Slashdot Mirror


Slack Hands Over Control of Encryption Keys To Regulated Customers (techcrunch.com)

Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.

He said that regulated industries in particular have been requesting the ability to control their own encryption keys, including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said.
Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.

16 of 32 comments

  1. BlackBerry had this years ago. by prunus.avium · · Score: 4, Informative

    It was one of the selling points for enterprise customers. The BlackBerry Enterprise Server (BES) maintained the keys and was owned by the customer.

    1. Re:BlackBerry had this years ago. by 93+Escort+Wagon · · Score: 1

      Heck, IRC had this years ago.

      --
      #DeleteChrome
  2. Re:Or just use your own secure IRC server by higuita · · Score: 1

    or riot.im and if you want even more, install your own server and federate it

    --
    Higuita
  3. Not news by Anonymous Coward · · Score: 1

    Slack is used at work and the company SHOULD be in control of those keys.

    This has nothing to do with personal privacy of anyone working or not working there, and nothing to do with the government's shortsighted effort to get all our encryption keys.

  4. The keys are managed in the AWS KMS key management by Anonymous Coward · · Score: 1

    so Amazon owns the keys?

    In my experience, keys are generated by a computer that has never been connected to the internet and transferred by sneakernet.

    How can a middleman possibly have your keys? Then they are you.?!?!

  5. will corporate jobs allow slack now? by Micah+NC · · Score: 2

    I've only seen Slack at smaller type shops.

    I wonder if this will scratch the security itches to get it approved at the larger firms.

    Wishful thinking?

    1. Re: will corporate jobs allow slack now? by Anonymous Coward · · Score: 1

      Just what I need, yet another communication and "productivity" application to allow people to pester me incessantly and waste bandwidth with cat pictures.

      But it has persistent conversations! Ya, so does fucking email.

    2. Re:will corporate jobs allow slack now? by brunes69 · · Score: 1

      That's far from true. A number of Fortune 100 companies use Slack. In fact I know of a Fortune 50 company with over 300,000 employees who uses Slack company-wide.

    3. Re:will corporate jobs allow slack now? by Actually,+I+do+RTFA · · Score: 2

      Why would that excite you? I don't know why people get so excited by Slack, can you sell me?

      --
      Your ad here. Ask me how!
    4. Re: will corporate jobs allow slack now? by jon3k · · Score: 1

      You only need one example to disprove an absolute. If only there were some way we could find out who was using it...

      (Spoiler: IBM, NASA JPL, BBC, Lyft, PayPal, Capital One, etc.)

  6. Blackberry vs RCMP by future+assassin · · Score: 2

    The RCMP have backdoor access to Blackberry. https://www.ctvnews.ca/canada/...

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:Blackberry vs RCMP by prunus.avium · · Score: 2

      From TFA:

      All three experts pointed out that the key could not be used on the BlackBerry Enterprise Server phones which are typically used by corporations and governments.

      The BlackBerry Internet Service (BIS) ran through BB's own server so they had to have the keys. The BES keys were never held by BB.

    2. Re:Blackberry vs RCMP by Octorian · · Score: 1

      Everyone praising BlackBerry's security was only speaking truths about BES.
      Everyone mocking BlackBerry's security was only speaking truths about BIS.

      This was extra amusing and/or annoying when people only using BIS would talk about how they had all this security on the platform (that really only existed with BES).

  7. Re:Had Slack at 2 different jobs and not at 1 job by nitehawk214 · · Score: 2

    While I agree that it is an "interrupt-based productivity killing machine", most managers can't figure that out. I get a regular email that might take some time, then a manager showing up to ask "did you see my email? Cool." With no further discussion.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  8. Re: hand control to their dongers by Anonymous Coward · · Score: 1

    Foomp foomp foomp...here it comes foompfoompfoompfoomp...you ready? Foompfoompfoompfoompfoomp...
    Kreygasm

  9. This doesn't make sense to me because by golgotha007 · · Score: 1

    If it's not your keys, then it's not your content. In other words, unless you created the keys yourself using your own gear and method, then you cannot guarantee that Slack cannot decrypt your communications without your knowledge. Having Slack generate your keys is ridiculous and is akin to security theater.

    What you're getting with this "announcement" is security for data in transit and in storage, but there's no guarantee of confidentiality.