Can external access compromise internal information?

We have JIRA Software and ServiceDesk running in one instance. We use Software heavily for internal projects, which have a considerable amount of sensitive information related to our business, products and services. Our Service & Support team want to open ServiceDesk to allow external customers access to log and monitor their cases/requests, including access to Confluence for a Knowledge Base, which we use for internal documentation as well.

I was wondering if anyone else has a similar scenario, and what the risks of an external customer gaining access to internal data would be using this method. Or are we better off separating the two services and having a dedicated JIRA ServiceDesk instance for our external customers?

2 answers

You can run JIRA and Confluence on SSL.

0 vote

As long as you think through your access permissions properly, then you should be fine.  Although the defaults for JIRA are quite open, it is still designed to enable you to separate out information and only allow people to see what they should.  Service Desk is explicitly designed to do that too, and does it by default - it was effectively built for the obvious case of "Internal users see JIRA, Customers only see what they need".

I'd agree 100% with @Noam Dahan on the SSL (but I instinctively wouldn't run anything other than a read-only public knowledge/information system without SSL nowadays).

Thanks - we are already on SSL. I personally think this goes without saying nowadays; there is no excuse.

The current permissions are what concern me. They imported contacts using a third-party plugin which has little to no integrity or structure in the data; it created circa 800 groups on the import and all sorts of nastiness, hence the concerns over our security on the instance with people potentially getting access to internal information.

Ugh, that's a horrid place to land in.  I would indeed be worried about the usage of the groups and what they allow access to, but I'd have a look at what the add-on does with them.  If it's just creating the groups, then there's little to worry about, but if it plonks them into permissions or roles, you're really going to have to slog through all of the projects to check and remove them.
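
The check suggested in the last reply, as an added example that is not part of the original thread: given project-role and permission-scheme data already exported as JSON, it reports where the add-on-created groups are actually referenced and which are not referenced at all. The `audit` function, the group names, the project keys and the `internal_projects` parameter are hypothetical, and the JSON shapes are assumed to match what Jira Server's REST API returns.

```python
import json

# Constructed sample data. Assumed shapes (Jira Server REST API):
#   GET /rest/api/2/project/{key}/role/{id}                  -> "actors"
#   GET /rest/api/2/permissionscheme/{id}?expand=permissions -> "permissions"
ROLES = json.loads("""{
  "INT": [{"name": "Developers", "actors": [
      {"type": "atlassian-group-role-actor", "name": "jira-developers"},
      {"type": "atlassian-group-role-actor", "name": "Import-Acme-Ltd"},
      {"type": "atlassian-user-role-actor", "name": "import-acme-ltd"}]}],
  "SD": [{"name": "Service Desk Customers", "actors": [
      {"type": "atlassian-group-role-actor", "name": "import-acme-ltd"}]}]}""")
SCHEMES = json.loads("""[{"name": "Default Permission Scheme", "permissions": [
  {"permission": "BROWSE_PROJECTS",
   "holder": {"type": "group", "parameter": "import-globex"}},
  {"permission": "BROWSE_PROJECTS",
   "holder": {"type": "projectRole", "parameter": "10002"}},
  {"permission": "CREATE_ISSUES", "holder": {"type": "anyone"}}]}]""")
IMPORTED = {"import-acme-ltd", "import-globex", "import-unused"}  # constructed


def audit(roles, schemes, imported, internal_projects):
    """Return (findings, unreferenced) for the groups the add-on created."""
    wanted = {g.casefold() for g in imported}
    findings, seen = [], set()
    for project, project_roles in sorted(roles.items()):
        for role in project_roles:
            for actor in role.get("actors", []):
                name = actor.get("name", "").casefold()
                # Only group actors count; a user can share a group's name.
                if actor.get("type") == "atlassian-group-role-actor" and name in wanted:
                    seen.add(name)
                    sev = "HIGH" if project in internal_projects else "review"
                    findings.append((sev, f"role {project}/{role['name']}", name))
    for scheme in schemes:
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder", {})
            name = (holder.get("parameter") or "").casefold()  # "anyone" has none
            if holder.get("type") == "group" and name in wanted:
                seen.add(name)
                # A scheme may be shared by many projects, so always escalate.
                where = f"scheme {scheme['name']}: {grant['permission']}"
                findings.append(("HIGH", where, name))
    return findings, sorted(wanted - seen)


if __name__ == "__main__":
    for row in audit(ROLES, SCHEMES, IMPORTED, internal_projects={"INT"})[0]:
        print(*row, sep="\t")
```

Groups that come back as unreferenced match the "just creating the groups" case from the reply; the findings list is the set of role and scheme entries that need to be checked by hand.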
