Security Overview
Security in Mattermost software is continually reviewed by developers, IT administrators and security researchers accountable for deploying the software in their organizations.
Multiple rounds of penetration testing and security analysis, in addition to internal reviews, have produced a long list of safeguards, processes and policies. Please see:
- Security Features - Recommended features to enhance security on the Mattermost platform.
- Security Updates - Upgrades addressing newly discovered attacks confidentially disclosed to Mattermost, Inc.
- Security Policies - Internal security policies, development guidelines, business continuity plans and common security-related questions from enterprises.
To expand on each:
Security Features
Mattermost offers a host of features to help keep your private cloud communications secure.
Private Cloud Deployment with Secure Mobile Apps
- Mattermost can run entirely behind your firewall as a single Linux binary with MySQL or PostgreSQL.
- Mattermost mobile apps can be deployed to an internal Enterprise App Store, using the source code available for the Mattermost mobile apps and the push notification service. Optionally, VPN clients on PC and mobile devices can be used outside your private network.
- Optionally, Mattermost mobile apps can run without a VPN by opening standard ports on your Mattermost server, such as 80 or 443. In this configuration, you have the option of using the compiled iOS and Android applications in iTunes and Google Play provided by Mattermost, Inc. (E10, E20), as well as enabling multi-factor authentication (E10, E20).
- User sessions across web, PC and mobile can be remotely revoked through account settings, or via the System Console by deactivating accounts.
Centralized Security and Administration
- Manage users, teams, access control and system settings in a web-based System Console user interface.
Transmission Security
- Mattermost supports TLS encryption using AES-256 with 2048-bit RSA on all data transmissions across both LAN and internet.
- Connections to Active Directory/LDAP can optionally be secured with TLS or stunnel (E10).
- Encryption-at-rest is available through hardware and software disk encryption solutions applied to the Mattermost database, which can reside on its own server within your infrastructure.
- Option to exclude message contents from push notifications to comply with strict compliance policies, such as US HIPAA standards.
- Ability to exclude or include the contents of messages in push notifications, to avoid disclosure on locked mobile screens and via the relay servers from Apple and Google used when sending notifications to iOS or Android mobile apps (relevant to compliance standards such as HIPAA).
Integrity & Audit Controls
- By default, Mattermost stores a complete history of messages, including edits and deletes, along with all files uploaded. User interface actions for “deleting” messages, channels and private groups only remove the data from the user interface; the data is retained within your database.
- The output and archives of server logs can be saved to a directory of your choice. Mattermost server logs plus logs from your web proxy can provide an end-to-end history of system usage.
- Ad hoc compliance reports of messaging by user, date range and keyword, including edited and deleted messages, are available (E20). To protect against unauthorized use, all ad hoc report requests are logged.
- Daily compliance reports compatible with third-party compliance solutions such as Global Relay are also available (E20).
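The retention behaviour described in this section (a UI "delete" or edit never removes the row, and an ad hoc report can still reach the earlier versions) can be illustrated with a small soft-delete model. This is an added example, not Mattermost's own code or schema: the Posts table below is a reduced model of the columns Mattermost uses (Id, CreateAt, EditAt, DeleteAt, UserId, ChannelId, OriginalId, Message), and the edit mechanics, the in-memory SQLite store and the sample messages are constructed assumptions for this example.

```python
"""Soft-delete model of message retention plus an ad hoc compliance query.

Added example, not Mattermost code. The Posts table is a reduced model of
Mattermost's Posts columns; the edit/delete mechanics and sample rows are
constructed for this example.
"""
import sqlite3
from typing import Any, Dict, List, Optional

SCHEMA = """
CREATE TABLE Posts (
    Id         TEXT PRIMARY KEY,
    CreateAt   INTEGER NOT NULL,            -- epoch milliseconds
    EditAt     INTEGER NOT NULL DEFAULT 0,  -- 0 = never edited
    DeleteAt   INTEGER NOT NULL DEFAULT 0,  -- 0 = live; nonzero = hidden from the UI
    UserId     TEXT NOT NULL,
    ChannelId  TEXT NOT NULL,
    OriginalId TEXT NOT NULL DEFAULT '',    -- archived version: Id of the live post
    Message    TEXT NOT NULL
);
"""


def create_post(conn: sqlite3.Connection, post_id: str, user: str,
                channel: str, message: str, now_ms: int) -> None:
    conn.execute(
        "INSERT INTO Posts (Id, CreateAt, UserId, ChannelId, Message) VALUES (?, ?, ?, ?, ?)",
        (post_id, now_ms, user, channel, message))


def ui_delete(conn: sqlite3.Connection, post_id: str, now_ms: int) -> None:
    """What the UI's delete does in this model: mark the row, never DELETE it."""
    conn.execute("UPDATE Posts SET DeleteAt = ? WHERE Id = ?", (now_ms, post_id))


def ui_edit(conn: sqlite3.Connection, post_id: str, new_message: str, now_ms: int) -> None:
    """An edit keeps the previous text as an archived (soft-deleted) row that points at the live post."""
    create_at, user, channel, old_message = conn.execute(
        "SELECT CreateAt, UserId, ChannelId, Message FROM Posts WHERE Id = ?", (post_id,)).fetchone()
    conn.execute(
        "INSERT INTO Posts (Id, CreateAt, DeleteAt, UserId, ChannelId, OriginalId, Message) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        (f"{post_id}-v{now_ms}", create_at, now_ms, user, channel, post_id, old_message))
    conn.execute("UPDATE Posts SET Message = ?, EditAt = ? WHERE Id = ?",
                 (new_message, now_ms, post_id))


def visible_messages(conn: sqlite3.Connection, channel: str) -> List[str]:
    """What a user sees in the channel: live rows only."""
    rows = conn.execute(
        "SELECT Message FROM Posts WHERE ChannelId = ? AND DeleteAt = 0 ORDER BY CreateAt",
        (channel,))
    return [r[0] for r in rows]


def compliance_report(conn: sqlite3.Connection, user: Optional[str] = None,
                      start_ms: Optional[int] = None, end_ms: Optional[int] = None,
                      keyword: Optional[str] = None) -> List[Dict[str, Any]]:
    """Ad hoc report by user, date range and keyword; edited and deleted versions are included."""
    cols = ["Id", "UserId", "ChannelId", "CreateAt", "EditAt", "DeleteAt", "OriginalId", "Message"]
    sql = f"SELECT {', '.join(cols)} FROM Posts WHERE 1 = 1"
    params: List[Any] = []
    if user is not None:
        sql += " AND UserId = ?"
        params.append(user)
    if start_ms is not None:
        sql += " AND CreateAt >= ?"
        params.append(start_ms)
    if end_ms is not None:
        sql += " AND CreateAt <= ?"
        params.append(end_ms)
    if keyword is not None:
        sql += " AND Message LIKE ?"
        params.append(f"%{keyword}%")
    sql += " ORDER BY CreateAt, Id"
    return [dict(zip(cols, row)) for row in conn.execute(sql, params)]


def build_sample_db() -> sqlite3.Connection:
    """Constructed history: two posts, one edited and one deleted through the UI."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    create_post(conn, "p1", "alice", "ward-7", "Room 12 chart is ready", 1000)
    create_post(conn, "p2", "bob", "ward-7", "lunch at noon?", 2000)
    ui_edit(conn, "p1", "Chart is ready", 3000)
    ui_delete(conn, "p2", 4000)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("UI shows:", visible_messages(db, "ward-7"))
    for row in compliance_report(db, keyword="Room 12"):
        print("report hit:", row)
```

After `build_sample_db()` the channel shows a single live message, while the report for the keyword "Room 12" returns the archived pre-edit text (DeleteAt set, OriginalId pointing at the live post) and a report filtered to user bob returns the "deleted" message with its DeleteAt timestamp.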
Authentication Safeguards
- To protect against brute force attacks, you can set rate limiting on APIs, varied by query frequency, memory store size, remote address and headers.
- Session length and session cache can be configured according to your internal policies.
- Remotely revoke user sessions across web, mobile devices and native desktop apps.
- Mattermost supports integrated authentication with Active Directory and LDAP (E10) as well as Active Directory Federation Services and Okta via SAML 2.0 (E20).
- The ability to require multi-factor authentication is also available (E10).
Access Control Policy
- Limit communications to specific users, private groups, or team-wide public channels.
- Increase system security by restricting email-based account creation to email addresses from a list of specific domains, e.g. “corp.mattermost.com”, “mattermost.org”, etc.
- Choose whether to restrict or enable cross-origin requests.
- If sharing of public links for account creation, or sharing of files and images, is enabled, links can be invalidated via the System Console by regenerating salts.
- Optionally restrict creation, renaming and archiving of channels, private groups and integrations to team admins, system admins or end users (E10).
- Optionally restrict sending team invites to team admins, system admins or end users (E10).
- Optionally add advanced password requirements with minimum numbers of symbols, numbers, and lower and uppercase letters (E10).
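The Transmission Security, Authentication Safeguards and Access Control Policy items above are all driven by settings in the server's config.json. The following audit script is an added example, not Mattermost's own code or tooling: it reads a config.json and reports which of those settings are still permissive. The keys it checks (ServiceSettings.ConnectionSecurity, TLSCertFile, TLSKeyFile, AllowCorsFrom, SessionLengthWebInDays; RateLimitSettings.Enable and VaryByRemoteAddr; PasswordSettings.MinimumLength, Lowercase, Number, Uppercase, Symbol; TeamSettings.RestrictCreationToDomains; LdapSettings.ConnectionSecurity and SkipCertificateVerification) are real config.json keys; the two sample configs, the certificate paths and the thresholds (30-day web sessions, 10-character passwords) are constructed assumptions for this example.

```python
"""Audit a Mattermost config.json for permissive transmission, authentication
and access-control settings.

Added example, not Mattermost code. Keys are real config.json keys; the sample
configs, paths and thresholds are constructed assumptions.
"""
import json
from typing import Any, Dict, List

# Constructed sample: a config that still has several permissive settings.
WEAK_CONFIG = json.dumps({
    "ServiceSettings": {
        "ConnectionSecurity": "",        # listener speaks plain HTTP
        "TLSCertFile": "", "TLSKeyFile": "",
        "AllowCorsFrom": "*",            # any origin may make cross-origin requests
        "SessionLengthWebInDays": 180,
    },
    "RateLimitSettings": {"Enable": False, "PerSec": 10, "MaxBurst": 100,
                          "MemoryStoreSize": 10000, "VaryByRemoteAddr": True},
    "PasswordSettings": {"MinimumLength": 5, "Lowercase": False, "Number": False,
                         "Uppercase": False, "Symbol": False},
    "TeamSettings": {"RestrictCreationToDomains": ""},
    "LdapSettings": {"Enable": True, "ConnectionSecurity": "",
                     "SkipCertificateVerification": True},
})

# Constructed sample: the same config with each setting tightened (placeholder cert paths).
HARDENED_CONFIG = json.dumps({
    "ServiceSettings": {
        "ConnectionSecurity": "TLS",
        "TLSCertFile": "/etc/mattermost/cert.pem",
        "TLSKeyFile": "/etc/mattermost/key.pem",
        "AllowCorsFrom": "",             # empty = cross-origin requests disabled
        "SessionLengthWebInDays": 30,
    },
    "RateLimitSettings": {"Enable": True, "PerSec": 10, "MaxBurst": 100,
                          "MemoryStoreSize": 10000, "VaryByRemoteAddr": True},
    "PasswordSettings": {"MinimumLength": 12, "Lowercase": True, "Number": True,
                         "Uppercase": True, "Symbol": True},
    "TeamSettings": {"RestrictCreationToDomains": "corp.mattermost.com,mattermost.org"},
    "LdapSettings": {"Enable": True, "ConnectionSecurity": "TLS",
                     "SkipCertificateVerification": False},
})


def _get(cfg: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Walk a dotted key path such as 'RateLimitSettings.Enable'."""
    node: Any = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit(config_text: str, max_session_days: int = 30,
          min_password_len: int = 10, tls_at_proxy: bool = False) -> List[str]:
    """Return one finding per permissive setting; an empty list means nothing was flagged."""
    cfg = json.loads(config_text)
    findings: List[str] = []

    # Transmission security: TLS on the listener (unless a reverse proxy terminates it)
    # and on the LDAP connection.
    if not tls_at_proxy:
        if _get(cfg, "ServiceSettings.ConnectionSecurity", "") != "TLS":
            findings.append("ServiceSettings.ConnectionSecurity is not TLS")
        elif not (_get(cfg, "ServiceSettings.TLSCertFile") and _get(cfg, "ServiceSettings.TLSKeyFile")):
            findings.append("TLS is enabled but TLSCertFile/TLSKeyFile are empty")
    if _get(cfg, "LdapSettings.Enable"):
        if _get(cfg, "LdapSettings.ConnectionSecurity", "") not in ("TLS", "STARTTLS"):
            findings.append("LdapSettings.ConnectionSecurity is neither TLS nor STARTTLS")
        if _get(cfg, "LdapSettings.SkipCertificateVerification"):
            findings.append("LdapSettings.SkipCertificateVerification is true")

    # Authentication safeguards: rate limiting against brute force, bounded session length.
    if not _get(cfg, "RateLimitSettings.Enable"):
        findings.append("RateLimitSettings.Enable is false (no brute-force rate limiting)")
    elif not _get(cfg, "RateLimitSettings.VaryByRemoteAddr"):
        findings.append("RateLimitSettings.VaryByRemoteAddr is false (one shared bucket for all clients)")
    if _get(cfg, "ServiceSettings.SessionLengthWebInDays", 0) > max_session_days:
        findings.append(f"ServiceSettings.SessionLengthWebInDays exceeds {max_session_days}")

    # Access control: cross-origin requests, account-creation domains, password complexity.
    if _get(cfg, "ServiceSettings.AllowCorsFrom", "") == "*":
        findings.append("ServiceSettings.AllowCorsFrom is '*' (all origins allowed)")
    if not _get(cfg, "TeamSettings.RestrictCreationToDomains"):
        findings.append("TeamSettings.RestrictCreationToDomains is empty")
    pw = _get(cfg, "PasswordSettings", {}) or {}
    classes = ("Lowercase", "Number", "Uppercase", "Symbol")
    if pw.get("MinimumLength", 0) < min_password_len or not all(pw.get(c) for c in classes):
        findings.append(f"PasswordSettings do not require {min_password_len}+ characters "
                        "with lowercase, number, uppercase and symbol")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Run it against a real config.json with `audit(open("config.json").read())`; pass `tls_at_proxy=True` when a reverse proxy terminates TLS in front of the server, since ConnectionSecurity is legitimately empty in that layout.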
Security Updates
Security updates address newly discovered attacks reported to Mattermost, Inc. by the security research community. Disclosures are made confidentially, under the Mattermost responsible disclosure policy, allowing Mattermost, Inc. to provide security updates to the community prior to public disclosure.
For more information, please see:
- Mattermost Security Updates Disclosures - A summary of security updates made based on past and ongoing security analysis and penetration testing.
- Mattermost Responsible Disclosure Policy - An overview of how security issues are confidentially reported to and addressed by Mattermost, Inc.
Security Policies
For information on internal security policies, development guidelines, business continuity plans and common security-related questions from enterprises, please see our Security Policies documentation.
HIPAA compliance
Deploying Mattermost as part of a HIPAA-compliant IT infrastructure requires a deployment team trained on HIPAA-compliance requirements and standards.
Mattermost offers HIPAA-relevant Technical Safeguards including:
HIPAA-compliant deployments commonly consider the following:
Omitting the contents of messages from mobile push notifications:
- If your Push Notifications Contents option is set to “Send full message snippet”, there is a chance Personal Health Information (PHI) contained in messages could be displayed on a user’s locked phone as a notification. To avoid this, set the option to “Send generic description with user and channel names”.
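To make the risk above concrete, the following model builds the notification text that would leave the server under each setting and flags notifications that carry PHI-like content. This is an added example, not Mattermost's own code: the setting name EmailSettings.PushNotificationContents and its values "full" ("Send full message snippet") and "generic" ("Send generic description with user and channel names") are real config.json values, while the payload layout, the PHI patterns, the fallback to "generic" when the key is absent, and the sample posts are constructed assumptions for this example.

```python
"""Model of push notification contents under each Push Notification Contents
setting, with a check for PHI-like content in what would be sent.

Added example, not Mattermost code. The config key and its values are real;
payload layout, PHI patterns and sample posts are constructed.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed PHI-like markers: a medical-record-number shape and a few clinical terms.
PHI_PATTERNS = [
    re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
    re.compile(r"\b(diagnos(?:is|ed)|prescription|lab result)\b", re.IGNORECASE),
]

# Constructed posts: (sender, channel, message)
SAMPLE_POSTS: List[Tuple[str, str, str]] = [
    ("dr.lee", "ward-7", "MRN 00123456 lab result is back, please call"),
    ("nurse.kim", "ward-7", "Room 12 diagnosis confirmed"),
    ("it.help", "town-square", "Maintenance window tonight at 22:00"),
]


def push_payload(setting: str, sender: str, channel: str, message: str) -> Dict[str, str]:
    """Build the text the Apple/Google relay and the device lock screen would see."""
    if setting == "full":
        # "Send full message snippet": the message body travels with the notification
        return {"title": f"{sender} in {channel}", "body": message}
    if setting == "generic":
        # "Send generic description with user and channel names": no message text
        return {"title": sender, "body": f"{sender} sent you a message in {channel}"}
    raise ValueError(f"unsupported PushNotificationContents value: {setting!r}")


def setting_from_config(config_text: str) -> str:
    """Read EmailSettings.PushNotificationContents from a config.json string."""
    email = json.loads(config_text).get("EmailSettings", {})
    return email.get("PushNotificationContents", "generic")  # assumed fallback


def carries_phi(payload: Dict[str, str]) -> bool:
    """True if any PHI pattern matches the notification title or body."""
    text = " ".join(payload.values())
    return any(p.search(text) for p in PHI_PATTERNS)


def leaking_notifications(setting: str,
                          posts: List[Tuple[str, str, str]] = SAMPLE_POSTS) -> List[Dict[str, str]]:
    """Notifications that would expose PHI under the given setting."""
    return [p for p in (push_payload(setting, *post) for post in posts) if carries_phi(p)]


if __name__ == "__main__":
    for setting in ("full", "generic"):
        hits = leaking_notifications(setting)
        print(f"{setting}: {len(hits)} notification(s) would carry PHI")
        for hit in hits:
            print("  ", hit)
```

With the sample posts, the "full" setting produces two notifications that match the PHI patterns, while "generic" produces none, because only the sender and channel names are included.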
Beyond Technical Safeguards, HIPAA compliance deployments also require:
- Administrative Safeguards
- Physical Safeguards
- Organizational requirements and other standards.
To learn more, please review HIPAA requirements from the US Department of Health and Human Services.