Atlassian Cloud Security 101: Who’s Responsible for What

By
Kari Taylor
-
Atlassian Cloud security, shown with man with tablet and cartoon icons in background

Introduction

As organizations increasingly migrate to Atlassian Cloud products, one question becomes critical: Who’s responsible for keeping your data safe? The answer isn’t as simple as “it’s Atlassian’s job” or “it’s entirely on you.” Instead, cloud security operates on a partnership model where both parties play essential roles. This guide will clarify exactly who’s responsible for what in your Atlassian Cloud environment and provide actionable strategies to strengthen your security posture.

Table of contents

Understanding the Shared Responsibility Model

Atlassian Cloud Security screenshot

Definition

The shared responsibility model is a security framework that delineates which security tasks belong to the cloud service provider versus the customer. Think of it as a security partnership where both parties play crucial roles in maintaining a robust security posture.

In simple terms, Atlassian is responsible for securing the cloud infrastructure and services, while you’re responsible for how you use those services and protect your data within them.

Think of Atlassian Cloud security as a house you’re renting. The landlord (Atlassian) ensures the foundation is solid, the walls are sturdy, and the locks work properly. But you (the customer) are responsible for who gets keys, what you store inside, and installing additional security measures for your valuables.

What is Atlassian responsible for?

Atlassian takes extensive measures to ensure the security of its cloud infrastructure:

  • Application Security: Atlassian handles the security of the underlying cloud infrastructure, including servers, networks, and the core applications themselves.
  • Compliance Management: They maintain rigorous compliance with industry standards such as ISO27001, SOC2, and GDPR, undergoing regular third-party audits to verify their security controls.
  • Platform Reliability: Atlassian manages the availability and performance of its cloud services, with dedicated teams monitoring systems 24/7 and responding to incidents.
  • Vulnerability Management: They conduct regular security assessments, penetration testing, and code reviews to identify and remediate potential vulnerabilities before they can be exploited.

What is your Responsibility as a Customer?

As a customer, you retain significant security responsibilities:

  • Identity and Access Management: Controlling who has access to your Atlassian Cloud products and what they can do within them.
  • Data Classification and Protection: Determining the sensitivity of your data and implementing appropriate controls.
  • Configuration Management: Properly configuring security settings within Atlassian products to align with your organization’s security requirements.
  • Third-Party App Governance: Vetting and managing the security of marketplace apps and integrations you install.

Key Areas of Responsibility

Atlassian Cloud’s Responsibilities

  • Application Security

Atlassian handles the security of the underlying cloud infrastructure, including servers, networks, and the core applications themselves. This includes:

  • Implementing robust encryption for data at rest and in transit
  • Deploying intrusion detection and prevention systems
  • Adopting a “Zero Trust” approach to network security
  • Conducting regular security assessments and penetration testing
  • Maintaining secure development practices throughout their product lifecycle
  • Compliance

Atlassian Cloud maintains rigorous compliance with global industry standards to ensure their platform meets stringent security requirements:

  • ISO 27001 certification for information security management
  • SOC2 Type II attestations verifying security, availability, and confidentiality controls
  • GDPR compliance for European data protection requirements
  • PCI DSS compliance for payment card industry standards
  • Regular independent third-party audits to verify control effectiveness
  • Privacy

Protecting customer data is a cornerstone of Atlassian’s security approach:

  • Strict access controls for Atlassian personnel
  • Data residency options for specific geographic requirements
  • Transparent data handling practices
  • Comprehensive privacy policies and tools to support customer compliance efforts
  • Regular privacy impact assessments
  • Reliability

Atlassian invests heavily in platform reliability to ensure business continuity:

  • Redundant infrastructure across multiple regions
  • Comprehensive disaster recovery plans
  • Regular backup procedures for system components
  • Incident response teams available 24/7
  • Transparent status reporting and incident communication

Customer’s Responsibilities

  • User Management

Customers retain full control over who accesses their Atlassian products and what they can do:

  • Creating and managing user accounts
  • Implementing appropriate authentication mechanisms (passwords, 2FA, SSO)
  • Setting up and maintaining permission schemes and access controls
  • Promptly deprovisioning users when they leave the organization
  • Regularly auditing user access and permissions
  • Data Security

While Atlassian secures the platform, customers are responsible for securing their data within it:

  • Classifying data according to sensitivity levels
  • Implementing appropriate access controls for sensitive information
  • Avoiding public exposure of confidential data
  • Monitoring for unusual data access patterns
  • Ensuring proper data handling practices by users
  • Marketplace Apps

Third-party apps extend functionality but require careful security management:

  • Evaluating apps for security risks before installation
  • Understanding and limiting app permissions
  • Keep apps updated to address security vulnerabilities
  • Regularly reviewing installed apps and removing unused ones
  • Monitoring app behavior for potential security issues
  • Compliance Obligations

Customers must ensure their use of Atlassian products complies with their specific requirements:

  • Aligning Atlassian configurations with internal security policies
  • Meeting industry-specific regulatory requirements (HIPAA, FINRA, etc.)
  • Documenting compliance measures for audits
  • Taking regular backups and maintaining comprehensive logs for compliance evidence.
  • Implementing additional controls where necessary to meet specific compliance needs
  • Training users on compliance requirements relevant to their work

Best Practices for Securing Your Atlassian Cloud Environment

  • Centralized Access Management

Implement robust authentication measures:

  • Two-Factor Authentication (2FA): Require 2FA for all users, especially those with administrative privileges.
  • Single Sign-On (SSO): Integrate with your organization’s identity provider for centralized authentication.
  • Session Management: Configure appropriate session timeouts and device restrictions.
  • Regular Backups and Restoration

Data loss can occur even in the cloud, making backups essential:

  • Automated Backup Solutions: Implement solutions like Revyz to automatically back up your Atlassian data.
  • Restoration Testing: Regularly test your backup restoration process to ensure it works when needed for business Continuity.
  • Data Residency: Choose Backup partners that provide Data residency features.

Revyz simplifies this process by providing automated, reliable backups with easy restoration capabilities, ensuring business continuity even in the event of data loss.

  • Access Permissions

Fine-tune access controls to protect sensitive information:

  • Role-Based Access Control: Assign permissions based on job functions and responsibilities.
  • Regular Permission Audits: Review and update permissions regularly to prevent permission creep.
  • Public Access Restrictions: Be extremely cautious about granting public access to your Atlassian data.
  • Incident Response Planning

Prepare for security incidents before they occur:

  • Incident Response Plan: Develop and document procedures for responding to security breaches.
  • Team Responsibilities: Define clear roles using the RACI (Responsible, Accountable, Consulted, Informed) model.
  • Collaboration Protocols: Establish how you’ll work with Atlassian during security incidents.
  • Communication Templates: Create pre-approved messages for stakeholder communication.

Conclusion

Cloud security is a shared responsibility that requires vigilance and commitment from both Atlassian and its customers. By understanding where Atlassian’s security responsibilities end and yours begin, you can better protect your organization’s data and ensure compliance with relevant regulations.

Take time to evaluate your current security practices against the best practices outlined in this blog. Are there gaps that need to be addressed? Are you leveraging all available security features?

Consider implementing tools like Revyz to enhance your data protection strategy and ensure business continuity. Revyz is the first Jira native data protection application in the Atlassian Marketplace. 

Revyz Data Manager for Jira can store data securely and remotely, making it available for various recovery scenarios without having you roll back the entire site. It’s simple, reliable and useful. Revyz has launched the Revyz data manager for Jira(Bring Your Own Storage) for enterprises with critical compliance requirements. Explore the marketplace to know more about it.

Remember, security is not a one-time effort but an ongoing process of assessment, improvement, and adaptation to evolving threats. By embracing your security responsibilities and partnering effectively with Atlassian Cloud, you can enjoy the benefits of cloud collaboration while maintaining a strong security posture.

Additional Resources

For more information on Atlassian Cloud security:

Subscribe

* indicates required

RELATED ARTICLESMORE FROM AUTHOR