Slack tells enterprises to bring their encryption keys to lock up their channels

Slack has tightened up the controls it offers its enterprise customers by allowing them to bring their own encryption keys to the chat platform.

The Slack Enterprise Key Management (Slack EKM) tool was first trailed last year, and is now available as an add-on to the chat outfit’s Enterprise Grid plan.

Slack’s security supremo, Geoff Belknap, said in a prepared Q/A that security-minded organisations, “especially in highly regulated markets—such as financial services, health care and government—are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs.”

He said that Slack customers’ data was already encrypted in transit and at rest but, he continued, “Slack EKM basically adds an extra layer of protection so that customers—especially those in regulated industries—can share conversations, data and files on Slack, all while still meeting their own risk mitigation requirements.”

He said the keys would be managed in AWS KMS, and that allowing customers to impose their own encryption meant they would have “a lot more control and visibility over their most sensitive data.”

Customers would be able to revoke access “in a very granular, highly targeted manner”, in the case of an incident, he said. “That granular revocation ensures that teams continue working while admins suss out any risks.”

So, rather than pulling the plug on the entire Slack service within an organisation, admins can cut access to data at certain times, or in certain channels.

Firing up a dedicated Slack channel is often high on a company’s to-do list when dealing with a crisis.

Belknap added, “apart from being able to control access very granularly, you can also see how your data is being used. Detailed activity logs in Amazon’s AWS KMS tell you exactly when and where your data is being accessed.”

The announcement comes hard on the heels of the company revealing it will go public via an unusual direct listing.

The two may or may not be related, but tipping a hat to the needs of the financial sector presumably isn’t going to hurt its reputation, while the same goes for reducing its potential exposure security-wise.