According to Logic Monitor, 83% of enterprise workloads will be in the cloud by 2020. There are a number of drivers towards this shift – digital transformation, greater IT agility, mobile workforces – as the benefits of cloud are numerous.
But as you move your data to the cloud, you must also take new and different measures to secure it. Being aware of the threats that exist and knowing what tools and processes to put in place to mitigate them is critical to a strong information security strategy.
We are going to break it down five different ways you can combat cloud software security threats:
Account hijackers use stolen credentials to gain access to your accounts, manipulate your data, and generally compromise the confidentiality of your information. Due to the recent increase in large-scale corporate data breaches, credential stuffing – where attackers steal massive sums of breached passwords from one service and try them on other, unrelated services – is one of the most common ways to hijack an account.
In the unfortunate case that credentials have been compromised, having a proper identity management system across your enterprise can help you detect suspicious logins (i.e., from unexpected devices or locations), enforce strong passwords, and, most importantly, require multiple factors of authentication (MFA). For your Atlassian cloud products, you can enable two-step verification directly or delegate authentication to your identity provider for SAML SSO across Jira Software, Confluence, and more.
Misconfigured permissions and access management can allow for data leakage in a variety of ways. According to Varonis, 19.3 percent of companies have over 1,000 sensitive folders open to all employees. And even beyond employees, users can accidentally leave data entirely open to the public internet with just a few permission settings. Additionally, improper off-boarding can leave sensitive company data accessible to ex-employees.
A well-defined plan around access management can help prevent many of these issues. Regularly review the information and files that are open to all employees (or public to the entire internet) to ensure that sensitive data isn’t shared unintentionally.
Stay organized with the users and group settings in your identity provider. For products like Jira and Confluence, make sure only the necessary individuals have access to databases, projects, and files. Finally, ensure that your off-boarding processes are automated. With Atlassian Access, you can connect your applications directly to your identity provider for seamless user lifecycle management – when an employee is removed from a group or from the identity provider completely, those changes are automatically reflected in your Atlassian cloud products.
Whenever a third-party vendor is introduced and given access, your data is put in another company’s hands. Make sure you understand the security of the companies with which you integrate. Do they have a transparent security policy? A security team? Even better, a security team you can reach out to if necessary? Are they actively reporting on and fixing security vulnerabilities? If not, it could be a sign that they have limited resources dedicated to security.
At Atlassian, we’re tackling third-party security in several ways. We’ve set up a dedicated team to focus specifically on ecosystem security. We’ve established a bug bounty program that incentivizes security researchers to find security gaps across our different app vendors. We even have an internal Red Team that leads attacks against Atlassian products with real-world threat actor techniques, mimicking the hackers that have compromised similar companies. All of these programs allow us to proactively find and fix security vulnerabilities, train our defenders with simulated incidents, and bring awareness to our employees by openly discussing the results of the operations and how we plan to improve security in response.
Finally, do your due diligence when it comes to integrations. Understand what permissions third-party apps ask for before granting access, monitor which apps are being used within your company, and monitor audit logs of app activity if possible.
When we talk about transparency as it relates to cloud software, we’re thinking about two main points – first, that the cloud software provider is transparent with their own security (from their practices, processes, bug fixes, etc), and second, that the cloud software provider offers customers visibility in the form of an activity or audit log in order to investigate any issues that arise.
To address the first point: the worst security breach is the one you have no idea happened. If a cloud provider isn’t transparent about their processes or security gaps they’ve discovered and fixed, then there’s likely an increased risk of breaches going undetected. Communication around security – even when it fails – is a sign that the company is actively working on the security of their products. Atlassian customers can easily gain access to details around our security processes, practices, advisories, roadmaps, and more. Read all about Atlassian’s security program.
And to address the second point: keeping track of occurrences that can impact security is critical for monitoring suspicious activity and investigating incidents. Audit logs are often a compliance requirement for good reason, so check to make sure your cloud vendors provide them. Atlassian Cloud products like Jira Software and Confluence include a product-specific audit log, but you can also get an enterprise-wide audit log through Atlassian Access. You’ll be able to view things like changes to groups, security setting changes, and more.
Application vulnerabilities are an unfortunate reality of any piece of software, whether in the cloud or behind a firewall, so you need to make sure your SaaS applications are implementing key measures to minimize them. When you’re evaluating cloud software vendors, check that they’re compliant with the widely accepted standards and regulations that pertain to your industry and business. You can check out Atlassian’s compliance program on our trust and security website.
Beyond compliance, a mature bug bounty program that incentivizes professional security researchers to find vulnerabilities means that security is tested and improved every day. Atlassian runs an award-winning bug bounty program that acts as an additional layer of protection for our products by incentivizing unique vulnerability research.