When a company buys an Atlassian product, they’re not typically signing up for just one tool. With a growing ecosystem of over 5,300 apps and more than 1,600 partners, installing Jira, Confluence, or any Atlassian product means unlocking a universe of workflows, templates, tools, and automations to help teams work better together. It’s no wonder 60% of Atlassian customers use apps to customize and extend Atlassian products.
Customers who rely on apps from Atlassian’s Marketplace need to be able to trust that the apps they’re deploying are as secure and reliable as the Atlassian products they’re built on. This is especially true for enterprise organizations pursuing migration to our cloud products who want to ensure their apps meet cloud security standards.
As more and more customers decide to migrate to cloud, it’s paramount they have access to an industry-leading enterprise SaaS ecosystem that addresses these needs. Atlassian is constantly working to ensure our marketplace is leading the way for cloud security, and now we’re kicking off a new program – and a new chapter – for the Marketplace: Cloud Fortified. With the Cloud Fortified program and badge, we’re making it easy for customers to identify enterprise-ready cloud apps with additional security, reliability, and support.
Cloud Fortified represents a giant step toward ensuring a world-class SaaS ecosystem for current and future cloud customers, but it’s important to understand exactly how the Cloud Fortified badge helps us achieve this.
What does a Cloud Fortified badge signify?
Cloud Fortified apps not only demonstrate their own commitment to cloud security based on Atlassian’s programs and standards, but also meet Atlassian-aligned performance and reliability requirements and abide by strict support SLAs for an excellent cloud experience at scale.
Maximum security and continuous monitoring
We know that security is a top concern when customers are considering a migration to cloud. In fact, 40% of surveyed IT managers said security and compliance are among the biggest concerns about on-prem-to-cloud migration. This is often the first myth we contend with when helping customers migrate to Atlassian cloud.
To address these concerns for our Marketplace apps, we’re constantly coming up with new and unique ways to further incentivize cloud security best practices among our Marketplace Partners. Over the past year, we’ve released several programs and requirements to proactively promote cloud app security among all apps and added a badge to make it easy for customers to find apps that have made their own additional investments in cloud security.
Now, Cloud Fortified takes this a step further by requiring that apps participate in our four general security programs and also participate in not one, but two, opt-in programs.
That means Cloud Fortified apps are subject to the following four initiatives, which identify vulnerabilities at scale and verify that partners fix those vulnerabilities while guiding all cloud apps to adopt a security baseline:
- Ecoscanner: Atlassian’s Ecoscanner platform continuously monitors all Marketplace cloud apps for common security vulnerabilities.
- Vulnerability Disclosure Program: Through this program, customers and security researchers can report cloud app vulnerabilities to Atlassian and Marketplace Partners. Atlassian runs this program and defines the parameters for all cloud apps.
- Cloud App Security Requirements: Atlassian has defined a minimum set of mandatory requirements that all Marketplace cloud apps must meet to ensure security best practices across our ecosystem.
- Security Bug Fix Policy: All Marketplace Partners are expected to meet Security Bug Fix SLAs to ensure cloud app vulnerabilities are addressed promptly.
These initiatives improve the security of cloud apps across our Marketplace broadly. To get a Cloud Fortified badge, Marketplace apps need to be scanned by Ecoscanner, be subject to Vulnerability Disclosures, and meet security requirements and bug-fix SLAs. They must also demonstrate their own active investment in security by participating in two additional programs:
- Marketplace Bug Bounty Program: Through this program, Marketplace Partners can proactively combat security risks before they arise by incentivizing security researchers to find vulnerabilities (read this post from a participating partner to learn more).
- Security Self-Assessment Program: Marketplace Partners who participate in this program complete an annual security assessment that Atlassian reviews and approves.
Ultimately, we want to ensure that your cloud apps are doing everything possible to keep your data safe. As Atlassian Ecosystem Security Leader Hariram Balasundaram puts it:
At Atlassian, we want to build trust with our customers and that extends to apps in our Marketplace as well. That’s why we perform security activities like vulnerability scanning, pentesting, bug bounties, etc., to continuously monitor all cloud apps in our Marketplace for security vulnerabilities. We also empower our partners to regularly audit their apps and invest in security if they want to participate and receive recognition through badging programs in the marketplace.
Reliability at scale
The number of apps a company uses increases with company size, meaning enterprise companies often rely on four or more apps to complete daily work. In an enterprise environment, these apps can be just as mission-critical as the products they run on. We know when an app is down it can have a real impact on your team’s workflow. So, we’ve upped reliability standards for Cloud Fortified apps.
Cloud Fortified apps undergo additional checks for service reliability and performance at scale. The core capabilities of Cloud Fortified apps are measured and monitored through service level indicators and objectives. App creators proactively check to ensure future compatibility with host product changes to avoid disruptions, so they’re less likely to break when host products like Jira or Confluence update.
These cloud apps are operated by Marketplace Partners with an incident and change management process that is integrated with Atlassian’s to allow for faster recovery time and continuous improvement. That means in the case of an incident there is a verified process to get back online fast.
When a problem arises with an app, you can’t wait a long time for someone to respond. Cloud Fortified apps abide by stricter support SLAs than other apps. If your Cloud Fortified app has a problem that prevents you from using it, you can rest easy knowing the Marketplace Partner will get back to you within 24 hours, 5 days a week during local business hours.
Our commitment to a trustworthy cloud Marketplace
When you install an Atlassian app to help your team work better together, you’re trusting it will perform consistently and protect your data; we’re fully committed to a secure, reliable cloud marketplace.
While the current requirements of Cloud Fortified provide a baseline for the high level of security and reliability you expect from Atlassian, we are committed to continuously adapting and improving our development platform and Marketplace programs to ensure they meet the needs of new and existing cloud customers. Cloud Fortified requirements will likely evolve to include additional standards over time to continuously reflect the needs of enterprise customers and other customers who rely on business-critical apps.
We’re proud to support our Marketplace Partners who have gone above and beyond to provide an enterprise-grade app experience for businesses of all sizes. So, if you’re using Atlassian Cloud products or starting to migrate, look to Cloud Fortified for enterprise-ready cloud security, reliability, and support.