Slack Hands Over Control of Encryption Keys To Regulated Customers (techcrunch.com)
Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.
He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said. Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.
Re: hand control to their dongers (Score:1)
Foomp foomp foomp...here it comes foompfoompfoompfoomp...you ready? Foompfoompfoompfoompfoomp...
Kreygasm
Re: (Score:2)
or riot.im and if you want even more, install your own server and federate it
BlackBerry had this years ago. (Score:5, Informative)
It was one of the selling points for enterprise customers. The BlackBerry Enterprise Server (BES) maintained the keys and was owned by the customer.
Re: (Score:2)
Heck, IRC had this years ago.
Blackberry vs RCMP (Score:3)
The RCMP have backdoor access to Blackberry. https://www.ctvnews.ca/canada/... [ctvnews.ca]
Re: (Score:2)
Everyone praising BlackBerry's security was only speaking truths about BES.
Everyone mocking BlackBerry's security was only speaking truths about BIS.
This was extra amusing and/or annoying when people only using BIS would talk about how they had all this security on the platform (that really only existed with BES).
Re: (Score:3)
From TFA:
All three experts pointed out that the key could not be used on the BlackBerry Enterprise Server phones which are typically used by corporations and governments.
The BlackBerry Internet Service (BIS) ran through BB's own server so they had to have the keys. The BES keys were never held by BB.
Not news (Score:1)
Slack is used at work and the company SHOULD be in control of those keys.
This has nothing to do with personal privacy of anyone working or not working there, and nothing to do with the government's shortsighted effort to get all our encryption keys.
The keys are managed in the AWS KMS key management (Score:1)
so amazon owns the keys?
In my experience, keys are generated by a computer that has never been connected to the internet and transferred by sneakernet.
How can a middleman possibly have your keys? Then they are you.?!?!
will corporate jobs allow slack now? (Score:2)
I wonder if this will scratch the security itches to get it approved at the larger firms.
Wishful thinking?
Re: will corporate jobs allow slack now? (Score:1)
Just what I need, yet another communication and "productivity" application to allow people to pester me incessantly and waste bandwidth with cat pictures.
But it has persistent conversations! Ya, so does fucking email.
Re: (Score:2)
That's far from true. A number of Fortune 100 companies use Slack. In fact I know of a Fortune 50 company with over 300,000 employees who uses Slack company-wide.
Re: (Score:2)
(Spoiler: IBM, NASA JPL, BBC, Lyft, PayPal, Capital One, etc.)
Re: (Score:3)
Why would that excite you? I don't know why people get so excited by slack, can you sell me?
Re: (Score:3)
While I agree that it is an "interrupt based productivity killing machine", most managers can't figure that out. I get a regular email that might take some time, then a manager showing up to ask "did you see my email. Cool." With no further discussion.
This doesn't make sense to me because (Score:2)
If it's not your keys, then it's not your content. In other words, unless you created the keys yourself using your own gear and method, then you cannot guarantee that Slack cannot decrypt your communications without your knowledge. Having Slack generate your keys is ridiculous and is akin to security theater.
What you're getting with this "announcement" is security for data in transit and in storage, but there's no guarantee of confidentiality.