Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Communications

Slack Hands Over Control of Encryption Keys To Regulated Customers (techcrunch.com) 32

Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.

He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said.
Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.
This discussion has been archived. No new comments can be posted.

Slack Hands Over Control of Encryption Keys To Regulated Customers

Comments Filter:
  • by prunus.avium ( 4301083 ) on Monday March 18, 2019 @10:52AM (#58292570)

    It was one of the selling points for enterprise customers. The BlackBerry Enterprise Server (BES) maintained the keys and was owned by the customer.

    • Heck, IRC had this years ago.

    • The RCMP have backdoor access to Blackberry. https://www.ctvnews.ca/canada/... [ctvnews.ca]

      • From TFA:

        All three experts pointed out that the key could not be used on the BlackBerry Enterprise Server phones which are typically used by corporations and governments.

        The BlackBerry Internet Service (BIS) ran through BB's own server so they had to have the keys. The BES keys were never held by BB.

  • by Anonymous Coward

    Slack is used at work and the company SHOULD be in control of those keys.

    This has nothing to do with personal privacy of anyone working or not working there, and nothing to do with the government's shortsighted effort to get all our encryption keys.

  • so amazon owns the keys?

    In my experience, keys are generated by a computer that has never been connected to the internet and transferred by sneakernet.

    How can a middleman possibly have your keys? Then they are you.?!?!

  • I've only seen slack at smaller type shops.

    I wonder if this will scratch the security itches to get it approved at the larger firms.

    Wishful thinking?
    • by Anonymous Coward

      Just what I need, yet another communication and "productivity" application to allow people to pester me incessantly and waste bandwidth with cat pictures.

      But it has persistent conversations! Ya, so does fucking email.

    • by brunes69 ( 86786 )

      Thats far from true. A number of Fortune 100 companies use Slack. In fact I know of a Fortune 50 company with over 300,000 employees who uses Slack company-wide.

    • Why would that excite you. I don't know why people get so excited by slack, can you sell me?

  • If it's not your keys, then it's not your content. In other words, unless you created the keys yourself using your own gear and method, then you cannot guarantee that Slack cannot decrypt your communications without your knowledge. Having Slack generate your keys is ridiculous and is akin to security theater.

    What you're getting with this "announcement" is security for data in transit and in storage, but there's no guarantee of confidentiality.

He who has but four and spends five has no need for a wallet.

Working...