3) Implement appropriate access control policies based on user role, device, and location

While cloud-based collaboration services like Slack help make employees more productive by giving them access to critical resources from anywhere, at any time, using any device, they also present security risks: sensitive data could be exposed through an unmanaged or unsecured device, an untrusted location, or non-compliant sharing.

Enterprises need to enforce context-aware access controls based on whether the device is managed or unmanaged, if the IP is blacklisted or safe, or whether the traffic originates from a trusted or untrusted location. In addition, enterprises should look to force additional authentication steps if certain predefined risk thresholds are met.
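
One way to express the context-aware policy described above, as an added example that is not from the original article. The signal weights, thresholds, trusted-country list and blocked network are constructed assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data (assumptions, not taken from the article).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
TRUSTED_COUNTRIES = {"US", "DE"}
STEP_UP_THRESHOLD = 40  # risk score at which additional authentication is forced
DENY_THRESHOLD = 80     # risk score at which access is refused outright

@dataclass
class AccessContext:
    role: str            # "admin", "member" or "guest"
    device_managed: bool
    source_ip: str
    country: str         # geolocation result supplied by the caller

def risk_score(ctx: AccessContext) -> int:
    """Sum the weights of the risky signals present in this request."""
    score = 0
    if not ctx.device_managed:
        score += 40
    if ctx.country not in TRUSTED_COUNTRIES:
        score += 30
    if ctx.role == "admin":
        score += 20  # privileged sessions tolerate less risk
    return score

def decide(ctx: AccessContext) -> str:
    """Return 'deny', 'step_up' (force extra authentication) or 'allow'."""
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        return "deny"  # fail closed when the address cannot be parsed
    if any(ip in net for net in BLOCKED_NETS):
        return "deny"  # a blacklisted IP is a hard stop, whatever the score
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"
```

Keeping the blacklist check separate from the score means a single hard signal cannot be outweighed by otherwise clean context.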

4) Capture a complete audit trail of all user and administrator activity

One of the more critical security requirements for Slack is the need to capture a comprehensive audit trail of activities performed by users and administrators. This will not only help identify anomalous or inappropriate user behavior (see below), but having an audit trail will also support and accelerate post-incident forensic investigations as part of an incident response workflow. The Slack API provides a complete feed of all user events, which can be imported into third-party security solutions to analyze this activity.

5) Detect activities indicative of insider threats and compromised accounts

There are a myriad of threats that arise in the cloud. The average organization experiences 23.2 cloud-related security incidents each month, including insider threats (accidental and malicious), compromised accounts, and attacks that use the cloud as a vector to exfiltrate data.

According to Verizon’s 2016 Data Breach Investigations Report, 63% of known data breaches involved compromising a weak, default, or stolen user password. Moreover, some of the most damaging data breaches in recent years have been due to a compromised account attack (eBay, DNC, Anthem, etc.). It’s imperative for an enterprise to have security controls put in place that can rapidly detect and remediate unauthorized access to Slack user accounts.

And while external threats to data in Slack merit concern, enterprises also need to look within to identify and mitigate internal threats. According to a 2015 report by Intel Security, 43% of data loss incidents were traced to internal employees (half malicious, half accidental). Insider threats may come in the form of a well-intentioned Slack user uploading or sharing sensitive data in a non-compliant manner or a privileged user accessing and stealing data for financial gain. For these reasons, organizations must implement security controls that will identify anomalous user behavior that may be indicative of an insider threat.

6) Implement a uniform set of security policies across Slack and other cloud services

The security controls offered by cloud providers vary widely. Enterprises should strive to apply the same set of controls to Slack as they would to other popular cloud applications like SharePoint Online, Box, Salesforce, and Dropbox. In practice, this means the same DLP policy that identifies and protects Social Security numbers should apply to all cloud services. Likewise, any access control or threat protection capability should be enforced in a cross-cloud manner. There are a couple of reasons why this is a best practice.

First, it is significantly easier and more efficient to manage policies from a single console. Furthermore, enforcing security policies from a single control point ensures there is a single place to review and remediate all cloud incidents, rather than a separate dashboard for each cloud service. Lastly, many cloud threats span multiple cloud services. For example, detecting a rogue insider who logs into Slack and downloads sensitive data before uploading it to an unsanctioned cloud storage service requires a view of both services.