I'd asked this question a year or two ago with respect to Hipchat. We work in an environment with various regulatory and contractual security requirements; while we use Hipchat, it's in a grey area and significant care needs to be taken to avoid violating our policies.
I've noticed a few people asking related questions - in particular, our plan was to use self-hosted HipChat at one point, before we realized that the multimedia elements are not self-hosted and so conversations and graphics aren't under the same controls as if we had the entire process end-to-end.
I also noticed someone already asked the question about self-hosting Stride.
While on some level I can advocate "trusting" Atlassian, I've had to deal with our customers' auditors, as well as our own, and it's harder to justify this class of service absent the checkboxes indicating strong policies, operational process, and external assessment. We were looking at replacing some of our use of WebEx, for example, with HipChat, but Cisco has invested in certifications that make it easier for us to use them. I might also add that Slack has done this as well.
We want to support services like Stride and HipChat, and we're also aware that these days often people will use whatever makes them productive regardless of what the central IT and security teams approve - but while it's a losing proposition (see: BYOD) to try to prevent people from using good tools, we train people to think carefully, and sometimes they decide the risk is too great.
So the bottom line question: what's Atlassian's plan here?
I don't have insight into Atlassian's plan as a whole, I can only speak for Stride. Right now we are cloud-only, as you know, and we are working to earn security certifications over time. Which ones are you most concerned about?
We have no plans to develop a self-hosted version of Stride. Hipchat Data Center would be your best option for a self-hosted product, although it sounds like it might not work for you either.
We understand that our products might not be the best solution for everyone, but we appreciate you taking the time to consider us anyways. As I'm sure you've seen, we take security seriously and are constantly working to improve our processes.
Thank you for taking the time to reach out, and please let us know if you have more specific security certification requests for Stride.
I appreciate the response; I'm happy to hear that this is a topic of conversation.
The primary regime that drives our process is PCI-DSS. We also have HIPAA concerns. I should add that we're not particularly sensitive to a specific standard, as we do not and will not use HipChat for storage or transmission of "in-scope data", but our auditors look at the lack of evidence of compliance with an appropriate standard with some worry. I suspect that any of the well-established certifications with a known set of controls and assessments would be very helpful.
For example, Cisco indicates that WebEx has been certified ISO 27001, and has a SOC 2 "Type II" assessment - these just show that you have internal controls that have been externally examined, which is going to be useful when talking to the Risk Management team. Again, it's just evidence of an accepted baseline to start discussing the general case, which is where we are now.
Without any formal and verified effort, there are just too many questions. Sounds like you've started working on this, and that's good to know. That helps us plan for our requirements.