Learn about security solutions and standards
Use these best practices to create a strong foundation for securing your company’s most important work.
Improving security across your Atlassian cloud products requires that you understand which products your company is using and the risk profile of the information stored within those products. Because your organization may have multiple teams running separate instances of Jira, Confluence, and Bitbucket Cloud, talk to your teams about their Atlassian cloud product usage. That way you can ensure those tools have the right security policies in place.
To help you gain full visibility and control over users accessing Atlassian cloud products within your company, we created organizations. An organization is a new global administration layer that provides corporate admins a way to assert the proper controls and security measures over the Atlassian accounts at their company. Organizations cover all user accounts across the cloud versions of Jira, Jira Service Management, Confluence, and Bitbucket.
As an organization admin, you can verify your corporate domain, manage all Atlassian accounts and products from within admin.atlassian.com, and enforce security controls like SSO and automated user provisioning (features of Atlassian Guard Standard) across users at your company. Learn more about organizations.
If you don’t plan to create an organization and enforce security policies through it, you can set up your Atlassian infrastructure such that only certain cloud sites, products, or repositories have sensitive information within them. Additionally, you might only provide access to those designated sites, products, or repositories to a limited subset of users.
You can leverage an identity provider in one or both of the following ways:
Single sign-on (SSO) is a great solution for managing account access, allowing for a consistent login experience for users across your SaaS applications, and mitigating the security risks that are caused by the growing number of cloud applications and logins that a company uses. An integration between your SSO provider and Atlassian enables just-in-time provisioning, centralized management of authentication policies, and automatic lockout when a user is deactivated from your SSO provider. There are a few options for SSO:
SSO with SAML - With an Atlassian Guard Standard subscription, you can connect your cloud products to the identity provider of your choice.
SSO with G Suite - We also offer direct integration with G Suite.
Automated user provisioning allows for a direct sync between your identity provider and your Atlassian cloud products. This means you no longer need to manually create user accounts when someone joins the company or moves to a new team. Most importantly, automated de-provisioning reduces the risk of information breaches by removing access for those that leave your company. Since user accounts are automatically removed when people leave the company or a group, you’ll have tighter control over your bill. Here are your options for user provisioning:
Provisioning with SCIM - With an Atlassian Guard Standard subscription, you can sync Atlassian cloud tools directly with your identity provider to enable automated provisioning and de-provisioning of your users and groups.
Provisioning with G Suite - You can sync Atlassian cloud tools with G Suite for provisioning. However, any group categorization will not be reflected in your organization.
As part of configuring security for your organization you need:
Flexibility in customizing multiple authentication settings based on different user security needs
Ability to test functionality (e.g., SSO) to reduce risk before releasing to the whole company
We recommend using multiple authentication policies to test, build, and troubleshoot your security requirements.
Here are a few examples to get you started:
Exclude bot accounts from policies – Your organization may have bot or service accounts. Bots and service accounts don’t need to use SSO or to reset a password. We recommend configuring a policy with no password expiration and no single sign-on for these accounts.
Designate policies to specific sets of users – Some of your organization’s users may need to access sensitive data and require a stricter security policy compared to other users. We recommend configuring a policy for a specific set of users.
Test authentication settings – You can test SSO or two-step verification on a smaller subset of users to ensure it’s set up correctly before rolling it out across your organization.
Troubleshoot security policies – You can have different policies for administrative accounts so you’re able to log in and troubleshoot your SSO policy or identity provider integration.
Learn more about authentication policies.
Good security protocols require constant maintenance:
Set security policies for your organization to increase login security
Routinely audit your activity logs
Routinely audit your accounts and limit admin access
Educate your team with security best practices
Configure mobile policies for your cloud mobile apps
If you’re not using single sign-on, there are a few alternatives to help you ensure that the right users are gaining access to your company’s tools.
Individual two-step verification - We recommend that users implement two-step verification for their Atlassian account, especially high-privilege accounts.
Enforced two-step verification - With an Atlassian Guard Standard subscription, you can enforce two-step verification across your organization.
Block third-party account logins - You can set up an authentication policy to block logins from Google, Microsoft, Apple, and Slack accounts.
Password policies - You can set password strength requirements and expiry dates to reduce the risk of password-related compromises.
Review your product audit logs to help detect any suspicious activity or troubleshoot issues. Here are a few resources to help you get started with audit logging:
Confluence audit logs - Understand which events and actions are logged in Confluence and your configuration options.
Jira audit logs - Understand which events and actions are logged in Jira products and your configuration options.
We will continue to add audit events in the future, including events for user security, product access, and admin permissions. We are always looking for ways to improve our audit logging capabilities and would appreciate your feedback on this survey.
Even if you’re utilizing enhanced security methods like single sign-on, two-step verification, and password policies, it's a good idea to periodically audit the list of users with access to your data and remove access from anyone that shouldn’t have it.
Admins of Atlassian cloud products have special privileges when it comes to viewing and sharing information and granting access. You’ll want to make sure that admin privileges are granted only to those who absolutely require them.
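The periodic access review described above can be scripted against an export of your organization's members. The following is an added example, not Atlassian tooling; the user records, field names, 90-day dormancy window, and admin allow-list are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample export of organization members (not real Atlassian data).
# The field names are this example's own assumption, not an Atlassian export format.
SAMPLE_USERS = [
    {"email": "alice@example.com", "last_active": "2024-05-30", "org_admin": True},
    {"email": "bob@example.com", "last_active": "2024-01-02", "org_admin": False},
    {"email": "carol@example.com", "last_active": "2024-05-28", "org_admin": True},
    {"email": "svc-deploy@example.com", "last_active": "2024-05-31", "org_admin": False},
    {"email": "dave@example.com", "last_active": "2023-11-15", "org_admin": True},
]

# Admins signed off by the access owner (assumed allow-list for this example).
APPROVED_ADMINS = {"alice@example.com"}

# Accounts idle longer than this are candidates for access removal (assumed threshold).
INACTIVE_AFTER = timedelta(days=90)


def review_access(users, approved_admins, today, inactive_after=INACTIVE_AFTER):
    """Return dormant accounts to remove and admins not on the approved list.

    `today` is an ISO date string so the review is reproducible for a given run date.
    """
    run_date = date.fromisoformat(today)
    dormant, unapproved_admins = [], []
    for user in users:
        last_active = date.fromisoformat(user["last_active"])
        # Dormant account: no activity inside the allowed window.
        if run_date - last_active > inactive_after:
            dormant.append(user["email"])
        # Admin privilege held by someone the access owner has not approved.
        if user["org_admin"] and user["email"] not in approved_admins:
            unapproved_admins.append(user["email"])
    return {"dormant": sorted(dormant), "unapproved_admins": sorted(unapproved_admins)}


if __name__ == "__main__":
    report = review_access(SAMPLE_USERS, APPROVED_ADMINS, "2024-06-01")
    for category, emails in report.items():
        print(f"{category}: {', '.join(emails) or 'none'}")
```

Feed the output to whoever owns access approvals; accounts in both lists (a dormant, unapproved admin) deserve attention first.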
The responsibility of keeping company information secure doesn’t just fall upon admins. You can educate your users about risks and how to mitigate them with simple best practices. Here are a few things you can communicate to your users.
Remind users not to include credit card numbers in tickets, pages, etc.
Remind users to restrict access to pages or tickets that include customer or other sensitive information
If you don’t plan on enforcing SSO or a password policy, encourage employees to use strong passwords (including passphrases), never repeat them, and change them regularly
Recommend that users enable individual two-step verification for their Atlassian account
Remind your users that API tokens should be used for Jira and Confluence REST API basic authentication. Any users currently using their account password for basic authentication will soon be required to switch to an API token.
Good data protection protocols help you safeguard your team’s mission critical work.
You can enhance your company’s security by configuring additional security controls – like preventing copy and paste or screen recording – for cloud mobile apps. There are two options, depending on your company’s needs:
Configure a mobile (MAM) policy - With an Atlassian Guard Standard subscription, you can enforce security controls for the Jira and Confluence cloud mobile apps.
Configure your existing Mobile Device Management (MDM) solution - We use the AppConfig standard, which is supported by most MDM solutions including Microsoft Intune, VMware, MobileIron, and JAMF.
Data classification is the process of identifying and categorizing information in an organization. It serves as the foundation of a data governance strategy in many organizations, particularly those that need to comply with government or other regulatory rules.
Data classification can be useful to help manage rules and expectations around how to create, store, manage, move, or delete data within or outside an organization.
Requires Atlassian Guard Premium.
A data security policy helps you keep your organization’s data secure by letting you govern how users, apps, and people outside of your organization can interact with content such as Confluence pages and Jira issues.
Data security policies take a content-based approach to governing how your data in Atlassian products can be used. This is different to a user-based approach that relies on giving or revoking specific permissions that allow users or apps to perform certain actions.
Not all rules and coverage types are available for every product. Some rules and coverage types require Atlassian Guard Standard or Atlassian Guard Premium.
Get alerts about suspicious user activity and potentially sensitive data in your Atlassian organization. These alerts aim to help you and your security team investigate, determine whether the behavior is indeed suspicious, then take any necessary remediation actions as quickly as possible.
Requires Atlassian Guard Premium.
Security is our top priority. It’s built into the core foundation of our products and infrastructure. We continuously improve our software development and internal operational processes to ensure the protection of services and data. Within our cloud platform, we treat all customer data as equally sensitive and have implemented stringent controls governing your company data.
Read about our approach to cybersecurity and privacy on our Trust site, so you feel confident using our products for your organization.