Can external access compromise internal information?

We have JIRA Software and ServiceDesk running in one instance. We use Software heavily for internal projects, which have a considerable amount of sensitive information related to our business, products and services. Our Service & Support team want to open ServiceDesk to allow external customers access to log and monitor their cases/requests, including access to Confluence for a Knowledge Base, which we use for internal documentation as well.

I was wondering if anyone else has a similar scenario and what the risks of an external customer gaining access to internal data would be using this method, or are we better off separating the two services and having a dedicated JIRA ServiceDesk instance for our external customers?

2 answers

You can run JIRA and Confluence on SSL.

As long as you think through your access permissions properly, then you should be fine.  Although the defaults for JIRA are quite open, it is still designed to enable you to separate out information and only allow people to see what they should.  Service Desk is explicitly designed to do that too, and does it by default - it was effectively built for the obvious case of "Internal users see JIRA, Customers only see what they need".

I'd agree 100% with @Noam Dahan on the SSL (but I instinctively wouldn't run anything other than a read-only public knowledge/information system without SSL nowadays).

Thanks - we are already on SSL. I personally think this goes without saying nowadays; there is no excuse.

The current permissions are what concern me. They imported contacts using a third-party plugin which has little to no integrity or structure in the data; it created circa 800 groups on the import and all sorts of nastiness, hence the concerns over our security on the instance with people potentially getting access to internal information.

Ugh, that's a horrid place to land in.  I would indeed be worried about the usage of the groups and what they allow access to, but I'd have a look at what the add-on does with them.  If it's just creating the groups, then there's little to worry about, but if it plonks them into permissions or roles, you're really going to have to slog through all of the projects to check and remove them.
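The check described in the last reply (do the imported groups only exist, or do they hold roles in internal projects?) can be scripted. This is an added example, not part of the original thread and not Atlassian code; it assumes role documents shaped like the JSON from Jira's project role REST resource, and every project key, role name and group name in it is constructed.

```python
import json

# Constructed sample, assumed to mirror the "actors" list returned by
# GET /rest/api/2/project/{key}/role/{id}; all names here are made up.
SAMPLE_ROLES = json.loads("""
{
  "INTERNAL": [
    {"name": "Developers", "actors": [
      {"type": "atlassian-group-role-actor", "name": "jira-developers"},
      {"type": "atlassian-group-role-actor", "name": "Import-Acme-Ltd"},
      {"type": "atlassian-user-role-actor", "name": "alice"}]},
    {"name": "Administrators", "actors": [
      {"type": "atlassian-group-role-actor", "name": "jira-administrators"}]}
  ],
  "SUPPORT": [
    {"name": "Service Desk Customers", "actors": [
      {"type": "atlassian-group-role-actor", "name": "import-acme-ltd"},
      {"type": "atlassian-group-role-actor", "name": "import-globex"}]}
  ]
}
""")
GROUP_ACTOR = "atlassian-group-role-actor"

def group_grants(roles_by_project):
    """Yield (project, role name, lower-cased group name) for every group actor."""
    for project, roles in roles_by_project.items():
        for role in roles:
            for actor in role.get("actors", []):
                if actor.get("type") == GROUP_ACTOR:
                    yield project, role["name"], actor.get("name", "").lower()

def find_imported_group_grants(roles_by_project, imported_groups, customer_projects):
    """Imported groups holding a role in any project not meant for customers."""
    imported = {g.lower() for g in imported_groups}
    return sorted((p, r, g) for p, r, g in group_grants(roles_by_project)
                  if g in imported and p not in customer_projects)

def unused_imported_groups(roles_by_project, imported_groups):
    """Imported groups that hold no project role at all (created, never wired in)."""
    used = {g for _, _, g in group_grants(roles_by_project)}
    return sorted(g.lower() for g in imported_groups if g.lower() not in used)

if __name__ == "__main__":
    imported = ["import-acme-ltd", "import-globex", "import-initech"]
    for finding in find_imported_group_grants(SAMPLE_ROLES, imported, {"SUPPORT"}):
        print("REVIEW:", finding)
    print("No role grants:", unused_imported_groups(SAMPLE_ROLES, imported))
```

Group names are compared case-insensitively here as a conservative choice. Roles are only half of the check: groups referenced directly in permission schemes need the same review.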
