Security Best Practices for Jira: Permissions, Workflows, and Third-Party Apps

Dimitris Sylligardakis
Rising Star
May 13, 2024

Hello Atlassian Community!

Following our previous two posts (What is Information Security? and Bridging the Gap: From Information Security to Compliance), the third topic in our Infosec & Compliance series focuses, as promised, on Security Best Practices for Jira: Permissions, Workflows, and Third-Party Apps.

Why is it crucial to pay attention to Jira security?

Jira often houses highly sensitive data—project details, customer information, development roadmaps, and even financial data. A security breach in your Jira instance can have far-reaching consequences, ranging from intellectual property theft to compliance violations. Proactive security measures are vital to maintain your organisation's integrity and protect sensitive information.

What are some core pillars of effective Jira security management?

Let's break down three key areas:

  • Permissions management: Controlled permissions are the foundation of a secure Jira environment. Think of them as gatekeepers that determine who can see and modify data. In Jira, access is granted through global permissions, the permission scheme attached to each project, and project roles. Apply the principle of least privilege: grant permissions to project roles rather than to individual users or catch-all groups, give people only what their role requires, and reserve Jira Administrator and System Administrator rights for the people who actually operate the instance.

  • Secure workflows: Workflows define how issues move through your Jira projects. Workflow conditions, validators, and transition-level permissions let you build security checkpoints into that flow, so that sensitive issues pass through the right hands and collect the necessary approvals. For example, a condition can restrict the transition to ‘Done’ to members of a Security Reviewer project role, so an issue containing confidential information cannot be closed without a security review.

  • Issue-level security: Issue security schemes let you restrict who can see an individual issue by assigning it a security level that names the users, groups, or project roles allowed to view it. A user who cannot see an issue cannot edit, comment on, or transition it either, so this is the tool for confidential tickets inside an otherwise open project. Grant the Set Issue Security permission narrowly, because anyone who holds it can change or remove an issue's security level.
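An added example, not code from the original post, of what a least-privilege review of a permission scheme looks like in practice. The scheme below is constructed by hand in the shape Jira returns from GET /rest/api/2/permissionscheme/{id}?expand=permissions; holder types and permission keys are Jira's own, while the set of "high-impact" permissions and the list of catch-all groups are this script's assumptions and should be adjusted to your instance.

```python
"""Least-privilege audit of a Jira permission scheme (added example).

The sample scheme is constructed in the shape of Jira's permission scheme
REST response. Which permissions count as high-impact and which groups
contain "everyone" are assumptions of this script, not Jira settings.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Permission keys that let a holder destroy, hide or re-scope project data.
HIGH_IMPACT = {
    "ADMINISTER_PROJECTS", "DELETE_ISSUES", "DELETE_ALL_COMMENTS",
    "DELETE_ALL_ATTACHMENTS", "SET_ISSUE_SECURITY", "MODIFY_REPORTER",
    "EDIT_ALL_COMMENTS", "MANAGE_WATCHERS",
}
# Groups assumed (for this example) to contain every licensed user.
BROAD_GROUPS = {"jira-software-users", "jira-users"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    permission: str
    holder: str
    reason: str


def describe_holder(holder: dict) -> str:
    kind = holder.get("type", "unknown")
    param = holder.get("parameter")
    return f"{kind}:{param}" if param else kind


def audit_scheme(scheme: dict) -> list[Finding]:
    """Flag grants that violate least privilege, most severe first."""
    findings: list[Finding] = []
    for grant in scheme.get("permissions", []):
        perm = grant["permission"]
        holder = grant.get("holder", {})
        kind, param = holder.get("type"), holder.get("parameter")
        label = describe_holder(holder)
        # "applicationRole" is Jira's "any logged-in user"; broad groups are equivalent.
        everyone = kind == "applicationRole" or (kind == "group" and param in BROAD_GROUPS)
        if kind == "anyone":
            # "anyone" includes unauthenticated visitors once public access is on.
            findings.append(Finding("HIGH", perm, label, "granted to anonymous users"))
        elif everyone and perm in HIGH_IMPACT:
            findings.append(Finding("HIGH", perm, label,
                                    "high-impact permission granted to every logged-in user"))
        elif kind == "user":
            # Direct user grants bypass role reviews and are rarely cleaned up.
            findings.append(Finding("LOW", perm, label, "direct user grant; prefer a project role"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'HIGH': 3, 'LOW': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: a default-style scheme with a few common mistakes.
SAMPLE_SCHEME = json.loads("""
{
  "id": 10000,
  "name": "Default Permission Scheme (constructed sample)",
  "permissions": [
    {"holder": {"type": "anyone"}, "permission": "BROWSE_PROJECTS"},
    {"holder": {"type": "applicationRole"}, "permission": "CREATE_ISSUES"},
    {"holder": {"type": "applicationRole"}, "permission": "DELETE_ISSUES"},
    {"holder": {"type": "group", "parameter": "jira-software-users"}, "permission": "ADMINISTER_PROJECTS"},
    {"holder": {"type": "projectRole", "parameter": "10002"}, "permission": "ADMINISTER_PROJECTS"},
    {"holder": {"type": "user", "parameter": "alice"}, "permission": "SET_ISSUE_SECURITY"},
    {"holder": {"type": "projectRole", "parameter": "10001"}, "permission": "EDIT_ISSUES"}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_scheme(SAMPLE_SCHEME):
        print(f"[{f.severity}] {f.permission:<22} {f.holder:<32} {f.reason}")
    print(summarize(audit_scheme(SAMPLE_SCHEME)))
```

Run against a live scheme by replacing SAMPLE_SCHEME with the JSON from the REST call above (one call per scheme, then map schemes to projects); the projectRole grants in the sample produce no findings because roles are the intended way to grant access.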

How should I approach third-party apps in Jira with security in mind?

Third-party apps from the Atlassian Marketplace can significantly enhance Jira's functionality, but they introduce risk. Here's how to weigh the benefits against the risks:

  • The good: Third-party apps can streamline processes, automate tasks, and provide specialised features tailored to specific security needs.

  • The bad: An app can carry vulnerabilities of its own, and it often asks for broader access than it needs. Where the app runs matters too: a Data Center app is Java code loaded into the Jira JVM with the same reach as Jira itself, while a Jira Cloud app declares scopes at install time and, in the case of Connect apps, runs on the vendor's infrastructure, so the issue data it receives leaves your site.

What are some best practices for vetting and using third-party apps in Jira?

Here's your checklist:

  1. Choose reputable vendors: Prefer apps from established developers with a visible security track record, such as participation in Atlassian's Marketplace security programs (bug bounty, Cloud Fortified) and a published statement of how the app handles your data.

  2. Scrutinise permissions: Review the scopes a Cloud app requests (shown on its Marketplace listing and again at install time) and ask whether each one is needed for what the app does; an app that only reads issues should not ask for admin or delete rights. Data Center apps have no scope model at all, which makes vendor vetting and code review your only controls there.

  3. Regular audits: Periodically review the list of installed apps and disable or uninstall any that are no longer used. Jira does not let you trim an app's permissions after installation, so an idle app with broad scopes should be removed rather than left in place.

  4. Stay updated: Keep Jira and its apps on current versions so you receive security patches, and subscribe to Atlassian's security advisories so you hear about fixes as soon as they ship.
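An added example, not code from the original post or from any vendor, of the "scrutinise permissions" step applied to a Jira Cloud app before installation. It reviews an Atlassian Connect descriptor (the atlassian-connect.json a Connect vendor publishes under its baseUrl); the descriptor below is constructed for the example. The scope names and descriptor fields are Connect's own, while the ordering of scopes by blast radius and the policy ceiling are this script's assumptions.

```python
"""Pre-install review of an Atlassian Connect app descriptor (added example).

SAMPLE_DESCRIPTOR is constructed in the shape of atlassian-connect.json.
The scope ranking and the default ceiling are this script's policy.
"""
from __future__ import annotations

import json

# Connect scopes ordered by blast radius (ordering is this script's policy).
SCOPE_RANK = {"READ": 1, "WRITE": 2, "DELETE": 3, "PROJECT_ADMIN": 4, "ADMIN": 5, "ACT_AS_USER": 5}


def review_descriptor(desc: dict, max_scope: str = "WRITE") -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to discuss."""
    findings: list[tuple[str, str]] = []
    base_url = desc.get("baseUrl", "")
    if not base_url.startswith("https://"):
        # Jira posts signed JWTs and issue payloads to this host; it must be TLS.
        findings.append(("HIGH", f"baseUrl is not HTTPS: {base_url!r}"))

    ceiling = SCOPE_RANK[max_scope.upper()]
    for scope in (s.upper() for s in desc.get("scopes", [])):
        rank = SCOPE_RANK.get(scope)
        if rank is None:
            findings.append(("MEDIUM", f"unknown scope {scope!r}; check the vendor's documentation"))
        elif scope == "ACT_AS_USER":
            # Lets the app make REST calls impersonating users, not just as itself.
            findings.append(("HIGH", "ACT_AS_USER: app can call the API on behalf of users"))
        elif rank > ceiling:
            findings.append(("HIGH", f"scope {scope} exceeds the policy ceiling {max_scope.upper()}"))

    # Webhook modules mean Jira pushes event payloads to the vendor unprompted.
    hooks = desc.get("modules", {}).get("webhooks", [])
    events = sorted({h.get("event", "?") for h in hooks})
    if events:
        findings.append(("INFO", f"receives webhook payloads for {', '.join(events)}; "
                                 f"that data leaves your site for {base_url}"))
    return findings


def highest_severity(findings: list[tuple[str, str]]) -> str:
    order = {"HIGH": 3, "MEDIUM": 2, "INFO": 1}
    return max((s for s, _ in findings), key=order.get, default="NONE")


# Constructed sample: an "issue sync" app asking for far more than syncing needs.
SAMPLE_DESCRIPTOR = json.loads("""
{
  "key": "com.example.issue-sync",
  "name": "Issue Sync (constructed sample)",
  "baseUrl": "http://issue-sync.example.com",
  "authentication": {"type": "jwt"},
  "lifecycle": {"installed": "/installed"},
  "scopes": ["READ", "WRITE", "ADMIN", "ACT_AS_USER"],
  "modules": {
    "webhooks": [
      {"event": "jira:issue_created", "url": "/hooks/issue"},
      {"event": "jira:issue_updated", "url": "/hooks/issue"}
    ]
  }
}
""")

if __name__ == "__main__":
    for severity, message in review_descriptor(SAMPLE_DESCRIPTOR):
        print(f"[{severity}] {message}")
    print("verdict:", highest_severity(review_descriptor(SAMPLE_DESCRIPTOR)))
```

The ceiling is deliberately a parameter: a reporting app reviewed with max_scope="READ" should come back clean, and anything that needs ADMIN or ACT_AS_USER deserves a conversation with the vendor about why.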

Any additional tips for maximising Jira security?

Absolutely! Remember to:

  • Enforce strong passwords: Apply a robust password policy and, where possible, put Jira behind your identity provider (SAML or OIDC single sign-on) so users never hold a Jira-specific password at all. Encourage a password manager for the accounts that remain.

  • Enable two-factor authentication (2FA): Enforce it rather than merely offer it, ideally at the identity provider. This extra layer significantly reduces the risk of unauthorised account access, but remember that API tokens and personal access tokens bypass it, so inventory and rotate those too.

  • Train your team: Conduct security awareness training for all Jira users to educate them on best practices and potential threats.

  • Regular security audits: Establish a regular cadence for reviewing your Jira security settings, permissions, and app configurations.

Upscale: Your partner for comprehensive Jira security

While the best practices discussed provide a solid foundation for securing your Jira instance, implementing and maintaining them effectively can be complex and time-consuming. This is where Upscale steps in to help streamline your Jira security management and your instance’s overall health.

Remember, Jira security is an ongoing process. By staying consistent and implementing these best practices, you can significantly reduce the risk of a security incident and safeguard your valuable data within Jira.

2 comments

Mario Coluzzi
Contributor
May 13, 2024

Hello @Dimitris Sylligardakis

The publication of this document is a significant step forward in raising awareness. I appreciate the effort put into it.

I also want to stress the importance of organisations refraining from granting Admin Privileges to users in Jira without valid SysAdmin reasons.

Throughout my ten years of experience with Atlassian products, I have encountered several cases where regular users were granted Jira Admin Privileges.

Security concerns often stem not only from "non reputable vendors" but also from within the organization itself.

Example:

  • A webhook set up by a user with admin privileges may pose a security risk, as it could potentially be used as a backdoor for data exfiltration.
  • Conversely, granting admin privileges to a user may also lead to security issues, as they could modify system behaviour in unintended ways.

Atlassian admin privileges are intended for SysAdmins only, because an audit may prove to be too late in discovering data leaks or vulnerability issues.

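An added example (not part of the comment above or of the original post) of the audit this comment argues for: an admin-created webhook is an outbound channel, so enumerate the instance's webhooks and check where they post, how much they send, and who registered them. The list below is constructed in the shape of the Jira Data Center webhook listing (GET /rest/webhooks/1.0/webhook); that shape, the approved destination hosts, and the approved owner accounts are assumptions of this example.

```python
"""Audit of Jira webhook registrations for exfiltration risk (added example).

SAMPLE_WEBHOOKS is constructed in the shape of Jira Data Center's webhook
listing. ALLOWED_HOSTS and WEBHOOK_OWNERS are assumptions; set them to the
integration hosts and admin accounts that are expected to own webhooks.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

ALLOWED_HOSTS = {"ci.example.internal", "chatops.example.internal"}  # assumed allowlist
WEBHOOK_OWNERS = {"svc-jira-admin"}                                  # assumed owners


def audit_webhooks(hooks: list[dict]) -> list[tuple[str, str, str]]:
    """Return (severity, webhook name, reason) for each suspicious registration."""
    findings: list[tuple[str, str, str]] = []
    for hook in hooks:
        if not hook.get("enabled", True):
            continue  # a disabled hook sends nothing; review those separately
        name = hook.get("name", "<unnamed>")
        target = urlparse(hook.get("url", ""))
        if target.scheme != "https":
            findings.append(("HIGH", name, f"non-HTTPS destination {hook.get('url')!r}"))
        if target.hostname not in ALLOWED_HOSTS:
            # The classic backdoor: issue data posted to a host nobody approved.
            findings.append(("HIGH", name, f"destination {target.hostname!r} is not an approved host"))
        jql = (hook.get("filters") or {}).get("issue-related-events-section", "").strip()
        if not hook.get("excludeBody", False) and not jql:
            # Full issue payloads for every event in every project.
            findings.append(("MEDIUM", name, "sends full issue bodies with no JQL filter"))
        owner = hook.get("lastUpdatedUser", "")
        if owner not in WEBHOOK_OWNERS:
            findings.append(("MEDIUM", name, f"last modified by {owner!r}, not an approved owner"))
    return findings


def flagged_names(findings: list[tuple[str, str, str]], severity: str) -> list[str]:
    """Distinct webhook names carrying at least one finding of the given severity."""
    return sorted({name for sev, name, _ in findings if sev == severity})


# Constructed sample: two sanctioned hooks, one quietly added by a user with
# admin rights, and one disabled leftover.
SAMPLE_WEBHOOKS = json.loads("""[
  {"name": "CI status sync", "url": "https://ci.example.internal/jira-hook",
   "excludeBody": false, "filters": {"issue-related-events-section": "project = OPS"},
   "events": ["jira:issue_updated"], "enabled": true, "lastUpdatedUser": "svc-jira-admin"},
  {"name": "Legacy chat bot", "url": "http://chatops.example.internal/hook",
   "excludeBody": true, "filters": {}, "events": ["jira:issue_created"],
   "enabled": true, "lastUpdatedUser": "svc-jira-admin"},
  {"name": "sync", "url": "https://catch.requestbin.example.net/x7q",
   "excludeBody": false, "filters": {},
   "events": ["jira:issue_created", "jira:issue_updated", "comment_created"],
   "enabled": true, "lastUpdatedUser": "jdoe"},
  {"name": "Old reporting", "url": "https://bi.example-partner.com/hook",
   "excludeBody": false, "filters": {}, "events": ["jira:issue_updated"],
   "enabled": false, "lastUpdatedUser": "jdoe"}
]""")

if __name__ == "__main__":
    for severity, name, reason in audit_webhooks(SAMPLE_WEBHOOKS):
        print(f"[{severity}] {name}: {reason}")
```

Pair this with egress filtering on the Jira hosts: an allowlist in a script catches the webhook you can see, a network allowlist catches the one registered after the audit ran.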
Dimitris Sylligardakis
May 14, 2024

Hi  @Mario Coluzzi 

You are absolutely right and spot on! I completely agree. There needs to be an emphasis on how potentially dangerous granting Admin Privileges to users in Jira without valid SysAdmin reasons is.

As you mentioned, security concerns can arise not only from external sources but also from within the organization itself. Granting Admin Privileges to regular users can create vulnerabilities that could be exploited for malicious purposes.

It is crucial that organizations understand the risks associated with granting Admin Privileges and reserve them only for SysAdmins who have the necessary knowledge and experience to manage the system securely.

Thank you for sharing Mario! 

Tomasz Prus
Atlassian Team
May 15, 2024

Hi @Dimitris Sylligardakis 


Great article! It's fantastic to see community members engaging in discussions about security. The recommendations you've shared are extremely relevant. 
I wanted to share that we’ve recently published a set of security recommendations for Data Center admins. I'd love your feedback.

Here's a link to the announcement: https://community.atlassian.com/t5/Data-Center-articles/Introducing-Data-Center-security-checklist-and-best-practices/ba-p/2692051
and to the document itself: https://confluence.atlassian.com/security/data-center-security-checklist-and-best-practices-1388158655.html
Cheers, 
Tomasz

Dimitris Sylligardakis
May 17, 2024

Hi @Tomasz Prus ,

Thank you! The Trust and Security community is large, and I think we would all benefit from engaging security topics where we can share opinions and highlight the problems we all come across.

I had a read of the security recommendations for Data Center admins. It was pleasantly detailed and addressed the step-by-step process, which would make a lot of people's lives easier but also raise awareness of probable "gaps". (I loved the tick-box option in the PDF.)

I'll be posting about "Understanding Third-Party App Security in the Atlassian Ecosystem" next, so stay tuned. 
