There is no doubt that Jira is one of the most popular project management and issue-tracking tools that many organizations use. It provides a great number of benefits to teams including improved collaboration between technical and non-technical teams, increased visibility, enhanced productivity, better project planning, flexible customization, scalability, comprehensive reposting, agile methodology support, and, of course, easy compatibility with other Atlassian cloud products – Bitbucket and Confluence.
Though, what will your team do if something will go wrong with your Jira data? In this blog post we will have a deep dive into Jira security best practices, Yet, first, let’s have a quick tour of what security risks and threats your Jira data can face, and what security approaches Atlassian uses to protect your data against those threats.
Jira Security Risks
The year 2022 showed that protecting data should become one of the most important tasks for Security Leaders. If you don’t believe it, let me remind you about – the Atlassian outage in April 2022 that affected 775 customers who couldn’t access their Jira data for almost a week, or numerous vulnerabilities and security flaws tracked in Jira which cloud lead to lost credentials and data breaches.
However, not only vulnerabilities, outages, ransomware, and malware activity can threaten your Jira account data. To this why-protect-Jira-data list, you can easily add human mistakes, hardware and software errors, compliance with strict security audits, and Atlassian Cloud Shared Responsibility Model.
Atlassian security approaches & Shared Responsibility Model
Every service provider follows the Shared Responsibility Model, Atlassian here is not an exception. According to the Atlassian Cloud Shared Responsibility Model:
- the provider is concentrated on its infrastructure integrity and is responsible for the hosting, system, and application,
- the customer is in charge of protecting his Jira account data, as account-level protection isn’t included in Atlassian’s responsibilities and competence.
Though, to ensure that the Atlassian products are secure, the cloud service provider has built its security philosophy, which states that Atlassian is aimed at leading their users in cloud and product security exceeding all industry security standards and certification criteria as well as client requirements for cloud security and is honest about their programs, processes, and metrics.
Focusing on the fundamentals of security, the provider has a number of programs to certify that its approach to security is proactive and wide-reaching. These security programs include Security Champions Program, Security Detections Program, and Bug Bounty Program.
You can read more about Atlassian Security in our exhaustive blog post, which covers different levels of Atlassian safety, and the way Atlassian deals with identifying vulnerabilities.
Security in Jira: Atlassian’s new DevSecOps feature
Moreover, recently Atlassian introduced its new feature “Security in Jira” which permits Jira users to integrate popular security tools in the app’s Security tab. Suzie Prince, a head of product for DevOps at Atlassian, states: “Our goal with Security in Jira is to make security a native part of the agile planning rituals central to excellent software teams. With the Security tab, we’re shifting security left while increasing transparency across tools and teams so Jira Software’s more than 100,000 customers will now be able to more easily and effectively address vulnerabilities.”
Thus, the software provider is sure that the integration of security tools and Jira Software’s Security tab will better equip DevOps teams to simplify their processes and respond to vulnerabilities quickly.
Jira Security Best Practices
Following these security best practices you can build a solid foundation for safeguarding your company’s vital Jira data.
No. 1 Set up user access controls
Imagine a situation when a new user creates a password without paying a lot of attention to it and thinks that his birth date is suitable for that. Will it be an easy task for a threat actor to break into his Jira account? Probably, yes. That’s why it’s important that all your employees use strong user passwords.
Atlassian has its Password policies that define the requirements your password should have, your password strength, and expiry dates for reducing the risk of password-related compromises. Here are the tips Atlassian provides in its official documents:
Atlassian Password Policy: Tips for setting strong passwords
No. 2 Use organizations for central visibility and management
Atlassian has an outstanding feature for managing and controlling all the users who have access to not only Jira-related products, Jira Software, Jira Work Management, and Jira Service Management, but also other Atlassian products – Bitbucket and Confluence.
This feature is “organizations”, an administration layer that provides admins with a mechanism to enforce the appropriate security policies across the Atlassian accounts in their company. With it, admins have complete visibility and control over the company’s employees who use Jira regularly and can enforce security controls like SSO and automated user provisioning across the company by validating your corporate domain and managing all Atlassian accounts within the organization.
If you don’t intend to establish an organization and enforce security policies on your organization, then you will need to consider configuring your Atlassian infrastructure in a way that only some specific cloud sites, products, or repositories contain sensitive information within them. Moreover, you may need to limit the number of people who have access to those specified sites, products, or repositories.
No. 3 Update Jira regularly
Atlassian constantly monitors its security and detects vulnerabilities that can potentially threaten its environment (check our blog post: 2022 in a nutshell: Atlassian outages and vulnerabilities to learn more).
To deal with these threats effectively, the service provider regularly releases patches to its products. So, it’s critical to update your Jira to enhance security and withstand ever-appearing bugs.
No. 4 Implement network security measures
To protect your Jira environment and its data from unauthorized access, malware, and other cyber threats, you can implement network security measures, like:
- firewalls, which will block unauthorized access to the network and Jira system and will filter traffic to and from Jira preventing from malicious traffic entering the network.
- Intrusion Detection or Prevention Systems (IDS/IPS), which can monitor network traffic for any sign of malicious activity.
- Virtual private networks (VPNs), which you can use to create a secure, encrypted connection between remote users and your company’s Jira system.
- Network segmentation, which will help your company separate Jira from other parts of the network, and restrict access to Jira only to authorized users and systems.
- Two-step verification, which will serve as an extra layer to protect secure access to the Jira account by providing not only a password but also verification by phone or email (btw, Atlassian permits to enforce individual two-step verification as well as two-step authentication across your entire organization).
No. 5 Configure SSO with your identity provider
If you want to control your team’s account access you can enable Single sign-on (SSO) across all the SaaS applications your company uses. It will help to mitigate the security risks brought on by the company’s increasing usage of cloud applications and logins.
What benefits does the integration between your SSO and the Atlassian provider bring? It enables:
- centralized management of your authentication policies,
- just-in-time provisioning,
- an automatic lockout when you deactivate a user from your SSO.
Atlassian provides a few options for SSO. The first one goes with the subscription to Atlassian Access, which enables the connection of your cloud products and the identity provider of your choice – SAML SSO. And the other one is the SSO with G Suit, which is useful if you rely a lot on Google Workspace.
No. 6 Install automated provisioning and de-provisioning
How much time do you need to spend on creating new accounts or updating the accounts of other employees who, for example, transfer to another department? Yeap.. it takes time. However, if you have automated user provisioning, you can save time on this operation, as it allows for a direct synchronization between your identity provider and Jira. So, there is no need to manually create user accounts when a new employee joins your team.
Automated de-provisioning, on the other hand, removes access for those who leave your company without your interference. It can reduce the risk of information breaches due to forgetting to restrict access to ex-employees.
With Atlassian, you can use provisioning with G Suite (but here is one note: no group categorization is reflected in your organization), or provisioning with SCIM, which permits you to sync your identity provider with Jira.
No. 7 Conduct regular security assessments
It’s important to test and monitor your Jira security on a regular basis to identify and address any vulnerabilities or security weaknesses. For that reason, you can:
- review Jira audit logs, which will give you a wider view of which events and actions are logged in your Jira and your configuration options,
- regularly audit your Jira accounts even if you have SSO or two-step verification enabled,
- perform penetration testing, which will simulate a cyber attack on your Jira system and identify any weaknesses that could be exploited,
- conduct vulnerability assessments using some vulnerability scanning tools to identify potential vulnerabilities in your Jira environment.
No. 8 Educate your team with security procedures
It’s important to educate your team about security procedures, as sometimes even knowing something for sure, you can forget about it. So, as a Security Leader, you should remind your employees to create strong security passwords, enable two-step verification, enforce SSO, remind them to use API tokens for Jira REST API basic authentication and restrict access to pages or tickets that include sensitive information.
No. 9 Back up your Jira environment
Having regular backups of your Jira environment can give your product team assurance that nothing will interrupt their working process. They will be sure that even during an Atlassian outage or a ransomware attack, they will be able to recover their Jira backup for the company’s business continuity. Here are the Jira backup best practices you should follow to have your Jira data available and recoverable anytime:
- your backup solution should cover all your Jira data, including projects, workflows, users, attachments, etc.
- your backup provider should be a multi-storage system that permits you to back up your Jira data to a few destinations.
- you should have the possibility to follow the 3-2-1 backup rule, having at least 3 copies in no less than 2 storage instances, one of which is offsite.
- your backup should be ransomware-proof and have encryption in-flight and at rest with your own encryption key
- your backup should have a Jira restore and Disaster Recovery Technology permitting you to restore your data fast in any event of failure, including such features as restore to the same or new account, or to a free Jira account with no-user recovery option, point-in-time instant restore, Cloud2Cloud or Cloud2Local restore.
- your backup should permit you to schedule your Jira backups automatically.
- Central Monitoring Management, which will help you keep track of your Jira backup performance.
Of course, as a Security Leader, you can appoint certain members of your team to build scripts and carry out backups regularly as part of their everyday duties, but this might take time and distract them from their core tasks. On the contrary, you may utilize third-party software like GitProtect.io, guaranteeing your access to the data and its recovery at any time in the event of a disaster.
No. 10 Set up a mobile policy for your cloud applications
You can turn on the function of preventing copy-paste or screen recording for cloud mobile apps as an additional layer of protection. Using Atlassian Acces, it’s possible to configure a mobile (MAM) policy or configure your existing Mobile Device Management (MDM) solution using the AppConfig standard (supported by most MDM solutions, such as Microsoft Intune, VMware, JAMF, etc.).
Final thought – Has everything been mentioned?
Atlassian puts a lot of effort into securing its products, though you shouldn’t forget that the security of your Jira data is your responsibility. It’s important to adhere to the security best practices to be sure that your sensitive data is protected.
There is one more tip – only install apps and plugins from trusted sources, for example, Atlassian Marketplace, and review and remove any unused or unnecessary ones on a regular basis.
✍️ Subscribe to GitProtect DevSecOps X-Ray Newsletter – your guide to the latest DevOps & security insights
🚀 Ensure compliant DevOps backup and recovery with a 14-day free trial
📅 Let’s discuss your needs and see a live product tour
Top comments (0)