5

Our company is contemplating the benefits of switching from Slack to Mattermost.

One of the arguments is that the 'sensitive information should be more secure because it is stored on our servers'.

But is it so?

Mattermost is open-source and vulnerabilities can be found and exploited at any time. Even though Slack stores information on their servers, the probability of an attacker exploiting exactly your data is smaller, since they would have to find it, assess it and deem it useful. And in the event of a Slack-wide server hack it would be known and there would be time left to do damage control.

Also Slack has all the incentives to keep security top level to ensure their business success and reputation.

Whereas a private Mattermost server could be less protected and fall prey to a targeted attack, in which case the attacker would be able to exploit the information immediately and leave no time for damage control.

P.S. This is not a duplicate per se of the Open Source vs Closed Source Systems question. Quoting from the top answer on the said 'duplicate' question: "To reason about this you must limit the discussion to a specific project." This is a question about two specific projects.

Harijs Deksnis
  • This is a specific question comparing two alternatives. You are referring to a broader and more generic question. – Harijs Deksnis Jul 05 '16 at 20:21
  • 3
    If not based on open v closed source, how would you like us to answer? By its very nature, we can't know details about a proprietary system like Slack – Neil Smithline Jul 05 '16 at 21:12
  • Isn't slack just a fancy web-client for an IRC server? –  Jul 05 '16 at 22:06
  • 2
    @Zymus IRC plus advanced searching, tagging, mobile notifications, REST API, integration with other services and file repository. – André Borie Jul 06 '16 at 00:44
  • 1
    Quoting from top answer on the said 'duplicate' question: "To reason about this you must limit the discussion to a specific project.". – Harijs Deksnis Jul 06 '16 at 12:40
  • 2
    "If not based on open v closed source, how would you like us to answer?" - based on whatever information you might have available. Network activity data, best guesses, expert opinion or any other information available on the internet that might be of value. Basically from the perspective of decision making and choosing the most secure option... – Harijs Deksnis Jul 06 '16 at 12:45
  • 1
    Unfortunately, we can't do product security reviews. – schroeder Jul 06 '16 at 14:31

1 Answer

3

There are some additional points that are worth mentioning:

Cons

  • You have to trust the Slack team because they have access to all your messages and conversations
  • You need to check that former employees or third parties don't have access to your Slack chats (you need an additional robot)
  • Slack servers are available from any device, including those whose security settings you can't control (for example, devices outside MDM). You can't use additional protection in this place (corporate VPN etc.)
  • In the case of Slack you can't enforce a password strength and rotation policy, and can't link Slack with, for example, your corporate Active Directory authentication system. In case your data is compromised, it will be hard to investigate the incident as you don't have any logs etc.
  • There is no Slack Enterprise version available at the moment

Pros

  • Slack can be cheaper to set up and maintain
  • There is a guarantee that new versions will appear and developers won't drop support for the project (sometimes that happens in the open source world)
  • You'll have technical support from the Slack team
  • There is a chance that an Enterprise version will appear and will have some enterprise security features

In my opinion Slack is better for small teams and startups, but in the case of big companies you'd better choose something you have control over. Anyway, it's up to you - just evaluate the risks and find out what you can and can't accept in your situation.

Update: As noted in the comments, point 2 of the Pros is quite arguable - just recall the story around Google Reader.

CaptainRR
  • 3
    *"There is a guarantee that new versions will appear and developers won't drop support for the project (sometimes it happens in open source world)"* Eh, **what?!** More likely, you would be entirely at the mercy of the company offering the service to continue offering the service. Remember [Google Reader](https://en.wikipedia.org/wiki/Google_Reader#Discontinuation)? If you want something with guaranteed ability to keep using it, you *have* to use something local. Even more so, with the source code available, you can always hire or contract someone (anyone) to fix a problem if it bothers you. – user Jul 06 '16 at 14:37
  • Yeah, you're right! Google Reader is an excellent example! Thanks! – CaptainRR Jul 06 '16 at 14:45