Q and A with Larkin Ryder, Director of Product Security at Slack

Secure communication inside a campaign is critical. Oftentimes, campaign staffers and their vendors and consultants share highly sensitive data. Most campaigns use some form of information sharing and communication technology outside of traditional email or texting, and at DDC, we know that many campaigns use Slack. We had a great opportunity to ask some questions to Larkin Ryder, Slack’s Director of Product Security, and get some advice about how campaigns can more securely use Slack.

Campaigns have many communications tools available to them. What are the benefits of Slack or any tool that allows stronger team communications? 

Slack provides rich features for securely optimizing the work you do every day. Slack helps keep teams organized by dividing the various components into channels focused on specific projects, goals, or team members. Users have control over who has access to and what type of information is stored in each channel. We also recently launched Slack Connect, a communications environment that provides a secure and productive way for organizations to communicate and collaborate with external parties within a shared channel.

Slack integrates with other productivity and software tools that you may already be using for your campaign, reducing the overhead and risk of switching between apps. It will change the way you work, the speed at which your organization can meet its goals, and how you organize projects.

Additionally, it’s worth noting that the number one attack vector leading to data breaches is phishing via email. Email is like having a front door with no lock on it. As the Director of Product Security at Slack, I’m lucky that all of our communication and collaboration is done in Slack. 

The people who you engage with in Slack are, for the most part, people with whom you already have a trusted relationship. This makes it easier to share information and to collaborate safely without the additional cognitive load of “should I click on this link?” and “am I okay to download this file?”

One of the issues we see in campaigns is that while they have many ways to communicate, they don’t always know which tool to use for which kind of communication. What advice do you have for campaigns around how Slack can fit with their overall communications practices and security practices?

I believe that you get the most benefit out of Slack the more you use it. Once you establish your Slack workspace (picking a team name and inviting members), you have a variety of communication conduits at the team’s disposal:

  • Public channels for topics of general interest and projects where anyone might need to contribute; 

  • Private channels for projects and data only relevant to a subset of team members;

  • Direct messages (DMs) between two people or among a larger group for more transient and point-to-point conversations.

Slack lets you upload and share a variety of assets (files, images, code snippets, etc.) in each of these conduits. Assets shared within a public channel are readable and searchable for every member of the Slack workspace. Assets shared within private channels or DMs are only visible to the members of those conversations.

If you are using GDrive, OneDrive, Box, etc., you can still use Slack to share links to these documents. Slack provides robust integrations with these file-sharing services, enabling access control and search indexing at your discretion.

For some file-sharing services, Slack’s robust integrations give you the option to adjust permissions on your file to share with channel members from within Slack. I love this feature! I can keep all the documents I create in GDrive locked down. Then, when I paste the document link into a Slack message, Slack will prompt me to adjust the permissions. With one click, I can enable document sharing ONLY with the people already in the channel. I don’t have to remember and type the email address of each person with whom I want to share the document. I can respond to incremental document access requests from within Slack, too. This is a great example of how well-designed product integrations that reduce overhead and friction can also improve security.

Not all software and platform providers secure their platforms the same way. What is Slack’s approach to protecting users and data? 

This is a great question. Protecting the privacy and security of our customers' data is a top priority for Slack, and independent agencies regularly certify that we meet the highest standards for information security management and protecting personal data in the cloud. Many government agencies, financial institutions, and other enterprise companies in regulated industries currently rely on Slack to keep their data secure and meet their compliance requirements. Slack provides extensive information on our website about our privacy and security practices. I’ll touch on a few highlights here, so you can get a sense of Slack’s extensive security program, but please visit https://slack.com/trust for a longer description of how Slack ensures the security and privacy of our service.

First and foremost, we spend a great deal of time evaluating the effectiveness of the security program itself. We engage world-class auditors to scrutinize our security program and we hire top-tier testers to try to break into our systems. We do this repeatedly and we encourage our customers to do it, too. We build our service using industry best practices for secure software development and constantly monitor our infrastructure for unexpected or suspicious activity. 

Let’s talk a bit more about data encryption. While “end-to-end” encryption is often touted as the safest choice, “end-to-end” encryption essentially means that a user has to be in possession of a specific device in order to read the data (or to enable another device to read the data). While Slack’s service doesn’t require this (you can log in to Slack from any browser), Slack does encrypt all data in transit and at rest, meaning there are a number of protections already in place that help secure your data:

  • Users can enable two-factor authentication so that there’s an extra layer of security in addition to the password. This ties account access, and thus data access, to a device in the user’s control.

  • All communication between user devices and Slack’s servers is encrypted using strong encryption, meaning no plaintext data ever travels over internet connections.

  • All data is encrypted while at rest on Slack’s servers, meaning your data is protected even if an unauthorized person tries to access your information while in storage.

When an organization or campaign sets up a new platform like Slack they may be in a rush or not fully aware of all the settings available. What security features should all Slack teams enable? 

There are a handful of Slack features you should use to make sure that any Slack workspace is safe. You may need to coordinate with the administrator of your Slack workspace to make sure these settings are in place:

  • Two-factor authentication (2FA) requires users to be in control of a physical device, usually a phone but sometimes a smart token, in order to complete a new login. You should use 2FA to log in to any web-based service that contains data you care about. Your Slack administrator can make 2FA mandatory for all users of your Slack workspace. It’s easy to set up. Here are the instructions: https://slack.com/help/articles/204509068-Set-up-two-factor-authentication 

  • Admin app approvals prevent users from installing new app integrations on a Slack workspace that haven’t been reviewed and approved by an administrator. This ensures that no one outside your workspace can read your data unless you trust them. The Slack app directory has many amazing and useful tools from very security-conscious vendors (Salesforce, Google, ServiceNow, etc.), but there are small app vendors whose security capabilities may not yet align with your security risk tolerance. Admins should exercise appropriate diligence on behalf of their teams. This guide walks you through setting up your configuration and process for safely managing apps on your Slack workspace.

  • Access log reviews can be done by any user. If you visit https://my.slack.com/account/logs, you can see a record of each connection event to Slack. It’s not exciting reading, but it’s a good idea to review those access logs weekly. And if you see something unexpected, tell your Slack admin immediately!
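An added illustration of the weekly access-log review suggested above; it is not part of this Q&A or of Slack’s own tooling. It compares a week’s connection records against a baseline and flags anything a user has not been seen from before, ranking a new country above a new client above a new IP. The record fields (username, ip, country, user_agent, date_last, count) are assumed to match what Slack’s team.accessLogs API returns, and every user, IP and agent is constructed.

```python
from collections import defaultdict

# Constructed connection records, shaped like entries returned by Slack's
# team.accessLogs API (an assumption: only the fields below are used here).
# All users, IPs and user agents are made up for the example.
BASELINE = [
    {"username": "alice", "ip": "198.51.100.7", "country": "US",
     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/91", "date_last": 1600000000, "count": 42},
    {"username": "bob", "ip": "203.0.113.5", "country": "US",
     "user_agent": "Slack/4.8 iOS", "date_last": 1600001000, "count": 10},
]
THIS_WEEK = [
    {"username": "alice", "ip": "198.51.100.7", "country": "US",
     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/91", "date_last": 1600600000, "count": 35},
    {"username": "alice", "ip": "192.0.2.44", "country": "DE",
     "user_agent": "Mozilla/5.0 (Windows) Firefox/80", "date_last": 1600650000, "count": 1},
    {"username": "bob", "ip": "203.0.113.9", "country": "US",
     "user_agent": "Slack/4.8 iOS", "date_last": 1600610000, "count": 8},
    {"username": "mallory", "ip": "192.0.2.99", "country": "US",
     "user_agent": "curl/7.68", "date_last": 1600660000, "count": 3},
]

FIELDS = ("country", "user_agent", "ip")

def profile(records):
    """Collect, per user, every country, user agent and IP already seen."""
    seen = defaultdict(lambda: {f: set() for f in FIELDS})
    for r in records:
        for f in FIELDS:
            seen[r["username"]][f].add(r[f])
    return seen

def severity(new_fields):
    """A new IP alone is routine (mobile networks rotate); a new client is
    worth a look; a new country is worth a message to the admin."""
    if "country" in new_fields:
        return "high"
    return "medium" if "user_agent" in new_fields else "low"

def find_unexpected(baseline, recent):
    """Return (username, severity, new_fields) for each recent record that
    differs from the user's baseline; a user absent from the baseline is high."""
    known = profile(baseline)
    findings = []
    for r in recent:
        if r["username"] not in known:
            findings.append((r["username"], "high", {"user": "not in baseline"}))
            continue
        new = {f: r[f] for f in FIELDS if r[f] not in known[r["username"]][f]}
        if new:
            findings.append((r["username"], severity(new), new))
    return findings
```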

Campaigns fluctuate in size quite a bit. What is Slack’s approach to user management?  What advice do you have for campaigns to manage users? 

Managing user membership in your Slack workspace conscientiously is one of the most important things you can do to protect the security of your Slack workspace. Generally, a good security practice is to adhere to something called the Principle of Least Privilege, wherein you strive to limit each user to the minimum set of capabilities necessary for them to do their job. This can be accomplished by periodically reviewing how your users’ responsibilities and relationships to your organization have changed. 

Slack offers several different classes of users and it’s important to understand the differences. 

  • Guests 

    • Guest accounts are only available on paid plans and have limited availability. There are two types of guests:

      • Single-channel guest (or SCG) -- These users may only be invited to a single channel that the admin specifies. However, they can see profiles of and DM other users who are in the same channel.

      • Multi-channel guest (or MCG) -- These users may be invited to multiple channels. Any full member can invite the MCG to a new channel. MCGs cannot add themselves to channels or see any channels they are not invited to. They can see profiles of and DM other users who are in the same channels.

    • PRO TIP: Set an expiration date when you add a guest user to your Slack team. You can always extend it later or reactivate their account. This saves you from letting less trusted members of your organization overstay their welcome. 

  • Full members -- Full members can add or remove MCGs from channels, DM all other users in the workspace, post in and read from any public channel, etc. It is possible to give full members a wide variety of permissions or to reserve them for admins. For example, should full members be allowed to invite other users to your team, or should that ability be reserved for admins?

  • Admins -- Admins control the configuration of your Slack workspace (except in a very few cases that are reserved exclusively for owners). They control who else can take on admin tasks, including adding users, integrating apps from Slack’s app directory, managing channels and many other day-to-day administrative tasks. 

  • Owners -- Owners have the ultimate authority over your Slack account and own the relationship between your organization and Slack. They control features like billing, authentication and access, security policies, etc. There can be only one Primary Owner, but the Primary Owner can transfer this responsibility to another user. 

You can find more details on the permissions of each user role here.

On a related topic, campaigns—win or lose—shut down after elections. Some may just be on hiatus until the next cycle. What are steps campaigns using Slack should take when they close or are in hibernation?

When you shut down a campaign, you may wish to shut down associated Slack workspaces. The workspace Owner can delete the workspace, which will remove all of the data from Slack’s backend.

If you want to maintain your team (maybe you’ll be working together again soon), you can keep it active. Depending on your payment terms, Slack will only bill you for the users who are using Slack, based on Slack’s Fair Billing policy. 

From a security perspective, I recommend removing non-essential users from the team. The fewer people with access, the safer your data will be. 

I also recommend reviewing any documents you might have shared. If you are using Slack Connect, shared channels can be disconnected. The channels freeze when disconnected and can’t be modified by either team, but the data is still readable. You can reconnect the channel again in the future, if needed.

Note that Slack’s retention policy will still operate! If you have a 30-day retention period for any channels or your workspace overall, your data will still disappear once it is 30 days old, regardless of whether or not you are using it. 
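A least-privilege review of the kind described in the user-management answer above, carried through to the hibernation advice here, as an added example that is not part of this Q&A or of Slack’s product. It audits a constructed member roster for guests without expiration dates, guests whose expiration has passed, and members who have gone quiet, and builds the keep list for a workspace on hiatus. The role names, field names, people and dates are all assumptions.

```python
from datetime import date, timedelta

# Constructed roster for a workspace; role names follow the user classes
# described in the answer above (scg, mcg, member, admin, owner, primary_owner).
# People and dates are made up; "today" is pinned so results are reproducible.
TODAY = date(2020, 11, 10)
GUEST_ROLES = {"scg", "mcg"}
OWNER_ROLES = {"owner", "primary_owner"}

ROSTER = [
    {"name": "dana", "role": "primary_owner", "expires": None, "last_active": date(2020, 11, 9)},
    {"name": "eli", "role": "admin", "expires": None, "last_active": date(2020, 11, 8)},
    {"name": "fay", "role": "member", "expires": None, "last_active": date(2020, 7, 1)},
    {"name": "gus", "role": "mcg", "expires": date(2020, 11, 3), "last_active": date(2020, 11, 9)},
    {"name": "hal", "role": "scg", "expires": None, "last_active": date(2020, 10, 30)},
    {"name": "ivy", "role": "member", "expires": None, "last_active": date(2020, 11, 9)},
]

def audit_roster(roster, today=TODAY, inactive_days=60):
    """Return (who, issue, detail) findings a periodic least-privilege review should act on."""
    findings = []
    owners = [m["name"] for m in roster if m["role"] == "primary_owner"]
    if len(owners) != 1:
        findings.append(("workspace", "expected exactly one primary owner", owners))
    for m in roster:
        if m["role"] in GUEST_ROLES:
            if m["expires"] is None:
                # The "PRO TIP" above: every guest should carry an expiration date.
                findings.append((m["name"], "guest has no expiration date", m["role"]))
            elif m["expires"] < today:
                findings.append((m["name"], "guest expiration passed; confirm deactivation",
                                 m["expires"].isoformat()))
        if today - m["last_active"] > timedelta(days=inactive_days):
            findings.append((m["name"], "inactive; candidate for removal",
                             m["last_active"].isoformat()))
    return findings

def hibernation_keep_list(roster, essential):
    """For a campaign on hiatus: the names to keep; everyone else is removed.
    Owners are always kept so the workspace can later be reactivated or deleted."""
    return sorted(m["name"] for m in roster
                  if m["name"] in essential or m["role"] in OWNER_ROLES)
```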

What are one or two cool things you can do on Slack that most users don’t know?

This is the hardest question! Slack has so many cool features. Here is the handful I can’t live without:

  • Quick switcher (CTRL-K) is a command I hope everyone knows about, but just in case, I’m putting it here. This will allow you to navigate Slack, to find messages or files or channels or people and jump right to the place you need to be. Just type <CTRL-K><thing-you-want-to-get-to> and the search results pop up showing the channels, people, files, or messages you are looking for.

  • Reacji channeler is a fun way to organize your messages. Reacjis are the use of “emoji reactions” to respond to a message as a way to confirm receipt, give feedback, and/or reinforce the company’s culture in a quick and efficient way. With reacji channeler, using reacji, you can send a message to another channel. Obviously, it’s good to use less common reacji for this feature. 

  • Link pasting is so easy in Slack. Copy the link, highlight the text to “linkify” and paste. Voila! Your text is now linked and clickable. 

  • Reminders are incredibly easy to set in Slack. Using /remind and simple phrases you can set up reminders for things you (and others) need to do later. Reminders can go to yourself, to others, or to a channel. Reminders can be one time only or recurring. You can use simple phrases. No need to remember complex syntax. For example:

    • /remind me to take out the trash tonight

    • /remind @johnsmith to call Stephanie for an update on 9/19/2020 at 2pm 

    • /remind #proj-lexicon “it’s time to post your status report” every Thursday at 9am

Wow, that was a lot, but I hope it is useful information. The Slack Help Center is also a great resource. You can use your web browser to search on most any how-to question and get an easy-to-follow guide for Slack. Finally, our wonderful customer agents are also a terrific resource. In your Slack desktop application, just click the (?) icon to the right of the search box at the top to get more help. Thank you for all you do to keep our elections secure!