Atlassian Cybersecurity: Keeping your Data Assets Safe
Managing the threat of cybersecurity breaches has skyrocketed up the priority list for many organisations, both corporate and private, following two major attacks in Australia in the latter part of 2022. They’re right to be vigilant, too: data is precious. On one hand, organisations can’t operate without it and, when used correctly, it can be a major factor in their success. On the other hand, its value makes it a target for exploitation, which can endanger an organisation’s very existence, not to mention people’s lives.
It’s understandable then, that in recent times, the team at DI has been having more and more conversations about information security with clients who are either already operating on the Atlassian cloud or are considering migrating soon. With cloud migration on the horizon and heightened media attention, the team at DI want to offer you an overview of how DI approaches information security internally and for our clients, and how Atlassian protects its customers.
How the threat to information security has grown
Cybersecurity was always going to be a threat, from the first time we allowed people to connect with each other and share information over the internet more than two decades ago. We believe that we are seeing this threat, and consequently, our security measures, grow exponentially for a few reasons:
- Data has become mission-critical as organisations move the bulk of their operations online. This means that the consequences of something going wrong – like a data breach or system outage – are becoming increasingly severe: financial security, business viability, reputation, jobs and even mental health are all on the line.
- Our digital operating environments are becoming increasingly complex. We’re using more tools and plugging them together – and while this can increase productivity, it also increases risk. Put it this way, if security is a big fence around the building, every time we add a new app, plugin, or platform we have to put more holes in the fence so we can talk to the people next door. It opens more opportunities, but it also allows more people to see inside.
- Large-scale research reports, monitoring and media coverage have made us more aware of, and more diligent about, cybersecurity. We frequently read reports from large research firms like McKinsey, Gartner and Ipsos, and warnings from international economic bodies like the World Economic Forum and from our own governments. This heightened awareness has forced us to improve how and when we collect, store, use and give out information.
- Hackers are getting more sophisticated, and living more of our lives online has increased our exposure. As we raise new generations of digitally savvy individuals working, shopping and socialising online, there will naturally be more people capable of, and willing to, break the system. And there’s more incentive – more data is available, and it’s so valuable that hackers are now requesting millions in ransom for customer data.
- Different countries and industries have different standards, requirements and laws around information security. This allows third-party data sales and poor data security measures to continue to happen in many parts of the world.
- Shadow IT – decentralised IT, company credit cards and ungoverned purchasing – has allowed employees to create their own personal tech stacks. While the flexibility to purchase the applications, plugins and platforms they need can be empowering for employees, it reduces the organisation’s control and visibility over what data is being shared, thereby heightening the risk of data theft and privacy breaches.
How DI approaches cybersecurity
Our background has influenced our approach
DI has been in the digital space for 20 years. Cybersecurity and data protection have always been top of mind for us, from our first projects in e-commerce, where we worked within the first iterations of the PCI DSS (Payment Card Industry Data Security Standard), which sets out policies and procedures for protecting debit, credit and cash card transactions and personal data.
Both data security and DI have come a long way since then – hackers have become more sophisticated and our clients’ organisations have become bigger and more complex. These changes have placed greater demands on us in terms of our ability to comply with both industry-mandated and internal security requirements and standards.
We recognised the importance of getting it right early on and engaged with a cybersecurity expert to help us put in place an actionable information security policy and framework which we regularly refer to, abide by and update in line with increasing threats and new legal requirements.
Comprehensive policies and processes protect us and our clients
DI’s Information Security Policy guides our actions across all of our business activities with the aim of:
- Reducing risk to our clients;
- Reducing risk to the reputation of Design Industries;
- Reducing unforeseen costs due to information security incidents;
- Utilising best practices with industry standards such as PCI DSS, OWASP, ITIL;
- Complying with legislation such as the Privacy Act;
- Complying with contractual obligations to protect the information entrusted to us by our clients;
- Ensuring business continuity.
Held on Confluence and accessible to all staff, the document sets out our objectives, the scope of application, roles and responsibilities, the escalation process for violation, and a revision schedule. The policy contains 19 sub-policies, each of which has been created as its own Jira issue to make updates simple and to facilitate recurring activities that support implementation and compliance. These sub-policies include:
- Acceptable Usage Policy
- Authentication Policy
- BYOD Policy
- Change Management Policy
- Communications Security Policy
- Cryptographic Controls Policy
- Hardware and Software Configuration Standards for Remote Access to Networks Policy
- IT Acceptable Usage Policy
- IT Access Control Policy
- IT Business Continuity Policy
- IT Operational Security Policy
- Information Security Incident Management Policy
- Information Security Risk Management Policy
- Information and IT Asset Management Policy
- Password Policy
- Personnel Security Policy
- Physical Security Policy
- Remote Access Policy
- Third Party Management Policy
This isn’t a checkbox exercise either: we conduct regular security awareness briefings and refresher sessions to keep everyone across the policies and ensure they are being actioned.
Our comprehensive policy document allows us to comply with vendor information security assessments and demonstrate to our clients that we have an active commitment to information security. We see vendor information security assessments as a positive thing: they force us to reflect internally on our own practices and to make sure we have the policies, procedures, and processes to be able to deliver above and beyond minimum industry standards and legal requirements.
With regard to data collection and use, we keep the bare minimum of data about our clients.
Atlassian’s security measures to keep your business safe
Atlassian recognised the need for investing in products and services with the highest possible levels of data security many years ago when crafting their strategy for a cloud-based platform. They knew that top-tier organisations in defense, finance, health, and the government needed to be able to trust them to keep their mission-critical data safe.
As is the case for most software vendors, Atlassian does find low-level problems in its products and issues security alerts for them; however, its extensive in-house team is able to resolve issues quickly. If anything, these incidents strengthen its monitoring and response capabilities, with high-speed notifications and resolutions now the norm.
Atlassian also involves staff and external researchers in proactive efforts to safeguard its data, and that of its customers, through its ‘Bug Bounty’ program, which rewards those who find weaknesses and bring them to the company’s attention.
In their own words: “Security is built into the fabric of our cloud products, infrastructure, and processes, so you can rest assured that your data is safeguarded.”
They do this through:
Security operations and best practice standards:
Atlassian uses industry best practices and aligns with a common controls framework that utilises a number of international control standards that are applicable to their product development and operations environments. The primary environment where they apply these standards is the cloud-hosting platform and you can find a single view of these here.
Atlassian holds industry-accepted certifications and complies with current industry standards and regulations such as PCI DSS, SOC, ISO 27001, CSA, GDPR, VPAT and FedRAMP.
Platform and network security:
Atlassian performs rigorous security testing including threat modeling, automated scanning, and third-party audits. Their security incident response practices ensure issues are resolved quickly and keep customers informed with real-time system status updates.
Availability and continuity:
Atlassian is well-prepared for a natural disaster or a malicious security incident. They use multiple highly secure, geographically dispersed data centres and operate robust Disaster Recovery and Business Continuity programs.
Product-specific online safety and data security measures:
Atlassian also builds specific measures into each cloud product. You can find out what security measures are in place for the products you use – including Jira, Confluence, Bitbucket and Opsgenie here.
Finally, Atlassian helps you protect your company with:
- An easily accessible security philosophy and practices guide
- Downloadable responses to standardised vendor risk questionnaires including the Cloud Security Alliance (CSA) – Consensus Assessment Initiative Questionnaire (CAIQ), Whistic and Cyber GRX to make vendor risk management assessments easier.
- The ability to report a vulnerability if you are concerned – security researchers are also invited to find and report issues.
- Weekly security advisories, published online
- The Atlassian Access product which allows you to add enterprise-grade identity and access management (IAM) features to your central admin console.
- An invitation to join their Trust and Security Community
- Blog posts, whitepapers, reports, and administration guides to inform you of developments in cybersecurity (the latest are posted on this page).
You’ve got a secure Atlassian platform, what now?
There are two sides to the information security coin: system defenses and sensible data collection.
- Choose software vendors and consultants who comply with the highest-possible information security standards and have robust policies and processes in place. Ask for a copy of these before you sign the contract.
- Create and enforce your own robust information security policy. Regularly review the policy, train your staff, and have actionable tasks to keep everyone accountable.
- Tighten user access to ensure people only have access to applications and information that is essential to their role. Make sure your offboarding process includes removing permissions for all applications as well.
- Restrict third-party access to data by centralising software licensing and purchasing and keeping a register of every tool in your tech stack. Even if an application is free, ensure staff let IT or the central IT licensing holder know that they are signing up for an account.
- Data collection: Assess what data you collect and store and determine if it’s really critical to your business operations. If it’s highly valuable to a hacker, and you don’t need it, don’t collect or store it! Wiping that data and evaluating your data collection methods is the safest thing to do and reduces your vulnerability to a cyber attack.
A word of advice: take action – no matter how small your business is.
Being a smaller company doesn’t necessarily protect you from information security breaches: no matter what size your organisation is, the requirements and the risk are the same. We recommend that you pay a cybersecurity expert to ensure your security measures are as comprehensive as possible – the cost to your business of a breach will be far more than their consultation fee.
How DI helps clients with their online security requirements
You’ve probably gathered that we are process people at DI, so our approach to helping clients is based on establishing workflows and automation that take forgotten administration tasks – the kind that jeopardise information security – off the table.
We can help you by:
- Tightening governance processes around user access:
- The first step is cleaning your data. This means auditing your Atlassian environment to see who has access, what access they have, and what they should have (user tiers). You’ll also need to remove accounts belonging to employees, contractors and suppliers who no longer work for you.
- We’ll then look at your HR processes for onboarding and offboarding and create a workflow in Jira or Jira Workforce.
- We can then help you install and set up Atlassian Access – an identity management and single sign-on (SSO) tool that connects with all of the other tools in your Atlassian environment. It allows you to manage each identity’s (employee’s) permissions for every product in one place. You can then automate onboarding and offboarding – for example, if HR advises that an employee has left or a contractor has finished their job, you can automatically lock them out of the system or reduce their access across all tools at once. It also allows you to enforce two-factor authentication and customise multiple authentication requirements.
- Assessing licensing – having multiple instances of the same tool, unused tools, or expired or duplicate licenses increases your security risk by putting data in unnecessary places. And it’s expensive. We can conduct an audit of your licensing arrangements, consolidate them where necessary and procure new cost-efficient licensing arrangements for you.
- Being transparent about our internal privacy and data security policies to facilitate a smooth vendor risk management assessment process.
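The audit described in the first step above – comparing who has access with who should have it, and catching leavers, stale accounts and over-privileged users – is mechanical enough to script. The following is an added example written for this article, not DI’s or Atlassian’s own tooling. The record shapes, the role-to-product entitlement mapping, the approved-admin list and all of the sample accounts are constructed assumptions; in practice the user list would come from an export of your Atlassian site’s user directory and the roster from your HR system.

```python
"""Reconcile an Atlassian site's user list against an HR roster.

Added example for illustration only. The record layouts below are assumptions,
not the format of any real Atlassian export or API response.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class AtlassianUser:
    email: str
    products: Set[str]            # product access granted on the site, e.g. {"jira", "confluence"}
    site_admin: bool              # holds organisation/site admin rights
    last_active: Optional[date]   # None means the account has never signed in


@dataclass
class HrRecord:
    email: str
    status: str                   # "active" or "left"
    role: str                     # used to look up the expected product entitlements


# Constructed policy: which products each role is entitled to (assumption).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineering": {"jira", "confluence", "bitbucket"},
    "marketing": {"jira", "confluence"},
}


def reconcile(users: List[AtlassianUser], roster: List[HrRecord],
              approved_admins: Set[str], today: date,
              stale_days: int = 90) -> List[dict]:
    """Return one finding per access problem. Findings are advisory: a human
    confirms them before any account is deactivated or trimmed."""
    hr_by_email = {r.email.lower(): r for r in roster}
    findings: List[dict] = []

    for u in users:
        email = u.email.lower()
        rec = hr_by_email.get(email)

        if rec is None:
            # Account exists on the site but nobody in HR owns it (e.g. a contractor
            # who was never registered). Must be claimed or removed.
            findings.append({"user": email, "finding": "orphan", "detail": "no HR record"})
            continue

        if rec.status != "active":
            # Offboarding gap: HR says they left but the account still has access.
            findings.append({"user": email, "finding": "leaver", "detail": rec.status})
            continue

        excess = u.products - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append({"user": email, "finding": "excess_access",
                             "detail": sorted(excess)})

        if u.site_admin and email not in approved_admins:
            findings.append({"user": email, "finding": "unapproved_admin",
                             "detail": "site admin not on approved list"})

        if u.last_active is None or (today - u.last_active).days > stale_days:
            # Dormant accounts are low-visibility targets; flag for review.
            findings.append({"user": email, "finding": "stale",
                             "detail": f"no activity in {stale_days} days"})

    return findings


# Constructed sample data (not real accounts).
SAMPLE_USERS = [
    AtlassianUser("alice@example.com", {"jira", "confluence"}, True, date(2023, 2, 27)),
    AtlassianUser("bob@example.com", {"jira", "confluence", "bitbucket"}, False, date(2023, 2, 20)),
    AtlassianUser("carol@example.com", {"jira"}, False, date(2022, 10, 1)),
    AtlassianUser("dave-contractor@example.com", {"confluence"}, False, None),
    AtlassianUser("erin@example.com", {"jira"}, True, date(2022, 11, 1)),
]
SAMPLE_ROSTER = [
    HrRecord("alice@example.com", "active", "engineering"),
    HrRecord("bob@example.com", "active", "marketing"),
    HrRecord("carol@example.com", "left", "engineering"),
    HrRecord("erin@example.com", "active", "engineering"),
]
APPROVED_ADMINS = {"alice@example.com"}


def run_sample() -> List[dict]:
    """Run the reconciliation over the constructed sample as of 2023-03-01."""
    return reconcile(SAMPLE_USERS, SAMPLE_ROSTER, APPROVED_ADMINS, date(2023, 3, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:30} {f['finding']:16} {f['detail']}")
```

Run on a regular schedule (the same cadence as the offboarding workflow), the output gives the access owner a short review queue rather than a full user list; the `leaver` and `orphan` categories are the ones that map directly to the automated lock-out described for Atlassian Access, while `excess_access` and `unapproved_admin` are the least-privilege checks that a licensing and permissions audit is meant to surface.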
Contact our team to discuss how we can work together to build a secure, productive Atlassian environment for your team.