Skip to main content
Illustration about data security in Atlassian Cloud

Security practices in Atlassian Cloud

Alice Bakhoff

Cloud product security relies on Atlassian’s internal environments  

Atlassian practices a layered approach to secure their networks. Controls are implemented at each layer of their cloud environments, dividing infrastructure by zones, environments, and services. 


Environments are separated to limit connectivity between production and non-production environments, and production data is not replicated outside of production environments.


Services are explicitly authorized to communicate with other services through an authentication allowlist.


Access to sensitive networks is controlled through the use of virtual private cloud (VPC) routing, firewall rules, and software defined networking, with all connections into those networks encrypted. 


Certificates and Atlassian Trust Management System

Atlassian has acquired many security compliance certificates: PCI DSS, SOC, ISO/IEC 27018, ISO/IEC 27001, VPAT, FedRAMP


Based on the ISO27001 Information Security Management System standard, Atlassian Trust Management System (ATMS) explains how concepts of different certificates are implemented into security practices.


The basis of the ATMS is a strategy that covers best practices from both the ISO27001 standard as well as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). 


In order to continuously evaluate potential risks to Atlassian’s environments and products, the company is performing on-going risk assessments based on ISO27005 or ISO31010 Risk Management methodologies.  


In many cases, especially in the case of their products, these are performed as technical risk assessments or code reviews. However, Atlassian also evaluates each of their entire product stack or a portion of organization to uncover higher level business risks. 


A structured Trust Management Forum includes representatives from every pillars of Atlassian’s Trust program to ensure they apply not only security controls but also reliability, privacy and compliance controls and how to manage risks across each of these pillars.


Configuring product security - how to minimize possible risks yourself?

In essence, Atlassian Cloud security policies are build on Zero Trust concept. 


Zero Trust is a framework in which an organization forgoes one large perimeter in favor of protection at every endpoint and for every user and/or device within a company. 


Every tools acts as an independent unit that does not grant access to next tool.


You can implement identity authentication mechanisms (such as SSO, SCIM, and 2-factor authentication) across your Atlassian Cloud products with Atlassian Access. 


Devices on different service access tiers can be authenticated according to its certificate with Duo.  

Seoseid kirjeldav skeem, kuidas Atlassianis seadmete ja kasutajate autentimisloogikat rakendatakse

User and device authentication logic implemented in Atlassian. 


Atlassian assumes responsibility for security, availability and performance of the applications they provide, the systems they run on, and the environments within which those systems are hosted.  


However, security is a joint responsibility between Atlassian and customers.


Atlassian Cloud turvalisusega seotud vastutusalasid (jagatud ja mitte) kirjeldav illustratsioon

Responsibility distribution across Atlassian Cloud products. 


 Built in and optional security features in Atlassian Cloud products

  • data encryption - encryption in transit and at rest. Included in every Cloud plan (Jira Software, Jira Service Management, Confluence); 
  • backups - automated daily backups that are retained for 30 days. Included in every Cloud plan;
  • data residency - data residency for United States and European Union. Available on Standard, Premium and Enterprise plans; 
  • audit logging - organization-level audit logging available via Atlassian Access (Jira Software, Confluence), product-level audit logs (Jira Software, Confluence); 
  • device security - mobile device management support (Jira Software, Confluence, Jira Service Management);
  • content security - IP whitelisting for Premium and Enterprise (Jira Software, Jira Service Management, Confluence) and web session duration management; 
  • API and app security - API token controls (Jira Software, Jira Service Management, Confluence).



Atlassian Marketplace security programs

Atlassian implements several programs and frameworks to minimize risks regarding plugins:  


Marketplace bug bounty program 

The program aims to give partners the tools to facilitate post-production vulnerability discovery in a cost-efficient way. If you are looking to start or extend your security story.


Security self assessment program 

The program involves an annual security self-assessment that Atlassian reviews and approves. During the review process, Atlassian works with the partner to pinpoint vulnerabilities and identify improvements. 


Vulnerability disclosure program 

The Vulnerability Disclosure Program(VDP) for all third party Marketplace cloud apps provides a framework for Atlassian to securely accept and triage vulnerabilities submitted by Atlassian customers and security researchers, and then report those vulnerabilities to partners to remediate.


The Ecoscanner platform is a platform used for performing security checks against all Marketplace cloud apps on an ongoing basis.


Security bug fix policy 

The policy describes how and when Atlassian expects their Atlassian Marketplace partners to resolve security bugs in their apps listed in the Marketplace.


Cloud Fortified apps program 

Cloud Fortified Apps is the program for a new designation of apps designed to serve largest customers and those with more business-critical operating requirements when it comes to apps: 

  • security program participation: Marketplace Security Bug Bounty Program and Security Self-Assessment Program;
  • reliability program participation: core capability SLOs + tests, and incident management;
  • support program participation: provide a support point of contact, and respond to T1 support tickets within 1 day (24 hours).



If you need help implementing Atlassian Cloud

Do not hesitate to contact us – we provide consultations and can help with everything regarding Atlassian products and plugins.  



Add new comment

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.