there’s a concern, you don't have to just hit a button and shut down Slack completely, blocking all your different teams and departments from accessing the tool,” Belknap wrote.

Detailed Access Logs

Slack is not getting in the key management business business—keys will be stored and managed by Amazon Web Services (AWS) via its Key Management Service (KMS). Administrators will be able to see exactly when and where data is being accessed through detailed activity logs in AWS KMS.

Slack EKM is an add-on feature to Slack Enterprise Grid, which makes sense as Enterprise Grid is where Slack keeps business-focused administrative controls and security integrations. Enterprise Grid offers the Audit Logs API, which provides detailed information about how the Slack workspace is being accessed. The API can be used by security information and event management (SIEM) tools to uncover inappropriate behaviors such as if any of the API keys have been exposed or if users log in from new IP addresses.

If the administrator finds suspicious activity through the API, then the administrator can revoke access right away.

Slack initially announced Slack EKM at its Frontiers developer conference in San Francisco in September. At the time, head of product April Underwood said Slack EKM “provides all of the security of an on-premise solution, with all the benefits of a cloud tool.”

EKM, Not E2E

Many messaging platforms are beginning to adopt end-to-end encryption, but it appears that Slack decided against going down that path at this time. “Architecturally, this isn’t ideal.” Belknap wrote in a conversation thread on Twitter last fall about why Slack doesn’t offer e2e encryption. As part of that same conversation, Dan Kaminsky, chief scientist at WhiteOps Security, noted that there are structural difficulties to consider, such as being able to let users read conversations they weren’t part of. It would also limit search functionality and third-party integration.

It’s also “not something we’ve had much demand for [sic] from customers, especially compared to EKM+BYOK,” Belknap wrote at the time.

Solve the Right Problem

Just because Slack now has a bring-your-own-key scheme doesn’t mean all organizations need to be thinking about switching to Slack EKM. Being able to use their own keys is something that only some organizations really need to do—most don’t need this level of control. There are many ways to make a mistake with key management, and most organizations would be just fine letting the cloud service provider handle the job of encrypting data in transit or at rest.