How Slack stays secure in the new world of remote working

18 Dec 2020

Larkin Ryder. Image: Slack

Slack’s director of product security, Larkin Ryder, discusses the company’s latest security features and what the future holds for the infosec industry.

Larkin Ryder’s career has covered several areas from engineering to security, supporting Fortune 500 companies and millions of consumers around the world. She is now Slack’s director of product security, and previous employers include Twitter and Hewlett-Packard.

In her current role, Ryder ensures that Slack’s sensitive data is protected. Here, she talks about the company’s plans to make its communication platform more secure and how Covid-19 has altered the future of cybersecurity.

‘With bad actors targeting remote workforces … it’s never been more important to provide our customers with a more secure way to communicate’

What do you do at Slack?

Since joining the company in 2016 from Twitter’s enterprise security team, I have built Slack’s security risk and compliance programme, helping the company earn SOC 2 attestations, various ISO certificates and compliance with HIPAA.

Along the way, I have also helped to manage and evolve the product security team at Slack so that all new product features and related infrastructure maintain Slack’s high standards for data confidentiality and user privacy.

Are you spearheading any major product or IT initiatives you can tell us about?

With bad actors targeting remote workforces and corporate systems at this time, it’s never been more important to provide our customers with a more secure way to communicate and collaborate. As organisations are adapting to a new way of work, we too are moving faster than ever before to innovate and stay ahead of cybersecurity threats.

So, to give more control, visibility and flexibility over users’ information, we’re currently continuing our roll-out of new security features, integrations and certifications that allow customers to securely collaborate from anywhere, one of which is information barrier functionality.

These barriers can ultimately be used by admins to prevent specific user groups from messaging or calling other user groups. In practice, an investment bank could maintain one group in Slack for traders and another for investment bankers. The two groups could be configured so that they cannot communicate with each other but can still collaborate with others in the organisation. This level of granular control allows admins to meet rules and regulations without blocking organisation-wide collaboration.

We’re also super laser-focused on overseeing the success of Slack Connect, which is a more secure and productive way for organisations to communicate with others who sit outside their own business – whether it’s customers or partners. With it, admins can maintain control over their organisation’s data and monitor external access. And unlike email – which leaves users open to the risk of spam and phishing – when everyone works in channels, teams receive messages and files only from verified members.
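The information-barrier behaviour described in the answer above, as an added example that is not Slack’s own code or configuration: a small policy model with user groups, undirected barriers between pairs of groups, and two checks, one for a direct message or call between two users and one for a channel’s whole membership. The group names, user ids, sample memberships and function names are assumptions made for the illustration.

```python
"""Information-barrier policy check (added example, not Slack's implementation).

Model: every user belongs to zero or more groups; a Barrier names two groups whose
members may not message or call each other. Users outside any barred group, and
members of the same group, keep collaborating normally.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Barrier:
    """Undirected barrier: group_a <-> group_b communication is blocked in both directions."""
    group_a: str
    group_b: str

    def blocks(self, groups_x: set[str], groups_y: set[str]) -> bool:
        """True when one party is in group_a and the other in group_b, either way round."""
        return (self.group_a in groups_x and self.group_b in groups_y) or (
            self.group_b in groups_x and self.group_a in groups_y
        )


@dataclass
class BarrierPolicy:
    memberships: dict[str, set[str]]          # user id -> groups (assumed shape)
    barriers: list[Barrier] = field(default_factory=list)

    def groups_of(self, user: str) -> set[str]:
        # Unknown users have no groups and are therefore never barred (no group, no wall).
        return self.memberships.get(user, set())

    def blocking_barrier(self, user_x: str, user_y: str) -> Optional[Barrier]:
        """First barrier separating the two users, or None if they may talk.

        A user who sits in BOTH sides of a barrier (a misconfiguration) is treated
        as barred from either side: the check fails closed rather than open.
        """
        gx, gy = self.groups_of(user_x), self.groups_of(user_y)
        for barrier in self.barriers:
            if barrier.blocks(gx, gy):
                return barrier
        return None

    def can_communicate(self, user_x: str, user_y: str) -> bool:
        """Direct message or call allowed?"""
        return self.blocking_barrier(user_x, user_y) is None

    def channel_violations(self, members: list[str]) -> list[tuple[str, str, Barrier]]:
        """Every pair of channel (or group call) members that a barrier separates.

        An empty list means the proposed membership is allowed; otherwise the caller
        should reject the invite/add, because a shared channel would let the barred
        groups communicate indirectly.
        """
        return [
            (x, y, b)
            for x, y in combinations(members, 2)
            if (b := self.blocking_barrier(x, y)) is not None
        ]


# Constructed sample data for the investment-bank scenario in the text.
POLICY = BarrierPolicy(
    memberships={
        "alice": {"traders"},
        "bob": {"bankers"},
        "carol": {"legal"},                 # in neither barred group
        "dave": {"traders"},
        "erin": {"traders", "bankers"},     # misconfigured: on both sides of the wall
    },
    barriers=[Barrier("traders", "bankers")],
)


def summarize(policy: BarrierPolicy) -> dict[str, object]:
    """Evaluate the scenario and return the decisions (useful for tests and audit logs)."""
    return {
        "trader_to_banker": policy.can_communicate("alice", "bob"),
        "trader_to_legal": policy.can_communicate("alice", "carol"),
        "trader_to_trader": policy.can_communicate("alice", "dave"),
        "clean_channel": policy.channel_violations(["alice", "carol", "dave"]),
        "mixed_channel": [(x, y) for x, y, _ in policy.channel_violations(["alice", "bob", "carol"])],
    }


if __name__ == "__main__":
    for name, decision in summarize(POLICY).items():
        print(f"{name}: {decision}")
```

Two design choices worth noting: the barrier is undirected, because a one-way wall would still leak information through replies, and the channel check evaluates every pair of members, so adding one person to an existing channel is the same decision as creating the channel from scratch.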

How big is your team?

The security team at Slack is now more than 51 people, responsible for product security, risk and compliance, and security operations for both our production and enterprise infrastructure.

The product security team is uniquely structured as we have hired two sets of security specialists: one set who are trained to inspect and consult, and another set who are trained to develop secure frameworks that can be leveraged by the developers within Slack. As we have found reading code and writing code to be two separate areas of passion and ability for these teams, we believe allowing our engineers to focus on one or the other gives better results.

Outsourcing is a careful choice. As we have many issues of scale and complexity that are unique to Slack, we’ve developed many of our own tools, some of which we make available to our industry peers as open source.

Like every security team, we know we don’t know everything and so we will often bring in outside experts to augment our work and understanding, particularly as we are getting up to speed with a new area of technology. We also engage independent penetration testers, who ensure that we have not missed any vulnerabilities in our service and clients.

What are your thoughts on digital transformation and how are you addressing it?

If I had to choose a single word to describe digital transformation right now as a result of the many changes we’re seeing in the world of work, it would be ‘accelerated’. We’re ultimately experiencing a head-snapping acceleration of the digital changes that were already in motion.

But, with more workforces now remote and organisations adopting cloud solutions to keep their teams connected, security has never been more important. The rise of remote work has been taken advantage of by cyberattackers who are actively looking for new vectors to open up. We are helping to address this growing threat.

One way we’re doing this is by encouraging businesses to integrate their work stacks – this is all about joining up applications by using a channel-based messaging platform. This will not only speed up collaboration by allowing workers to ‘see into’ relevant apps without spending time switching between applications, but it will allow for different layers of security to be woven into the very fabric of the integrated work stack. If security is an afterthought, it will be too late.

What big tech trends do you believe are changing the world and your industry specifically?

Covid-19 has pushed rapid adoption of zero-trust networks and cloud computing to businesses all over the world. Where IT teams could previously rely on office networks to provide a secure perimeter and a chokepoint for monitoring and controlling employee traffic, now that responsibility must be pushed to the employee devices. Careful control and monitoring of those devices is now the linchpin for ensuring that attackers don’t get a foothold on your internal infrastructure.

While this is difficult for IT teams, it is also enabling. Once businesses make the transition to zero trust, cloud adoption can be easier. The cloud brings ease of administration and economies of scale to businesses that may be suffering from the global economic downturn precipitated by the pandemic.

In terms of security, what are your thoughts on how we can better protect data?

There are a number of ways to better protect data, two of which are avoiding email and using a second factor of authentication.

With email being an open protocol, it’s more difficult for individuals to validate who they’re working with, and as a result, data may get into the hands of bad actors. To tackle this and better protect data, I strongly believe that businesses need to use a shared collaboration environment wherever they can. In these more closed and controlled environments, businesses can vet the people they’re interacting with and protect their employees from malicious actors.

Finally, authentication is key. Without it, businesses risk removing a protective barrier, which can prevent data getting in harm’s way. Once businesses get used to the tiny bit of cognitive friction that using the second factor of authentication adds to their operations, they will wonder why they didn’t do it sooner. The reward of protecting data definitely outweighs the effort.
