Cybersecurity and data protection are among the main business issues today. In view of the recent events, it is easy to understand why: Atlassian last year experienced the biggest outage that lasted for almost two weeks, and more than 700 companies were cut off for a long time. How much time, nerves, and resources did they waste? A lot. Though the question we would like to raise in this article today is the Atlassian Shared Responsibility Model, as both Bitbucket and Jira are products of Atlassian. And the aforementioned model specifies which responsibilities are the responsibility of a code repository service, as a SaaS provider, and which are the responsibility of the customer.
Atlassian relies on postulates of “four pillars” of trust (it is their top priority), which include: reliability, security, privacy and compliance. They are compliant with ISO/IEC 27001, SOC 2, SOC 3, FedRAMP, PCI DSS and VPAT which guarantee their reliability and sustainability.
What is the Atlassian Cloud Shared Responsibility Model?
Usually, all SaaS providers operate according to the rules which are more or less the same and, mainly, this so-called “Shared Responsibility Model” assumes both a provider, and a customer has some responsibilities to use the service. The provider is responsible for the security of the service and infrastructure, while the customer is responsible for the security in the service – his account and data. Hence, both a provider and a customer have to know their obligations according to this model.
In a word: under this model Atlassian is responsible for the system, hosting and application focusing on their own business and integrity, and the user has to think how to protect his data because account-level protection and recovery is not included in the provider’s responsibilities and competence.
Source: Atlassian Cloud Security Shared Responsibilities
To sum up, they are responsible for the security of the application, the system they work on and the environments the systems are hosted within. The rest is shared responsibility, basically laying on the shoulders of their customers. What exactly and how much responsibilities? Actually, a lot. So, let’s see. Users will have to manage the data within their own accounts and have control over user access to the account and data. Moreover, the user is responsible for the apps which he installs and trusts. In short: if a customer’s information is damaged, it is up to the customer to deal with what to do and how to restore it. Sounds not good.
That’s why, many providers advise to use a third-party backup solution, like GitProtect.io – the most PRO Bitbucket Backup and Jira Backup (including Jira Software, Jira Work Management and Jira Service Management) – to protect their entire environment with all the repos, wikis, issues, branches and other for Bitbucket and Bitbucket DC, and issues, projects and project roles, workflows, etc. for Jira. In this case customers can share the described “Shared Responsibility Model” with another party and greatly reduce the tense.
Step by step: What IT and security teams should know about their responsibilities to protect their data
Atlassian is a pro-user service, which is guided by the strong principles of fast support and security. Thus, their Cloud Security Model covers such areas as: Policy and compliance, User accounts, Information and Applications the customer uses.
Policy and compliance
Under this point Atlassian, as a provider, has to value all the risks and vulnerabilities which happen to the platform and inform their customers about it. Moreover, they can restore the entire platform with all the accounts, but the data in those accounts belong to the customer, so it is his obligation to keep copies of it and restore when he needs it.
User accounts
According to its Shared Responsibility Model, Atlassian is responsible for testing their entire platform for bad or malicious use. It means that if they notice some malware activity on the entire platform, they will definitely inform their customers about it. Moreover, they are always developing their security controls, so that their customers can manage their users, tasks and projects more efficiently. On the other hand, it is the user’s responsibility to take care of his passwords and access, which is obvious, and, most importantly, monitor his company user accounts for malware activity. Thus, if something happens to the customer’s data, such as Issues, Projects, Projects Roles, Workflow, Users, Comments, Attachments, Boards, Versions, Fields (Custom fields, Layouts, Screens), Votes, Audit logs, Notifications, it is an absolute user’s duty to take care of it.
Information
Atlassian is able to inform you on any bad actor activity they can notice. What is more, they can maintain system-level back-ups, which means that they will only provide you with fast replication backups, something like snapshots. On the other hand, customers should think about versioning and performing full, incremental and differential backups of their data, encryption, replication between storages and more. So, Atlassian itself suggests its customers to use a third-party backup solution.
Applications
In accordance with Atlassian Cloud Shared Responsibility Model, the Atlassian Marketplace should receive and manage all vulnerability reports which are related to its applications. And a customer should have access to any Marketplace Apps he wants. But just like with all data, when installing add-ons to their Jira and Bitbucket accounts, the user should be aware that he is responsible for the data processed within these applications.
Can my Shared Responsibilities be reduced?
We have already mentioned that even Atlassian advises to use a third-party backup & recovery solution to protect your data within Jira and Bitbucket. For example, GitProtect.io can take almost all the customers responsibilities connected to data security and protection.
First of all, with the help of the third-party, you should forget about manual backups, because you will get an automated backup with the implementation of the most recommended backup rule – 3-2-1. It means that you will get three backup copies which are kept in two different places (local or cloud – it’s up to your choice) and one of the copies is kept off site. So, if anything happens to your data, for example, an outage, you can always run your backup copy – on your local machine, another vendor (GitHub or GitLab) or local Bitbucket instance.
Next, it’s worth mentioning retention. Atlassian usually retains deleted data for 30 days for free plans, 15 days for evaluation licenses and Standard and Premium plans permit to retain the data for 60 days. When you share this responsibility you can be sure that even the deleted data can be restored. Why? Because unlimited, enterprise-grade retention permits to restore the project which were frozen and deleted, let’s say, 3 years ago.
Then, there is encryption. According to Atlassian policy, they encrypt their data at-rest – which is perfectly fine considering the specificity of their product. But your backup solution should provide you with strong encryption (AES-preferably) both ar rest but also in-flight to make backups protected on every stage – both in transfer and at repository.
And, finally, restore. We’ve already mentioned that Atlassian can restore the entire platform, though, the data restore is on the shoulders of a customer. The professional backup solution should enable you an instant granular restore work every-day operations and advanced Disaster Recovery technologies to eliminate any downtime and ensure business continuity in case of entire infrastructure failure.
Learn how to turn on the best data protection with our popular blog posts: Jira Backup Best Practices and Bitbucket Backup Best Practices.
Takeaway
Source code is a “treasure” of every IT company. That is why understanding your responsibilities according to the Atlassian Cloud Shared Responsibility Model is crucial for your Jira and Bitbucket environments. In this article we have mentioned all the security “pillars” Atlassian follows and what duties each of the parties have.
We have proved that you, as a user, should think about all the necessary measures to take to secure your critical data for guaranteeing your business continuity and having peace of mind. Backup of your Atlassian tools is one of those aspects that can help you with it. If you want to learn more about security of Atlassian tools, read our blog post: Atlassian Security Best Practices.
Top comments (0)