Atlassian, Blog

The paradox of shared responsibility

Atlassian Cloud security – a shared responsibility

While using cloud services, you essentially agree to the concept of shared responsibility. Atlassian assumes responsibility for the hard values, such as the hosting infrastructure of which the apps are running, and you naturally struggle to contain the soft values while keeping your staff at bay with a code of conduct.

In this blog post, we aim to understand better the expectations from you as a customer of Atlassian and what kind of responsibility Atlassian themselves have towards you. By the end of this post, we hope to have given you a better understanding of:

  • What responsibility is on you versus Atlassian
  • What you need to be aware of to mitigate potential risks
  • What Atlassian is doing to deliver secure services in the public cloud

Atlassian’s view on shared responsibility

Atlassian believes that your data on their systems is a joint responsibility, meaning that you are expected to assume responsibility for the things you can control. We’re talking about the soft values mentioned earlier, which roughly translates to the handling of data. When using the applications, you are responsible for ensuring your business is meeting your compliance obligations. An excellent step to ensure this is by being informed of the different aspects of the Atlassian tool stack.

Image source (download pdf): Atlassian

Responsibility of user management and Privacy & Compliance

Kicking things off, we’ll be looking at the aspect of users and what you can do with the tools given to you to mitigate risks associated do user management. There is only one hands-on way forward on this subject: verify your domain, claim your Atlassian users and install Atlassian Access as a security measure in your organisation. We’ve previously written a blog article about this which you can read more about on this link.

Besides taking measurements to secure the tools themselves, you should start formulating a policy on platform usage that correlates to your business compliance obligations. Also, ensure that the employees understand these policies and sign off on them before working with the tools. And there you go – a fault-free environment.

Well, in reality, it’s not that simple. Compliance demands should be part of an organisations DNA, and in the best of worlds, users are fully aware of the classification of the information they put on public platforms such as Atlassian Cloud. Even so, human error occurs, and it’s bound to happen at one point or another. That’s why your organisation must do what you can to mitigate the risks and use the tools given to you.

If you haven’t got one, your best bet is to develop an internal approach closely aligned with your applications. The policy could contain guidelines on how to use each tool, and as such, you should specify what type of data is allowed to store in the application.

Responsibility of Marketplace Apps and Information

Another critical aspect of security is the Marketplace apps. Many Atlassian customers are seemingly unaware of the implications of installing an application, and thus, we feel it’s only natural to highlight the potential risks of using third-party vendors in public could environment.

First and foremost, Atlassian does not take responsibility for Third-party services to which you give access to your information and the ability to integrate with Atlassian products. It’s important to mention that any Third-party can essentially build, host and publish their applications in the Atlassian Marketplace. Typically a formal “vetting” takes place when you submit an app for approval, but Atlassian does not take formal responsibility for the app vendors legitim status and actions.

It falls on you to make sure that the app is legitimate. There are several ways of doing this:

  • Staff Pick: Check if the vendor has the “Staff pick” label, this is the highest level of recognition, and you can be sure that the app vendor is serious.
  • Reviews: A clear indicator of how well the app works and marks the vendor’s legitimacy. Keep an eye on the number of reviews and how long the app has been around.
  • Marketplace trust program: The most significant factor you should look for is the trust program. Fortified apps live up to the most extensive security measures.
    • All Cloud Apps: The app vendor lives up to the minimum requirement to be a marketplace vendor.
    • Cloud Security Participant: The app vendor takes extra measures to ensure security in their apps by being part of the bug bounty program.
    • Cloud Fortified: The most secure apps wear the label of Cloud Fortified. These app vendors are sure to take all measures to ensure a safe operation while handling your data.

Regarding information, the last subject on shared responsibilities, Atlassian, means the data stored in the products. You are responsible for ensuring that all data uploaded and handled in your instance is according to compliance and regulations. Do not host sensitive data in your Jira instance unless necessary. All other security precautions do not matter if you fail to control this aspect.

Your users control the security

“Through 2025, 99% of cloud security failures will be the customer’s fault.” – Source: Gartner: Is the cloud secure?

What we’re saying with this article is that you should keep your eyes peeled on your users – the biggest weakness of enterprise-grade software, and human error is inevitable at one point or another. There are several ways for unauthorised forces to compromise your data; Atlassian identifies these aspects:

  • Credential guessing
  • Credential re-use
  • Man-in-the-middle attacks
  • Endpoint compromise
  • Malicious Marketplace Apps
  • Phishing or fake sites

You may wonder how you’re supposed to control all of these aspects. The simple answer is that you can never mitigate all risks, but you can certainly make things a lot more secure by using the tools and knowledge Atlassian have provided you.

The sum of all aspects

There’s no specific way forward in terms of tips or tricks. All organisations naturally have different positions in their mindset around security as a whole. You might be able to benefit from already developed guidelines within your company, or you’re less fortunate and have to re-invent the wheel. Either way, you need to get started if you lack control today. Our approach would look something like this.

Hotfixes

  • Verify your domain and claim your Atlassian accounts.
  • Install Atlassian Access and configure SSO (if you can); otherwise, turn on 2FA as soon as possible.
  • Set up authentication policies for different types of accounts.

Long term

  • Audit your projects and close potential loopholes.
  • Get your usage policy in order. Embed it in your onboarding routine and get people to sign off on usage.

If you manage to solve the hotfixes, you’re already well on your way to a secure environment. Policy and compliance are long term initiatives that require more work to secure.

We hope you’ve had some good insights from this blog post. Feel free to reach out to us in case you’d like assistance in securing your Atlassian Cloud strategy!

Share this post