Blog: Atlassian Cloud Security and Compliance

Atlassian Cloud offers a robust suite of features—backed by stringent internal protocols—to help keep your data secure as you move your Atlassian tech stack to the cloud. As noted in the previous article in this series, though, the responsibility to keep data safe and meet all of your requirements doesn’t rest squarely on Atlassian’s shoulders. Your organization needs to take on that responsibility as well.

A key area many companies need to consider is compliance with legal or company/industry standards. The more highly regulated the industry, the more complex these requirements are. There are practical and common-sense reasons to do what these regulations require. But, being realistic, companies want and need to remain compliant to avoid becoming a headline. Compliance protects you from having to pay incredibly costly penalties and the even costlier fallout that potentially comes from low public opinion and damage to your professional reputation.

It’s important to realize that Atlassian’s security features do not guarantee your data or security arrangements will remain compliant with your company’s regulatory requirements. Neither can a vendor (like Cprime), although we can certainly assist you in making sure you’re set up for success.

However, the tools at your disposal, combined with the governance, configuration management, and audit practices covered in the previous article, should allow you to help ensure your compliance.

Access Management is Often the Key

Most compliance requirements center around ensuring that data—mainly information that can be linked to a particular individual, often called protected personal information (PPI) or protected health information (PHI)—cannot be accessed by anyone without the appropriate and documented credentials.

Examples of these sorts of regulations include:

• HIPPA – specific to PPI and PHI in healthcare and related industries
• ISO/IEC – covering generalized protection of PPI in cloud environments
• PCI/DSS – specific to PPI used for card processing and similar financial services

In practice, ensuring compliance with these regulations comes down largely to how your cloud instances are configured and maintained, specifically regarding access management. As noted in the previous article, Atlassian Cloud solutions like Jira and Confluence offer out-of-the-box access management that may suffice to meet regulatory requirements. Additionally, tools like Atlassian Access provide access management with greater flexibility and enhanced granularity, and integration with SSO providers to optimize your security procedures around access.

Different cloud subscription tiers offer various features and automation options, so we strongly encourage further investigation to determine which combination best suits your compliance needs. We’re happy to help in that area as well.

Data encryption and physical security

Many relevant regulations also include requirements around data encryption and physical security at data centers and access points. One far-reaching example is SOX (Sarbanes-Oxley), which mainly focuses on financial reporting and includes an important section around data encryption within the law. Other examples include:

• SOC 2 and SOC 3 – independent third-party reports confirming data security standards are being met
• CSA/STAR – certification from the Cloud Security Alliance to show adherence to best practices around data security
• GDPR – a wide-ranging set of privacy protection regulations for users across Europe

Again, it’s important to remember that Atlassian’s role in obtaining and maintaining the above and other security certifications does not guarantee that your organization will remain compliant when using Atlassian Cloud. But, it does mean you have everything you need to maintain your own compliance with most regulations.

To dig deeper into all that Atlassian Cloud has to offer to support your compliance needs, explore their Compliance Resource Center. And, if you’d like help reviewing your options and making vital configuration decisions, contact Cprime experts for a Cloud Readiness Assessment.

Brandon Huff, VP, Technology