As Slack makes its way deeper into the enterprise, it needs to layer on more sophisticated security measures like the encryption key management feature it released last year. Today, the company published a blog post outlining its latest security strategy, and while it still doesn’t include end-to-end encryption of Slack messaging, it is a step forward.
What it does include is a new administrative panel that can detect and shut down use on jail broken phones as well as force upgrades to remote users/devices. The other big feature is the ability to block downloads from devices outside of an approved list of IP addresses; this update is set to come later this year.
Read the story from Tech Crunch.
Analyst Take: The new security announcements from slack are a good evolution in the company’s efforts to become a more secure and robust solution that enterprises can count on. Slack has long faced scrutiny from many analysts, including myself for their sometimes lax attitude about security, which has been validated by a few significant vulnerabilities.
I’m happy to see more controls being developed for admin’s to be able to remotely deal with rogue users, devices and downloads that could pose a threat to unexpected users. However, I still feel the reluctance to offer end-to-end (E2E) message encryption to handle sensitive content being transferred, it feels like there is a weak point in the solution; one that competitors like Cisco Webex and Microsoft Teams have addressed. This feature has also made WhatsApp a popular communication tool between enterprise executives as well as organization to organization communication sought to be treated with E2E.
Just consider that for a moment, a solution that is owned by Facebook is seen as a better option for secure communications than Slack.
Now, Slack leadership claimed once again around these announcements that the company just isn’t seeing that much demand for E2E and that is why they have continued to steer from offering it. I tend to think it has more to do with trying to be “Enterprise Friendly” that the company has steered away. Key encryption, which is a security measure the company is offering, allows encryption, but does less to guarantee that unintended recipients can’t gain access to data; especially through malicious attacks that could gain access to stored archives of Slack conversation.
From my perspective, Slack could benefit greatly by offering an E2E option that users could set up; especially for 1:1 conversations. A good example lives in media where a source and a journalist are communicating. Another may be an executive communicating with HR over some type of harassment matter. As of now, ensuring security and limited visibility between two persons is more difficult without E2E. And Slack could make it work without every conversation utilizing it; as well as limiting or blocking it from being used in groups or certain groups.
While I stand by my comments that I believe Slack is doing better, I also believe that Slack is being somewhat naive to think that users don’t want E2E. Sure, IT may want all the files, but by not offering it you don’t eliminate private conversations, it just opens the organization and its employees to using WhatsApp or other 3rd party apps instead. Which defeats the whole purpose of it not being offered in the first place.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.
More analysis from Futurum Research: