The enterprise migration to cloud has been underway for years – it’s long been a matter of when, not if. But for security-minded enterprises, the more difficult question then becomes “How?”
Some workflows, like messaging and calendars, can be moved to cloud with little worry about their security. More sensitive tasks, such as those that deal with IP or customer data, will always merit scrutiny by security teams.
Atlassian is helping more enterprises move critical workflows to the cloud every day, and we field a wide variety of questions on ways to make the process secure and on our own security perspective. The most common among them are worthy of consideration by any business with cloud aspirations:
What is your security philosophy?
Discerning enterprises understand that ensuring security isn’t just a matter of checking a list of requirements. New threats develop more quickly than ever, and reducing risk requires a holistic approach to security that transcends a checklist. Organizations moving self-managed workflows to cloud should look for technology partners with a clear security philosophy that goes beyond industry certifications.
How do you secure your internal environment?
One of the most important factors in building secure technology is safeguarding the environment in which it is built. Vulnerabilities in the environment create an opportunity for vulnerabilities to end up in the product.
How do you secure day-to-day operations?
Security should be baked into all aspects of an enterprise technology provider’s day-to-day operational processes. When security practices are incorporated as an afterthought, they’re less likely to be adopted and to stick.
Atlassian Trust Analyst Jodie Vlassis explains, “We care deeply about the resiliency of our products, not least because we – internally, in Atlassian – rely on the very same products. We’re determined to build in processes to plan for disruptions and handle disruptions such that they result in minimal impact to our customers when they do occur.”
How do you secure customer data?
Perhaps more important even than the security of software itself is the security of the data that software creates, contains, or touches. An attack on a tool might take that tool out of commission for a day or two, but a breach of customer data can create far-reaching ramifications for those customers.
How do you secure your own workers?
No one wants to be the weak link that exposes their organization to a security threat, but sometimes it takes more than good intentions to ensure the security of the workers who build and support technology. Enterprise technology providers should have programs in place not only to protect their workers, but to educate them on how they can protect themselves and their colleagues from threats like phishing and fraud. Atlassian’s own Trust team sets a great example:
“We’re intent on making sure all of our staff know how to do their work securely and are empowered to act accordingly. Embedding a security mindset is at the forefront of Atlassian’s culture,” Vlassis says. “We also maintain open channels of communication between our employees and the security team through instant messaging channels, blog posts, FAQs, etc., so the security team is as accessible as possible to all Atlassian staff.”
How do you ensure your applications are built securely?
This is the first question many enterprises ask of technology providers. If an application is not secure, it’s a nonstarter for most organizations. A secure product requires stringent security measures in the development cycle, as well as frequent maintenance and updates to ensure continued safety as it matures.
How do you identify and respond to security threats?
No matter how thorough and airtight the security measures of a technology provider are, there is always the risk that external forces will test the resiliency of your organization. Enterprises cannot assume their passive security measures will always be effective – they must proactively seek out potential threats and respond quickly to reduce risk.
How do you secure your ecosystem and partner technology?
In today’s enterprise technology environments, it’s rare that an application exists in a vacuum. Just about every piece of software needs to interface with other technologies, and many enterprises prefer to augment their tools with additional capabilities from the provider’s ecosystem. This can introduce significant complexity and create opportunities for threats to arise if a technology provider’s ecosystem of developers and partners isn’t securely integrated.
How do you meet compliance obligations?
Most enterprises don’t just prioritize security for security’s sake – they may operate in industries for which regulations compel them to meet security certification requirements. As large-scale security breaches have become more and more common, governments have taken notice. Technology providers must have a strong compliance strategy if they hope to serve enterprises in regulated industries.
These questions should be part of every enterprise’s process for assessing the security posture of a cloud provider, and are worth asking of existing technology partners as well as new ones.
If you’re interested in diving deeper into Atlassian’s approach to these questions, you can learn about our current security programs, as well as our roadmap for the future, at our Trust Center.