On January 26th and 27th, we hosted a webinar featuring Product Managers and leaders from Atlassian's Marketplace Security and Ecosystem teams and Adaptavist CTO Jon Mort. The webinar was entitled Atlassian Cloud: Marketplace App Availability & Security and covered topics related to Marketplace cloud security, app availability, and enterprise readiness.
If you missed it, you can watch a recording here.
Here are a few questions we weren't able to get to in the webinar but want to make sure we address:
Q: How do you implement authentication to customer data? Do you use MFA? If a customer requests audit logs, will you provide those logs?
A: Within Atlassian, only authorized Atlassians have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and servers only accept incoming SSH connections from Atlassian and internal data center locations. All access is restricted to privileged groups unless requested and reviewed, with additional authentication requiring 2FA.
Atlassian does utilize MFA to access all tier 1 systems.
Audit logs are available through the customer Admin Portal API. If you'd like a self-serve way of accessing audit logs, you can use the organization audit log in Atlassian Access (see Organization audit log in Atlassian Access | Atlassian), which shows a comprehensive log of admin activity across your Atlassian cloud organization. User activity logs are available with the Cloud Enterprise plan. There are also product audit logs available within Jira and Confluence (see this support page for details).
Q: Can customers provide you with their own encryption key?
A: In Q3-Q4 2022, Atlassian is planning to introduce a BYOK encryption EAP for Jira Issue Fields. This will allow customers to encrypt standard and custom issue field data with a key they manage in their own instance of AWS KMS. In 2023, Atlassian will extend this to Jira and Confluence product data. See Introducing bring-your-own-key encryption (BYOK) | Atlassian.
Q: I understand that all customer data is hosted by a mutualized database. Could you elaborate on the security measures that Atlassian implements to prevent lateral movement?
A: See Tenant Separation here: Atlassian Cloud architecture and operational practices
Q: Are Atlassian Cloud instances protected by WAF?
A: We use a third-party HTTP proxy product for our cloud public edge and have implemented L7 HTTP security rules on it.
Q: You mention that, “an owner is assigned for each encryption key and is responsible for ensuring the appropriate level of security controls is enforced on keys.” Do you provide verification reports of this assignment and a list of owners?
A: No, we do not provide encryption key ownership reports externally. This is handled inside of AWS Key Management Service: Atlassian Cloud architecture and operational practices
Q: Will Atlassian publish security evidence like Microsoft does?
A: We’re working on this. Currently available reports are posted to: Compliance Resource Center | Atlassian
Of course, if we didn't get to your questions during the webinar or if you have additional questions after watching the recording, please feel free to add them here!
We'll be keeping an eye on this discussion and will try to answer questions as they are posted.