Confluence Security

This is a general question regarding the security of Confluence.  We already use Confluence extensively for both internal projects as well as for sharing general documents and information with customers.  Now one of our teams would like to use it for securely transmitting very sensitive documents with a user physically located outside of the company LAN.  Our Confluence instance is already accessible outside of the LAN (since we share info with customers).  We keep Confluence up-to-date and keep the server it is located on firewalled off so that only what needs to get through can get through.  However, some of our management team has expressed some concerns about the security of Confluence.  Is Confluence generally considered secure enough for sharing very sensitive documents?  Are there any additional steps we should take before sharing those documents?  Does anyone have any example use cases of companies doing anything similar?

1 answer

1 accepted

Security is never absolute.  It is a question of what barriers you put in the way. 

Like building a house - you put doors and windows for access, but you put locks on them, and if you are extra concerned/wise you use dead locks, and then if you are extra concerned you put a break-in alarm and if you are extra concerned that alarm is remotely monitored by a security firm and if you are extra concerned you add video surveillance and if you are extra concerned you employ a security guard to drive by occasionally and if you are extra concerned you employ the guard permanently on site ....

so it is not the house that determines the security, it is what you implement around the house.

Confluence's inherent base level security is the two factor authentication of a personal username and a personal password (gets you the deadlocked doors)

You could consider an "https" URL, but with the trade-off that it can also just slow things down

But then it is all the things outside of Confluence that matter like firewalls etc

.. but why not ask the US Dept of Defence? or NASA?

Confluence users are listed here https://www.atlassian.com/customers?page=4&sortParam=date_created%20desc&productsUsed=Confluence

Hard to improve on Rodney's answer here (well done mate!).

When we want the ultimate security on documents (security guard full-time with alarm and deadlocks..) we employ tools like Box that employ encryption, watermarking and so forth. However, we still like to utilize linking or embedding folders on Confluence pages to give the folders and files context. For us, the mashup option is great 'when we need it'.

Thanks for your quick reply.  I hadn't seen the list of users, so that will be good to pass along to those who expressed concerns.  We also already have Apache enforcing the use of HTTPS to access Confluence and haven't had any issues with slow downs.  As for Two-Factor Authentication, my understanding is that Two-Factor involves something beyond username/password, but that Confluence doesn't really support that yet (https://jira.atlassian.com/browse/CONF-24322).

To continue with your house analogy, do you have examples of what the alarm system and security firm would be for Confluence?

Oh I forgot the final part of the analogy - once someone gets inside the house, you can still lock individual rooms ... or specifically for Confluence:

a) you can have multiple Spaces which have different User groups - only the allowed Users to the Space know the Space exists (although someone could email a link to someone else)

b) different Users can be granted different types of Permissions for pages, attachments, comments, blogs ... create/edit/delete

c) you can then set pages to be View Restricted so only those specifically nominated can see the page - this is automatically inherited by the Child pages

d) you can set Edit Restrictions - independent of View - on a page-by-page basis i.e. it is not inherited
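The rules in points (a) to (d) above, as a small model added here for illustration (it is not part of the original thread and is not Confluence's own code). It assumes view restrictions accumulate down the page tree, edit restrictions apply only to the page they are set on, and editing requires viewing; all names and sample data are constructed.

```python
from dataclasses import dataclass

@dataclass
class Page:
    title: str
    parent: "Page | None" = None
    view: frozenset = frozenset()  # empty set = no View Restriction set on this page
    edit: frozenset = frozenset()  # empty set = no Edit Restriction set on this page

def lineage(page):
    """Yield the page, then each ancestor up to the space root."""
    while page is not None:
        yield page
        page = page.parent

def can_view(user, page, space_users):
    # (a) space access first; (c) every view restriction up the tree must admit the user
    if user not in space_users:
        return False
    return all(not p.view or user in p.view for p in lineage(page))

def can_edit(user, page, space_users):
    # (d) the edit restriction is read from this page only; assumes editing requires viewing
    return can_view(user, page, space_users) and (not page.edit or user in page.edit)

def audit(pages, space_users, cleared):
    """List (page, user) pairs where a user outside `cleared` can still view the page."""
    return sorted((p.title, u) for p in pages for u in space_users
                  if u not in cleared and can_view(u, p, space_users))

# Constructed sample space: names and layout are illustrative only.
SPACE_USERS = {"alice", "bob", "carol"}
HOME = Page("Project Home")
SENSITIVE = Page("Sensitive", HOME, view=frozenset({"alice", "bob"}), edit=frozenset({"alice"}))
CONTRACT = Page("Contract", SENSITIVE)   # child page with no restrictions of its own
NOTES = Page("Notes", HOME)              # sibling outside the restricted branch

if __name__ == "__main__":
    for title, user in audit([HOME, SENSITIVE, CONTRACT, NOTES], SPACE_USERS, {"alice", "bob"}):
        print(f"{user} can view {title}")
```

Running the audit before attaching a sensitive document shows which pages in the space remain visible to users who are not on the cleared list.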
