On December 12th the Vancouver Atlassian community welcomed Vish Reddy from Revyz who presenting "Shared Responsibilities & Data Protection" discussing what the "Shared Responsibility Model" means for all your SaaS data as well as what strategies you can adopt to protect your data.

1. SaaS Shared Responsibility Model
Strategies to Protect Your Cloud Data
Vish Reddy

2. Topics of Discussion
● Who is responsible for data in a SaaS application
● What is the shared responsibility model
● SaaS data protection strategies for Atlassian
● How can Revyz Help

3. Who is Responsible for Data in SaaS
I can’t be
responsible
for that!
It’s the cloud

4. SaaS Data Loss | Who is responsible?

5. SaaS Data Loss | Top Causes
1 Service outage / data corruption 22%
2 Accidental deletion 20%
3 External malicious deletion 19%
4 Inability to recover from current backups 12%
5 Misunderstanding of retention / deletion policies 9%
6 Account closure 8%
7 Internal Malicious deletion 6%
8 Don't know 4%
9 Other 1%
Greater than
of Data loss is
due to deletion of
data
ESG Research Report: Evolution of Data Protection Cloud Strategies
https://www.esg-global.com/hubfs/ESG-Infographic-DP-Cloud-Strategies.pdf
50%

6. SaaS Data Loss | Impact to You?
● What type of data do you have in your Atlassian Apps?
○ Software development
○ Product plans
○ Customer requests
○ Change management
○ Business HR / Legal / Finance
○ …
● What would be the impact if you lose any of the data?
Atlassian community posts

7. SaaS Data Loss | Impact
Loss in revenue &
reputation
An hour of downtime costs
$8,000 for a small company,
$74,000 for a medium
company and $700,000 for a
large enterprise1
1. The cost of downtime - Datto (https://www.datto.com/au/resources/the-cost-of-downtime)
2. Real costs of data loss - (https://www.backupify.com/blog/the-real-costs-of-data-loss)
Inability to meet audit &
compliance
Depending on the severity of
negligence, a HIPAA violation
can cost anywhere from $100
to $50,000 per record2
Productivity loss
Cost of productivity
$8,500 per hour2

8. On-Premises vs. SaaS
Courtesy - Checkpoint

9. Shared Responsibility Model | SaaS Industry
https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility https://www.veeam.com/blog/salesforce-shared-responsibility-model.html
Customer Responsible for Endpoint Security,
Access Management & Data Protection

10. Shared Responsibility Model | Atlassian Model
“We do not use these backups to revert
customer-initiated destructive changes, such
as fields overwritten using scripts, or deleted
issues, projects, or sites. To avoid data loss, we
recommend making regular backups.
Trust at Atlassian / Security @ Atlassian / Security Practices
https://www.atlassian.com/trust/security/security-practices#service-availability
Atlassian Cloud Security Shared Responsibilities
https://www.atlassian.com/whitepapers/cloud-security-shared-responsibilities

11. Shared Responsibility Model | Key Takeaways
01 Policy & Compliance
● Assess the suitability of Atlassian Cloud-based platforms based on the information
Atlassian provides
● Protect your endpoints through good security practices
02 Users
● Who accesses the Atlassian platform and what access they have to your data is
your responsibility
03 Information ● Create backups of your data
04 Marketplace Apps
● Assess the suitability of any Marketplace Apps you want to use
● Notify Atlassian of any malicious behavior identified in a Marketplace App

12. Types of Disasters & Ownership
Disaster Type
Data Center
Disaster
Data Center Data
Breach
Data
Breach
3rd Party
Errors
Malicious
Deletion
Data Import
Human
Error
Frequency of Occurrence Rare Occasional Frequent
Responsibility SaaS Vendor Customer
Increasing probability

13. Atlassian Jira | Data Protection Gaps
Customer tenant
Accidental
deletion
Bulk changes
Configuration
changes
Insider attack
Account
takeover
Data risks
60 days
Permanent data loss
● Only projects are sent to trash can
● Issues, attachments, comments, config
objects - deletion is immediate
Immediate
deletion
Projects
Only

14. Impact / Exposure
Motive 👉 Accidental
Malicious
Insider
Malicious
Outsider
Site Admin Entire Site
Project Admin Projects & Configuration*
User Based on Permissions Given
Automation Based on Permissions Given
*Configuration changes can have a bigger impact
Issue deletion in Jira is silent & permanent - no log of deletion available
SaaS Data Loss | Impact

15. Atlassian Data Protection Strategies
● Do nothing
● Access management controls
● CSV exports
● Database export
● Backup as a service
Alternate
Cloud
Backup
Restore

16. Atlassian | Data Protection Strategies
Process
Data
Management
Data Coverage
Export
Limits
Granular
Restore
Restore
data
loss
Restore
System
downtime
Data Loss
Risk
Do Nothing Extreme
Access Management Controls High
CSV Exports Manual
Manual
Hard to
Catalog
Limited Limited
Manual
Yes
None None High
Database Exports Manual
Manual
Hard to
Catalog
Comprehensive
48 Hr
Cycle
Not
Possible
Yes Yes Medium
Backup As A Service Automatic Automatic
Depends on
Service
None Yes None None Low
Notes:
● Database Exports could be automated with some scripting, scripts have to be maintained, high dependency on data set size for scripts to work
● Data Management= Storage, Cataloging, Policy & Governance
● Granular restore includes the ability to search and restore in targeted manner
● Restore data loss depends on how old the last backup was
● Complete restore of the database leads to data loss and downtime of the overall system

17. Revyz Jira Software Backup & Restore Service
Automatic backups and stress-free data recovery for your Jira
Software - Secure, Native and Compliant
CLOUD FORTIFIED
Atlassian Cloud
Backup
Restore
Revyz Cloud
Backed by:
● Automatic daily backups & On-demand
backups
● Easy, Granular data Restores
● End to End Native Atlassian Experience
● 1 yr data retention
● Unlimited backups & restores with upto
250GB in attachments

18. Thank You