How do you set up your Atlassian products to be secure? What are your biggest challenges?

lauren
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 1, 2019

Not too long ago, @Bill Marriott shared some tips for keeping your Atlassian cloud products secure.

How do you manage users and maintain security for your Atlassian products? What are some of your biggest challenges? 

3 comments

Matt Doar
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 4, 2019

In general, I'd rate Atlassian products as more secure than most. The security team does a steady job of tracking problems and communicating them to the community.

However, one major challenge is the lack of information within the products about which users are doing what with the product. For example, who is running long queries. Some of the info is available in logs, but that requires a separate step to access.

A few other challenges I see:

Authentication - lack of support for load balanced Active Directory servers in Jira

Authorization - no support for Teams and hierarchies in standard Server Jira

Accounting - audit log feature has poor search capability and does not record all admin changes

lauren
Atlassian Team
April 8, 2019

@Matt Doar - thank you for the feedback! cc @Jess Seitz @Shana 

Brian Hill April 16, 2019

+1 from me on @Matt Doar's comments, esp. the audit log granularity and change tracking. Whilst it's possible to use add-ons that provide a more granular and extensive audit log, security support would be enhanced by having this as a better baseline standard.

Opher Lichter June 20, 2019

Hi - I'm a newb to the community. As an introduction, I'm the least technical member of the team, but I manage some really smart people who live in the tools all day every day, supporting a large environment for a complicated enterprise.

In general, my overall feedback is that it's just too hard to administer these tools - and there doesn't seem to be an "easy" button for enterprises out there looking to ensure security.

A couple of other challenges in keeping the Atlassian products (Jira and Confluence Data Center/Server) secure:

* encryption at rest - seems unsupported, or at least poorly supported by Atlassian. When we've looked (and asked for help), we've not seen decent documentation as to whether doing this is supported - only comments by people that it causes performance problems...

* Antivirus / Anti-malware - there is no "application friendly" AV or anti-malware protection out there, with one notable exception that we've been able to find in the shape of a single add-on. We found that add-on poorly documented and had to uninstall it within a day of installing it. After pressing the issue, we were at least able to get a suggestion as to a path we would need to chase ourselves offline to Confluence or Jira.

Matt Doar
Community Leader
June 20, 2019

"it's just too hard to administer these tools" - no harder than many tools, I'm afraid.

There is no "make it secure" button in any app, just many ways to end up insecure.

Encryption at rest would be good in the long term, I agree.

Antivirus - do you mean the content uploaded to issues and pages?

Dan Ivory _Orah Apps_
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
June 21, 2019

Hi @Opher Lichter 

Our app Encryption for Jira should be able to help you with some of this. Specifically encryption at rest for attachments. 

If you need any help setting up the app please let us know via our Support Portal and one of the team will be able to help.

Thanks,
Dan

Opher Lichter June 21, 2019

Thanks @Dan Ivory _Orah Apps_ - we'll look into it. 

Opher Lichter June 21, 2019

@Matt Doar yes, I mean for infected attachments. Someone can upload an infected attachment to Jira, then a second person can download that attachment, spreading the infection to their own systems.

Alexander Pappert
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 8, 2019

How do you manage users and maintain security for your Atlassian products?

  • In my company, we use Jira Server
  • We also use Active Directory
  • The Jira data is hosted on our servers and not in a cloud
  • Jira is only accessible via intranet
  • I use different user groups for the Jira projects, so everyone can only see their relevant data