
Microsoft doesn’t want its employees to use Slack. At first glance, that’s not particularly surprising given that Microsoft launched its communication and collaboration tool Teams nearly two years ago and has been pushing it into enterprises that are already using its productivity suite Office 365. However, Microsoft’s problem with Slack is not about competition; it’s about security.

Microsoft’s Prohibited Apps

Slack was riding high on its stock market debut last week that valued the company at around $20 billion. Meanwhile, GeekWire uncovered a list of apps Microsoft has prohibited its employees from using in the workplace. In respect of Slack, the entry reads:

“Slack Free, Slack Standard and Slack Plus versions do not provide required controls to properly protect Microsoft Intellectual Property (IP). Existing users of these solutions should migrate chat history and files related to Microsoft business to Microsoft Teams, which offers the same features and integrated Office 365 apps, calling and meeting functionality…”

Amazon Web Services, Google Docs, PagerDuty and even the cloud version of GitHub, which Microsoft bought last year for $7.5 billion, were also mentioned, albeit in the “discouraged” use category.

Is Microsoft’s response to these concerns proportionate? With Slack, individuals and teams can easily set up their own Slack workspaces without necessarily involving IT experts who can make sure they're fully secure. Slack provides a variety of security tools, but all it takes is one employee to copy and paste sensitive information that used to be buried in secure databases to make it available in casual Slack conversations.

This is not just about Microsoft and Slack, although this story has again focused enterprise leaders on the potential security problems inherent in instantaneous communications through a social network. A number of solutions have been proposed in recent times; in fact, Mark Zuckerberg added to the discussion last March when he said that all data in all communication channels should be encrypted.

However, even this is open to abuse, he said. In a blog about privacy and the use of data he wrote: “Encryption is a powerful tool for privacy, but that includes the privacy of people doing bad things. When billions of people use a service to connect, some of them are going to misuse it for truly terrible things like child exploitation, terrorism and extortion.”

Clearly, this is not the case in an enterprise social network, but the principle is the same. All it takes is for one individual to post classified information in a social network, deliberately or inadvertently, and the enterprise in question has a major problem.


Too Much Data Shared?

Rasmus Holst, chief revenue officer at Wire, which develops a secure collaboration platform used by both public and private companies worldwide, pointed out that while Slack benefits teams through the short bursts of communication it offers across workplaces worldwide, CEOs have increasingly become concerned about how much information is being shared by employees on Slack, given how fast and fluid conversations are on the platform.

“The vast majority of corporate breaches are due to insiders (whether intentional or accidental), and using Slack can make it easy for people to access sensitive information — even long after they’ve left the company — and make it virtually impossible for organizations to lock down this data,” he said.

Slack is aware of the problem. In its filing to the SEC before the IPO the company noted, “Increasingly, companies are subject to a wide variety of attacks on their systems on an ongoing basis…Third parties may attempt to fraudulently induce employees, users, or organizations into disclosing sensitive information such as user names, passwords, or other information or otherwise compromise the security of our internal electronic systems, networks, and/or physical facilities in order to gain access to our data or the data of organization.”

Rasmus added: “It’s important to be aware of the security architecture of the tools their employees use, and whether they provide end-to-end encryption for every message, call and file sent, to minimize the potential for data breaches and cyber threats.”


Casual Collaboration Risks

Former Skype for Business exec and Symphony’s CXO Jonathan Christensen added that while modern collaboration tools bring flexibility and productivity, taking a casual approach to workplace communications presents a major new security risk. As employees choose and use new cloud-based services, IT must consider how to keep sensitive data secure. The right solution is a platform that supports end-to-end encryption, delegated key management and advanced compliance capabilities. “Slack lacks true end-to-end encryption, automation and workflows to get real work done and it’s viewed as a place for chit chat… not million-dollar deals,” he said.

Most collaboration platforms like Slack and even Microsoft’s Teams and others are not secure enough for highly sensitive information. Risks caused by trying to establish identity — whether based on phone number and email IDs, or multi-factor authentication with 4- to 8-digit codes via SMS — all have vulnerabilities, said Aaron Turner, CEO of Hotshot.

“Security in these platforms is also compromised by a lack of enforceable enterprise control, which should be in place to ensure that collaboration is need-based and uses least privilege messaging and files access. On top of that, these large scale quasi-public forums open up a Pandora’s Box of issues relating to privacy laws like ‘right to disconnect’ and ‘right to be forgotten’ and compliance regulations such as GDPR, CCPA and ITAR.”

Scott Gode, chief product marketing officer at Unify Square, a platform that manages workplace collaboration tools (Slack, Microsoft Teams, Zoom and others), said the newly surfaced Microsoft “no-fly” list has, in many ways, blown the Slack security issue way out of proportion. If an organization is serious about security and Slack, then Slack’s Enterprise Grid offering will provide substantial collaboration security coverage for most enterprises.

Having said that though, one of Slack’s key enticements is its freemium licensing model and Shadow IT-esque approach to user adoption. This is where the security risk creeps in. “Slack at its core is secure, but it can, and often is, used very insecurely. Fortunately, though, even for the free versions of Slack much of the security risk can still be easily mitigated through the combination of a formalized policy and specialty add-on software to help implement these policies and send alerts regarding improper usage,” he said.