Revisiting Team Messaging Security
In my last No Jitter post, I discussed some of the challenges related to team messaging security, setting the stage for my session discussion last week at Enterprise Connect 2019 and foreshadowing Slack’s announcement that it now supports enterprise key management (EKM) to allow access control to team messaging data.
Slack EKM provides the same basic functionality already available from competitors including ArmorText, Cisco, and Symphony. Through EKM, customers manage their own encryption keys, meaning that they are in full control of their data and can lock data stores as necessary to address security issues such as breaches or data leakage. Slack customers, through the Amazon Web Services (AWS) key management server, are able to revoke access to individual channels, teams, or the entire customer instance of Enterprise Grid. Participants in our 2018-19 Team Collaboration study cited encryption and customer-held keys as important requirements in evaluating team collaboration platforms.
The move to cloud collaboration has been tempered in recent years by concerns that enterprises potentially lose or reduce control of their data as it moves into the cloud provider’s data center. That view toward security is evolving, with nearly half of participants in our 2017 UC study saying that they felt cloud security was better than what they could provide on their own, and 18% of participants in our 2018 study saying that security is a primary driver for moving to cloud unified communications and collaboration applications. As IT leaders struggle to keep up with constantly changing security threats, and as security spend continues to grow, cloud is increasingly seen as a means of protecting enterprise data cost-effectively.
The ability to manage encryption keys should alleviate enterprise concerns related to potential loss of control over data stored on the cloud provider’s servers. By giving enterprise customers control over encryption, EKM arguably provides the same level of data security that an organization maintains when keeping its data within its own data centers on its own encrypted servers. EKM should especially appeal to companies within regulated industries that in many cases have been unable to move data to the cloud for fear of exposure of sensitive customer or corporate information.
The topic of key management was a big part of our “Securing Your Team Messaging Data” session last week at Enterprise Connect. Panelists from Cisco, Oracle, Ribbon, Slack, and Symphony noted that encryption was key to an effective security strategy. They also provided the following recommendations as part of a broad security strategy:
- Determine a Governance Strategy -- Managing data within a large enterprise messaging system may require a mix of centralized and decentralized strategies, potentially implementing key management, data loss prevention, and single sign-on controls companywide, while leaving administration of specific workspaces, channels, and team members to department or workgroup administrators
- Integrate Enterprise Mobility Management (EMM) -- With mobility being a major driver of interest in team collaboration applications, organizations should ensure that their team collaboration applications work in conjunction with their EMM providers, ensuring control of corporate data across mobile devices
- Evaluate Security Certifications -- Nemertes research participants cite a vendor’s security certifications as the most important criterion they evaluate when selecting a team collaboration provider. Look for common certifications like SOX, ISO/IEC 27001, HIPAA, and FedRAMP, and ensure that your providers can support regional regulatory requirements like GDPR
- Keep It Simple -- Security policies and approaches that make it difficult for people to use applications to collaborate will only drive workers to seek easier-to-use solutions, often ones that aren’t company-approved. It’s not easy balancing security needs and usability; however, it’s imperative that buyers ensure that security controls don’t impact ease of use
- Federate -- Guest accounts are still the norm for allowing outside people to participate in team spaces. However, guest accounts are difficult to manage, and when employees use guest accounts on outside services, they eliminate the ability of an organization to control file and data sharing. Instead, consider federation options, whether that be native capabilities provided by team collaboration vendors or third-party federation services like Mio, which won the 2019 Best of Enterprise Connect Award for innovation in collaboration, and NextPlane. If you must support guest accounts, consider whitelists to control access (e.g., only allowing guests from approved e-mail domains)
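The guest-domain whitelist mentioned in the last recommendation is easy to get wrong when it is implemented as a loose string match. The following check is an added example, not code from the original article or from any vendor named in it; the approved domains, the sample addresses, and the function names are constructed for illustration.

```python
# Added example: guest-invite check against approved e-mail domains.
# APPROVED_GUEST_DOMAINS and SAMPLE_INVITES are constructed, not from the article.
APPROVED_GUEST_DOMAINS = {"partner.example", "supplier.example"}

SAMPLE_INVITES = [
    "Alice@Partner.Example",             # case differs only
    "bob@partner.example.",              # trailing dot, same DNS name
    "eve@partner.example.evil.example",  # approved name used as a prefix
    "eve@notpartner.example",            # approved name used as a bare suffix
    "eve@partner.example@evil.example",  # second "@" hides the real domain
    "dev@eu.supplier.example",           # subdomain of an approved domain
]


def normalize_domain(domain):
    """Lowercase, drop a trailing dot, and convert IDNs to ASCII (punycode)."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # empty or over-long label, or characters IDNA forbids


def guest_domain(address):
    """Return the normalized domain of a bare address, or None if malformed."""
    address = address.strip()
    # Conservative: quoted local parts and display names are rejected outright.
    if address.count("@") != 1 or any(c in address for c in ' <>,;"()'):
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return normalize_domain(domain)


def is_guest_allowed(address, allowed=APPROVED_GUEST_DOMAINS, include_subdomains=False):
    """Exact domain match by default; subdomains only on a label boundary."""
    domain = guest_domain(address)
    if not domain:
        return False
    if domain in allowed:
        return True
    return include_subdomains and any(domain.endswith("." + d) for d in allowed)


def review_invites(addresses, **policy):
    """Split a batch of guest invites into allowed and rejected lists."""
    result = {"allowed": [], "rejected": []}
    for a in addresses:
        result["allowed" if is_guest_allowed(a, **policy) else "rejected"].append(a)
    return result
```

Matching on the exact normalized domain, or on a dot-delimited label boundary when subdomains are permitted, is what keeps lookalike domains out of the approved set.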
Team messaging security capabilities continue to evolve and improve. Be sure to conduct regular reviews of your provider’s capabilities to ensure that it’s able to meet your present and future requirements.