How 18F handles information security and third party applications (opens in new tab)

(18f.gsa.gov)

39 pointsgboone429y ago14 comments

14 comments

tyre9y ago

This does not address the core complaint from the breach[1]:

> 18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile, GSA Order CIO P 2160.1E. The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile.

> ...

> The OIG makes the following recommendations:

> 1. GSA should cease using Slack and OAuth 2.0 until and unless they are approved for use in the IT Standards Profile.

> 2. GSA should ensure that 18F complies with GSA Order CIO P 2160.1E.

Is 18F no longer using Slack or any other OAuth 2.0 integrations? That would be a shame. Are they working with GSA and the Office of Inspections and Forensic Auditing to clear Slack/OAuth 2.0?

[1]: https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%...

rajivm9y ago

I would imagine this is not so much that OAuth 2.0 is a problem so much as granting the "Drive" scope via OAuth 2.0 grants access to ALL Google Drive files the user has access to.

untog9y ago

Well, no, OAuth 2.0 is the problem, but only because it hasn't been government certified.

dsl9y ago

From what I have seen the government has approved and prefers SAML over OAuth intentionally.

tmorton9y ago

Here's an important difference.

The 18F post says:

"we reviewed all Google Drive files shared between Slack and Drive, just to be sure nothing was shared that shouldn't have been. Our review indicated no personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property was shared."

While the OIG report says:

"[the integration] permitted full access to over 100 GSA Google Drives, resulting in a data breach."

wslack9y ago

(I work at 18F but am speaking personally). I would point out this FedScoop article that discusses how the OIG defines "data breach:" http://fedscoop.com/18f-slack-gsa-ig-oauth-20

> situations where persons other than authorized users with an authorized purpose have access or potential access to PII

untog9y ago

There's a difference in emphasis, but not of fact. Full access to over 100 drives does not mean they were actually accessed.

dsl9y ago

One of the huge risks of using multiple cloud services is that you can't firewall between them effectively. If Slack and Google Docs were in-house applications, they never would have been allowed to talk to each-other without an explicit review and firewall rule.

We are giving up defense in depth for ease of use SaaS.

tootie9y ago

The world needs a self-hosted Slack.

bmogilefsky9y ago

Check out Mattermost. Sadly missing some enterprise-friendly features like SAML auth as yet.

vvanders9y ago

+1 on Mattermost, pretty easy to get setup. It's not quite a slick on the integration side but still pretty solid.

engelgabriel9y ago

Rocket.Chat comes with SAML out of the box, and it is not an enterprise only feature.

scient9y ago

The world needs less Slack-fanboism.

engelgabriel9y ago

Have you tried Rocket.Chat?

j / k navigate · click thread line to collapse

14 comments

tyre9y ago

This does not address the core complaint from the breach[1]:

> ...

> The OIG makes the following recommendations:

> 1. GSA should cease using Slack and OAuth 2.0 until and unless they are approved for use in the IT Standards Profile.

> 2. GSA should ensure that 18F complies with GSA Order CIO P 2160.1E.

Is 18F no longer using Slack or any other OAuth 2.0 integrations? That would be a shame. Are they working with GSA and the Office of Inspections and Forensic Auditing to clear Slack/OAuth 2.0?

[1]: https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%...

rajivm9y ago

I would imagine this is not so much that OAuth 2.0 is a problem so much as granting the "Drive" scope via OAuth 2.0 grants access to ALL Google Drive files the user has access to.

untog9y ago

Well, no, OAuth 2.0 is the problem, but only because it hasn't been government certified.

dsl9y ago

From what I have seen the government has approved and prefers SAML over OAuth intentionally.

tmorton9y ago

Here's an important difference.

The 18F post says:

While the OIG report says:

"[the integration] permitted full access to over 100 GSA Google Drives, resulting in a data breach."

wslack9y ago

(I work at 18F but am speaking personally). I would point out this FedScoop article that discusses how the OIG defines "data breach:" http://fedscoop.com/18f-slack-gsa-ig-oauth-20

> situations where persons other than authorized users with an authorized purpose have access or potential access to PII

untog9y ago

There's a difference in emphasis, but not of fact. Full access to over 100 drives does not mean they were actually accessed.

dsl9y ago

We are giving up defense in depth for ease of use SaaS.

tootie9y ago

The world needs a self-hosted Slack.

bmogilefsky9y ago

Check out Mattermost. Sadly missing some enterprise-friendly features like SAML auth as yet.

vvanders9y ago

+1 on Mattermost, pretty easy to get setup. It's not quite a slick on the integration side but still pretty solid.

engelgabriel9y ago

Rocket.Chat comes with SAML out of the box, and it is not an enterprise only feature.

scient9y ago

The world needs less Slack-fanboism.

engelgabriel9y ago

Have you tried Rocket.Chat?

j / k navigate · click thread line to collapse