Here's an important difference.
The 18F post says:
"we reviewed all Google Drive files shared between Slack and Drive, just to be sure nothing was shared that shouldn't have been. Our review indicated no personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property was shared."
While the OIG report says:
"[the integration] permitted full access to over 100 GSA Google Drives, resulting in a data breach."
One of the huge risks of using multiple cloud services is that you can't firewall between them effectively. If Slack and Google Docs were in-house applications, they never would have been allowed to talk to each other without an explicit review and firewall rule.
We are giving up defense in depth for ease-of-use SaaS.
The world needs a self-hosted Slack.
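The "explicit review" that the comment above says SaaS integrations bypass can be partly recovered by reviewing the OAuth 2.0 scopes an integration requests before anyone clicks "Allow". The following is an added example and is not code from this thread, from 18F, or from GSA. The two Drive scope URIs are Google's documented ones (full Drive access versus per-file access); the allowlist and the sample authorization URLs are constructed for illustration and are not taken from the incident.

```python
from urllib.parse import urlparse, parse_qs

# Google Drive OAuth 2.0 scope URIs. DRIVE_FULL grants read/write access to
# every file in the user's Drive; DRIVE_PER_FILE is limited to files the app
# created or the user explicitly opened with it.
DRIVE_FULL = "https://www.googleapis.com/auth/drive"
DRIVE_PER_FILE = "https://www.googleapis.com/auth/drive.file"

# Hypothetical allowlist of scopes a chat integration may request.
# This is an illustrative policy, not GSA's IT Standards Profile.
ALLOWED_SCOPES = {
    DRIVE_PER_FILE,
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "openid",
    "email",
}


def requested_scopes(authorize_url: str) -> set:
    """Return the set of scopes in an OAuth 2.0 authorization request URL.

    The `scope` parameter is a single space-separated, percent-encoded
    string; parse_qs decodes it before we split on whitespace.
    """
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def review_grant(authorize_url: str, allowed=ALLOWED_SCOPES) -> dict:
    """Flag any requested scope outside the allowlist.

    A grant is approved only if every requested scope is allowlisted; the
    disallowed set tells the reviewer exactly what to push back on.
    """
    scopes = requested_scopes(authorize_url)
    disallowed = scopes - set(allowed)
    return {
        "requested": scopes,
        "disallowed": disallowed,
        "approved": not disallowed,
    }


# Constructed sample authorization URLs (not captured from a real integration).
# BROAD asks for full Drive access, the kind of grant that exposes every file.
BROAD_GRANT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive%20openid%20email"
)
# NARROW asks only for per-file access plus identity.
NARROW_GRANT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file%20openid"
)

if __name__ == "__main__":
    for label, url in (("broad", BROAD_GRANT_URL), ("narrow", NARROW_GRANT_URL)):
        verdict = review_grant(url)
        print(label, "approved" if verdict["approved"] else "REJECT",
              sorted(verdict["disallowed"]))
```

The check is deliberately a denylist-free allowlist: anything not explicitly permitted is rejected, so a new broad scope added by the vendor later fails review rather than slipping through. It only covers the authorization request; a second check against the scopes actually present on the issued token (the provider's token-info endpoint, for Google) is needed to catch grants made outside the reviewed flow.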
This does not address the core complaint from the breach[1]:
> 18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile, GSA Order CIO P 2160.1E. The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile.
> ...
> The OIG makes the following recommendations:
> 1. GSA should cease using Slack and OAuth 2.0 until and unless they are approved for use in the IT Standards Profile.
> 2. GSA should ensure that 18F complies with GSA Order CIO P 2160.1E.
Is 18F no longer using Slack or any other OAuth 2.0 integrations? That would be a shame. Are they working with GSA and the Office of Inspections and Forensic Auditing to clear Slack/OAuth 2.0?
[1]: https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%...