The big news in the tech world this week is that Microsoft unleashed its “Slack killer” enterprise team messaging application, appropriately named Microsoft Teams. Slack, which in just a few short years has grown to over 4 million daily active users, more than 1 million paid users, and a staggering $4 billion valuation, was quick to respond to the announcement with a full-page ad in the New York Times “welcoming” Microsoft to the fray. With all of the hype and media coverage surrounding this new battleground, it can be hard to find the real story around security for these two apps. Look no further than this blog post, because we’ve done the hard work for you.
Here are some of the key areas of concern and how each messaging app addresses them:
- Sensitive data leakage – the same collaborative benefits that employees love from these apps can be a major headache for security and compliance teams. Preventing data leakage is a must-have when controlling risk with Slack and Teams.
  - Slack – Slack offers no built-in data leakage prevention capabilities for identifying and controlling access to, or sharing of, sensitive data.
  - Teams – While Microsoft Office 365 offers some rudimentary data leakage prevention capabilities, the jury is still out on whether these capabilities will make their way into Teams.
  - Advantage – Neither. Organizations in regulated industries will need to look outside of Slack or Teams if they wish to detect and protect sensitive data from leakage.
- Account compromise – leveraging identity best practices, including single sign-on and multifactor authentication, is a must-have for any enterprise cloud application.
  - Slack – Slack supports two-factor authentication natively, and SAML SSO can be enabled for “Plus” accounts for integration with a third-party identity system such as a CASB or an IDaaS. Unfortunately, Slack also has a checkered past with respect to its ability to protect customer account data.
  - Teams – Microsoft offers similar capabilities, including two-factor authentication and SSO via AD or SAML.
  - Advantage – Microsoft Teams.
- Data encryption in-transit and at-rest – encryption, properly implemented, can allow an organization to use cloud apps while maintaining the security of a locked-down, on-premises environment.
  - Slack – Slack states that all data is encrypted at-rest and in-transit using “the latest recommended cipher suites and protocols.” While that’s a little vague for our taste, we’ll count it – partially. The challenge for enterprises is that this encryption (and the corresponding keys) is fully controlled by Slack, not by the enterprise.
  - Teams – As with Slack, Microsoft has promised data-at-rest and in-transit encryption for Teams. Unfortunately, this scheme suffers from the same limitation as Slack’s approach to encryption: the keys are held by the provider, not the enterprise.
  - Advantage – Neither. Enterprises concerned about data-at-rest protection should look to third-party security technologies like CASBs.
- External users – collaboration with external business partners can be a dangerous proposition if left unchecked. Getting a handle on who can join these messaging applications is critical to preventing data leakage.
  - Slack – Slack allows external users, but those users can only be added by Team Owners and Administrators, providing centralized control over third-party access.
  - Teams – Microsoft doesn’t allow any external users to access Teams, for now. It’s highly likely that this is a short-term limitation that the Microsoft development team is already working on.
  - Advantage – Microsoft (until they catch up on this feature and lose the advantage).
- Third-party apps & integrations – great for users, a nightmare for admins – third-party apps allow users to create new integrations at the click of a button, often without IT intervention.
  - Slack – Slack boasts a directory of more than 750 integrated applications.
  - Teams – Microsoft claims more than 150 external connectors at launch, with many more to come.
  - Advantage – Neither. In both cases, it’s easy to connect potentially insecure apps with broad permissions, which creates uncertainty around control.
- Compliance and security audits – by now, most organizations that have adopted cloud apps have a list of must-have audits and regulatory compliance checkboxes. Let’s take a look at how these two apps stack up.
  - Slack – Slack has undergone a SOC 2 audit, but does not make any claims around compliance under PCI-DSS, HIPAA, or a range of other industry-specific regulatory mandates. Because Slack is deployed on Amazon Web Services, the environment on which Slack operates has ISO 27001 certification.
  - Teams – Microsoft has stated that Teams will be Office 365 Tier C Compliant at launch. This means SOC 1 and 2, ISO 27001, HIPAA and EU Model Clauses.
  - Advantage – Microsoft, especially if you are in a regulated industry like retail or healthcare and need your cloud provider to abide by the corresponding regulations.
As you can see, there are pros and cons for each app, and it’s not our place to call a clear winner one way or the other.