Confluence Security

Jonathan Klapel August 15, 2016

This is a general question regarding the security of Confluence. We already use Confluence extensively for both internal projects as well as for sharing general documents and information with customers. Now one of our teams would like to use it for securely transmitting very sensitive documents with a user physically located outside of the company LAN. Our Confluence instance is already accessible outside of the LAN (since we share info with customers). We keep Confluence up-to-date and keep the server it is located on firewalled off so that only what needs to get through can get through. However, some of our management team has expressed some concerns about the security of Confluence. Is Confluence generally considered secure enough for sharing very sensitive documents? Are there any additional steps we should take before sharing those documents? Does anyone have any example use cases of companies doing anything similar?

Answer accepted
Rodney Hughes
Rising Star
August 15, 2016

Security is never absolute. It is a question of what barriers you put in the way.

Like building a house - you put in doors and windows for access, but you put locks on them, and if you are extra concerned/wise you use deadlocks, and then if you are extra concerned you put in a break-in alarm, and if you are extra concerned that alarm is remotely monitored by a security firm, and if you are extra concerned you add video surveillance, and if you are extra concerned you employ a security guard to drive by occasionally, and if you are extra concerned you employ the guard permanently on site ....

So it is not the house that determines the security, it is what you implement around the house.

Confluence's inherent base-level security is the two-factor authentication of a personal username and a personal password (this gets you the deadlocked doors).

You could consider an "https" URL, but with the trade-off that it can also just slow things down.

But then it is all the things outside of Confluence that matter, like firewalls etc.

... but why not ask the US Dept of Defence? Or NASA?

Confluence users are listed here: https://www.atlassian.com/customers?page=4&sortParam=date_created%20desc&productsUsed=Confluence

TomC
Community Leader
August 15, 2016

Hard to improve on Rodney's answer here (well done mate!).

When we want the ultimate security on documents (security guard full-time with alarm and deadlocks..) we employ tools like Box that employ encryption, watermarking and so forth. However, we still like to utilize linking or embedding folders on Confluence pages to give the folders and files context. For us, the mashup option is great 'when we need it'.

Jonathan Klapel August 15, 2016

Thanks for your quick reply. I hadn't seen the list of users, so that will be good to pass along to those who expressed concerns. We also already have Apache enforcing the use of HTTPS to access Confluence and haven't had any issues with slowdowns. As for Two-Factor Authentication, my understanding is that Two-Factor involves something beyond username/password, but that Confluence doesn't really support that yet (https://jira.atlassian.com/browse/CONF-24322).

To continue with your house analogy, do you have examples of what the alarm system and security firm would be for Confluence?

Rodney Hughes
Rising Star
August 15, 2016

Oh, I forgot the final part of the analogy - once someone gets inside the house, you can still lock individual rooms ... or, specifically for Confluence:

a) you can have multiple Spaces which have different User groups - only the Users allowed into the Space know the Space exists (although someone could email a link to someone else)

b) different Users can be granted different types of Permissions for pages, attachments, comments, blogs ... create/edit/delete

c) you can then set pages to be View Restricted so only those specifically nominated can see the page - this is automatically inherited by the Child pages

d) you can set Edit Restrictions - independent of View - on a page-by-page basis i.e. it is not inherited
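The layering Rodney describes in (a) to (d), written up as an added example that is not part of this thread or of Confluence's own code: a small Python model of effective access in which space membership is the outer gate, view restrictions are inherited down the page tree, and edit restrictions apply only to the page they are set on. The space, page tree and user names are constructed, and the rule that editing requires view access is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, Optional


@dataclass
class Page:
    name: str
    space: str
    parent: Optional["Page"] = None
    # None means "no restriction set on this page": anyone with access to the
    # space (and allowed by every ancestor) may view or edit it.
    view_restricted_to: Optional[FrozenSet[str]] = None
    edit_restricted_to: Optional[FrozenSet[str]] = None


def ancestors_and_self(page: Page) -> Iterator[Page]:
    """Walk from the page up to the root of its tree."""
    while page is not None:
        yield page
        page = page.parent


def can_view(user: str, page: Page, space_members: Dict[str, FrozenSet[str]]) -> bool:
    # (a) Space membership is the outer gate: non-members never see the page.
    if user not in space_members.get(page.space, frozenset()):
        return False
    # (c) View restrictions are inherited: the user must be allowed by the
    # page itself and by every restricted ancestor.
    return all(p.view_restricted_to is None or user in p.view_restricted_to
               for p in ancestors_and_self(page))


def can_edit(user: str, page: Page, space_members: Dict[str, FrozenSet[str]]) -> bool:
    # Assumption: nobody can edit what they cannot view.
    if not can_view(user, page, space_members):
        return False
    # (d) Edit restrictions are not inherited: only this page's own setting counts.
    return page.edit_restricted_to is None or user in page.edit_restricted_to


def who_can_view(page: Page, space_members: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Audit helper: the effective set of users able to see a page."""
    members = space_members.get(page.space, frozenset())
    return frozenset(u for u in members if can_view(u, page, space_members))


# Constructed sample: a customer-facing space with one restricted branch.
SPACE_MEMBERS = {"VENDOR": frozenset({"alice", "bob", "carol"})}
CONTRACTS = Page("Contracts", "VENDOR", view_restricted_to=frozenset({"alice", "bob"}))
PRICING = Page("Pricing", "VENDOR", parent=CONTRACTS, edit_restricted_to=frozenset({"alice"}))
NOTES = Page("Notes", "VENDOR", parent=PRICING)  # no restrictions of its own
```

Running `who_can_view(NOTES, SPACE_MEMBERS)` shows that carol, although a space member, is shut out of the whole Contracts branch by the inherited view restriction, while bob can edit Notes but not Pricing because the edit restriction stops at the page it was set on.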
