Security practices

Our team

We know most companies would say this, but we’re extremely proud of our security team. We believe we have recruited and grown a team that consists of some of the best and brightest in the industry. Our Security Team is headed up by our San Francisco based CISO and includes over 100 people based across our Sydney, Amsterdam, Bengaluru, Austin, Mountain View, San Francisco and New York offices with some remote team members. The team is continually growing in recognition of the priority Atlassian places on security. We have multiple sub-teams, including:

• Product security – responsible for the security of our products and platforms
• Ecosystem security – responsible for the security of our Marketplace and add-ons
• Detection and Response – responsible for detecting and responding to security incidents
• Red team - responsible for adversary emulation and exercising Detection and Response
• Security architecture – responsible for defining the security requirements of our products and platforms
• Corporate security – responsible for our internal security with respect to our corporate network and applications
• Trust - responsible for tracking and responding to customer expectations and provide transparency into our processes and practices
• Development and SRE – responsible for building and running tooling for the security team
• Awareness and training - responsible for ensuring our employees and partners know how to work securely

While our security team continues to expand, everyone at Atlassian is part of our mission to achieve better security and this is made clear to all of our staff throughout their time with us. We want have a goal to lead our peers in cloud security, meet all customer requirements for cloud security, exceed requirements for all industry security standards and certifications and be proud to publish details about how we protect customer data. Our goals and vision are made clear to all of our staff throughout their time here at Atlassian.

Additional programs we use to support security

While we focus on the fundamentals of security , we also have a range of programs in place to ensure our approach to security remains wide-reaching,  and proactive. These include:

Continually improving our security program

We are intent on ensuring our security program remains cutting edge and leading peers in the industry. We know to do that, we need to continually evaluate our current approach to security (including in comparison to our industry peers) identify opportunities for improvement.

To this end, we have undertaken (and will continue to undertake) numerous maturity assessments of our security program, using independent security consulting companies. In 2020, we also performed a peer assessment of our overall Trust and Security Program. We take the outputs from these processes, including key recommendations, and use them to address any gaps and opportunities for improvement.

We have also defined a series of programs across our various security – such as Product Security and Detection and Response – to guide our internal improvement. We have defined metrics to support each of these programs which we review through our Security Management Team. We use these metrics to identify and target areas for improvement across each of our core capabilities.

More information

While this paper will provide a broad overview of our approach to security, more detail regarding our security program is available on our Atlassian Trust Center. There’s also a range of dedicated web pages and whitepapers detailing different areas of our security program available, including:

• How Atlassian Manages Customer Data
• Our Approach to External Security Testing
• Our Approach to Managing Security Incidents
• Our Approach to Vulnerability Management
• Cloud Security Shared Responsibilities
• Our Atlassian Trust Management System
• Our Atlassian Security & Technology Policies

Securing access to our networks through ZeroTrust

Atlassian secures access to its corporate network, internal applications and cloud environments through a concept called ZeroTrust. Simply stated, the core tenet of ZeroTrust is: “never trust, always verify.”

ZeroTrust moves away from traditional approaches for network security that rely solely on authentication of a user to determine whether a user can access resources on our network. Such an approach introduces the risk of an untrusted and insecure device potentially compromising security. As a result, many organizations have begun moving to a model in which only trusted devices are able to access their network using approaches such as mobile device management technologies or restricting access at a network level to a list of known devices.

While useful, these approaches lack granularity. Atlassian’s approach to ZeroTrust effectively ensures that whether users are able to access resources and services on our networks is a decision based on not only their authentication credentials, but also involves a dynamic policy decision that takes into account a range of factors to deny or allow access at a per-resource level based on the security posture of the user’s device (regardless of their location).

In simple terms, we have created three tiers of resources (based on their relative criticality and sensitivity) on our network around which ZeroTrust works:

• Open tier – Any corporate user who successfully authenticates into our network can access these services
• Low tier – Access to these resources is available to an authenticated corporate user only if they are accessing our network from a trusted corporate device (devices that Atlassian owns and manages) or a managed BYOD (this is a personal device that has been enrolled into Atlassian’s MDM program)
• High tier – These resources are only available when accessed by an authenticated corporate user from an Atlassian issued corporate device. Access into our production services from our corporate network is only possible via a high-tier device and SAML authentication

Managing access to our systems and services securely

Atlassian has a well-defined process for provisioning (assigning or revoking) user access for all systems and services. We have an established workflow (8-hour sync) linking our HR management system and our access provisioning system. We use role-based access control based on predefined user profiles to ensure staff only have access appropriate to their job role. All user accounts must be approved by management prior to having access to data, applications, infrastructure or network components.

Supporting our ZeroTrust architecture, we control access to our corporate applications through a single-sign on platform. To access any of our applications, staff need to authenticate via this platform, including through the use of a second factor of authentication. Users need to authenticate either through U2F keys or via a mobile application authenticator provisioned to Atlassian employees – we have removed less secure authentication methods such as SMS and phone-based OTPs. Atlassian has adopted this approach to ensure our authentication process is highly resistant to phishing-based and man-in-the-middle attacks - any system that sends codes in a text message can be compromised by a skilled attacker.

Securing our endpoint devices

Atlassian uses a combination of endpoint management to deploy updates and patches to operating systems and key applications across our endpoint fleet. We have also implemented multiple endpoint protection solutions to protect against threats such as malware.

As part of our ZeroTrust approach, Atlassian staff who wish to access most of our services via their personal mobile devices need to enroll in our Mobile Device Management (MDM) Program. This enables us to make sure all mobile devices connecting to our network meet our minimum security requirements, covering aspects such as encryption, device locking, anti-malware software and OS versions.

All eligible staff who enroll in and maintain compliance with our MDM program receive a monthly allowance from Atlassian for their participation.

Any device identified as being not compliant will result in that staff member receiving an email notifying them of the non-compliance. Staff are given a 24- hour grace period to remediate the non-compliance before their access from that device is removed.

Managing configurations in our systems

We have a limited set of engineers and architects who are allowed to install software in our production environment. In most cases, software installation is not possible. Configuration management tools are utilised in our production environments to manage configurations and changes to servers. Direct changes made to those systems are set to be overwritten by the approved configuration pushed through those configuration management tools ensuring consistency. We rely on standard Amazon Machine Images (AMIs), all changes to either our AMIs or operating systems must be made via our standard change management process, we track and report on exception configurations, and we have implemented resource isolation so issues with services don’t impact other services. We also rely on our Peer Review / Green Build (PRGB) process to ensure multiple reviewers approve configuration changes pushed through configuration management tools. All builds are cryptographically signed and only signed builds are allowed to run in our production environment.

Making use of logs

We use a SIEM platform to aggregate logs from various sources, apply monitoring rules to those aggregated logs, and then flag any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Key system logs are forwarded from each system where logs are read-only. The Atlassian Security Team creates alerts on our security analytics platform and monitors for indicators of compromise. Our SRE teams use this platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup.

Key system logs are combined into both an internal log analysis system and an Intrusion Detection System.

Logs are a key component of our overall incident detection and response strategy which is covered in detail in ‘How we identify, protect against and respond to security threats’ section.

Business continuity and disaster recovery management

We care deeply about the resiliency of our products, not least because we – internally, in Atlassian – rely on the very same products. We appreciate that disruptions can happen. So we are determined to build-in processes to plan for disruptions, and handle disruption with minimal impact to our customers when they do occur. Our business continuity (BC) and disaster recovery (DR) programs capture the various activities done to meet those objectives.

Leadership involvement in BC and DR planning activities ensures the oversight required to make sure accountability for resiliency reaches all teams. Our BC and DR planning activities strive to achieve the right balance between cost, benefits and risk through an analysis of ‘recovery time objectives’ (RTO) and ‘recovery point objectives’ (RPO) of services. This analysis has led to us establishing a simple 4-tier system to help group services based on their respective recovery requirements – details of this approach can be found on our page on How Atlassian Manages Customer Data.

Our BC and (DR) programs involve the following activities:

1.   building-in redundancy measures to meet resiliency requirements

2.   testing and verifying those redundancy measures

3.   learning from tests to continuously keep improving BC and DR measures

We build our products to best utilise redundancy capabilities, such as availability zones and regions, offered by our cloud service providers.

We continuously monitor a wide range of metrics with the aim of detecting potential issues early. Based on those matrices, alerts are configured to notify site reliability engineers (SREs) or the relevant product engineering teams when thresholds are breached so that prompt action can be taken through our incident response process. SREs also play a key role in identifying gaps in the DR program, and work with our risk and compliance team to close those gaps. Each of our teams also include a DR champion to oversee and help manage disaster recovery aspects related to that team.

Our DR tests cover process and technology aspects, including relevant process documentation. The frequency of DR tests are done in line with the criticality tier of each service – for example, backup and recovery processes for key customer facing systems are tested quarterly. We conduct manual and ad-hoc failover tests on our systems. These tests range from less complicated tabletop simulation exercises to more complicated availability zone or regional failover tests. Regardless of the complexity of the test, we are diligent in capturing and documenting test results, analysing and identifying possible improvements or gaps, and then driving them to closure with the help of Jira tickets to ensure continuous improvement of the overall process.

We conduct annual Business Impact Assessments (BIAs) to assess the risks associated with critical services. The output of these BIAs assist in driving the strategy for DR and BC efforts. As a result, critical services are able to develop effective DR and BC plans.

Service availability

In addition to the above measures, we also publish our service availability status in real-time for our customers using our own Statuspage product. If there are any issues with any of our products, our customers will know as soon as we do.

Backups

We operate a comprehensive backup program at Atlassian. This includes our internal systems, where our backup measures are designed in line with system recovery requirements. With respect to our Atlassian Cloud offerings, and specifically referring to customer and application data, we also have extensive backup measures in place. Atlassian uses the snapshot feature of Amazon RDS (Relational database service) to create automated daily backups of each RDS instance.

Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups.

For Bitbucket, data is replicated to a different AWS region, and independent backups are taken daily within each region.

We do not use these backups to revert customer-initiated destructive changes, such as fields overwritten using scripts, or deleted issues, projects, or sites. To avoid data loss, we recommend making regular backups. Learn more about creating backups in the support documentation for your product.

Physical security

Physical security controls in our offices are guided by our physical and environmental security policy which ensures robust physical security is implemented across our environments on premises and in the cloud. This policy covers areas such as secure working areas, securing our IT equipment wherever it may be, restricting access to our buildings and offices to appropriate personnel, and monitoring physical ingress and egress points. Our physical security practices include reception attendance during work hours, requirements for visitors to register, badge access to all non-public areas, and we partner with our office building management for after hours access and video recording at ingress and egress points - both for main entrances as well as loading areas.

Our partner data centres are SOC-2 compliant, at a minimum. These certifications address a range of security controls including physical and environmental security and protection. Access to the data centres is limited to authorized personnel, and verified by biometric identity verification measures. Physical security measures include on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures.

Encryption of data

Any customer data in Atlassian cloud products is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

Data drives on servers holding customer data and attachments in Jira Software Cloud, Jira Service Management Cloud, Jira, Bitbucket Cloud, Confluence Cloud, Statuspage, Opsgenie, and Trello use full disk, industry-standard AES-256 encryption at rest. Please refer to the Atlassian Trust Roadmap to keep up to date with our platform updates.

Key management

Atlassian uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Tenant separation

While our customers share a common cloud-based IT infrastructure when using Atlassian’s products, we have measures in place to ensure they are logically separated so that the actions of one customer cannot compromise the data or service of other customers.

Atlassian’s approach to achieving this varies across our applications. In the case of Jira and Confluence cloud, we use a concept we refer to as the “tenant context” to achieve logical isolation of our customers. This is implemented both in the application code, and managed by something we have built called the “Tenant Context Service” (TCS). This concept ensures that:

• Each customer’s data is kept logically segregated from other tenants when at-rest
• Any requests that are processed by Jira or Confluence have a “tenantspecific” view so other tenants are not impacted

In broad terms, the TCS works by storing a "context" for individual customer tenants. The context for each tenant is associated with a unique ID stored centrally by the TCS, and includes a range of metadata associated with that tenant (such as which databases the tenant is in, what licenses the tenant has, what features they can access, and a range of other configuration information). When a customer accesses Jira or Confluence cloud, the TCS uses the tenant ID to collate that metadata, which is then linked with any operations the tenant undertakes in the application throughout their session.

The context provided by the TCS effectively acts as a ''lens'' through which any interactions with customer data occur – and this lens is always confined to one specific tenant. This ensures that one customer tenant does not access data of another tenant – nor for one tenant to affect the service of another tenant through their own actions.

More information about our cloud architecture is available as part of our cloud support resources.

Sharing the responsibility for managing customer data

Atlassian assumes responsibility for security, availability and performance of the applications we provide, the systems they run on, and the environments within which those systems are hosted. However, security is a joint responsibility between Atlassian and our customers with respect to four areas in particular:

Controlling access to customer data

We treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding process which covers the importance of and best practices for handling customer data.

Within Atlassian, only authorized Atlassians have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and servers only accept incoming SSH connections from Atlassian and internal data center locations. All access is restricted to privileged groups unless requested and reviewed, with additional authentication requiring 2FA.

With stringent authentication and authorization controls in place, our global support team facilitates maintenance and support processes. Hosted applications and data are accessed for the purpose of application health monitoring and performing system or application maintenance, or upon customer request via our support system. Our customers are also provided with options regarding explicit consent as to which support engineers are appropriate to access their data through our consent control checker.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Retention and deletion of data

We have provisions in place so that we can respond to user requests to delete personal information, and we also help end users with Atlassian accounts delete their personal information. We also have import and export tools so that our customers can access, import and export their data using Atlassian’s tools.

Customer sites are deactivated 15 days after the end of a customer’s current subscription period. Atlassian retains data for deactivated sites for 15 days (for evaluation sites) or 60 days (for paid subscription sites) after the end of the customer’s current subscription period. Note that in the case of Jira, data will only be deleted if you unsubscribe from all Jira products you were previously subscribed to.

Additional information is available on our Security Practices page or on our Data Storage FAQ.