[dstroot]

Umm... why do people always assume "hosting it yourself" is more secure and not less? Do you have Slack's security expertise and budget? In my experience when small to mid-size companies attempt to manage security themselves they do a passable job but are convinced they are doing an excellent job - until they get hacked.

Larger companies usually have the budget, tools and expertise. But even then there are lots big companies with mediocre security too.

[falcolas]

Corollary question: Why do you assume that Slack's security expertise and security budget is greater than your own?

All we can do is assume that Slack cares about security enough to be sufficient. Last I checked, they didn't have any form of compliance certification, yet HIPPA, PCI, etc. compliant clients use them without reservation.

[eropple]

> Why do you assume that Slack's security expertise and security budget is greater than your own?

I don't assume it. I know it for a fact; I've met some of their team and I know others by reputation. And I'm not exactly a slouch when it comes to this stuff (I don't eat and sleep crypto but a large part of my business is building secure infrastructure/consulting on the systems running on that infrastructure for regulated as well as non-regulated environments).

[count]

Slack has, publicly, a multi-member security team! That's entirely focused on the chat system that I don't have to put any of my teams time towards.

[fweespeech]

I'm curious...

Which is more secure?

A) Slack.

B) Open source software on a LAN accessible only through physical entry, SSH, and/or a VPN.

[type0]

I would say that Patchwork which runs on SSB protocol is more secure than Slack (if used on your LAN) and it's written in a freaking javascript.

[count]

I'd vote slack.

[fweespeech]

> I'd vote slack.

Then I suggest you put more effort into securing your LAN situation because that is a vote indicating your belief your workstations are insecure.

[count]

You should look again:

https://slack.com/security

[falcolas]

OK: Slack is not currently a PCI-certified Service Provider.

I was also a bit surprised what they consider out of scope for their bug bounty program: https://hackerone.com/slack

[count]

I can't begin to fathom a use case for slack where you would put card data in the system...

[fweespeech]

You've never met a call center.

They've sent bug reports with credit card data they've typed in during a phone call through a variety of insecure methods.

They've also written people's credit card info on sticky notes.

Trust me, the horror that is card data and a call center is scary.

[falcolas]

How about a bug report screen shot? Lots of non-security conscious users don't understand why this could be bad. It's your (making the assumption that "you" in this case is a Slack Administrator) job to protect them from themselves.

[bogomipz]

The use case is user error. I have also seen no shortage accidentally people paste passwords into Slack as well

[oneplane]

HIPPA, PCI, etc. compliancy doesn't actually mean you are secure, it just means you are compliant. Take ransomware attacks for example, most of the bigger companies that get hit and have no working plan to continue their business are compliant to all sorts of things, hell complete governments are in that category...

Compliancy only tells a story about management and how many MBA's you have, it doesn't actually mean you have good security. Only being compliant isn't going to help you not get data leaks or data loss!

[falcolas]

You're correct - it doesn't mean you're secure. It does, however, point out that you're putting some thought and effort into security. PCI requires remediation plans or justifications to pass, as does HIPPA.

And, for better or worse, you need your service providers, including chat, to be compliant. If your company were to leak PII via Slack, your company would be in pretty hot water for putting PII on a non-certified service provider.

At least if it were certified, you could say "we've done our due diligence to protect people's PII". Perhaps only important to leadership and lawyers, but still important.

[oneplane]

In this case, however, Slack is certified.

[nzoschke]

I happen to know a few people on the Slack security team from a prior job. SalesForce, another SaaS business people trust to manage all their data.

There's no question that Slack's budget is greater than my own. They have a large, full-time security team. I have a bit of attention from myself or a colleague when setting a system up.

There's also no question their expertise is better. These are life long security professionals with direct experience at other SaaS companies.

[etchalon]

I think both options have tradeoffs.

If you use a service, you're outsourcing your security to perhaps more competent people, but you're making yourself a larger target.

Self-hosting makes you a smaller target, but you're taking all the risk on yourself.

Neither is a panacea.

[KekDemaga]

I agree the answer is shades of gray. Personally I prefer self host because I am able to get more visibility on my threat model that way. If you aren't equipped to use that information then I see little benefit to it.

[fweespeech]

> Umm... why do people always assume "hosting it yourself" is more secure and not less? Do you have Slack's security expertise and budget? In my experience when small to mid-size companies attempt to manage security themselves they do a passable job but are convinced they are doing an excellent job - until they get hacked.

I'm not exposing it to the WAN, just the LAN. :\

I don't think people really appreciate how massive of a security difference that is. It doesn't matter how big your budget is if you sit on the WAN all day. Someone will _always_ tag you eventually.

LAN with hardened VPN/SSH setups are virtually impossible to get into in a software-is-at-fault kind of way. And even if they did, they'd then have to launch the attack from someone's workstation at which point you've already been compromised anyway.

Oh, and then to get to the chat service they'd still need to break the security of an open source chat service which is non-trivial.

[tatersolid]

Your LAN is protected Only if you know that no workstation which connects via VPN, WiFi, or cable can ever be compromised elsewhere and then connect. Which is clearly not possible unless your workstations are air-gapped and immobile, with no USB ports, etc.

The majority of non-trivial breaches involve some sort of pivot or lateral movement inside the "protected" LAN. These often originate from a workstation.

[misterrobot]

Because when you host it yourself, it can be off of the public internet.

[masom]

That's not very useful for your CEO/CTO/CFO/sales/etc when they are offsite or traveling.

[KekDemaga]

A VPN resolves this issue and provides encryption and authentication.

[actsasbuffoon]

A VPN is non-trivial to set up correctly. Have you set up an internal DNS to prevent leaking the domains from requests? How about IPv6 leaks? There are many things to consider, and I wouldn't trust a random programmer to do it correctly.

[theossuary]

I wouldn't trust your programmer much at all if they couldn't configure OpenVPN with correct DNS settings, given some time.

[KekDemaga]

Many good resources exist: https://www.linode.com/docs/networking/vpn/set-up-a-hardened...

[sgehly]

and what about if your network is compromised? For most small-medium businesses, that's more likely than Slack being compromised.

[linkregister]

Slack already had a public compromise. Most small businesses haven't been publicly compromised.

I'm not saying it's safer to self-host. There are a ton of foot-guns with operating your own IRC server.

[sgehly]

It mostly depends on if you're a target. I must have missed when Slack was compromised, but I'm willing to take the risk of Slack being hacked, as I'm not a target. Im a fan of the methodology that bigger company = more secure, although that's obviously not always the case.

[fao_]

That said, you bypass a ton of those foot-guns if you just stick everything behind a corporate VPN with 2FA and the appropriate security. As long as the VPN is secure, everything behind it is secure.

[fweespeech]

> and what about if your network is compromised? For most small-medium businesses, that's more likely than Slack being compromised.

If your network and/or workstations are compromised, it is _over anyway_ because they have all your data. This is one of those situations where you are saying "What if they decapitated me? Slack might still be secure."

I mean, technically, you are correct but it isn't relevant because you are dead.

If you think such a business can survive a pentest from an employee workstation...XD