Maintain your Atlassian Government organization

This page reflects additional customer responsibilities influenced by the requirements of FedRAMP Moderate. Make these tasks part of your regular maintenance of Atlassian Government products.

Evaluate how data leaves the environment

Each time you share data with another system or service, make sure that you know where the data is going and how it will be used. Do this for each of the following:

  1. Marketplace apps

    Marketplace apps may not meet FedRAMP compliance standards, which means that they could send or receive data outside the Atlassian Government environment. When evaluating which apps your organization needs, contact the app vendor partner to conduct an assessment based on your organization’s security requirements. When looking at an app on the Atlassian Marketplace, select the Support tab to find vendor contact details.

  2. Product integrations

    Products use integrations to connect to other applications and products that you use at your organization. Before you can add an integration, Atlassian needs to evaluate the integration’s FedRAMP compliance status and security posture. We conduct evaluations based on the business use case. To request a certain integration, reach out to Carahsoft or your Atlassian sales contact.

  3. Webhook URLs

    Webhooks allow your products to send data when triggered by a certain activity. When you configure a webhook, you specify the URL where you want to send data. This means that if you configure a URL outside your organization, you will share data outside the Atlassian Government environment. We remind you to assess the security of a URL when you configure a webhook.

  4. Data security policies

    A data security policy helps you keep your organization’s data secure by letting you govern how users, apps, and people outside of your organization can interact with content such as Confluence pages and Jira issues. Create a data security policy to reduce the risk of data leaving products.

Monitor the audit log

The audit log tracks key activities that occur within your Atlassian organization.

  1. Pay attention to non-ordinary events

    Regularly monitor the audit log to diagnose problems and be aware of security-sensitive events. Pay attention to events related to user details, product access, managed accounts, and organization settings.

  2. Deactivate inactive user accounts

    The audit log also tracks user-created activity within Atlassian products. User-created activity refers to actions users take, like viewing or creating a Confluence page. Track user-created activity to determine if a user no longer needs product access.

Remove product access from your identity provider based on the user activity:

  • If a user has been inactive on one product for over 90 days, remove their access to that one product. To do this, remove them from the product group in your identity provider.

  • If a user is inactive for 90 days on all products, deactivate their account. To do this, deactivate their connection to or unassign them from Atlassian in your identity provider.
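The two rules above can be applied mechanically to per-user activity data. The following is an added example, not Atlassian code: the input shape (user, product, last activity date), the function names, and the choice to treat a product with no recorded activity as inactive are assumptions, and the sample users and dates are constructed.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)  # threshold from the guidance above


def is_inactive(last_active, today):
    """True when the last recorded activity is more than 90 days old.

    Assumption: a product with no recorded activity (None) counts as inactive.
    """
    return last_active is None or (today - last_active) > INACTIVITY_LIMIT


def review_access(activity, today):
    """Map each user to the identity-provider action the guidance calls for.

    activity: {user: {product: last_active date or None}} (hypothetical shape,
    built by hand from audit-log activity; not an Atlassian export format).
    Returns {user: (action, products)} where action is "deactivate",
    "remove_from_groups" or "keep".
    """
    decisions = {}
    for user, products in activity.items():
        stale = sorted(p for p, last in products.items() if is_inactive(last, today))
        if products and len(stale) == len(products):
            # Inactive on every product: deactivate or unassign the account.
            decisions[user] = ("deactivate", stale)
        elif stale:
            # Inactive on some products only: remove from those product groups.
            decisions[user] = ("remove_from_groups", stale)
        else:
            decisions[user] = ("keep", [])
    return decisions


# Constructed sample data: users, products and dates are invented.
TODAY = date(2024, 6, 30)
SAMPLE = {
    "alice@example.com": {"jira": date(2024, 6, 20), "confluence": date(2024, 6, 1)},
    "bob@example.com": {"jira": date(2024, 6, 25), "confluence": date(2024, 1, 15)},
    "carol@example.com": {"jira": date(2023, 12, 1), "confluence": None},
    # Exactly 90 days before TODAY: not yet "over 90 days", so access is kept.
    "dave@example.com": {"jira": date(2024, 4, 1)},
}

if __name__ == "__main__":
    for user, (action, products) in review_access(SAMPLE, TODAY).items():
        print(f"{user}: {action} {', '.join(products)}")
```

The output is a review list only; the actual removal or deactivation is done in your identity provider as described above.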

Monitor uses of the Atlassian API

The Atlassian API allows you to access Atlassian products and services remotely. You may want to limit who can use and access the API.

  1. Audit the use of admin API keys

    You use an organization API key to build your own integrations with the admin API. Integrations can help you automate tasks or integrate with other alerting or monitoring systems. When building these integrations, make sure that you’re only sharing data with secure systems. Regularly monitor your API keys and revoke any keys that were accessible to former admins.

  2. Revoke users' API tokens

    A user API token is tied to a user’s Atlassian account and can run product functions, such as script authentication. Users generate the token from their Atlassian account and copy it to the script they’re running. As an organization admin, you can revoke these API tokens to prevent users from sharing data in this way.
