
How 18F handles information security and third party applications - gboone42
https://18f.gsa.gov/2016/05/13/how-18f-handles-information-security-and-third-party-applications/
======
tyre
This does not address the core complaint from the breach[1]:

> 18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s
> Information Technology Standards Profile, GSA Order CIO P 2160.1E. The order
> allows information technologies to be approved for use in the GSA IT
> environment if they comply with GSA’s security, legal, and accessibility
> requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in
> the GSA IT standards profile.

> ...

> The OIG makes the following recommendations:

> 1. GSA should cease using Slack and OAuth 2.0 until and unless they are
> approved for use in the IT Standards Profile.

> 2. GSA should ensure that 18F complies with GSA Order CIO P 2160.1E.

Is 18F no longer using Slack or any other OAuth 2.0 integrations? That would
be a shame. Are they working with GSA and the Office of Inspections and
Forensic Auditing to clear Slack/OAuth 2.0?

[1]: [https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%...](https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%20Report-GSA%20Data%20Breach%205.12.16.pdf)

~~~
rajivm
I would imagine this is not so much that OAuth 2.0 is a problem so much as
granting the "Drive" scope via OAuth 2.0 grants access to ALL Google Drive
files the user has access to.

~~~
untog
Well, no, OAuth 2.0 _is_ the problem, but only because it hasn't been
government certified.
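
Illustrating rajivm's point above about scope breadth, here is an added example (not code from the article or from 18F) that audits the `scope` parameter of an OAuth 2.0 authorization request against an approved list and flags the full Drive scope. The Google scope URIs are real; the sample URL, the client id and the approved-scope policy are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

# Google Drive scope URIs (real), with what each one grants. Which scopes an
# organisation permits is a policy decision; the ALLOWED set below is an assumption.
FULL_DRIVE = "https://www.googleapis.com/auth/drive"
SCOPE_RISK = {
    FULL_DRIVE: "read/write access to every file the user can reach",
    "https://www.googleapis.com/auth/drive.readonly": "read access to every file the user can reach",
    "https://www.googleapis.com/auth/drive.file": "access only to files the app created or the user opened with it",
}


def requested_scopes(authorization_url: str) -> list[str]:
    """Return the space-separated 'scope' values from an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlparse(authorization_url).query)  # percent-decodes the values
    raw = query.get("scope", [""])[0]
    return [s for s in raw.split(" ") if s]


def audit_scopes(authorization_url: str, allowed: set[str]) -> dict:
    """Classify each requested scope against the approved list; flag the full-Drive scope explicitly."""
    scopes = requested_scopes(authorization_url)
    violations = [
        {"scope": s, "reason": SCOPE_RISK.get(s, "scope not on the approved list")}
        for s in scopes
        if s not in allowed
    ]
    return {
        "requested": scopes,
        "violations": violations,
        "grants_full_drive": FULL_DRIVE in scopes,
    }


# Constructed sample: an integration asking for the full Drive scope plus email.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcallback&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive%20email"
)
# Assumed policy: per-file Drive access and basic identity scopes only.
ALLOWED = {"https://www.googleapis.com/auth/drive.file", "email", "profile"}

if __name__ == "__main__":
    result = audit_scopes(SAMPLE_URL, ALLOWED)
    for v in result["violations"]:
        print(f"disallowed scope {v['scope']}: {v['reason']}")
```

Re-running the audit on the same URL with `drive.file` in place of `drive` produces no violations, which is the narrowing a reviewer would ask an integration to make.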

------
tmorton
Here's an important difference.

The 18F post says:

"we reviewed all Google Drive files shared between Slack and Drive, just to be
sure nothing was shared that shouldn't have been. Our review indicated no
personal health information (PHI), personally identifiable information (PII),
trade secrets, or intellectual property was shared."

While the OIG report says:

"[the integration] permitted full access to over 100 GSA Google Drives,
resulting in a data breach."

~~~
wslack
(I work at 18F but am speaking personally). I would point out this FedScoop
article that discusses how the OIG defines "data breach:"
[http://fedscoop.com/18f-slack-gsa-ig-oauth-20](http://fedscoop.com/18f-slack-gsa-ig-oauth-20)

> situations where persons other than authorized users with an authorized
> purpose have access _or potential access to PII_

------
dsl
One of the huge risks of using multiple cloud services is that you can't
firewall between them effectively. If Slack and Google Docs were in-house
applications, they never would have been allowed to talk to each other without
an explicit review and firewall rule.

We are giving up defense in depth for ease-of-use SaaS.

------
tootie
The world needs a self-hosted Slack.

~~~
bmogilefsky
Check out Mattermost. Sadly missing some enterprise-friendly features like
SAML auth as yet.

~~~
vvanders
+1 on Mattermost, pretty easy to get set up. It's not quite as slick on the
integration side but still pretty solid.
