Implementing security best practices for your cloud products might feel like you’re playing a game of chess against a chess grandmaster. You think you need to know the most complex strategies and plan ten moves in advance, but in reality, you’re playing against a 3rd-grade checkers player.
While sophisticated security attacks do happen, it’s more likely that someone will break into your system using a simple phishing attack or they will crack one easy password and then figure out that people in your organization are using the same passwords over and over.
It’s not difficult to prevent the majority of security attacks using simple security hygiene and consistent maintenance and monitoring. Implementing these simple security measures will help keep your company data secure and protect it from unauthorized access, so you can rest easy knowing that your data is safeguarded (and that 3rd-grader isn’t taking your checkers).
1. Track access and usage across cloud providers
Of course, the first step in ensuring security across all your cloud products is knowing which products are currently being used, by whom, and for what. Your teams might use completely different cloud tools, depending on their function. Fully understanding how these teams across your org use cloud products will give you a clearer picture of the sources of potential security risks within your organization—so you can put the right security policies in place for each of your teams.
To give you full visibility and control over users accessing Atlassian cloud products within your organization, we created (the aptly named) Organizations. An Organization is a global administration layer that provides corporate admins a way to enforce the proper controls and security measures over the Atlassian accounts at their organization. Organizations cover all user accounts across the cloud versions of Jira Software, Jira Core, Jira Service Desk, Confluence, and Bitbucket.
As an Organization admin, you can verify your corporate domain, manage all Atlassian accounts and products (within admin.atlassian.com), and enforce security controls like SSO and automated user provisioning—features of Atlassian Guard—for all users at your organization. Learn how to create an Organization.
2. Manage access to sensitive data and routinely audit your accounts
Alternatively—if you don’t plan to create an Organization to enforce organization-wide security policies—you can set up your cloud stack so that only specified cloud sites, products, or repositories have sensitive information within them. This will allow you to separate your most sensitive company and customer data and more easily manage access.
In order to provide access to those designated sites, products, or repositories to a limited subset of users, you will need to setup granular permissions and access controls. While this is simple to set up initially, it’s easy to lose track of who should have access to what. It’s a good idea to periodically audit the list of users with access to your data and remove access from anyone that shouldn’t have it.
Admins of most cloud products have special privileges (Atlassian admins, included) when it comes to viewing and sharing information and granting access. You’ll want to make sure that admin privileges are granted only to those who absolutely require it.
3. Automate your user provisioning and de-provisioning
Automated user provisioning is the easiest way to save time while still maintaining security best practices. Rather than manually setting up user access and periodically auditing user accounts, automated user provisioning allows for a direct sync between your identity provider and your Atlassian cloud products. This means you no longer need to manually create user accounts when someone joins the organization or moves to a new team. Most importantly, automated de-provisioning reduces the risk of information breaches by removing access for those that leave your organization. Since user accounts are automatically removed when people leave the organization or a group, you’ll have tighter control over your cloud instances.
With Atlassian products, you have a couple options for user provisioning:
- Provisioning with SCIM – Sync your Atlassian cloud tools directly with your identity provider to enable automated provisioning and de-provisioning of your users and groups.
- Provisioning with G Suite – You can sync Atlassian cloud tools with G Suite for provisioning. However, any group categorization will not be reflected in your site.
4. Configure single sign-on with your identity provider
Single sign-on (SSO) is a great solution for consistently managing account access. SSO allows for a consistent login experience for users across your SaaS applications, so your users don’t have to remember a whole host of different user names and passwords. It also mitigates the security risks posed by a growing number of cloud applications and logins in your organization.
SSO does this by providing an access control layer between your cloud users and your cloud tools that enables just-in-time provisioning, centralized management of authentication and password policies, and automatic lockout when a user is deactivated from your SSO provider. In other words, your SSO provider automates much of the security setup that otherwise you would manually manage.
Should you choose to integrate your SSO provider with Atlassian cloud tools, there are a couple options to choose from:
- SSO with SAML – Connect your cloud products to the identity provider of your choice.
- SSO with G Suite – We also offer direct integration with G Suite.
5. Educate your team and set up login requirements
The responsibility of keeping your organization’s information secure doesn’t fall only on admins. You should also educate your users about risks and how to mitigate them with simple best practices. Here are a few of the most important security practices you can communicate to your users.
- Remind users not to include credit card numbers in cloud products, unless absolutely necessary.
- Remind users to restrict access to content that includes customer or other sensitive information.
- Set up password policies such as password strength requirements and expiration dates to reduce the risk of password-related compromises. If you don’t plan on enforcing a password policy, encourage employees to use strong passwords (including passphrases), never to reuse old passwords, and to change their passwords regularly.
- Recommend that users enable individual two-step verification for their account. Or better yet, require two-step verification for all users, especially high-privilege accounts, with enforced two-step verification.
- Remind your users that API tokens should be used for Jira and Confluence REST API basic authentication. Any users currently using their account password for basic authentication will soon be required to switch to an API token.
6. Routinely audit your activity logs
Activity logs provide a trail of actions taken on your cloud products. They are a means to examine what activities have occurred in your cloud products and are typically used to help detect any suspicious activity or troubleshoot performance issues. In other words, activity logs provide information both on what has happened and what is happening in a given cloud product. It’s a good idea to consistently audit your activity logs to help monitor unauthorized access to sensitive information.
Here are a few resources to help you get started with auditing activity logs in Atlassian products:
- Confluence audit logs – Understand which events and actions are logged in Confluence—and your configuration options.
- Jira audit logs – Understand which events and actions are logged in Jira applications—and your configuration options.
We’ll continue to add audit events in the future, including events for user security, product access, and admin permissions.
7. Familiarize yourself with your cloud provider’s security offerings
Security is a shared responsibility, so while we need your help monitoring the fish bowl and implementing these preventive measures to create the safest working environment for your organization, we also need to hold up our side of the bargain.
That’s why we’ve built security into the core foundation of our products and infrastructure and continuously work to improve our software development and internal operational processes to ensure the protection of services and data.
We encourage and expect you to verify security and operations of every cloud provider that your organization partners with, including Atlassian, which is why we’ve documented our security, privacy, reliability, and compliance information on our Trust site. We are transparent so that you can feel confident you’re making the right decisions for your organization.