We are Jira and Confluence cloud users and are evaluating migrating from an on-premise Git hosting solution to BitBucket cloud. Atlassian's Security practices page states "Bitbucket does not offer encryption at rest for repositories at this time." Competing platforms github.com and gitlab.com have both added encryption at rest to their platforms within the past two years.
We could be fine with no encryption at rest provided there are compensating controls to assure the confidentiality and integrity of our data. Can anyone provide specific information about compensating controls that Atlassian follows to ensure that:
Thanks for your help with our evaluation.
Hi Kyle,
I also struggled with these asks from CISO & Compliance.
The compensating controls can be found in the SOC 2 & 3 reports, in addition to the Cloud Security Alliance self-assessment filed by Atlassian. here>>
Interestingly, while searching for these, I also went through GitHub's self-assessment.
This is what GitHub says, in Row 90 of the self-assessment:
"Repository backup data is encrypted in storage; data is encrypted with github keys and then stored. Data in Production environment is not encrypted at rest"
Don't know what to make of it, given this is the opposite of what is stated publicly,
but it was sufficient to make this an equalizer for this specific security requirement.
Hope this was helpful.