
I think the key is to make sure that developers and other employees understand the tradeoffs. This applies not just to Slack, but also to email, GitHub, cloud storage tools, and even browser extensions.

Apart from easy setup and good UX, these tools provide ideal integration points for third-party plugins that can do all kinds of amazing things for productivity, sales, business processes, code intelligence, etc. etc.

In my view, this is all well and good, and we shouldn't be looking to axe these benefits by demanding self-hosting or end-to-end encryption for everything.

Instead, people need to understand what they are and aren't appropriate for. If your browser has 20 extensions installed with access to every page's data... that's cool--I'm sure they all do useful things, but would you sign in to your bank's website with 20 strangers looking over your shoulder?

Same deal with Gmail, Slack, and GitHub. They all have their place, but they were not designed to store e.g. application secrets securely--especially if you're also using third-party integrations (which, why wouldn't you?--it's a big part of the value they offer). None of this is a problem if you just draw the line in the right place.

Quick plug: this issue is exactly why I started EnvKey[1], a 1Password-like service that keeps application secrets securely in sync across development and server environments so that developers aren't tempted to share them over third-party channels in plain text. If your secrets management strategy involves exposure to any third party, you should probably re-evaluate what you're doing. EnvKey offers a very quick, hosted, end-to-end encrypted approach to getting you on the right track.

1 - https://www.envkey.com


