The Atlassian Cloud suite of collaborative tools is becoming the central nervous system for many organizations. Along with the multiple benefits in productivity, innovation, and collaboration that Atlassian Cloud brings, it also introduces new considerations and challenges in securing the organization’s data, mitigating security risks, and avoiding a potentially damaging breach.
In this webinar, you will learn about native security features and configuration elements that reduce your security risks in Atlassian Cloud. We will cover key permissions and access controls, governance processes and structure, and how to audit your usage.
Join Cprime’s Brandon Huff, VP of Technology, and Lisa Barton, Director of Delivery Services-Atlassian, for a deeper dive into the fascinating world of Atlassian Cloud security.
We will explore:
- Atlassian Security features to reduce your risk
- Configuration that supports access and data management
- The importance and structure around Atlassian governance
- Auditing and compliance features
3. HOUSEKEEPING ITEMS
• Audio is streamed through your computer speakers, so make sure your audio is on and turned up.
• The recording and slides will be sent to everyone via email within 24-48 hours after the webinar concludes.
• Submit questions any time during this presentation via the Q&A box on the bottom panel of your screen.
7. ABOUT ATLASSIAN CLOUD
• SaaS as an offering from the outset
• Experiencing significant growth and expansion
• Substantial investment in Cloud Infrastructure (microservices, performance, security, pricing structure, etc.)
• Accessibility of Cloud
8. BENEFITS OF ATLASSIAN CLOUD
• SaaS Model Availability/Scalability
• Latest Releases
• User Management
• Security
• Apps & Extensibility
• Performance
• TCO
9. THINGS TO CONSIDER
• Backend Access
• Latest Releases
• Functionality
• System Admin
• Data Residency
• Support / SLAs
• Compliance
11. ATLASSIAN CLOUD SECURITY GOALS
• Lead peers in cloud and product security
• Meet all customer requirements for cloud security and exceed requirements for industry security standards and certifications
• Be open and transparent about our programs, processes, and metrics
12. ATLASSIAN CLOUD SECURITY COMMITMENT
• Atlassian’s Common Controls Framework supports its compliance with eight different international standards for security
• Its Security Detections Program and Security Incident Management process ensure fast identification and mitigation of security threats
• Training and development practices across the organization stress security at every level and at all times, which supports industry-standard operational practices
• Atlassian incentivizes both employees and users to actively seek out and bring attention to security concerns utilizing the Security Champions and Bug Bounty programs
13. ATLASSIAN SECURITY PROGRAMS
• Security Champions Program: Security Champions/Leads within all products and service teams assume responsibility for delivering on key security initiatives among their peers on an ongoing basis and keeping communication with our central security team as open as possible.
• Security Detections Program: Security detection programs complement Atlassian’s incident response processes. Embedded within our standard incident management process, we have a separate program to proactively create searches and alerts for not only the incident types we face today, but those we will face in the threat landscape of the future.
• Bug Bounty Program: Our Bug Bounty Program has consistently been recognized as one of the best in the industry, and enables us to leverage a trusted community of tens of thousands of researchers to test our products constantly and report any vulnerabilities they find.
14. ATLASSIAN CLOUD SECURITY COMPLIANCE

Compliance Area: ISO 27001, ISO 27018
Atlassian Products: Jira Cloud, Jira Service Management Cloud, Jira Align, Confluence Cloud, Bitbucket Cloud, Opsgenie, Statuspage, Trello
Details: The basis of ISO 27001 is the development and implementation of an Information Security Management System (ISMS), and then implementing and managing a suite of controls covered under ‘ISO 27001: Annex A’ through that ISMS. ISO/IEC 27018 is a code of practice which provides additional implementation guidance for applicable ISO/IEC 27002 controls for the protection of Personally Identifiable Information (PII) in cloud environments.

Compliance Area: PCI-DSS
Atlassian Products: Jira Cloud, Jira Service Management Cloud, Jira Align, Confluence Cloud, Bitbucket Cloud, Opsgenie, Statuspage, Trello, Halp
Details: When you pay with your credit card for Atlassian products or services, you can rest assured that we handle the security of that transaction with appropriate attention. Atlassian is a PCI-DSS compliant merchant.

Compliance Area: CSA CCM / STAR
Atlassian Products: Jira Cloud, Jira Service Management Cloud, Jira Align, Confluence Cloud, Bitbucket Cloud, Opsgenie, Statuspage, Trello, Halp
Details: The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings. The CSA STAR Level 1 Questionnaire for Atlassian is available for download on the Cloud Security Alliance’s STAR Registry.

Compliance Area: SOC2 and SOC3
Atlassian Products: Jira Cloud, Jira Service Management Cloud, Jira Align, Confluence Cloud, Bitbucket Cloud, Opsgenie, Statuspage, Trello
Details: These reports help our customers and their auditors understand the controls established to support operations and compliance at Atlassian. Atlassian has achieved SOC2 certifications for many of our products.

Compliance Area: FedRAMP
Atlassian Products: Cloud Enterprise, Trello
Details: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
16. ATLASSIAN CLOUD SECURITY CONFIGURATION APPROACH
1. Ensure adherence: the company has security policies that help mitigate risk
2. Leverage configuration that will ensure security policies are followed
3. Audit the configuration and access management regularly
4. Ensure Governance is in place around your instance to enable auditing and configuration management
17. PROVISIONING
Security risk:
• Management overhead and complexity to manage access to each Atlassian application
• User creation in Atlassian provides permissions and initial access
• Bad provisioning can expose sensitive data to new users who should not have that access
Best practice:
• Clear group-based permissions, roles, and provisioning enable clear application of needed permissions
• Leverage an access management application to ensure consistent provisioning is applied (Atlassian Access, Active Directory, etc.) and reduce human error
18. SINGLE SIGN-ON (SSO)
Security risk:
• No way to enforce password changes or policies
• Unsafe passwords with infrequent changes increase risk
• High password-related calls to IT increasing cost of support
Best practice:
• Leverage an access management application to centrally manage access to Atlassian (through Atlassian Access, Active Directory, etc.) and reduce human error
19. USER MANAGEMENT & CLEAN UP
Security risk:
• Users have access they don’t need or shouldn’t need
• Users don’t have access they need
• Users are no longer at the company but still have an account
• May be paying for licensing for users no longer at the company
Best practice:
• Clear group-based permissions, roles, and de-provisioning enable appropriate permissions
• Leverage an access management application to ensure consistent provisioning, changes, and de-provisioning are applied (through Atlassian Access, Active Directory, etc.)
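As an added example of the clean-up this slide describes (not Cprime’s or Atlassian’s code), the script below reconciles a constructed Atlassian user export against a constructed HR roster and reports orphaned accounts, idle licensed seats, users without group-based access, and privileged group members. The export field names and the site-admins group name are assumptions, not Atlassian’s real export schema.

```python
"""Reconcile an Atlassian Cloud user export against a directory roster."""
from datetime import date, timedelta

# Constructed sample of an Atlassian user export; field names are assumptions,
# not Atlassian's real export schema, and "site-admins" is a placeholder group.
ATLASSIAN_USERS = [
    {"email": "alice@example.com", "groups": ["jira-users"],
     "last_active": "2023-05-01", "licensed": True},
    {"email": "bob@example.com", "groups": ["jira-users", "site-admins"],
     "last_active": "2023-01-02", "licensed": True},
    {"email": "Carol@example.com", "groups": [],
     "last_active": "2022-09-15", "licensed": True},
    {"email": "dave@example.com", "groups": ["confluence-users"],
     "last_active": None, "licensed": True},
]

# Constructed roster of current employees from the HR system / directory.
HR_ROSTER = {"alice@example.com", "bob@example.com", "dave@example.com"}


def reconcile(users, roster, today, inactivity_days=90):
    """Return findings keyed by category, each a sorted list of emails.

    orphaned:          account exists but the person is not on the roster
    inactive_licensed: licensed seat with no activity inside the window
    no_groups:         access granted directly rather than via a group/role
    admins:            privileged group membership to review explicitly
    """
    cutoff = today - timedelta(days=inactivity_days)
    roster = {r.lower() for r in roster}
    findings = {"orphaned": [], "inactive_licensed": [], "no_groups": [], "admins": []}
    for user in users:
        email = user["email"].lower()      # directories often differ in letter case
        last = user.get("last_active")
        if email not in roster:
            findings["orphaned"].append(email)
        if user["licensed"] and (last is None or date.fromisoformat(last) < cutoff):
            findings["inactive_licensed"].append(email)
        if not user["groups"]:
            findings["no_groups"].append(email)
        if "site-admins" in user["groups"]:
            findings["admins"].append(email)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample():
    """Run the reconciliation over the constructed data as of 2023-06-01."""
    return reconcile(ATLASSIAN_USERS, HR_ROSTER, date(2023, 6, 1))
```

Feeding the report into the de-provisioning step of the governance process turns the slide’s risks into a recurring, reviewable checklist.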
20. IP WHITELISTING*
Security risk:
• People outside of the company may be able to access applications in your network
• Unable to separate intended users from potential threats by IP address
Best practice:
• Enable security policies that ensure only appropriate users have access to your network
• Leverage IP whitelisting functionality to allow specific IP addresses or domains
* Atlassian Access is required for this functionality
21. PERMISSIONS
Security risk:
• Users have access to sensitive projects and/or data through applied permissions
• Unclear ability to fix access issues due to lack of permissions architecture or documentation
Best practice:
• Leverage permission groups and roles to set highest-level permissions, which minimize risky project-level permission changes
• Leverage an access management application to ensure consistent provisioning, de-provisioning, and permissions changes are applied (through Atlassian Access, Active Directory, etc.)
22. CONNECTORS & INTEGRATIONS
Security risk:
• Insecure or poorly configured connectors or integrations can expose system data
• Lack of a review process for connectors or integrations can inadvertently create a data security breach
Best practice:
• Ensure you are using Cloud Fortified connectors from the Atlassian Marketplace that meet all Atlassian security requirements
• Review all application connectors with the intended connected internal systems to ensure data is passing as planned
23. AUDIT LOG
Security risk:
• Changes to your configuration have introduced security risks that you are unable to troubleshoot
• Unclear what configuration changes have been made to ensure security policies have been followed
Best practice:
• Use the Organization audit log in Atlassian Access to view configuration changes, timing, and who made them across all Atlassian applications
• Leverage marketplace applications to provide a consolidated view of changes
• Use a governance process to review and mitigate all changes that may impact your security
24. CHANGE MANAGEMENT
Security risk:
• Unclear policies make requested changes hard to evaluate for security risks
• Changes may be implemented that don’t meet security standards, introducing security risks
Best practice:
• Implement a governance process that supports effective change evaluation, tracking, reporting, approval and communication
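As an added example tying the audit log slide to the change management slide (not Cprime’s or Atlassian’s code), the script below walks constructed audit events and flags privileged configuration changes that have no approved change ticket or were made outside business hours. The event fields, action names and ticket format are assumptions, not Atlassian’s actual audit-log schema.

```python
"""Triage constructed organization audit-log events against approved changes."""
from datetime import datetime

# Actions that should always go through the governance/change process. The
# action names and event fields below are assumptions, not Atlassian's schema.
PRIVILEGED_ACTIONS = {"ip_allowlist.updated", "org_admin.added",
                      "authentication_policy.updated", "group.membership.added"}

# Constructed approved change records: ticket -> (approved action, approved actor).
APPROVED_CHANGES = {
    "CHG-101": ("ip_allowlist.updated", "admin1@example.com"),
    "CHG-102": ("org_admin.added", "admin2@example.com"),
}

# Constructed audit events with UTC timestamps, in the order they were exported.
EVENTS = [
    {"time": "2023-06-02T10:05:00Z", "actor": "admin2@example.com",
     "action": "org_admin.added", "details": "CHG-102 promote carol"},
    {"time": "2023-06-01T09:12:00Z", "actor": "admin1@example.com",
     "action": "ip_allowlist.updated", "details": "CHG-101 add 203.0.113.0/24"},
    {"time": "2023-06-01T23:40:00Z", "actor": "admin2@example.com",
     "action": "group.membership.added", "details": "user dave -> site-admins"},
    {"time": "2023-06-02T10:06:00Z", "actor": "admin3@example.com",
     "action": "page.viewed", "details": "Confluence space HR"},
]

def triage(events, approved, business_hours=(8, 18)):
    """Return (time, actor, action, reasons) for privileged events that lack a
    matching approved change or happened off-hours, oldest first, so a reviewer
    can tie every privileged configuration change back to its approval."""
    flagged = []
    for event in sorted(events, key=lambda e: e["time"]):
        if event["action"] not in PRIVILEGED_ACTIONS:
            continue
        reasons = []
        # An approval counts only if the ticket is referenced in the event details
        # and it approved this exact action for this exact actor.
        ticket = next((t for t in approved if t in event["details"]), None)
        if ticket is None:
            reasons.append("no approved change ticket")
        elif approved[ticket] != (event["action"], event["actor"]):
            reasons.append(f"{ticket} approved a different action or actor")
        hour = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((event["time"], event["actor"], event["action"], reasons))
    return flagged
```

Running it with an empty approval list shows every privileged event, which is the starting point when the governance process has not yet recorded any tickets.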
26. WHY GOVERNANCE MATTERS
There’s a lot at stake – strong governance practices help:
• Mitigate risk and maintain compliance
• Ensure data integrity and improve data quality
• Set, maintain, and implement standards and best practices
• Evaluate the impact and manage changes to the Atlassian tools ecosystem (like clean up and optimization)
• Maintain the health and long-term continuity of the Atlassian tools ecosystem
• Ensure your users can leverage the features and benefits of the Atlassian platform for your organization
32. ENSURE COMPLIANCE
Maintaining Your Atlassian Ecosystem
• Regular updates to Policies and Standards
• Custom dashboards and reports to identify Compliance risks
• Clean up and maintain your instances (leverage admin insights, scheduled releases, and project archiving)
• Manage human risk (training, enablement, embedded Governance Team Members)
33. CHANGE MANAGEMENT
Change Management Process Elements:
• Formal Intake Process
• Formal Committee Discussion
• Within vs Outside of Policy Limits
• Formal Committee Vote
• Objection vs Non-Objection Vote
• Documentation
• Decision vs Recommendation
• Communication
Process cycle (diagram): Intake, Communication, Action, Decision
34. KEY TAKEAWAYS
• Atlassian has built-in features, policies, and programs to ensure the Cloud applications have the highest levels of security
• Leverage best practice configurations that ensure good change management, permissions, and access management
• Ensure governance practices are in place to evaluate, approve, and manage configuration changes
• Visit the Atlassian Trust security site for details on all aspects of Atlassian Cloud security
35. KEEP THE CONVERSATION GOING…
• Connect with our speakers on LinkedIn
• Check out Cprime upcoming webinars, read our blog, download whitepapers/case studies & more: cprime.com/resources
• Share with us what topics you are interested in, ask us questions or give us feedback! learn@cprime.com
36. FOLLOW US ON SOCIAL MEDIA
Share in the conversation & keep updated on thought leadership, events & more on LinkedIn, Twitter, Facebook, & YouTube