AMA Recap: Data encryption, careers in Security, Australia’s Assistance and Access Act and more!

In case you missed it, last week I hosted an AMA (ask me anything) forum here on the Atlassian Community.

It was great to hear what topics are top-of-mind for the community, and I just wanted to say thank you to those that participated. We have a long road ahead of us for cloud security, and we want sure all of you have the information you need to feel confident using our products.

That being said, as we continue to improve and invest more in our security, we need your feedback!

While I’ve hired some incredibly talented people, they can’t read minds. I hope we continue this conversation in the Trust & Security group where my team will continue to provide updates and look for feedback from you.

For those that missed the AMA, here’s a quick recap:

1. Atlassian’s approach to security and compliance

• Compliance certifications: We are certified in SOC2, SOC3, ISO27001, ISO2701, and more. You can see more information and download our certificates on our compliance page. While we don’t currently have HIPAA, it’s something that we are investigating for our Jira Align and Jira Cloud roadmaps. See our Platform roadmap for more details.

• Atlassian’s security threat model for cloud products: Our threat model, at it’s highest level, considers every party that has access to our environment to be a potential threat. This includes all parties on the internet, all of our customers, and even Atlassians that have access to our infrastructure as as part of their job. We use that threat model to guide our product development, our security development lifecycle, and also our operating model for security. Specific to monitoring, we wrote a blog post on our security incident management process.

• Data Encryption for Atlassian cloud products: All data sent between our customers and our applications is encrypted-in-transit using (TLS) 1.2+ with (PFS). We also now offer encryption-at-rest for Jira, Jira Service Desk, and Confluence. This is currently available for any new sites created after 4/10/19. Encryption at rest for all sites created before 4/10/19 is in progress and will be coming soon. We will share an update in our Trust and Security group once encryption at rest for all existing sites is complete, so keep an eye out!

• On 3rd party Atlassian cloud product security reviews: We have a number of ongoing continuous security reviews and reports including the following:

  • We regularly conduct security reviews with third-party consultants and our internal security team. We will provide updates on those reviews in our Trust and Security group. You can also find more information on our public security questionnaires – check out those security questionnaires here.

  • We have an active bug bounty which provides continuous 3rd party testing of Atlassian products. You can also read more about our approach to security testing and download roll-up reports for our cloud products on our Security Testing page.

• On how Atlassian helps app vendors maintain the security of customer data: We are constantly looking to improve how well app vendors manage customer data. In December, we published a page for Security Guidelines for App Vendors to provide recs for how App Vendors can improve security practices and guidelines to help our App Vendors prepare for a security incident. Longer term, we are going to build security tools for App Vendors that are similar to the ones that we’ve built for our own teams.

What it’s like to be a CISO and how to prepare for a career in Security:

• The best piece of advice I’ve received that that helped me in my career:

  • Pick a field and role that challenges your and helps you learn: for me, the two most important things have been to always be working on something that I find challenging and that forces me to learn something new every day.

  • Consider and appreciate other roles: I spent several years working in product marketing – which opened up my eyes to the range of challenges that senior executives in a business face every day. And it reinforced my belief that what is most important is not the specific field that I’m in, but that I’m working on a challenging problem and learning.

• On how I manage security across such a large number of locations and development teams: At Atlassian we have a central security team that builds our security processes and infrastructure that is shared broadly across the company. Because many of our teams (including our security team) are spread across multiple locations, we rely on Jira, Confluence, and our other tools to collaborate and track our work. When to centralize or when to decentralize work – I’d say we tend to centralize when we think the same approach can be used across multiple products and we ask the product teams to take the lead where they have special skills or access that we can’t provide on the central team.

Current events and new regulations in security:

• On the ransomeware attack that affected Sourcetree and Bitbucket: We believe that this attempt at ransomware is a case of credential stuffing. Basically, that means these accounts were compromised when the account credentials were published or leaked in another location, and then an unauthorized person used those credentials gain access to Bitbucket (Gitlab, Gitlab, etc.) We don't believe that Sourcetree was involved in the compromise of credentials or accounts – Sourcetree was mentioned in some news reports because some legitimate users first noticed they had a problem when they used Sourcetree to connect to Bitbucket (or whichever service they are using to manage source code). We strongly recommend that users enable 2FA on BitBucket (and all of your Atlassian services) to help improve protection against Cred Stuffin attacks and phishing.

• On Australia’s Assistance and Access Act and what that means for Atlassian customers: The law was written in such a broad fashion that it effects all of the major cloud service providers – it’s not specific to Australian companies, nor companies that have employees that work in Australia. Our policy (both prior to and after the law passed) is very similar to that of all of the other major cloud service providers. We cooperate with law enforcement where we believe requests are lawful, and we will challenge the scope of the request where we believe it is overly broad. That policy is publicly available here.