This is a general question regarding the security of Confluence. We already use Confluence extensively for both internal projects as well as for sharing general documents and information with customers. Now one of our teams would like to use it for securely transmitting very sensitive documents with a user physically located outside of the company LAN. Our Confluence instance is already accessible outside of the LAN (since we share info with customers). We keep Confluence up-to-date and keep the server it is located on firewalled off so that only what needs to get through can get through. However, some of our management team has expressed some concerns about the security of Confluence. Is Confluence generally considered secure enough for sharing very sensitive documents? Are there any additional steps we should take before sharing those documents? Does anyone have any example use cases of companies doing anything similar?
Security is never absolute. It is a question of what barriers you put in the way.
Like building a house - you put in doors and windows for access, but you put locks on them, and if you are extra concerned/wise you use deadlocks, and then if you are extra concerned you put in a break-in alarm, and if you are extra concerned that alarm is remotely monitored by a security firm, and if you are extra concerned you add video surveillance, and if you are extra concerned you employ a security guard to drive by occasionally, and if you are extra concerned you employ the guard permanently on site...
So it is not the house that determines the security, it is what you implement around the house.
Confluence's inherent base-level security is the two-factor authentication of a personal username and a personal password (gets you the deadlocked doors).
You could consider an "https" URL, but with the trade-off that it can also just slow things down.
But then it is all the things outside of Confluence that matter, like firewalls etc.
... but why not ask the US Dept of Defence? Or NASA?
Confluence users are listed here https://www.atlassian.com/customers?page=4&sortParam=date_created%20desc&productsUsed=Confluence
Hard to improve on Rodney's answer here (well done mate!).
When we want the ultimate security on documents (security guard full-time with alarm and deadlocks..) we employ tools like Box that employ encryption, watermarking and so forth. However, we still like to utilize linking or embedding folders on Confluence pages to give the folders and files context. For us, the mashup option is great 'when we need it'.
Thanks for your quick reply. I hadn't seen the list of users, so that will be good to pass along to those who expressed concerns. We also already have Apache enforcing the use of HTTPS to access Confluence and haven't had any issues with slowdowns. As for Two-Factor Authentication, my understanding is that Two-Factor involves something beyond username/password, but that Confluence doesn't really support that yet (https://jira.atlassian.com/browse/CONF-24322).
To continue with your house analogy, do you have examples of what the alarm system and security firm would be for Confluence?
Oh I forgot the final part of the analogy - once someone gets inside the house, you can still lock individual rooms ... or specifically for Confluence:
a) you can have multiple Spaces which have different User groups - only the allowed Users to the Space know the Space exists (although someone could email a link to someone else)
b) different Users can be granted different types of Permissions for pages, attachments, comments, blogs ... create/edit/delete
c) you can then set pages to be View Restricted so only those specifically nominated can see the page - this is automatically inherited by the Child pages
d) you can set Edit Restrictions - independent of View - on a page-by-page basis i.e. it is not inherited
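As an added illustration of the restriction rules listed in the comment above (example code written for this page, not Confluence's own permission logic; the space, page and user names are constructed): a small Python model that resolves a user's effective View and Edit access by walking up the page tree, inheriting View restrictions from ancestors but deliberately not inheriting Edit restrictions, which is the case an administrator most often gets wrong before sharing a sensitive document.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the rules in the comment (not Confluence code): a Space
# is visible only to its members, a page's View restriction is inherited by
# every descendant page, and a page's Edit restriction applies to it alone.

@dataclass(frozen=True)
class Space:
    name: str
    members: frozenset          # users allowed into the Space

@dataclass(frozen=True)
class Page:
    title: str
    space: Space
    parent: Optional["Page"] = None
    view_allowed: frozenset = frozenset()   # empty = no View restriction
    edit_allowed: frozenset = frozenset()   # empty = no Edit restriction

def can_view(user: str, page: Page) -> bool:
    """Space membership plus every ancestor's View restriction (inherited)."""
    if user not in page.space.members:
        return False
    node = page
    while node is not None:
        if node.view_allowed and user not in node.view_allowed:
            return False
        node = node.parent
    return True

def can_edit(user: str, page: Page) -> bool:
    """Edit needs View access and passes only this page's own Edit
    restriction; the parent's Edit restriction is deliberately ignored."""
    if not can_view(user, page):
        return False
    return not page.edit_allowed or user in page.edit_allowed

def audit(user: str, page: Page) -> dict:
    """Effective access to check before a document is shared from the page."""
    return {"view": can_view(user, page), "edit": can_edit(user, page)}

# Constructed sample data: a restricted parent page and an unrestricted child.
legal = Space("LEGAL", frozenset({"alice", "bob", "carol"}))
contracts = Page("Contracts", legal,
                 view_allowed=frozenset({"alice", "bob"}),
                 edit_allowed=frozenset({"alice"}))
q3_draft = Page("Q3 draft", legal, parent=contracts)  # no restrictions set
```

Running `audit("bob", q3_draft)` shows the gotcha: bob cannot edit "Contracts" but can edit its unrestricted child page, because only the View restriction flowed down.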