Security in Mattermost software is continually reviewed by developers, IT administrators and security researchers accountable for deploying the software in their organizations.
Multiple rounds of penetration testing and security analysis, in addition to internal reviews, have produced a long list of safeguards, processes, policies, and compliance features, please see:
To expand on each:
Mattermost offers a host of features to help keep your private cloud communications secure.
- Mattermost can run entirely behind your firewall as a single Linux binary with MySQL or PostgreSQL
- Mattermost mobile apps can be deployed to an internal Enterprise App Store by using source code available for Mattermost mobile apps and push notification service. Optionally VPN clients on PC and mobile devices can be used outside your private network.
- Optionally, Mattermost mobile apps can run without a VPN by opening standard ports on your Mattermost server, such as 80 or 443. In this configuration, you have the option of using compiled iOS and Android applications in iTunes and Google Play provided by Mattermost, Inc. (E10, E20), as well as enabling multi-factor authentication (E10, E20).
- User sessions across web, PC and mobile can be remotely revoked through account settings, or via the System Console by deactivating accounts.
- Mattermost apps can be packaged into leading Enterprise Mobility Management solutions including AirWatch and Blackberry through AppDome.
- Manage users, teams, access control and system settings in a web-based System Console user interface.
- Mattermost supports TLS encryption using AES-256 with 2048-bit RSA on all data transmissions between Mattermost client applications and the Mattermost server across both LAN and internet.
- Connections to Active Directory/LDAP can be optionally secured with TLS or stunnel (E10).
- Encryption-at-rest is available for messages via hardware and software disk encryption solutions applied to the Mattermost database, which resides on its own server within your infrastructure. To enable end user search and compliance reporting of message histories, Mattermost does not offer encryption within the database.
- Encryption-at-rest is available for files stored via hardware and software disk encryption solutions applied to the server used for local storage or storage via Minio.
- Encryption-at-rest is available for files stored in Amazon’s proprietary S3 system using server-side encryption with Amazon S3-managed keys (E20) when users choose not to use open source options.
- Option to exclude message contents from push notifications to comply with strict compliance policies, such as US HIPAA standards.
- Ability to exclude or include the contents of messages in push notifications to avoid disclosure on locked mobile screens, and via relay servers from Apple and Google when sending notifications to iOS or Android mobile apps (relevant to compliance standards such as HIPAA)
- By default, Mattermost stores a complete history of messages, including edits and deletes, along with all files uploaded. User interface actions for “deleting” messages and channels remove the data only from the user interface; the data is retained within your database. If your compliance guidelines require it, you can turn off users’ ability to edit and delete their messages after they are posted.
- Custom data retention policies on messages and file uploads is available (E20). A daily data deletion job can be scheduled that deletes messages from the database and user interface, and file uploads from local file storage or Amazon S3, which exceed the specified retention period.
- The output and archives of server logs can be saved to a directory of your choice. Mattermost server logs plus logs from your web proxy can provide an end-to-end history of system usage.
- Ad hoc compliance reports of messaging by user, date range, and keyword, including edited and deleted messages are available (E20). To protect against unauthorized use, all ad hoc report requests are logged.
- Daily compliance reports compatible with 3rd party compliance solutions such as Global Relay are also available (E20).
- To protect against brute force attacks, you can set rate limiting on APIs, varied by query frequency, memory store size, remote address and headers.
- Session length, session cache and idle timeout can be configured according to your internal policies, automatically forcing a user to re-login after a specified period of time.
- Remotely revoke user sessions across web, mobile devices and native desktop apps.
- Remotely reset user passwords via the System Console or via the command line.
- Mattermost supports integrated authentication with Active Directory and LDAP (E10) as well as SAML 2.0 SSO integration with providers including Active Directory Federation Services, Okta, among others (E20).
- The ability to require multi-factor authentication is also available (E10).
- Limit communications to specific users, private channels, or team-wide public channels
- Increase system security by restricting email-based account creation to email addresses from a list of specific domains, e.g. “corp.mattermost.com”, “mattermost.org”, etc.”
- Choose whether to restrict or enable cross-origin requests.
- If sharing of public links for account creation or sharing of files and images are enabled, links can be invalidated via the System Console by regenerating salts.
- Optionally add advanced passwords requirements with minimum numbers of symbols, numbers, and lower and uppercase letters.
- Optionally restrict creation, renaming, archiving of channels, private channels and integrations to team admins, system admins or end users (E10)
- Optionally restrict sending team invites to team admins, system admins or end users (E10)
Security updates address newly discovered attacks reported to Mattermost, Inc. by the security research community. Disclosures are made confidentially, under the Mattermost responsible disclosure policy, allowing for Mattermost, Inc. to provide security updates to the community prior to public disclosure.
For more information, please see:
For information on internal security policies, development guidelines, business continuity plans and common security-related questions from enterprises, please see our Security Policies documentation.
Deploying Mattermost as part of a HIPAA-compliant IT infrastructure requires a deployment team trained on HIPAA-compliance requirements and standards.
Mattermost offers HIPAA-relevant Technincal Safeguards including:
HIPAA-compliant deployments commonly consider the following:
Omitting the contents of messages from mobile push and email notifications:
- If your Push Notifications Contents option is set to
Send full message snippetthere is a chance Personal Health Information (PHI) contained in messages could be displayed on a user’s locked phone as a notification. To avoid this, set the option to
Send generic description with user and channel namesor
Send generic description with only sender name.
- Similarly, setting Email Notifications Contents to
Send generic description with only sender namewill only send the team name and name of the person who sent the message, with no information about channel name or message contents included in email notifications.
- If your Push Notifications Contents option is set to
Beyond Technical Safeguards, HIPAA compliance deployments also require:
- Administrative Safeguards
- Physical Safeguards
- Organizational requirements and other standards.
To learn more, please review HIPAA requirements from the US Department of Health and Human Services.