Blog: Spotlight on Atlassian Cloud Security
As you contemplate a move to Atlassian Cloud, no doubt security is top of mind. That’s not only understandable but vital in today’s environment. Nearly four thousand successful data breaches impacted hundreds of millions of people worldwide in 2020 alone. And the projections for future wide-scale cybersecurity threats are even more dire as hackers continue to escalate the speed and scope of their attacks.
This is the first of a three-part series we are publishing to cover important considerations for organizations moving to Atlassian Cloud. These articles will cover:
- The security features and supporting principles that are already baked into Atlassian Cloud to keep your data secure.
- The client’s role in maintaining a secure cloud environment through proper governance, configuration, and auditing.
- Compliance requirements and how they can be addressed with the security features in Atlassian Cloud.
Atlassian’s internal security processes
The infrastructure and security features in Atlassian’s Cloud products can only be as effective and reliable as the security processes the company adheres to internally. We can confirm Atlassian’s principles and processes are of the highest caliber.
For a full rundown, we recommend reviewing Atlassian’s Security Guide in its entirety. Here are a few highlights of note:
- Atlassian’s Common Controls Framework supports its compliance with ten different international standards for security.
- Its Security Detections Program and Security Incident Management process ensure fast identification and mitigation of security threats.
- Training and development practices across the organization stress security at every level and at all times, which supports industry-standard operational practices.
- Atlassian incentivizes both employees and users to actively seek out and report security concerns through its Security Champions and Bug Bounty programs.
The power of ZeroTrust
ZeroTrust is a philosophy behind security protocols that can be summarized in the axiom, “Never trust, always verify.” In other words, Atlassian’s corporate and cloud security infrastructures are based around a commitment to never sacrificing security for convenience.
In practice, this ensures that cloud resources are effectively protected and compartmentalized based on the relative criticality and sensitivity of the data they contain. In addition to standard user-based permissions, resources, applications, and features can be cordoned off selectively based on location, device, and authentication. This makes access decisions dynamic and granular enough to fully support the combination of remote and on-prem workers, as well as enterprise-owned and personal devices.
The practical result of this philosophy and commitment is a host of security features baked directly into the Atlassian Cloud solutions and ecosystem:
- User provisioning based on SCIM 2.0 protocols
- SAML for SSO through a long list of identity providers
- Enforced two-step authentication verification
- Audit logs to review activity
- End-to-end encryption in transit using TLS 1.2+ with Perfect Forward Secrecy (PFS), and industry-standard AES-256 encryption at rest
- AWS Key Management Service
- CASB integration with McAfee MVISION Cloud
- Ecoscanner protecting Atlassian marketplace apps
And there are many more technical tidbits to explore as they relate to specific applications and situations.
Don’t forget about Atlassian Access
It’s important to note that several of the above security tools and resources are only available with a subscription to Atlassian Access. This overarching security upgrade does not come automatically with every cloud subscription but can be added to all of them. And, considering the cybersecurity situation businesses face today, we feel it’s an investment worth making.
In the next two articles, we’ll be diving deeper into your side of the joint responsibility for the security of your Atlassian Cloud applications and the data they contain. They will include highlights around configuration, governance, auditing, and compliance.
If you’d like to see how your organization is doing right now in your journey toward Atlassian Cloud readiness, consider Cprime’s Cloud Readiness Assessment, which includes a thorough review of your existing security posture.
In the next article in this series, we’ll cover the shared responsibility between you and Atlassian to keep data safe and meet all of your requirements.