Use these best practices to create a strong foundation for securing your company’s most important work.
Understand your Atlassian cloud landscape
Improving security across your Atlassian cloud products requires that you understand which products your company is using and the risk profile of the information stored within those products. Because your organization may have multiple teams running separate instances of Jira, Confluence, and Bitbucket Cloud, talk to your teams about their Atlassian cloud product usage. That way you can ensure those tools have the right security policies in place.
Create an organization for central visibility and management
To help you gain full visibility and control over users accessing Atlassian cloud products within your company, we created organizations. An organization is a new global administration layer that provides corporate admins a way to assert the proper controls and security measures over the Atlassian accounts at their company. Organizations cover all user accounts across the cloud versions of Jira Software, Jira Core, Jira Service Management, Confluence, and Bitbucket.
As an organization admin, you can verify your corporate domain, manage all Atlassian accounts and products from within admin.atlassian.com, and enforce security controls like SSO and automated user provisioning (features of Atlassian Access) across users at your company. Learn more about organizations.
Set up your Atlassian products to reflect the risk-level of your information
If you don’t plan to create an organization and enforce security policies through it, you can set up your Atlassian infrastructure such that only certain cloud sites, products, or repositories hold sensitive information. Additionally, you might grant access to those designated sites, products, or repositories only to a limited subset of users.
Leverage an identity provider
You can leverage an identity provider in one or both of these ways:
Configure single sign-on with your identity provider
Single sign-on (SSO) is a great solution for managing account access, allowing for a consistent login experience for users across your SaaS applications, and mitigating the security risks that are caused by the growing number of cloud applications and logins that a company uses. An integration between your SSO provider and Atlassian enables just-in-time provisioning, centralized management of authentication policies, and automatic lockout when a user is deactivated from your SSO provider. There are a few options for SSO:
SSO with G Suite - We also offer direct integration with G Suite.
Set up automated user provisioning and de-provisioning
Automated user provisioning allows for a direct sync between your identity provider and your Atlassian cloud products. This means you no longer need to manually create user accounts when someone joins the company or moves to a new team. Most importantly, automated de-provisioning reduces the risk of information breaches by removing access for those who leave your company. Since user accounts are automatically removed when people leave the company or a group, you’ll also have tighter control over your bill. Here are your options for user provisioning:
Provisioning with SCIM - With a subscription to Atlassian Access, you can sync Atlassian cloud tools directly with your identity provider to enable automated provisioning and de-provisioning of your users and groups.
Provisioning with G Suite - You can sync Atlassian cloud tools with G Suite for provisioning. However, any group categorization will not be reflected in your organization.
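As an added illustration of what automated provisioning and de-provisioning does (not Atlassian's own code), the reconciliation below compares a constructed identity-provider directory with a constructed view of the Atlassian directory and emits the SCIM 2.0 messages that would create missing users and deactivate departed ones. The message bodies follow RFC 7644; the relative resource paths are assumed placeholders rather than Atlassian's documented endpoints.

```python
import json

# Constructed sample data: what the identity provider (IdP) says, versus what
# is currently provisioned in the Atlassian directory. Resource paths such as
# "Users/<id>" are illustrative and assumed, not Atlassian's documented API.
IDP_USERS = {
    "alice@example.com": {"displayName": "Alice A", "groups": ["eng"]},
    "bob@example.com": {"displayName": "Bob B", "groups": ["eng", "admins"]},
}
ATLASSIAN_USERS = {
    "bob@example.com": {"id": "u-2", "active": True},
    "carol@example.com": {"id": "u-3", "active": True},   # left the company
    "dave@example.com": {"id": "u-4", "active": False},   # already deactivated
}

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def reconcile(idp_users, atlassian_users):
    """Return the SCIM operations that bring Atlassian in line with the IdP.

    Each operation is (method, relative_path, body). Users present in the IdP
    but missing from Atlassian are created; users missing from the IdP but
    still active in Atlassian are deactivated (active=false), which is what
    removes their access. Already inactive users are left untouched.
    """
    ops = []
    for email, attrs in sorted(idp_users.items()):
        if email not in atlassian_users:
            body = {
                "schemas": [SCIM_USER],
                "userName": email,
                "displayName": attrs["displayName"],
                "emails": [{"value": email, "primary": True}],
                "active": True,
            }
            ops.append(("POST", "Users", body))
    for email, state in sorted(atlassian_users.items()):
        if email not in idp_users and state["active"]:
            body = {
                "schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": False}],
            }
            ops.append(("PATCH", f"Users/{state['id']}", body))
    return ops


if __name__ == "__main__":
    for method, path, body in reconcile(IDP_USERS, ATLASSIAN_USERS):
        print(method, path, json.dumps(body))
```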
Test configurations and security for different user sets with authentication policies
As part of configuring security for your organization you need:
Flexibility in customizing multiple authentication settings based on different user security needs
Ability to test functionality (e.g., SSO) to reduce risk before releasing to the whole company
We recommend using multiple authentication policies to test, build, and troubleshoot your security requirements.
Here are a few examples to get you started:
Exclude bot accounts from policies – Your organization may have bot or service accounts. Bots and service accounts don’t need to use SSO or to reset a password. We recommend configuring a policy with no password expiration and no single sign-on for these accounts.
Designate policies to specific sets of users – Some of your organization’s users may need to access sensitive data and require a stricter security policy compared to other users. We recommend configuring a policy for a specific set of users.
Test authentication settings – You can test SSO or two-step verification on a smaller subset of users to ensure it’s set up correctly before rolling it out across your organization.
Troubleshoot security policies – You can have different policies for administrative accounts so you’re able to log in and troubleshoot your SSO policy or identity provider integration.
Learn more about authentication policies.
Implement good security protocols
Good security protocols require constant maintenance:
Set security policies for your organization to increase login security
If you’re not using single sign-on, there are a few alternatives to help you ensure that the right users are gaining access to your company’s tools.
Individual two-step verification - We recommend that users implement two-step verification for their Atlassian account, especially high-privilege accounts.
Routinely audit your activity logs
Review your product audit logs to help detect any suspicious activity or troubleshoot issues. Here are a few resources to help you get started with audit logging:
Confluence audit logs - Understand which events and actions are logged in Confluence and your configuration options.
Jira audit logs - Understand which events and actions are logged in Jira applications, and your configuration options.
We will continue to add audit events in the future, including events for user security, product access, and admin permissions. We are always looking for ways to improve our audit logging capabilities and would appreciate your feedback through this survey.
Routinely audit your accounts and limit admin access
Even if you’re utilizing enhanced security methods like single sign-on, two-step verification, and password policies, it's a good idea to periodically audit the list of users with access to your data and remove access from anyone that shouldn’t have it.
Admins of Atlassian cloud products have special privileges when it comes to viewing and sharing information and granting access. You’ll want to make sure that admin privileges are granted only to those who absolutely require it.
Educate your team with security best practices
The responsibility of keeping company information secure doesn’t fall only on admins; you can also educate your users about risks and how to mitigate them with simple best practices. Here are a few things you can communicate to your users.
Remind users not to include credit card numbers in tickets, pages, etc.
Remind users to restrict access to pages or tickets that include customer or other sensitive information
If you don’t plan on enforcing SSO or a password policy, encourage employees to use strong passwords (including passphrases), never repeat them, and change them regularly
Recommend that users enable individual two-step verification for their Atlassian account
Remind your users that API tokens should be used for Jira and Confluence REST API basic authentication. Any users currently using their account password for basic authentication will soon be required to switch to an API token.
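The following is an added example (not Atlassian's own code) of what "API token for basic authentication" looks like in practice: the credential is the account e-mail plus an API token, base64-encoded into the Authorization header, never the account password. It assumes the token is exported in the environment variable ATLASSIAN_API_TOKEN and the site URL in ATLASSIAN_SITE (placeholder names), and uses Jira Cloud's GET /rest/api/3/myself to confirm who the token authenticates as.

```python
import base64
import json
import os
import urllib.error
import urllib.request

# Environment variable names are assumed placeholders for this example.
SITE = os.environ.get("ATLASSIAN_SITE", "https://your-site.atlassian.net")
EMAIL = os.environ.get("ATLASSIAN_EMAIL", "")
TOKEN = os.environ.get("ATLASSIAN_API_TOKEN", "")


def basic_auth_header(email, api_token):
    """Build the Authorization header for REST API basic auth.

    An empty token is rejected so a missing environment variable cannot
    silently turn into an unauthenticated request.
    """
    if not api_token:
        raise ValueError("API token must not be empty")
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header):
    """Inverse of basic_auth_header; handy when reviewing a captured request."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, secret = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, secret


def whoami(site, email, api_token):
    """Call Jira's /rest/api/3/myself; return the account JSON, or None on 401/403."""
    req = urllib.request.Request(
        f"{site.rstrip('/')}/rest/api/3/myself",
        headers={"Authorization": basic_auth_header(email, api_token),
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):  # revoked/invalid token or no product access
            return None
        raise


if __name__ == "__main__":
    me = whoami(SITE, EMAIL, TOKEN)
    print("authenticated as", me.get("displayName") if me else "nobody")
```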
Learn how Atlassian protects your data
Security is our top priority. It’s built into the core foundation of our products and infrastructure. We continuously improve our software development and internal operational processes to ensure the protection of services and data. Within our cloud platform, we treat all customer data as equally sensitive and have implemented stringent controls governing your company data.
Read about our approach to cybersecurity and privacy on our Trust site, so you feel confident using our products for your organization.