How secure is Confluence?

Charitha Veeragandham August 3, 2018

My company wants to use Confluence. And we want to add some confidential documents in it. Is it safe to do so?

4 comments

Danyal Iqbal
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 3, 2018

Confluence does not have any "known" security bugs, but that does not mean every Confluence installation is impenetrable. A vigilant administrator and a decent security framework ensure security, not Confluence.

Considering HTTPS is the industry standard for any production-grade instance, I assume that you mean "how difficult would it be for a Confluence user A to bypass the permission scheme and access your confidential documents?"

-This is unlikely to happen.

Confluence is a very configurable product. You can implement any level of security, ranging from hardware security dongles to sign in to anonymous access for Confluence pages.

Study the IT security standard in your industry and take your pick. Confluence should be able to work with your chosen security standard.

Charitha Veeragandham August 7, 2018

Thank you!

Jonathan Smith
August 3, 2018

Hi @Charitha Veeragandham,

Your content is only as safe as how you grant access to Confluence, secure your spaces, and restrict pages.

Our company locks down anything compensation related, so I would consider the application pretty safe if you know what you are doing.

Example: If a parent page has view access for only a certain group, then no one else will be able to see that parent page or the pages underneath it.

Check out the following permissions documentation from Atlassian:

Note: If your company loves to hold onto their data, check out getting Confluence Server. If housing the data is not a concern, then check out Confluence Cloud because then Atlassian can be your 'Sys admin'.

Hope this helps!

Jonathan Smith
August 3, 2018

Note: Some companies feel "safer" if the application is behind their own firewall. If this is your case, then Confluence Server would be a good option.

Davin Studer
Rising Star
August 3, 2018

Other things to consider would be that you are only as secure as your users' security competency. In any organization these days your security folks should be educating users on how to spot phishing and social engineering attacks. Also, don't let your users off with weak passwords. Make them make it strong and don't bow to the upper management folks who complain because it is not friendly enough now. If you really want to take it to the next level, require two-factor authentication for all your users. That step alone takes your risk way down, as the attacker would not only need the user's password but also their second factor. Google recently announced that last year they did not have a single case of an employee's credentials being used successfully in an attack because they require two-factor authentication company-wide. There are marketplace add-ons that provide two-factor authentication for the self-hosted Confluence, and the Cloud offering offers it as well.

Beyond user controls, it is important to fully understand how to set up Space permissions to lock down the content that is sensitive. You could very easily open it up for anonymous access or add in users that should not have access if you are not making sure to use the principle of least privilege.

SSL is a must. And make sure that it isn't just turned on as an option. If the user tries to access the site over http make sure they get redirected to https.

If you trust your IT folks and have confidence in their security practices (firewall rules, anti-virus, log monitoring, etc.) I personally think having your data on premises is better. I know the trend these days is to throw everything into the cloud and let their people manage security. "After all, they are better able to handle that and it's cheaper." Except that I see stories every day about BIG companies getting breached that have folks dedicated to security and yet they still get hacked. And I would argue strenuously that it is indeed cheaper. I've not seen a cloud-hosted solution yet that I believe is cheaper than having competent local IT folks. Not only that, cloud offerings are a big target these days simply because there is LOTS of data there to get. "Lots of data" = "lots of reward" for them. Attackers will typically go after the easy, high-profile targets first. If you maintain a low profile you mitigate some risk there. Remember, the tallest blade of grass is the first to get cut.

Anyway, those are my thoughts. Confluence certainly can be a secure product but you have to make it such. It doesn't just come secure and risk free ... no product does.

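One way to verify the "redirect HTTP to HTTPS" point from the answer above, as an added example that is not from the thread or from Atlassian; the hostname is a placeholder and `evaluate_redirect`/`probe` are names chosen here:

```python
"""Check that a Confluence site's http:// address upgrades to https://.

Added example (not Atlassian's code). It confirms two things: an http://
request is answered with a redirect rather than a page, and the redirect
target is https:// on the same host. It also reports whether the https
response sets Strict-Transport-Security.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def evaluate_redirect(status, headers, original_url):
    """Return (ok, reason) for the response to an http:// request."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECT_CODES:
        return False, f"http request answered with {status}, not a redirect"
    location = hdrs.get("location")
    if not location:
        return False, "redirect without a Location header"
    target, origin = urlparse(location), urlparse(original_url)
    if target.scheme != "https":
        return False, f"redirect goes to {target.scheme}://, not https://"
    if target.hostname != origin.hostname:
        return False, f"redirect leaves {origin.hostname} for {target.hostname}"
    return True, f"redirects to {location}"


def evaluate_hsts(headers):
    """True if the https response carries Strict-Transport-Security."""
    return any(k.lower() == "strict-transport-security" for k in headers)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, path="/"):
    """Live check against a real host (network required); host is a placeholder."""
    url = f"http://{host}{path}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
        status, headers = resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # the 3xx lands here
        status, headers = err.code, dict(err.headers)
    return evaluate_redirect(status, headers, url)
```

Run `probe("wiki.example.com")` against your own instance; a `(False, ...)` result means the plain-HTTP path is still serving content or redirecting somewhere other than HTTPS on the same host.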
Charitha Veeragandham August 7, 2018

Thank you

Robert August 19, 2019

All the answers here are about how the users/admin of Confluence can set permissions within Confluence. One came close with: you feel more secure with sensitive data hosted on your own site. The real question these days is how the data/content in Confluence is stored from a system hack standpoint. What restricts access to the data/content from a path other than through Confluence, and also by system users and admins?

Example: I am making a list for our Development Team of endpoints they need to servers and databases they will need to connect to. I will restrict access to a list of individual Confluence users on a need-to-access basis, no problem. I may even break the Development servers from the production servers. The production servers have access to and store a fair amount of private financial data. So the addresses are at least sensitive. Usernames more so. Passwords, not on your life, unless encrypted in an image that is encrypted.

But these are stored on some server(s) somewhere.  Accessible by some users.

Is there any guide to how it is stored and who has access? Any security rating of your system?
