If you’re building and selling software for businesses, moving up-market and to enterprise is a question of when, not if. Most of the most successful SaaS IPOs of the past few years – Zoom, PagerDuty, Dropbox, Elastic, to name a few – can trace their success to nailing the art of the big deal. A great example is Slack: after building a strong base of SMB support, they extended to the enterprise and locked down deals with Oracle, IBM, Target, and ETrade.
This post looks at how features like SAML SSO, EKM, and audit logs help Slack be enterprise-ready and close those deals.
If you want to successfully and repeatably close enterprise deals, there’s a lot to get done across the entire company stack, especially hiring: you’ll need account execs, success staff, and support engineers who know how to build and maintain a new type of relationship. But everything starts with your product, and if it’s not up to spec, you’ll have a bunch of highly paid people just sitting around drinking La Croix.
Enterprise-ready product work isn’t cool and shiny, and it’s not easy either. If you’re a developer, you’ll find yourself deep in XML parsing (I’m sorry) to configure SAML, repeatedly debugging event payloads in audit logs, and integrating with 18 different AWS services you’ve never heard of. But it’s work that pays off if you do it well.
Slack has done it well. They’ve built enterprise-ready functionality into the app across the stack:
If some of these acronyms scare you, don’t worry. We’re going to dive into each of these, explore why they’re important for being enterprise-ready, and look at how Slack implements and uses them to its advantage.
The first layer of an enterprise-ready product suite is authentication: the entry point to your application needs to be secure and integrated with enterprise-grade identity providers. Enterprises will almost always use an external identity provider like Okta, and many are literally not allowed to sign deals with vendors that use plain old email and password. Adding Single Sign On (SSO) to your application lets you outsource authentication to an enterprise's provider and integrate with their existing systems.
Slack supports SAML-based SSO (SAML is the most popular protocol for enterprise SSO, and stands for Security Assertion Markup Language) for 10+ different identity providers (Okta, OneLogin, and Auth0, among others). You can configure SSO for natively supported providers, or even build a custom SAML connection yourself.
Another critical part of enterprise identity management is directory integration – managing user identities and groups across your organization’s applications. A popular standard is SCIM – short for System for Cross-domain Identity Management – and Slack provides an API for working with it natively. You can add new users and groups, manage their information, and de-provision them automatically, among other things.
Slack’s support for SAML-based SSO and for SCIM is a standard piece of the enterprise-ready toolkit that allowed them to move up-market, and building great docs around their APIs helped turn a requirement into a selling point.
Enterprises will not work with vendors who aren’t secure, end of story. And while that’s pretty obvious, how you actually achieve and maintain the security standards required by large buyers is not. As part of the procurement process, enterprises are going to ask for custom work, pen test results, and even in some cases which open source software you’re using. One way to get ahead of the curve is certifications that verify your adherence to security best practices.
Slack is a poster child for having all of the badges: ISO, SOC 2 and 3, Privacy Shield, you name it. They’re all clearly laid out on the company’s dedicated security page.
Slack can also be configured for HIPAA and FINRA compliance. Actually achieving compliance for these standards isn’t always easy, but they’re critical pieces in communicating security to larger buyers.
Another area where Slack shines in enterprise-ready security is EKM – encryption key management. Slack’s EKM feature lets enterprise users integrate their AWS KMS accounts with Slack to granularly manage and control their encryption keys, as well as the scopes for encryption (messages that disappear after an hour, etc.).
Slack’s landing page for EKM has a good quote from IDC that helps contextualize why EKM is important:
“Technology like Slack Enterprise Key Management is rapidly becoming a core requirement for enterprises of all sizes that need enhanced security of their collaboration environment. It becomes more important for enterprises to retain control of their encryption keys.”
It’s a bit market-y, but the point stands. After shipping this feature, the engineering team who worked on EKM at Slack wrote a post about how they built it and how it helps them be enterprise-ready. Long story short: it’s another bargaining piece on top of existing enterprise compliance that gives Slack even more leverage for larger deals.
Audit logs give organizations a complete history of what’s happened in the applications they’re using: user actions, permission changes, downloads, and whatever else you configure. These kinds of logs are key for enterprise security requirements: they give administrators full visibility of logins, access points, and anything relevant to their workflows.
Slack provides audit logs as a read-only REST API. It lets developers query pretty much any user activity with a semi-standard schema for each event. To make this a bit more concrete, take a look at some of the events that Slack includes: workspace_created, emoji_added, pref.allow_calls, and ekm_key_added are good examples (emojis are key). If you’ve instrumented app events for analytics before, this will look familiar. Here’s an example payload from Slack’s docs:
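Slack's payload is not reproduced here. The following is an added example, not taken from Slack's docs or code: a Python triage pass over constructed events that uses the action names mentioned above. The flat field names (`id`, `date_create`, `action`, `actor`), the severity rules, and the `KEY_ADMINS` allowlist are assumptions made for illustration.

```python
import json

# Constructed sample entries. Field names and the flat "actor" string are
# assumptions for this example, not Slack's documented schema.
SAMPLE = json.loads("""
[
 {"id": "e1", "date_create": 1700000000, "action": "emoji_added", "actor": "U100"},
 {"id": "e2", "date_create": 1700000060, "action": "pref.allow_calls", "actor": "U200"},
 {"id": "e3", "date_create": 1700000120, "action": "ekm_key_added", "actor": "U200"},
 {"id": "e4", "date_create": 1700000180, "action": "workspace_created", "actor": "U300"},
 {"id": "e5", "date_create": 1700000240, "action": "ekm_key_added", "actor": "U999"},
 {"id": "e6", "action": "pref.allow_calls"}
]
""")

# Hypothetical policy: severity keyed by action name or prefix.
RULES = [("ekm_", "high"), ("pref.", "medium"), ("workspace_created", "medium")]
KEY_ADMINS = {"U200"}  # hypothetical users expected to manage encryption keys
REQUIRED = ("id", "date_create", "action", "actor")

def severity(action):
    """Map an action name to a severity; unmatched actions are informational."""
    for prefix, level in RULES:
        if action.startswith(prefix):
            return level
    return "info"

def triage(entries, key_admins=KEY_ADMINS):
    """Return (alerts, malformed_ids); alerts are (id, level, reason) tuples."""
    alerts, malformed = [], []
    for e in entries:
        # An entry missing its actor or timestamp cannot be attributed, so
        # surface it separately instead of silently dropping it.
        if not all(k in e for k in REQUIRED):
            malformed.append(e.get("id"))
            continue
        level, reason = severity(e["action"]), e["action"]
        if level == "info":
            continue
        # Key-management actions by an unexpected actor are escalated.
        if e["action"].startswith("ekm_") and e["actor"] not in key_admins:
            level, reason = "critical", f"{reason} by non-key-admin {e['actor']}"
        alerts.append((e["id"], level, reason))
    return alerts, malformed

if __name__ == "__main__":
    for alert in triage(SAMPLE)[0]:
        print(alert)
```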
Another key enterprise-ready feature Slack supports is RBAC, or role-based access control. In normal person language we’d call this permissions, and it’s how Slack enables admins to choose which users have access to which channels, workspaces, and actions. If you’ve worked with AWS, you’re probably familiar with their IAM system that lets admins allocate permissions to resources across their organization; this is that.
Most SaaS products have some sort of admin functionality, but to be enterprise-ready, your access controls need to be wide ranging and granular. On Slack’s enterprise grid plan, there are 5 different user roles – org owner, org admin, workspace owner, workspace admin, and member – and each has unique permission levels for activity across the app. Enterprise users can also customize permissions at each role.
A big part of a successfully enterprise-ready product is communication. Slack does a great job of effectively communicating the suite of enterprise features they’ve built, and optimizes their site for enterprise conversion by giving enterprise content a front row seat. Exhibit A: a special landing page for enterprises that walks through security and enterprise features. It’s even a link in the site’s navbar:
Slack brands their enterprise tier as “Enterprise Grid” (which sounds Very Official) and puts in a call to action to “contact sales” instead of “getting started” like the other three tiers on their pricing page. The Enterprise Grid bullet points are catered to winning over “extra large businesses” and focus on the features that make Slack enterprise-ready.
There’s also a dedicated landing page for security with a list of certifications, as well as a data sheet with more granular information on Slack’s architecture and security compliance. Slack also built a landing page for EKM, ran a webinar about it, and wrote a blog post about it in 5 different languages. Beyond investing in enterprise-ready product, they’re investing in communicating that product and growing it organically.
If all of these features and communication seem like a lot of work to you, that’s because they are. Getting your company ready to close larger deals and move upmarket doesn’t translate to well-defined checkboxes - it’s a commitment to a way of building your product specifics. And those specifics - especially SSO and SAML - are complex, manual, and tedious to build. If you’re looking for APIs to help, WorkOS gives you SSO/SAML, Magic Link, SCIM, and more out of the box.