If you operate in Europe, it’s not easy to live up to all regulatory requirements around your data. And it becomes even more complex when you add all these great new SaaS solutions. Where should you store your data?

Do you become a pioneer in cloud transformation, or do you put your foot down and restrict the use of public clouds altogether? Alright, we understand that it’s not as simple as picking one of the two options. 

In this blog post we will focus on Atlassian Cloud, and walk you through: 

  1. The security aspects you need to know about
  2. What compliance issues you as an Atlassian Cloud customer are responsible for
  3. Some actions you can take right away to make sure you are compliant

Gartner believes that 90% of organizations will erroneously share sensitive data by 2025, if they don’t have a strategy for managing public clouds. And 99% of security-related incidents will be the customer’s own fault. So let’s get to it:

Is your Atlassian Cloud data GDPR compliant?

GDPR is a critical factor when it comes to cloud instances. Some doubt if Atlassian Cloud is even a good choice when it comes to GDPR. Let’s have a look.

Usually, the question is: where is the information stored, and can Atlassian really guarantee the information stays where you want it to be?  

The answer to this question is a little complex. When it comes to SaaS services we talk about data in two phases: 

  • data at rest
  • data in transit 

Data at rest means the location where the data is stored when it is not being used. In this case, Atlassian can specify where your data is located with the assistance of "Data Residency". When data is not being used, it is encrypted on disc using AES-256 encryption. 

It is when data is in motion, "In transit", that things become complicated.

Data needs to be moved when it is processed because that is how SaaS products work. When a user requests information or performs an action, the information is sent in a call to a central function that then returns a response. That means Atlassian cannot guarantee that your data stays in a single area, because the environment is based on many functions that are spread worldwide. 

When you make your call, it may involve a service that is operated by Atlassian's data center in the US. But even though Atlassian cannot guarantee that your data is always in the same location, they ensure that the information is secure during transit by using TLS 1.2 and PFS (Perfect Forward Secrecy).

So, is your Atlassian product GDPR compatible? Yes, it is. 

Atlassian has built in many functions that give you full administrator control to erase user data on request. However, please note that this only concerns user data. For example, if you have a service desk where sensitive data is processed in cases, this information must be deleted manually. This means you are responsible for the type of information managed in your Jira instance. 

Let’s have a closer look at these responsibilities: 

What you are responsible for, to keep your Atlassian products GDPR-compliant

Atlassian talks about shared responsibilities, because you as a customer are responsible for how you use the platform. It is important to understand each party's responsibility. 

Atlassian takes responsibility for the security, availability, and performance of their applications, the systems, and the environments they exist in. In practice, this means that the actual administration of the applications is handled by you, the customer. 

Your customer responsibilities can be divided into four areas: users, policy and compliance, third-party apps, and information and data management. Let’s look at each of them.

Users

We’re essentially talking about user management here. Because this can be handled in so many ways, there are many security threats associated with it. 

Make sure you focus on building a good strategy for how you want your users to gain access to the system. Either automatically by user provisioning, or by adding users manually. What is right for you depends on how well-structured your catalog service is today. If you can add an AD connection, we strongly recommend you do that.

Policy and compliance

It is important to understand that different sectors have different regulators and, accordingly, different obligations under the law. Make sure you understand how you may act and, thus, how Atlassian's cloud service can be applied in the sector in which you work. 

Study your risk profile to understand the sensitivity of your data, and build a better understanding of these matters in your company. 

Third-party apps

If you are an experienced on-prem/self-managed user of Atlassian's tools, you might already have a number of applications. These apps, which are currently isolated on an on-premises installation, will instead be operated on their own platforms. That means that the data you manage in your Jira environment may be sent to the other side of the world for processing before they are returned to you.

There are many excellent apps in Atlassian's Marketplace, which provide endless opportunities in your environment. But pay attention to which apps you use. As a customer, it is your responsibility to ensure that each app complies with your and your sector's specific requirements. 

We recommend that you look for the following indications in the Marketplace: 

  • User reviews 
  • "Staff Pick” label
  • Cloud Security Participant
  • Bug Bounty Program 

All this information is available in Marketplace, and the more you can tick off, the better conditions you have. So be picky, and only choose serious actors.

Information and data management

If there is a place where things frequently go wrong, it is when users handle sensitive data in an un secure way. Have clear policies about the data classification that matches the tool, and make sure your teams get a proper onboarding before they start using the tools.

Strictly speaking, this point is about you guaranteeing that the right data ends up in the right place. Do not create any projects with sensitive information, such as an HR service desk, if you are not certain that your company is OK with the information being there. If it is OK, make sure you secure the project with issue security, so only the necessary personnel can see the information.

7 actions points that will take you far toward compliance

Understandably, cloud data and compliance is a large and complex matter. We can’t include all the important aspects. But below is a list of seven key considerations. If you pay attention to them you will have come a long way toward compliance. 

  1. Verify your domain and claim all Atlassian accounts that are covered by the domain. Then you have control over the users’ password requirements and sessions.
  2. Secure centrally by installing Atlassian Access. With this product, you have the option to use SSO via SAML. Switch on user provisioning via SCIM to create and synchronize users automatically in a controlled way.
  3. If you have manual user management, this should be handled with care. Consider a more sustainable solution eventually!
  4. Review global rights and ensure that unauthorized people cannot access your data. In addition, check that it's not possible for everybody to create an account on your site.
  5. Review all apps in your environment and place requirements on the app producers. Make sure they live up to your standard instead of you dropping to theirs.
  6. Limit the tools to a reasonable classification level. Find out what information is suitable in the tool and reinforce it internally.
  7. Establish a plan for administrating and helping new employees. Make sure they understand how they have to use the product and what is permitted.

There you have it. Now you know a bit more about how Atlassian approaches compliance, what are your responsibilities as a customer, and what you can do today to become compliant. Hope it helps.

Published: Jun 10, 2022

Atlassian