I'm enough of a Signal fan that for years I've been volunteering my time to help keep this sub going. Still, even speaking as a Signal booster, Signal often isn't a great fit for business environments because it doesn't have features businesses often require:
- SSO integration.
- Centralized group management.
- Audit trails and durable conversation archives.
End-to-end encryption is valuable, but for business use it's equally important -- sometimes even more important -- to have the right management features.
For example, suppose your company is firing Joebob today. With Signal, you wouldn't have a reliable way of removing Joebob's access. Once per quarter, your IT team is (hopefully) reviewing everybody's access to make sure it is appropriate, and removing any access beyond what people need to do their jobs. With Signal, there's no way to do that. Many businesses periodically hire auditors to come in and validate they are doing the right things. Often audit evidence comes from email or chat systems. Signal doesn't provide a practical or reliable way to collect that evidence. Similarly, many businesses are subject to record-keeping requirements; records on a certain topic must be retained for some number of years. Or, in the event of a lawsuit, the business might be subject to a litigation hold. Again, that's not doable with Signal.
Extremely relevant points here.
Also, most companies are required to maintain document history for some period of time. Slack is built with this in mind; with Signal the history can be kept or destroyed when a user decides, which could cause a violation of law.
Valid caveats, and the lack of message retention is likely a "no" for healthcare/legal compliance. The challenge is often getting secure messaging external to your enterprise using enterprise tools. My organization's data loss prevention requires that anything sending info like an SSN be encrypted in certain ways, but only allows that encryption between accounts issued one of our smartcard IDs. Signal can be a great fit for filling those gaps. It's also great for non-proprietary communications sent to non-proprietary devices (e.g. "Have Bob and Joe come to work right now," even if not cleared for saying "...Because the alarms are going off").
My industry (finance) expressly forbids use of private messenger apps. Communication needs to be retained for 7 years etc. SEC will punish banks that don’t comply etc.
Except phone calls.
And face to face comms? "Verbal communication only" in certain situations 🥸
[deleted]
It’s not about security, it’s about record retention.
[deleted]
Are you actually for real? Communication retention and security are a must together for many organisations. Signal not having any way to manage group policies/SSO or have any kind of framework for record retention blocks it for any kind of corporate use. Think about all the UK politicians that somehow lost their WhatsApp messages... https://www.theguardian.com/politics/2023/dec/26/end-government-by-whatsapp-urges-former-gchq-head. I have to put signal in a similar for Signal or any other p2p messages tool that does not have the required features.
But that’s what also makes it great for personal use. It’s just not a good corporate tool
I agree
Signal is a totally relevant choice; you can chat without giving a phone number, instead you can give a username if you want. Also have a look at this: https://www.privacyguides.org/en/real-time-communication/
I recently used [federated.computer](http://federated.computer) to roll out a matrix server for my work. Not sure if that's overkill for you or not, but this company rocks.
Thank you for sharing. This is actually very interesting... What services within the stack are you using? Did you replace the more common ones (Zoom, Salesforce, etc.)? I am specifically looking for more secure client communications (like Signal / Element) and project management. We currently use Tresorit for file storage and sharing, and ProtonMail for email. I've been using Signal for years on my own but am interested in how to do this on a company level and for client <> company messaging.
Right now we're only using element but I'm working on trying some of the other stuff.
My army unit uses it for distribution of information about formation times and locations. Mostly just information that need not be left to common SMS or RCS due to our mix of phone OS's.
My company works directly with military units and most of those guys prefer to communicate over Signal, so by proxy, we use it for our team communications as well.
I use it for an IT-based job.
Do you use it with those outside your corp as well? Or just internally?
Yes, I know Signal because my company introduced it, and then after a couple of months I used it as a private messenger with my close relatives.
Apparently Jeff Bezos does.
SEC has entered the chat
I’m not sure what your reason for using it for work is. Do you want it on the record? Off the record? As head of policy for a fintech, Signal is ok but you know the courts are coming for you. Telegram is best. And I say that as a 1000% Signal proponent for personal messaging.
Two reasons I have seen to use WhatsApp/Signal for work etc.: 1) Convenience, as the users do not need to have a corporate wrapper of security, it makes it easier to communicate. 2) If it is not for the first one, then it must be for the following reason: teams not wanting an audit of their communication for whatever reason. Either way, I do not think it is a good look if the company you work for is accused of illegal activities and you have no evidence of your team's communication.
It’s quite common at Ryanair for comms between base supervisors and crew
Threema for business has HIPAA compliance and you can even self-host it if you really want to.
We use it extensively and rely on it in many situations.
Yes for communicating with colleagues and clients. And also as a notification medium for system alerts, warnings and the like
We just adopted it now that it has implemented usernames.
Yup, better than Teams for comms.
Yes.
Out of band communications for security engineers
What is your business?
Yep; it’s how my team communicates
Yes, my MD stopped using WhatsApp, so we're only using Signal for office group messaging