Why is Atlassian promoting Shadow IT? Or Accidental IT?
Why is Atlassian promoting Shadow IT?
So, in their documentation, Atlassian warns about the dangers of Shadow IT and even talks about how Atlassian can be part of this problem:
So then, surely Atlassian must provide some tools to IT administrators to manage shadow IT? And why yes, yes they do, as described in Discover products your users administer. Oooh, what's this: Manage your users' requests for products?
Wow, you mean I can choose to prevent MY USERS from creating these problematic "shadow" instances of Atlassian products? That sounds EXACTLY what I need!
Oh, but sad trombone we don't have Enterprise Cloud.
How much would Enterprise Cloud cost?
So our smallest instance is a JSM of 300 agents. Enterprise would cost $48,000 more per year. Is this worth the extra hours I spend having to delete instances? Hm....
Oh but wait, reading the screenshot above "update your request settings for each Enterprise product" (emphasis mine). Ok, that'd be $148,000/yr more for Confluence (5000 users) and $236,000/yr more for Jira (6000 users).
Ah well. I guess we should just hire an intern then.
Hrm.... I see this has been discussed before, ad nauseum. Or perhaps just ad nauseating:
- Cloud Enterprise admins can now proactively manage product requests
- CLOUD-10325 - Allow non-Enterprise administrators to control managed users' associated sites and products
- ACCESS-1651 - Premium organisation admins ability to approve or deny the creation of new sites
- ACCESS-1272 - Allow to block non-administrators from creating new organizations
And the OG ticket, closed after 1600+ votes after they "fixed" it, but only if you pay for Enterprise:
- ACCESS-1468 - Allow Administrators to control managed users' associated sites and products
Some highlights:
--mattpatenaude comment - 06/Oct/2023 9:28 AM the day Atlassian "resolved" the issue
Not Shadow IT, but Accidental IT
Here's the thing though. We migrated about to Atlassian Cloud about a month ago - Jira, Confluence, JSM. Users want to use it. (Well, they don't have a choice.)
But users… get confused. In the nearly one month since we migrated, we've had nearly a dozen new instances created by mistake.
How does this keep happening?
Users don't remember that our servers that used to be named jira.COMPANYNAME.com or confluence.COMPANYNAME.com are now COMPANYNAME.atlassian.NET. (.NET? Really? Ahem, CLOUD-6999)
So they Google it. Or type it into their browser bar, which… Googles it.
And they end up here:
Big Blue Buttons
And so, they click on Confluence. Which takes them here, with two very big, friendly, blue buttons, and one very tiny "Sign in" link.
Now, those of us who are Atlassian Admins know that you're not supposed to hit those blue buttons, but instead click on the very tiny "Sign in" link:
Sign up/Login? What's the difference?
But I'm guessing that 11 people at my company did not. Instead they clicked one of the blue buttons, and oh look, it's what kind of looks like a login page. Oh and we just migrated to Confluence Cloud, so perhaps this will give them some kind of tutorial. It does say "Get started with Confluence":
Now because me and my team have done the work to connect Atlassian Access Guard to our IdP, Confluence happily recognizes that user's account. They may have even been redirected to our Azure AD page and done their whole SAML login. Very secure! And now they're back.
Go team go!
Huh. "roku-team-...." that sounds right. I work for Roku. I'm on a Team. Let's go hit another friendly blue button.
And that… is why I now have an Excel sheet tracking "shadow" Atlassian Cloud sites created by mistake, including emails addresses of the users who mistakenly created them (who have ALL indicated they did this on accident), when I cancelled the sites, and assuming the cancellation actually goes through (which it often DOES NOT), when I have deleted the Organizations that were also set up for each site.
I guess this is a huge win to Atlassian's Sales Team who have designed a very efficient "funnel" to get users to sign up for new Atlassian Cloud sites. (Assuming they only measure sign-ups, and not cancellations by irate Atlassian administrators.)
12 answers
Ugh yeah, it's infuriating that without Guard, you can't do anything about these sites.
And these emails that notify you about them without actually TELLING who created it or what the site URL is are infuriating.
It's does feel a bit like a hostage/blackmail situation:
TAKEN (ADVANTAGE OF)
based on true events
FADE IN:
OFFICE BREAK ROOM
People are enjoying coffee and bagels, chatting about how great RTO is.
So much synergy is happening.
CLOSE-UP COMPUTER SCREEN
Ominous music starts playing. Ding of a new mail. (Picture below)
From: "Atlassian <noreply-ofcourse>".
Subject: 1 product created outside YOUR COMPANY.
VOICEOVER (Liam Neeson-like actor):
So... someone in your domain, which you've gone to the
trouble of verifying, so we know you care about such things...
they've created a site that where they can:
-
Invite other users in your company to access
-
Invite people outside of your company to access
-
Make the pages/spaces/projects/issues visible to the world, without any login
-
Share PII, PHI, HIPAA, proprietary, top secret data without ANY REVIEW, again, using accounts with YOURCOMPANY domain."
If you ever want to see these sites, or know who created them,
you need to pay us $4/user. We accept credit cards and of course
can issue a quote for your billing department to issue a purchase order.
Remember: Until you pay us the ransom, any of your users can
create a huge security headache for you!
We'll be waiting.
So not an answer, but even worse news:
Another Community Leader tells me that even with Enterprise, he's still seeing rogue sites show up, and he suspects it's because Atlassian's "Product Requests" feature doesn't cover/block requests from folks on their mobile devices.
That is... not great, considering that for many users (ahem, YOUNGSTERS), they spend more time on their phones than in front of computers.
As previously mentioned, we're not on Enterprise, but I just checked, and the path to accidentally creating a site via mobile is MUCH MUCH easier. Oof:
So then, play in 1 act:
Customers: Hey, can you stop letting our managed users create new sites?
Atlassian: Sure, give us that Enterpri$e Money$
Customers: Grrr, ok here.
Atlassian: Haha, did you think it would also prevent mobile users from creating new sites? $ucker! For that feature you'll need to pony up for Enterpri$e Plu$!
To be clear, my example above is if you have previously logged in on your phone to your company's Atlassian site (which I assume my users must've done once before), but shows up even if you have logged out.
If you not ever logged in (or clear all Atlassian cookies from your browser, which, can you even do that on a phone?), you will see this screen:
(Screenshot from an Incognito session)
From there typing your email (if your company has claimed your domain) and clicking "Sign up" will take you to your company's SSO. OR, since we are on Azure, some users will click [Microsoft].
In any case, once authenticated, users will end up on the "Welcome back" page. Actually trying from Incognito just now, I'm seeing this page is even more streamlined:
It's kind of a bummer that if they're Welcoming me back, they're not showing me https://start.atlassian.com/ (which I guess now is https://team.atlassian.com/)
So over in https://jira.atlassian.com/browse/CLOUD-10325 (where I might be banned?) @brian_g wrote:
I just recieved a potential ray of hope
.
It was suggested that we could create a firewall rule in our corporate network/VPN to restrict network access to the following addresses:
so users could not create Atlassian organizations themselves and could not open the pages that allow them to start their own site subscriptions.
Please note that such network rule will not block you from adding additional products/sites to your current organization, but will be a blocker should you legitimately require to create another cloud site for your company in a separate Atlassian organization.
Hrm. I guess I could ask our network team if they can redirect those URLs to a proper login page. Or to a Confluence page asking if the users were trying to create a new site.
Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.