The hidden security challenges posed by Slack and Teams


Corporations have been quick to adopt collaboration/communications applications – specifically Slack and Teams – and the shift to hybrid and remote workforces due to the pandemic accelerated that adoption further. If your company is using these SaaS solutions, be aware that there are SaaS security concerns that are not easily addressed with the native security features these applications provide. You’ll face significant challenges trying to shut down access to corporate files and data that may be inadvertently shared through Slack or Teams. Here’s a closer look at the issue and a possible solution:

The sudden rise and hidden dangers of Slack and Teams 

Most likely your company, like so many others, needed to find new ways to communicate and collaborate with internal and external partners when Covid-19 scattered workers from their offices to their homes. Benefiting greatly from this shift were Slack (42% growth in paying customers from one year to the next) and Microsoft’s Teams (from 32 million to 145 million daily active users in a year). 

Companies found themselves sharing files and data via these SaaS applications not only with internal employees but also with consultants, external agencies, freelance workers, suppliers and whoever else they needed to partner with to get the work done. New channels were added as well to funnel information to specific parties – all with minimal-to-no oversight by security and IT teams.

Of course, there’s good reason to encourage collaboration; it’s a mainstay of doing business now. But the problem is that too many businesses fail to see the risks they run when relying heavily on SaaS applications such as Slack and Teams.

The avenues to sensitive data opened by collaboration applications

SaaS data exposure risks arise from seemingly benign activities: 

  • Sensitive data assets shared in channels available to your entire company: You may inadvertently let unwanted parties see sensitive information by collaborating internally in public channels, which anyone can simply join to view information they shouldn’t have access to. For example, finance, marketing, and engineering shouldn’t see each other's data, but employees sometimes share files in public channels, and anyone who joins those channels can access and download the data. Financial documents, legal agreements, business unit budgets, engineering documentation – all of these and more become visible and downloadable when shared in this manner.
  • Production credentials and private encryption keys shared in channels anyone can join: Your development teams look for ways to be efficient so they often share files with encryption keys and production credentials, but sometimes they do this through a publicly available channel in Slack or Teams where people outside the team can see and exfiltrate these sensitive items.
  • Information shared in external channels with multiple collaborators: Here, too, you may be allowing sensitive documents to be accessed by those outside your company who should be fenced off from such information.
  • Ongoing access by former collaborators via channels that should be closed: While users are quick to create channels to share, they are often less than diligent in closing them off when no longer needed, thus providing lingering access to outsiders that could lead to harm.
  • External files stored in other apps and shared to anyone in the company, now also shared in public Slack/Teams channels: Users can quickly share links to data assets through Slack and Teams channels in order to get files to the correct people, but if that channel is public, or broader than the audience that needs to see the shared asset, you have exposed that asset to increased risk.

Guarding against such SaaS data access risks 

While both Slack and Teams have security features built in to protect the applications themselves from external threats, they are not well-equipped to straighten out the dangers posed by the common sharing actions just described. No native tools exist to help the IT or security team determine the answers to a variety of practical questions:

  • How many files have been shared within each application?
  • Which internal users have provided access to files in public channels?
  • How many files are stored in each channel and for how long?
  • Which employees have shared the most data assets?
  • What channels and users are still active and should remain open or are inactive and should be closed?
  • Do assets / files in these channels contain PII?
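
Once share metadata has been collected, several of the questions above reduce to simple aggregations. The following is an added example, not code from the original post or from DoControl; the record fields, the suffix list and the 180-day idle threshold are assumptions, the sample records are constructed, and the newest share date is used as a proxy for channel activity.

```python
from collections import Counter
from datetime import date

# Constructed sample inventory (not real data); field names are assumptions
# for this example, not a Slack or Teams export schema.
SHARES = [
    {"channel": "general", "visibility": "public", "user": "alice",
     "file": "q3-budget.xlsx", "shared": date(2023, 1, 10)},
    {"channel": "general", "visibility": "public", "user": "bob",
     "file": "prod-db.pem", "shared": date(2023, 3, 2)},
    {"channel": "agency-x", "visibility": "external", "user": "alice",
     "file": "contract.pdf", "shared": date(2022, 6, 15)},
    {"channel": "eng-core", "visibility": "private", "user": "carol",
     "file": "design.md", "shared": date(2023, 3, 20)},
]
SENSITIVE_SUFFIXES = (".pem", ".key", ".env", ".pfx")  # illustrative list

def files_per_channel(shares):
    """How many files have been shared in each channel."""
    return Counter(s["channel"] for s in shares)

def sharers_in_open_channels(shares):
    """Users who shared files where anyone, or outsiders, can read them."""
    return sorted({s["user"] for s in shares
                   if s["visibility"] in ("public", "external")})

def top_sharers(shares, n=3):
    """Users ranked by number of files shared."""
    return Counter(s["user"] for s in shares).most_common(n)

def stale_channels(shares, today, max_idle_days=180):
    """Channels whose newest share is older than max_idle_days."""
    newest = {}
    for s in shares:
        newest[s["channel"]] = max(newest.get(s["channel"], s["shared"]), s["shared"])
    return sorted(c for c, d in newest.items() if (today - d).days > max_idle_days)

def exposed_key_material(shares):
    """Key or credential files sitting in channels broader than one team."""
    return [(s["channel"], s["file"]) for s in shares
            if s["visibility"] != "private"
            and s["file"].lower().endswith(SENSITIVE_SUFFIXES)]

if __name__ == "__main__":
    today = date(2023, 4, 1)  # constructed reference date
    print(files_per_channel(SHARES), sharers_in_open_channels(SHARES))
    print(top_sharers(SHARES), stale_channels(SHARES, today))
    print(exposed_key_material(SHARES))
```
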

Teams does offer some ability to address these issues through native security features. But as we discussed in our blog about the unrealistic manual effort needed to secure multiple SaaS applications, your team likely will still have to find a way to control data access provided by any number of other SaaS apps besides those produced by Microsoft.

And even so, it takes significant effort to shut down access because there’s very little automation for the actions required. In short, the IT/security teams would need to review each channel and user manually to determine what needs to be closed. More perniciously, sharing provided through a user will remain in Slack or Teams, even when the user has been deleted.

An automated solution through DoControl’s centralized platform

With DoControl, all the manual work that would be required to shut off unwanted or outdated access gained through Slack and Teams can be automated. You can quickly determine which channels no longer should be open, which files and data access points remaining after a user has left should be shut down, and what other vulnerabilities you’re facing. And even better, all can be addressed with automated processes that will save considerable time and effort and help keep your company safe.

To learn more about how DoControl can save you time and costs in shutting down unwanted access in not just Slack and Teams but all major SaaS applications, get in touch with us. 

 

