ENISA: European Network & Information Security Agency
Atlassian Outsourcing Guidelines
Disclaimer
The guidance provided below is solely for the purposes of assisting European cloud customers, as well as enterprise organisations considering outsourcing business functions to the cloud in their evaluation of Atlassian’s cloud products and associated services.
This report is intended solely for the information and guidance provided by Atlassian to its cloud customers on how we align with ENISA IAF. In parallel to this, we have a dedicated Shared Responsibilities white paper which discusses the shared responsibilities that both a Cloud Service Provider (“CSP”), like Atlassian, and its customers need to keep in mind when ensuring compliance with ENISA IAF. This shared responsibility model does not remove the accountability and risk from customers using Atlassian Cloud products, but it does help relieve our customer’s burdens in a number of ways, including by: managing and controlling system components and physical control of facilities; and shifting a portion of the cost of security and compliance onto Atlassian and away from our customers.
To learn more about our commitment to safeguard customer data, visit our Security Practices page.
| | ID | ENISA Guidance | Atlassian Response |
Introduction | |||
|
|
| The European Network and Information Security Agency (ENISA) is a center of network and information expertise. It works closely with EU member states and the private sector to provide advice and recommendations on good cybersecurity practices. ENISA also supports the development and implementation of EU policy and law relating to national information security. | Atlassian aligns to the IAF by way of Atlassian's adherence to the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM), which maps CCM domains and controls to IAF assurance criteria, as well as certification against ISO 27001.
The following guidance provides assurance criteria to assist organizations in choosing a cloud service provider. If you have any questions about specific details, please contact our Enterprise Sales Team at https://www.atlassian.com/enterprise/contact?formType=product-features. |
Information Assurance Framework (IAF) | |||
Personnel Security | |||
| | 6.01 | The majority of questions relating to personnel will be similar to those you would ask your own IT personnel or other personnel who are dealing with your IT. As with most assessments, there is a balance between the risk and cost. |
|
| 6.01. (a) | What policies and procedures do you have in place when hiring your IT administrators or others with system access? These should include:
| In accordance with the laws of their residence, new Atlassians are required to complete a background check. In accordance with the laws of their residence, newly hired employees as a result of an acquisition have a background check performed after the acquisition date. A criminal check is run on all new hires and independent contractors - education verification, employment verification, or credit checks are added in if the role or level of the position requires it. We perform full background checks for senior executive and accounting roles. | |
| 6.01. (b) | Are there different policies depending on where the data is stored or applications are run?
| Atlassian maintains restriction on the personnel that need access to our systems, applications and infrastructure for their job role and responsibilities on the basis of least privilege and this is enforced through our authentication processes. All access is through authenticated sessions, and based on established permissions. | |
| 6.01. (c) | What security education program do you run for all staff? | Atlassian provides information security training as an element of onboarding training ('Day 1') for new hires, and on an ongoing basis to all staff. | |
| 6.01. (d) | Is there a process of continuous evaluation?
| Atlassian has achieved SOC2, ISO27001 and ISO27018 certifications for our cloud services. We perform both internal / readiness audits as well as external audits at least annually. Atlassian is ISO certified across a number of products, which requires regular risk assessments and reviews of data practices. | |
Supply-Chain Assurance | |||
| | 6.02. | The following questions apply where the cloud provider subcontracts some operations that are key to the security of the operation to third parties (eg, a SaaS provider outsourcing the underling platform to a third party provider, a cloud provider outsourcing the security services to a managed security services provider, use of an external provider for identity management of operating systems, etc). It also includes third parties with physical or remote access to the cloud provider infrastructure. It is assumed that this entire questionnaire may be applied recursively to third (or nth) party cloud service providers. |
|
| 6.02. (a) | Define those services that are outsourced or subcontracted in your service delivery supply chain that are key to the security (including availability) of your operations. | Atlassian works with third party sub-contractors to provide website, application development, hosting, maintenance, back-up, storage, virtual infrastructure, payment processing, analysis, and other services. A list of sub-processors currently engaged by Atlassian and authorized by Customer are listed at https://www.atlassian.com/legal/sub-processors. | |
| 6.02. (b) | Detail the procedures used to assure third parties accessing your infrastructure (physical and/or logical).
| Our legal and procurement teams review contracts, SLAs, and vendor internal policies to manage risks associated with security, availability, and confidentiality. We also perform functional risk assessments as needed based on risk profile. Risk assessments are revisited as part of policy renewal and anytime the relationship with the supplier changes significantly. Our Supplier & Third Party Data Management Policy covers this process, of which an excerpt is available here: https://www.atlassian.com/trust/security/ismp-policies | |
| 6.02. (c) | Are any SLA provisions guaranteed by outsources lower than the SLAs you offer to your customers? If not, do you have supplier redundancy in place? | Depending on the license arrangement, our customer cloud terms should be reviewed either on Monthly subscription or Annual subscription renewal. Our legal and procurement teams review contracts, SLAs, and vendor internal policies to manage risks associated with security, availability, and confidentiality. Atlassian's Enterprise Risk Management (ERM) Program performs an annual risk assessment which incorporates likelihood and impact for all risk categories and is aligned with the COSO risk model. We also perform functional risk assessments as needed based on risk profile. Risk assessments are revisited as part of policy renewal and anytime the relationship with the supplier changes significantly. | |
| 6.02. (d) | What measures are taken to ensure third party service levels are met and maintained? | Our legal and procurement teams review contracts, SLAs, and vendor internal policies to manage risks associated with security, availability, and confidentiality. We also perform functional risk assessments as needed based on risk profile. Risk assessments are revisited as part of policy renewal and anytime the relationship with the supplier changes significantly. Our Supplier & Third Party Data Management Policy covers this process, of which an excerpt is available here: https://www.atlassian.com/trust/security/ismp-policies | |
| 6.02. (e) | Can the cloud provider confirm that security policy and controls are applied (contractually) to their third party providers? | All systems and projects undergo an impact assessment as it relates to PII. Our Atlassian Third-Party Agreements include security and privacy provisions as applicable. New vendors to Atlassian are required to agree to our privacy and security policies in our contracts. | |
Operational Security | |||
| | 6.03. | It is expected that any commercial agreement with external providers will include service levels for all network services. However, in addition to the defined agreement, the end customer should still ensure that the provider employs appropriate controls to mitigate unauthorised disclosure. |
|
| | 6.03. (a) | Detail your change control procedure and policy. This should also include the process used to re-assess risks as a result of changes and clarify whether the outputs are available to end customers. | Atlassian has an Enterprise Risk Management (ERM) Program aligned with the COSO risk model and ISO 31000. The ERM Program implements a risk management framework and methodology across Atlassian, and performs annual risk assessments, periodic specific risk assessments of a product environment, and functional risk assessments as needed based on risk profile. |
| | 6.03. (b) | Define the remote access policy. | Remote access requirements are defined in the Access Management Policy and associated Standards. Customer data may be replicated onto employee workstations for support or migration purposes and with an active Customer Support Ticket. Strict firewall rules are in place thus limiting access to the production environment to our VPN network and authorized systems. Our VPN access requires multi-factor authentication. |
| | 6.03. (c) | Does the provider maintain documented operating procedures for information systems? | Atlassian's basic principles of operations security includes the development of standard operating procedure documents. We have also published excerpts of each of our high level policies with the tl:dr, which can be found at: https://www.atlassian.com/trust/security/ismp-policies |
| | 6.03. (d) | Is there a staged environment to reduce risk, e.g., development, test and operational environments, and are they separated? | Atlassian has information security policies prohibiting the use of production data in non-production environments, and any attempted data migration between the environments would be identified through the change management process. The code moves from centralized build system with unit testing first. Then into feature branch validation with additional test automation and gate reviews by PM, Dev, QA. Then into UAT, Security, and performance validation. Developers cannot promote code to production directly. Further details are available at https://www.atlassian.com/trust/security/security-practices#managing-changes-in-our-environment |
| | 6.03. (e) | Define the host and network controls employed to protect the systems hosting the applications and information for the end customer. These should include details of certification against external standards (e.g., ISO 27001/2). | Atlassian Network Engineering uses IPS technologies built into our cloud and office firewalls, and Atlassian has implemented IDS technologies in our office environments. Network threat protection is performed by AWS, including DDoS protection and some Web Application Firewall features. All data for our services is encrypted in transit using TLS to protect it from unauthorized disclosure or modification, whether over HTTPS or SMTPS. |
| | 6.03. (f) | Specify the controls used to protect against malicious code. | Atlassian has implemented Crowdstrike Falcon (https://www.crowdstrike.com/falcon-platform/) for our Windows and Mac fleet. We do not use anti-malware on our Linux machines. Anti-malware is included in our vulnerability management policy. |
|
| 6.03. (g) | Are secure configurations deployed to only allow the execution of authorised mobile code and authorised functionality (e.g., only execute specific commands)? | All servers are configured using our centralized puppet configuration system to our standard operating environment, including removal of select packages from the default image and critical package updates. All server roles have a default deny all for incoming networking requests, with select ports opened only to the other server roles which require access to that port for their function. |
|
| 6.03. (h) | Detail policies and procedures for backup. This should include procedures for the management of removable media and methods for securely destroying media no longer required. (Depending on his business requirements, the customer may wish to put in place an independent backup strategy. This is particularly relevant where time-critical access to back-up is required.) | We operate a comprehensive backup program at Atlassian. This includes our internal systems, where our backup measures are designed in line with system recovery requirements. With respect to our cloud products, and specifically referring to you and your application data, we also have extensive backup measures in place. We use the snapshot feature of Amazon RDS (Relational database service) to create automated daily backups of each RDS instance. Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups. For Bitbucket, data is replicated to a different AWS region and independent backups are taken daily within each region. |
|
|
| Audit logs are used in the event of an incident required investigation as well as for troubleshooting. For these purposes, the end customer will need assurance that such information is available. |
|
|
| 6.03. (i) | Can the provider detail what information is recorded within audit logs?
| Key system logs are forwarded from each system to a centralized log platform, where logs are read-only. The Atlassian Security Team creates alerts on our Security Analytics Platform (Splunk) and monitors for indicators of compromise. Our SRE teams use the Platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup. |
|
| 6.03. (j) | How are audit logs reviewed? What recorded events result in action being taken? | Key system logs are forwarded from each system to a centralized log platform, where logs are read-only. The Atlassian Security Team creates alerts on our Security Analytics Platform (Splunk) and monitors for indicators of compromise. Our SRE teams use the Platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup. |
|
| 6.03. (k) | What time source is used to synchronise systems and provide accurate audit log time stamping? | Atlassian Cloud utilizes AWS Time Sync for all deployed instances. |
Software Assurance | |||
|
| 6.03.01. (a) | Define controls used to protect the integrity of the operating system and applications software used. Include any standards that are followed, e.g., OWASP, SANS Checklist, SAFECode. | Our team of security engineers continually do a rolling review of all source code in our products as part of our development cycle. Both automated and manual techniques are employed. We also utilize a mandatory dual peer review process, where multiple senior or lead developers review all commits to master. Agile workflows let us identify and fix any vulnerabilities quickly, especially for our cloud services. |
|
| 6.03.01. (b) | How do you validate that new releases are fit-for-purpose or do not have risks (backdoors, Trojans, etc)? Are these reviewed before use? | Our Atlassian Change Management process is slightly different than traditional change processes. We rely on a Peer Review and Green Build (PRGB) control on all changes, whether to code, application or infrastructure changes. Peer Review is configured in our CD tool, where critical branches must be designated to have multiple reviewers for each Pull Request. Commonly this is two developers and the Team Lead. The Green Build portion of the control means that the integration during the CI phase must pass all integration, functional, security and other tests that have been developed. If these tests fail (a Red Build), the code will not be merged and must be reviewed again and address the failures. Once a Green Build is successful, the binary is cryptographically signed and our production environment only runs binaries that are signed with our key. Our testing process includes both automated and manual assessment components. We love to blog about what we do well. Our approach to using 'Quality Assistance' (rather than traditional 'Quality Assurance') is something we are passionate about: https://www.atlassian.com/inside-atlassian/quality-assurance-vs-quality-assistance. |
|
| 6.03.01. (c) | What practices are followed to keep the applications safe? | Our applications require a Peer Review and Green Build (PRGB) after which the applications artifacts are cryptographically signed, automatically deployed by our CI/CD pipeline, and only Atlassian signed applications are able to be run in our Production Environment. |
|
| 6.03.01. (d) | Is a software release penetration tested to ensure it does not contain vulnerabilities? If vulnerabilities are discovered, what is the process for remedying these? | Atlassian performs secure development practices across all the phases of the development lifecycle. Please See: https://www.atlassian.com/trust/security/security-in-development for more information. |
Patch Management |
|
|
|
|
| 6.03.02. (a) | Provide details of the patch management procedure followed? | We maintain a Threat and Vulnerability Management Policy. Our Policy Management Program (PMP) has been defined and includes ownership, availability, review cycle and outlines our general objectives. Our policies are reviewed at least annually and approved by senior management. More information about our PMP can be found at: https://www.atlassian.com/trust/security/security-management-program |
|
| 6.03.02. (b) | Can you ensure that the patch management process covers all layers of the cloud delivery technologies - i.e., network (infrastructure components, routers and switches, etc), server operating systems, virtualisation software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc)? | System configuration changes are managed by an automates process which includes review of all changes before deployment to production. Atlassian Service Operations can deploy patches as soon as a significant risk is identified. We have internal criteria to determine how quickly to implement any patches, and can apply within 12 hours for all machines. An IDS system is in place which includes monitoring of system configuration files. |
Network Architecture Controls | |||
|
| 6.03.03. (a) | Define the controls used to mitigate DDoS (distributed denial-of-service) attacks.
| Network security requirements are defined in the Communication Security Policy, which is reviewed annually in line with our Policy Management Program (PMP). For more information on our PMP, see: https://www.atlassian.com/trust/security/security-management-program |
|
| 6.03.03. (b) | What levels of isolation are used?
| Atlassian is a multi-tenant SaaS application. Multi-tenancy is a key feature of Atlassian Cloud that enables multiple customers to share one instance of the Jira or Confluence application layer, while isolating each customer tenant’s application data. Atlassian Cloud accomplishes this through the Tenant Context Service (TCS). Every user ID is associated with exactly one tenant, which is then used to access the Atlassian Cloud applications. For more information, see : https://www.atlassian.com/trust/security/security-practices#tenant-isolation |
|
| 6.03.03. (c) | Does the architecture support continued operation from the cloud when the company is separated from the service provider and vice versa (e.g., is there a critical dependency on the customer LDAP system)? | A Business Continuity and Disaster Recovery policy and Business Continuity and Disaster Recovery Plan is in place and is reviewed on an annual basis by the Business Continuity / Disaster Recovery steering committee. For more information, see : https://www.atlassian.com/trust/security/security-practices#faq-d323ae61-59b8-4ddb-96d4-30716b603e3e and https://www.atlassian.com/trust/security/data-management. |
|
| 6.03.03. (d) | Is the virtual network infrastructure used by cloud providers (in PVLANs and VLAN tagging 802.1q architecture) secured to vendor and/or best practice specific standards (e.g., are MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)? | Network security requirements are defined in the Communication Security Policy, which is reviewed annually in line with our Policy Management Program (PMP). For more information on our PMP, see: https://www.atlassian.com/trust/security/security-management-program |
Host Architecture | |||
|
| 6.03.04. (a) | Does the provider ensure virtual images are hardened by default? | All servers are configured using our centralized puppet configuration system to our standard operating environment, including removal of select packages from the default image and critical package updates. All server roles have a default deny all for incoming networking requests, with select ports opened only to the other server roles which require access to that port for their function. |
|
| 6.03.04. (b) | Is the hardened virtual image protected from unauthorised access? | All servers are configured using our centralized puppet configuration system to our standard operating environment, including removal of select packages from the default image and critical package updates. All server roles have a default deny all for incoming networking requests, with select ports opened only to the other server roles which require access to that port for their function. |
|
| 6.03.04. (c) | Can the provider confirm that the virtualized image does not contain the authentication credentials? | All servers are configured using our centralized puppet configuration system to our standard operating environment, including removal of select packages from the default image and critical package updates. All server roles have a default deny all for incoming networking requests, with select ports opened only to the other server roles which require access to that port for their function. |
|
| 6.03.04. (d) | Is the host firewall run with only the minimum ports necessary to support the services within the virtual instance? | All servers are configured using our centralized puppet configuration system to our standard operating environment, including removal of select packages from the default image and critical package updates. All server roles have a default deny all for incoming networking requests, with select ports opened only to the other server roles which require access to that port for their function. |
|
| 6.03.04. (e) | Can a host-based intrusion prevention service (IPS) be run in the virtual instance? | This is not applicable, as Atlassian operates a Software as a Service (SaaS) model. |
PaaS - Application Security | |||
|
| 6.03.05. | Generally speaking, PaaS service providers are responsible for the security of the platform software stack, and the recommendations throughout this document are a good foundation for ensuring a PaaS provider has considered security principles when designing and managing their PaaS platform. It is often difficult to obtain detailed information from PaaS providers on exactly how they secure their platforms - however the following questions, along with other sections within this document, should be of assistance in assessing their offerings. |
|
|
| 6.03.05. (a) | Request information on how multi-tenanted applications are isolated from each other - a high level description of containment and isolation measures is required. | This is not applicable, as Atlassian operates a Software as a Service (SaaS) model. |
|
| 6.03.05. (b) | What assurance can the PaaS provider give that access to your data is restricted to your enterprise users and to the applications you own? | This is not applicable, as Atlassian operates a Software as a Service (SaaS) model. |
|
| 6.03.05. (c) | The platform architecture should be classic 'sandbox' - does the provider ensure that the PaaS platform sandbox is monitored for new bugs and vulnerabilities? | This is not applicable, as Atlassian operates a Software as a Service (SaaS) model. |
|
| 6.03.05. (d) | PaaS providers should be able to offer a set of security features (re-usable amongst their clients) - do these include user authentication, single sign on, authorization (privilege management), and SSL/TLS (made available by an API)? | This is not applicable, as Atlassian operates a Software as a Service (SaaS) model. |
SaaS - Application Security | |||
|
| 6.03.06. | The SaaS model dictates that the provider manages the entire suite of applications delivered to end-users. Therefore SaaS providers are mainly responsible for securing these applications. Customers are normally responsible for operational security processes (user and access management). However the following questions, along with other sections within this document, should assist in assessing their offerings: |
|
|
| 6.03.06. (a) | What administration controls are provided and can these be used to assign read and write privileges to other users. | Customers of our Enterprise and Premium Cloud offerings have access to a centralized administration control panel. Your organization's admins can manage user access and permissions across all your product instances. See our blog post here: https://www.atlassian.com/blog/platform/cloud-enterprise-centralized-admin-controls. |
|
| 6.03.06. (b) | Is the SaaS access control fine grained and can it be customized to your organizations policy? | Customers of our Enterprise and Premium Cloud offerings have access to a centralized administration control panel. Your organization's admins can manage user access and permissions across all your product instances. See our blog post here: https://www.atlassian.com/blog/platform/cloud-enterprise-centralized-admin-controls. |
Resource Provisioning | |||
|
| 6.03.07. (a) | In the event of resource overload (processing, memory, storage, network)?
| Atlassian plans capacity 6-12 months ahead, with high level strategic planning going out 36 months. |
|
| 6.03.07. (b) | How much can you scale up? Does the provider offer guarantees on maximum available resources within a minimum period? | Atlassian plans capacity 6-12 months ahead, with high level strategic planning going out 36 months. |
|
| 6.03.07. (c) | How fast can you scale up? Does the provider offer guarantees on the availability of supplementary resources within a minimum period? | Atlassian plans capacity 6-12 months ahead, with high level strategic planning going out 36 months. |
|
| 6.03.07. (d) | What processes are in place for handling large-scale trends in resource usage (eg, seasonal effects)? | Atlassian plans capacity 6-12 months ahead, with high level strategic planning going out 36 months. |
Identity and Access Management | |||
Authorization | |||
|
| 6.04.01. | The following controls apply to the cloud provider's identity and access management systems (those under their control). |
|
|
| 6.04.01. (a) | Do any accounts have system-wide privileges for the entire cloud system and, if so, for what operations (read/write/delete)? | Our global support team maintains an account on all hosted systems and applications for the purposes of maintenance and support. This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system. |
|
| 6.04.01. (b) | How are the accounts with the highest level of privilege authenticated and managed? | Atlassian maintains restriction on the personnel that need this access for their job role and responsibilities. All tier 1 systems are managed via Atlassian centralized single sign-on (SSO) and directory solution. Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system. Atlassian utilizes MFA to access all tier 1 systems. We have enabled two-factor authentication to the hypervisor management console and AWS API and a daily audit report on all access to the hypervisor management functions. Access lists to the hypervisor management console and AWS API are reviewed quarterly. We also maintain an 8-hour sync between our HR System and our Identity store. |
|
| 6.04.01. (c) | How are the most critical decisions (e.g., simultaneous de-provisioning of large resource blocks) authorised (single or dual, and by which roles within the organisation)? | Atlassian maintains restriction on the personnel that need this access for their job role and responsibilities. All tier 1 systems are managed via Atlassian centralized single sign-on (SSO) and directory solution. Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system. Atlassian utilizes MFA to access all tier 1 systems. We have enabled two-factor authentication to the hypervisor management console and AWS API and a daily audit report on all access to the hypervisor management functions. Access lists to the hypervisor management console and AWS API are reviewed quarterly. We also maintain an 8-hour sync between our HR System and our Identity store.
|
|
| 6.04.01. (d) | Are there any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules? | Atlassian maintains restriction on the personnel that need this access for their job role and responsibilities. All tier 1 systems are managed via Atlassian centralized single sign-on (SSO) and directory solution. Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system. Atlassian utilizes MFA to access all tier 1 systems. We have enabled two-factor authentication to the hypervisor management console and AWS API and a daily audit report on all access to the hypervisor management functions. Access lists to the hypervisor management console and AWS API are reviewed quarterly. We also maintain an 8-hour sync between our HR System and our Identity store.
|
|
| 6.04.01. (e) | Do you use role-based access control (RBAC)? Is the principle of least privilege followed? | Atlassian has an established workflow linking our HR management system and our access provisioning system. We use role based access control based on pre-defined user profiles. All user accounts must be approved by management prior to their access to data, applications, infrastructure or network components. |
|
| 6.04.01. (f) | What changes, if any, are made to administrator privileges and roles to allow for extraordinary access in the event of an emergency? | Our global support team maintains an account on all hosted systems and applications for the purposes of maintenance and support. This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system. |
|
| 6.04.01. (g) | Is there an 'administrator' role for the customer? For example, does the customer administrator have a role in adding new users (but without allowing him to change the underlying storage!)? | Atlassian provides customers with the role of 'Organization Admin' who administers users and groups for the customer's products. For more information see: https://support.atlassian.com/user-management/docs/give-users-admin-permissions/ |
Identity Provisioning | |||
|
| 6.04.02. (a) | What checks are made on the identity of user accounts at registration? Are any standards followed? For example, the e-Government Interoperability Framework?
| New Atlassian's globally are required to complete a background check. Newly hired employees as a result of an acquisition have a background check performed after the acquisition date. A criminal check is run on all new hires and independent contractors - education verification, employment verification, or credit checks are added in if the role or level of position requires it. We perform full background checks for senior executive and accounting roles. |
|
| 6.04.02. (b) | What processes are in place for de-provisioning credentials? | Our de-provisioning process currently incorporates termination of employment, contract or agreement. Users who transfer internally will generally retain their access rights in order to enable ongoing engagement and support. In order to provide a highly responsive and flexible customer focused team, in line with our company values, our focus is on detecting unauthorized use of access rather than on restricting access which may slow down our responsiveness. |
|
| 6.04.02. (c) | Are credential provisioned and de-provisioned simultaneously throughout the cloud system, or are there any risks in de-provisioning them across multiple geographically distributed locations? | Atlassian has an established workflow linking our HR management system and our access provisioning system. We use role based access control based on pre-defined user profiles. All user accounts must be approved by management prior to their access to data, applications, infrastructure or network components. |
Management of Personal Data | |||
|
| 6.04.03. (a) | What data storage and protection controls apply to the user directory (eg, AD, LDAP) and access to it? | Data is classified and handled in line with our Information Lifecycle and Data Security Policy, and controls implemented based on that. For more information, see: https://www.atlassian.com/trust/security/security-practices |
|
| 6.04.03. (b) | Is user directory data exportable in an interoperable format? | Admins can export the directory of users from the admin panel. Guides are available on Atlassian's Support site here: https://support.atlassian.com/organization-administration/docs/export-users-from-a-site/ |
|
| 6.04.03. (c) | Is need-to-know the basis for access to customer data within the cloud provider? | Atlassian maintains restriction on the personnel that need this access for their job role and responsibilities. All tier 1 systems are managed via Atlassian centralized single sign-on (SSO) and directory solution. Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system. Atlassian utilizes MFA to access all tier 1 systems. We have enabled two-factor authentication to the hypervisor management console and AWS API and a daily audit report on all access to the hypervisor management functions. Access lists to the hypervisor management console and AWS API are reviewed quarterly. We also maintain an 8-hour sync between our HR System and our Identity store.
|
Key Management | |||
|
| 6.04.04. | For keys under the control of the cloud provider: |
|
|
| 6.04.04. (a) | Are security controls in place for reading and writing those keys? For example, strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication, direct shielded access to storage, short key lifetime, etc. | Atlassian maintains Encryption & Cryptography Policies and implementation guidelines. This policy is reviewed and updated annually in line with our Policy Management Program (PMP). For more information, see: https://www.atlassian.com/trust/security/security-management-program. |
|
| 6.04.04. (b) | Are security controls in place for using those keys to sign and encrypt data? | Atlassian maintains documented Key Management procedures for our Cloud Infrastructure. Encryption keys for Amazon attachments, stored in S3, are managed by Amazon KMS. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. Master Keys within KMS, upon-creation, enable an auto-rotation to generate Master Key Material every 365 days (annually). |
|
| 6.04.04. (c) | Are procedures in place in the event of a key compromise? For example, key revocation lists. | Atlassian maintains documented Key Management procedures for our Cloud Infrastructure. Encryption keys for Amazon attachments, stored in S3, are managed by Amazon KMS. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. Atlassian-managed keys are rotated upon relevant changes of roles or employment status. AWS KMS Service is SOC 1, SOC 2, SOC 3 Compliant. For more information, see: https://aws.amazon.com/kms/ |
|
| 6.04.04. (c) | Are procedures in place in the event of a key compromise? For example, key revocation lists. | Atlassian maintains documented Key Management procedures for our Cloud Infrastructure. Encryption keys for Amazon attachments, stored in S3, are managed by Amazon KMS. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. Atlassian-managed keys are rotated upon relevant changes of roles or employment status. AWS KMS Service is SOC 1, SOC 2, SOC 3 Compliant. For more information, see: https://aws.amazon.com/kms/ |
|
| 6.04.04. (d) | Is key revocation able to deal with simultaneity issues for multiple sites? | Atlassian maintains documented Key Management procedures for our Cloud Infrastructure. Encryption keys for Amazon attachments, stored in S3, are managed by Amazon KMS. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. Atlassian-managed keys are rotated upon relevant changes of roles or employment status. AWS KMS Service is SOC 1, SOC 2, SOC 3 Compliant. For more information, see: https://aws.amazon.com/kms/ |
|
| 6.04.04. (e) | Are customer system images protected or encrypted? | Atlassian uses industry standard Transport Layer Security (“TLS”) version 1.2 to create a secure connection using 256 bit Advanced Encryption Standard (“AES”) encryption. Servers holding user data will use full disk, industry-standard AES encryption. Tenant data is encrypted within the AWS RDS or RDS backups, and is also encrypted in long term storage (S3) as well as all attachments. For more information, see: https://www.atlassian.com/trust/security/security-practices#encryption-and-key-management |
Encryption | |||
| | 6.04.05. (a) | Encryption can be used in multiple places - where is it used?
| Atlassian maintains Encryption & Cryptography Policies and implementation guidelines. This policy is reviewed and updated annually in line with our Policy Management Program (PMP). For more information, see : https://www.atlassian.com/trust/security/security-management-program . |
|
| 6.04.05. (b) | Is there a well-defined policy for what should be encrypted and what should not be encrypted? | Atlassian maintains Encryption & Cryptography Policies and implementation guidelines. This policy is reviewed and updated annually in line with our Policy Management Program (PMP). For more information, see: https://www.atlassian.com/trust/security/security-management-program. |
|
| 6.04.05. (d) | Who holds the access keys? | Atlassian uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys. |
|
| 6.04.05. (e) | How are the keys protected? | Atlassian uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys. |
Authentication | |||
|
| 6.04.06. (a) | What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc.
| We follow the guidelines outlined in NIST Special Publication 800-63B. See : https://pages.nist.gov/800-63-3/sp800-63b.html |
Credential Compromise or Theft | |||
| | 6.04.07. (a) | Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behaviours)? For example, analysis of failed and successful logins, unusual time of day, and multiple logins, etc. | Our Atlassian Cloud Platform has very little surface area that is exposed through the firewalls. We review firewall rules on a periodic basis. We have deployed IDS at our office sites and our cloud hosting environment. For the Atlassian Cloud Platform, log forwarding integrates with a Security Analytics Platform. At the Cloud Platform container level, file integrity is maintained as the instances are non-modifiable. Atlassian Network Engineering uses IPS technologies that are built into our firewalls and we have implemented IDS technologies in our office and cloud environments. DDoS capabilities are provided by our Internet Service Provider / Carrier. |
|
| 6.04.07. (b) | What provisions exist in the event of the theft of a customer's credentials (detection, revocation, evidence for actions)? | In the context of Atlassian cloud services, our customers may be responsible for some or all aspects of access management for their service users under their control.
Under this policy, Atlassian maintains a Security Incident Response plan. For more information about our Security Incident Response process, see: https://www.atlassian.com/trust/security/security-incident-management |
Identity and Access Management Systems Offered to the Cloud Customer | |||
|
| 6.04.08. | The following questions apply to the identity and access management systems which are offered by the cloud provider for use and control by the cloud customer. |
|
Identity and Access Management Systems Offered to the Cloud Customer | |||
|
| 6.04.08.01. (a) | Does the system allow for a federated IDM infrastructure which is interoperable both for high assurance (OTP systems, where required) and low assurance (eg. Username and password)? | Atlassian Access supports identity federation standards across our Atlassian Products (Confluence, Jira, Jira Align, Bitbucket, etc). Atlassian Access can automatically sync your Active Directory to Atlassian with Okta, Azure AD, or OneLogin. For more information, see: https://www.atlassian.com/enterprise/cloud/access. Specific Product SSO Setup (Generic SAML v2.0, Google, Okta, OneLogin, PingIdentity, ADFS):
|
|
| 6.04.08.01. (b) | Is the cloud provider interoperable with third party identity providers? | Atlassian customers can use their chosen third party identity provider if supported by Atlassian. An Atlassian Support page details these features and how to connect your chosen identity provider, see: https://support.atlassian.com/provisioning-users/docs/supported-identity-providers/ |
|
| 6.04.08.01. (c) | Is there the ability to incorporate single sign-on? | Atlassian supports the use of Google, Microsoft, and Apple identities for the authentication of most products. We also support SAML for our Atlassian cloud services through Atlassian Access. See: https://www.atlassian.com/enterprise/cloud/access. |
Access Control | |||
|
| 6.04.08.02. (a) | Does the client credential system allow for the separation of roles and responsibilities and for multiple domains (or a single key for multiple domains, roles and responsibilities)? | Atlassian is a multi-tenant SaaS application. Multi-tenancy is a key feature of Atlassian Cloud that enables multiple customers to share one instance of the Jira or Confluence application layer, while isolating each customer tenant’s application data. Atlassian Cloud accomplishes this through the Tenant Context Service (TCS). Every user ID is associated with exactly one tenant, which is then used to access the Atlassian Cloud applications. For more information, see : https://www.atlassian.com/trust/security/security-practices#tenant-isolation |
|
| 6.04.08.02. (b) | How do you manage access to customer system images - and ensure that the authentication and cryptographic keys are not contained within in them? | Our global support team maintains an account on all hosted systems and applications for the purposes of maintenance and support. This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system. |
Authentication | | | |
|
| 6.04.08.03. (a) | How does the cloud provider identity itself to the customer (ie, is there mutual authentication)?
| Atlassian utilizes mutual authentication to identify itself to the customer. Atlassian API documentation can be found at: https://developer.atlassian.com/cloud/. Atlassian Service Authentication Protocol (ASAP) is a service-to-service authentication protocol that utilizes access token implemented using JSON Web Token (JWT) and signed using a RSA keys from an Atlassian trusted authority. To learn more, see Atlassian Service Authentication Protocol. We don’t use traditional notions of ‘Service Accounts’, we do rely on Service-to-Service authentication and authorization. |
|
| 6.04.08.03. (b) | Do you support a federated mechanism for authentication? | Atlassian Access supports identity federation standards across our Atlassian Products (Confluence, Jira, Jira Align, Bitbucket, etc). Atlassian Access can automatically sync your Active Directory to Atlassian with Okta, Azure AD, or OneLogin. For more information, see: https://www.atlassian.com/enterprise/cloud/access. Specific Product SSO Setup (Generic SAML v2.0, Google, Okta, OneLogin, PingIdentity, ADFS):
|
Asset Management | |||
|
| 6.05. | It is important to ensure the provider maintains a current list of hardware and software (applications) assets under the cloud providers control. This enables checks that all systems have appropriate controls employed, and that systems cannot be used as a backdoor into the infrastructure. |
|
|
| 6.05. (a) | Does the provider have an automated means to inventory all assets, which facilitates their appropriate management? | Our production systems are located in infrastructure obtained through cloud service providers. These systems are not tracked at a hardware level due to the nature of the service. The underlying microservices that our products run on are tracked in a custom-built ‘Service’ database. This database is updated automatically when a service is deployed. |
|
| 6.05. (b) | Is there a list of assets that the customer has used over a specific period of time? | Atlassian is a multi-tenant SaaS application. Multi-tenancy is a key feature of Atlassian Cloud that enables multiple customers to share one instance of the Jira or Confluence application layer, while isolating each customer tenant’s application data. Atlassian Cloud accomplishes this through the Tenant Context Service (TCS). Every user ID is associated with exactly one tenant, which is then used to access the Atlassian Cloud applications. For more information, see: https://www.atlassian.com/trust/security/security-practices#tenant-isolation |
|
|
| The following questions are to be used where the end customer is deploying data that would require additional protection (i.e.. Deemed as sensitive). |
|
|
| 6.05. (c) | Are assets classified in terms of sensitivity and criticality?
| Atlassian maintains a 4-tier rating on our assets and services, with uptime, service level, and continuity requirements set per tier. For more information, see: https://www.atlassian.com/trust/security/data-management. |
Data and Services Portability | |||
|
| 6.06. | This set of questions should be considered in order to understand the risks related to vendor lock-in. |
|
|
| 6.06. (a) | Are there any documented procedures and APIs for exporting data from the cloud? | Customer data is available via Web App and API. Details for specific products are below.
|
|
| 6.06. (b) | Does the vendor provide interoperable export formats for all data stored within the cloud? | Atlassian facilitates customer requests to export their data, should it be hosted on Atlassian products. Robust data portability and data management tools for exporting product and user data is available. For more information on Atlassian Cloud data export, see our import and export documentation here: https://support.atlassian.com/security-and-access-policies/docs/track-storage-and-move-data-across-products/. |
|
| 6.06. (c) | In the case of SaaS, are the API interfaces used standardized? | Details on our Atlassian Cloud APIs can be found at: https://developer.atlassian.com/explore-the-apis/
|
|
| 6.06. (d) | Are there any provisions for exporting user-created applications in a standard format? | This is not applicable, as Atlassian operates a Software as a Service (SaaS) model. |
|
| 6.06. (e) | Are there processes for testing that data can be exported to another cloud provider - should the client wish to change provider, for example? | Atlassian facilitates customer requests to export their data, should it be hosted on Atlassian products. Robust data portability and data management tools for exporting product and user data is available. For more information on Atlassian Cloud data export, see our import and export documentation here: https://support.atlassian.com/security-and-access-policies/docs/track-storage-and-move-data-across-products/. |
|
| 6.06. (f) | Can the client perform their own data extraction to verify that the format is universal and is capable of being migrated to another cloud provider? | Atlassian facilitates customer requests to export their data, should it be hosted on Atlassian products. Robust data portability and data management tools for exporting product and user data is available. For more information on Atlassian Cloud data export, see our import and export documentation here: https://support.atlassian.com/security-and-access-policies/docs/track-storage-and-move-data-across-products/. |
Business Continuity Management | |||
|
| 6.07. | Providing continuity is important to an organization. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, there remain a number of additional considerations. |
|
|
| 6.07. (a) | Does the provider maintain a documented method that details the impact of a disruption?
| A Business Continuity and Disaster Recovery policy and Business Continuity and Disaster Recovery Plan is in place and is reviewed on an annual basis by the Business Continuity / Disaster Recovery steering committee. For more information (including in relation to RPOs, RTOs, and resiliency via the use of availability zones) see: https://www.atlassian.com/trust/security/security-practices#business-continuity-and-disaster-recovery-management and https://www.atlassian.com/trust/security/data-management. |
|
| 6.07. (b) | Has the provider categorized the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW). | All mission-critical systems, processes, or services owners ensure proper business continuity and/or disaster recovery that aligns with the tolerance for disruption in case of a disaster. BCDR plans are tested quarterly and any issues identified are addresses. For more information, see: https://www.atlassian.com/trust/security/security-practices#business-continuity-and-disaster-recovery-management and https://www.atlassian.com/trust/security/data-management. |
|
| 6.07. (c) | What dependencies relevant to the restoration process exist? Include suppliers and outsource partners. | Atlassian has a procedure for, and a log of, data restoration efforts. At high level, this is contained in our internal Backups Standard and Business Continuity and Disaster Recovery policy. However, for each Atlassian service, we have various internal documents which include runbooks, schedules and procedures for customer initiated restores and Atlassian initiated restores. |
|
| 6.07. (d) | In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site? | Our partner data centers maintain multiple compliance certifications. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Access to the data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures include: on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures. AWS physical protection assurance information can be found at: http://aws.amazon.com/compliance/ |
Incident Management and Response | |||
|
| 6.07.01. | Incident management and response is a part of business continuity management. The goal of this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization.To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident, the following questions should be asked to a cloud provider: |
|
|
| 6.07.01. (a) | Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents? | We have a documented Security Incident Response Policy and Plan, the key principles of which include:
Under this policy, Atlassian maintains a Security Incident Response plan. For more information about our Security Incident Response process, see: https://www.atlassian.com/trust/security/security-incident-management Key system logs are forwarded from each system to a centralized log platform, where logs are read-only. The Atlassian Security Team creates alerts on our Security Analytics Platform (Splunk) and monitors for indicators of compromise. Our SRE teams use the Platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup. For more on our Detections Program, see: https://www.atlassian.com/trust/security/detections-program |
|
| 6.07.01. (b) | Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider's support organization is aware of the process and of their roles during incident handling (both during the incident and post analysis)? | For our Atlassian Cloud services, Business Continuity and Disaster Recovery plans are tested at least quarterly. Multiple region availability is monitored in real time. Automated region failover tests are performed each week on pre-production environment. Automated configuration data restoration tests are performed daily on Production. All of Atlassian services perform Availability Zone resiliency test on pre-production environment every quarter. For more information on our Business Continuity program, see: https://www.atlassian.com/trust/security/security-practices#faq-d323ae61-59b8-4ddb-96d4-30716b603e3e |
|
| 6.07.01. (c) | How are the detection capabilities structured?
| Our Atlassian Cloud Platform has very little surface area that is exposed through the firewalls. We review firewall rules on a periodic basis. We have deployed IDS at our office sites and our cloud hosting environment. For the Atlassian Cloud Platform, log forwarding integrates with a Security Analytics Platform. At the Cloud Platform container level, file integrity is maintained as the instances are non-modifiable. Atlassian Network Engineering uses IPS technologies that are built into our firewalls and we have implemented IDS technologies in our office and cloud environments. DDoS capabilities are provided by our Internet Service Provider / Carrier. For more on our Detections Program, see: https://www.atlassian.com/trust/security/detections-program Key system logs are forwarded from each system to a centralized log platform, where logs are read-only. The Atlassian Security Team creates alerts on our Security Analytics Platform (Splunk) and monitors for indicators of compromise. Our SRE teams use the Platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup. Atlassian restricts ability to view and read audit logs to authorized personnel on our centralized logging platform. Atlassian maintains external reporting channels through which we may become aware of vulnerabilities or incidents, including through our Bug Bounty program, our customer support portal, and defined security email inboxes and phone numbers. Atlassian encourages customers to report any authorized access or malicious behavior. To see more: https://www.atlassian.com/trust/security/security-incident-management and https://www.atlassian.com/trust/security/security-incident-responsibilities. |
|
| 6.07.01. (d) | How are severity levels defined? | Atlassian uses Common Vulnerability Scoring System (CVSS) as a method of assessing security risk and prioritization for each discovered vulnerability. The security levels used are based on Atlassian's self-calculated CVSS score including:
For more details, including what score ranges determine severity, see: https://www.atlassian.com/trust/security/security-severity-levels. |
|
| 6.07.01. (e) | How are escalation procedures defined? When (if ever) is the cloud customer involved? | We have a documented Security Incident Response Policy and Plan, the key principles of which include:
Under this policy, Atlassian maintains a Security Incident Response plan. For more information about our Security Incident Response process, see: https://www.atlassian.com/trust/security/security-incident-management Atlassian understands how important it is for you to be notified promptly of any data breach. That is why Atlassian has built out an extensive cross-functional team and process to handle security incidents as described at: https://www.atlassian.com/trust/security/security-incident-management Atlassian has a strong track record of timely and proactive notification of incidents, and working with our customers on any necessary mitigations. Because it is critical that Atlassian's security incident response teams to immediately focus on triage and mitigation of an incident as it develops, we cannot agree to a 72 hour timeline. Instead, we offer customers notification 'without undue delay', which follows the legal requirement under GDPR for data processors, which meets the legal needs of most of our customers. Incidents can range from simple to incredibly complex, so while we can offer what is necessary under the law we cannot agree to a 'one-size fits all' timeline. |
|
| 6.07.01. (f) | How are incidents documented and evidence collected? | Jira tickets are created for tracking and remediation purposes, and due dates are assigned according to our SLO based on both severity and the source of the vulnerability. We have an on-going process to issue tickets for identified vulnerabilities to system owners, and our Security Management Team reviews any reported vulnerabilities and ensures action is taken against them. |
|
| 6.07.01. (g) | Besides authentication, accounting and audit, what other controls are in place to prevent (or minimise the impact of) malicious activity by insiders? | Atlassian has deployed IDS at our office sites and our cloud hosting environment. Log forwarding integrates with a Security Analytics Platform for the Atlassian Cloud Platform. Key system logs are forwarded from each system to a centralized log platform, where logs are read-only. The Atlassian Security Team creates alerts on our Security Analytics Platform (Splunk) and monitors for indicators of compromise. For more on our Detections Program, see: https://www.atlassian.com/trust/security/detections-program |
|
| 6.07.01. (h) | Does the provider collect incident metrics and indicators (ie,. Number of detected or reported incidents per months, number of incidents caused by the cloud provider's subcontractors and the total number of such incidents, average time to respond and to resolve, etc.)?
| At this time, we do not make our internal metrics public but we do share Post Incident Actions for Sev 0 or Sev 1 Operational Incidents on our Statuspage, see: https://status.atlassian.com/. |
|
| 6.07.01. (j) | How often does the provider test disaster recovery and business continuity plans? | For our Atlassian Cloud services, Business Continuity and Disaster Recovery plans are tested at least quarterly. Multiple region availability is monitored in real time. Automated region failover tests are performed each week on pre-production environment. Automated configuration data restoration tests are performed daily on Production. All of Atlassian services perform Availability Zone resiliency test on pre-production environment every quarter. For more information on our Business Continuity program, see: https://www.atlassian.com/trust/security/security-practices#faq-d323ae61-59b8-4ddb-96d4-30716b603e3e |
|
| 6.07.01. (k) | Does the provider collect data on the levels of satisfaction with SLAs? | We monitor all Cloud instances for performance and availability, but we do not currently offer a formal application availability SLA. Our support team provides an initial response time SLA, and while we have no official support resolution SLA our internal goal is to resolve all assigned cases within 48 hours. Atlassian displays statistics of our latest Cloud system status here: https:status.atlassian.com. |
|
| 6.07.01. (l) | Does the provider carry out help desk tests? For example:
| Atlassian provides information security training as an element of onboarding training ('Day 1') for new starters, and on an ongoing basis to all staff. |
|
| 6.07.01. (m) | Does the provider carry out penetration testing? How often? What are actually tested during the penetration test - for example, do they test the security isolation of each image to ensure it is not possible to 'break out' of one image into another and also gain access to the host infrastructure? The tests should also check to see if it is possible to gain access, via the virtual image, to the cloud providers management and support systems (e.g., example the provisioning and admin access control systems). | We maintain an internal Red Team that conducts ongoing penetration test operations of all our infrastructure, cloud services and people. |
|
| 6.07.01. (n) | Does the provider carry out vulnerability testing? How often? | Our Atlassian Security Team performs ongoing network vulnerability scans of both internal and external infrastructure using an industry-recognized vulnerability scanner on an on-going basis. For more information on our Vulnerability Management program, see: https://www.atlassian.com/trust/security/vulnerability-management. |
|
| 6.07.01. (o) | What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later versions of software, etc)? | Jira tickets are created for tracking and remediation purposes, and due dates are assigned according to our SLO based on both severity and the source of the vulnerability. We have an on-going process to issue tickets for identified vulnerabilities to system owners, and our Security Management Team reviews any reported vulnerabilities and ensures action is taken against them. |
Physical Security | |||
|
| 6.08. | As with personnel security, many of the potential issues arise because the IT infrastructure is under the control of a third party - like traditional outsourcing, the effect of a physical security breach can have an impact on multiple customers (organizations). |
|
|
| 6.08. (a) | What assurance you provide to the customer regarding the physical security of the location? Please provide examples, and any standards that are adhered to, eg,. Section 9 of ISO 27001/2. | Physical security controls in our offices are guided by our physical and environmental security policy which ensures robust physical security is implemented across our environments on premises and in the cloud. |
|
| 6.08. (a) (i) | Who, other than authorized IT personnel, has unescorted (physical) access to IT infrastructure?
| Our Atlassian offices are guided by our internal Physical and Environmental Security Policy including monitoring physical ingress and egress points. We have published excerpts of all of our internal technology operations and security policies at: https://www.atlassian.com/trust/security/ismp-policies |
|
| 6.08. (a) (ii) | How often are access rights reviewed?
| Atlassian evaluates the performance and effectiveness of its ISMS using suitable metrics. We monitor the performance of the Atlassian Trust Management System (ATMS) and the relevant controls via internal and external audit reviews. The Atlassian Compliance Team manages both our Internal / Internal Readiness Audit schedule as well as our External Audit Schedule (which are documented internally on our Audit Roadmaps page). Internal audits focus on high risk areas across Atlassian and occur on a regular basis according to predetermined schedules and according to the Enterprise Audit Schedule agreed to between the Risk and Compliance Team and the Internal Audit Team. At this time, we do not make our internal metrics public. The ATMS is assessed on an annual basis by independent third parties, and also following any significant changes. Atlassian has achieved SOC 2, ISO27001 and ISO7018 certification for each of our major cloud services. Atlassian also monitors each of the pillars of the ATMS by periodic operational review meetings including specific metrics for each. This includes weekly compliance health reviews of the ATMS and other meetings which are documented internally on our ATMS: Compliance Health Review page and our ATMS Meeting Notes page. For more information please refer to https://www.atlassian.com/trust/compliance. |
|
| 6.08. (a) (iii) | Do you assess security risks and evaluate perimeters on a regular basis?
| Atlassian evaluates the performance and effectiveness of its ISMS using suitable metrics. We monitor the performance of the Atlassian Trust Management System (ATMS) and the relevant controls via internal and external audit reviews. The Atlassian Compliance Team manages both our Internal / Internal Readiness Audit schedule as well as our External Audit Schedule (which are documented internally on our Audit Roadmaps page). Internal audits focus on high risk areas across Atlassian and occur on a regular basis according to predetermined schedules and according to the Enterprise Audit Schedule agreed to between the Risk and Compliance Team and the Internal Audit Team. At this time, we do not make our internal metrics public. The ATMS is assessed on an annual basis by independent third parties, and also following any significant changes. Atlassian has achieved SOC 2, ISO27001 and ISO7018 certification for each of our major cloud services. Atlassian also monitors each of the pillars of the ATMS by periodic operational review meetings including specific metrics for each. This includes weekly compliance health reviews of the ATMS and other meetings which are documented internally on our ATMS: Compliance Health Review page and our ATMS Meeting Notes page. For more information please refer to https://www.atlassian.com/trust/compliance. |
|
| 6.08. (a) (iv) | Do you carry out regular risk assessments which include things such as neighboring buildings? | Atlassian evaluates the performance and effectiveness of its ISMS using suitable metrics. We monitor the performance of the Atlassian Trust Management System (ATMS) and the relevant controls via internal and external audit reviews. The Atlassian Compliance Team manages both our Internal / Internal Readiness Audit schedule as well as our External Audit Schedule (which are documented internally on our Audit Roadmaps page). Internal audits focus on high risk areas across Atlassian and occur on a regular basis according to predetermined schedules and according to the Enterprise Audit Schedule agreed to between the Risk and Compliance Team and the Internal Audit Team. At this time, we do not make our internal metrics public. The ATMS is assessed on an annual basis by independent third parties, and also following any significant changes. Atlassian has achieved SOC 2, ISO27001 and ISO7018 certification for each of our major cloud services. Atlassian also monitors each of the pillars of the ATMS by periodic operational review meetings including specific metrics for each. This includes weekly compliance health reviews of the ATMS and other meetings which are documented internally on our ATMS: Compliance Health Review page and our ATMS Meeting Notes page. For more information please refer to https://www.atlassian.com/trust/compliance. |
|
| 6.08. (a) (v) | Do you control or monitor personnel (including third parties) who access secure areas? | Our Atlassian offices are guided by our internal Physical and Environmental Security Policy including monitoring physical ingress and egress points. We have published excerpts of all of our internal technology operations and security policies at: https://www.atlassian.com/trust/security/ismp-policies |
|
| 6.08. (a) (vi) | What policies or procedures do you have for loading, unloading and installing equipment? | At Atlassian office facilities, loading docks are isolated from working areas, and are monitored by CCTV and Building Staff at all times. Our data center hosting partners manage physical security, and we rely on their compliance certifications to validate the controls are effective. |
|
| 6.08. (a) (vii) | Are deliveries inspected for risks before installation? | At Atlassian office facilities, loading docks are isolated from working areas, and are monitored by CCTV and Building Staff at all times. Our data center hosting partners manage physical security, and we rely on their compliance certifications to validate the controls are effective. |
|
| 6.08. (a) (viii) | Is there an up-to-date physical inventory of items in the data center? | An excerpt of our Asset Management Policy is available in https://www.atlassian.com/trust/security/ismp-policies. Atlassian maintains an inventory of all production assets along with asset owners. All our systems are located in AWS-based data centers. Our AWS systems are not tracked at a hardware level due to the nature of the service. |
|
| 6.08. (a) (ix) | Do network cables run through public access areas?
| Our Atlassian offices are guided by our internal Physical and Environmental Security Policy including monitoring physical ingress and egress points. We have published excerpts of all of our internal technology operations and security policies at: https://www.atlassian.com/trust/security/ismp-policies |
|
| 6.08. (a) (x) | Do you regularly survey premises to look for unauthorized equipment? | An excerpt of our Asset Management Policy is available in https://www.atlassian.com/trust/security/ismp-policies. Atlassian maintains an inventory of all production assets along with asset owners. All our systems are located in AWS-based data centers. Our AWS systems are not tracked at a hardware level due to the nature of the service. |
|
| 6.08. (a) (xi) | Is there any off-site equipment?
| An excerpt of our Asset Management Policy is available in https://www.atlassian.com/trust/security/ismp-policies. Atlassian maintains an inventory of all production assets along with asset owners. All our systems are located in AWS-based data centers. Our AWS systems are not tracked at a hardware level due to the nature of the service. |
|
| 6.08. (a) (xii) | Do your personnel use portable equipment (eg,. Laptops, smart phones) which can give access to the data center?
| Our partner data centers maintain multiple compliance certifications. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Access to the data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures include: on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures. AWS physical protection assurance information can be found at: http://aws.amazon.com/compliance/ |
|
| 6.08. (a) (xiii) | What measures are in place to control access cards? | Our Atlassian offices are guided by our internal Physical and Environmental Security Policy including monitoring physical ingress and egress points. We have published excerpts of all of our internal technology operations and security policies at: https://www.atlassian.com/trust/security/ismp-policies |
|
| 6.08. (a) (xiv) | What processes or procedures are in place to destroy old media or systems when required to do so?
| Workplace Technology handles this process, equipment is sanitized and degaussed appropriately. Atlassian does not manage any physical media that supports our cloud products and services. |
|
| 6.08. (a) (xv) | What authorization processes are in place for the movement of equipment from one site to another?
| Atlassian's data center hosting partners (AWS) manage physical security, and we rely on their SOC2 to validate the controls are effective. |
|
| 6.08. (a) (xvi) | How often are equipment audits carried out to monitor for unauthorized equipment removal? | Atlassian's data center hosting partners (AWS) manage physical security, and we rely on their SOC2 to validate the controls are effective. |
|
| 6.08. (a) (xvii) | How often are checks made to ensure that the environment complies with the appropriate legal and regulatory requirements? | Our Atlassian Legal Team and Compliance Teams monitor our regulatory obligations. Please see https://www.atlassian.com/legal/ for our Legal Program. More information on our Compliance program can be found at: https://www.atlassian.com/trust/compliance. |
Environmental Controls | |||
|
| 6.09. (a) | What procedures or policies are in place to ensure that environmental issues do not cause an interruption to service? | Our Atlassian offices are guided by our internal Physical and Environmental Security Policy including monitoring physical ingress and egress points. |
|
| 6.09. (b) | What methods do you use to prevent damage from a fire, flood, earthquake, etc?
| Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (c) | Do you monitor the temperature and humidity in the data centre?
| Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (d) | Do you protect your buildings from lightening strikes?
| Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (e) | Do you have stand-alone generators in the event of a power failure?
| Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (f) | Are all utilities (electricity, water, etc) capable of supporting your environment?
| Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (g) | Is your air-conditioning capable of supporting your environment?
| Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (h) | Do you follow manufacturers recommended maintenance schedules? | Atlassian relies on our partner data hosting partners to validate their datacenter security and environmental controls. For AWS, see https://aws.amazon.com/compliance/programs. |
|
| 6.09. (i) | Do you only allow authorised maintenance or repair staff onto the site?
| Physical access to office facilities is protected by electronic badge access, business hours reception with mandatory sign-in for visitors, and CCTV at all building entry and exit points. Loading docks are monitored by CCTV and Building Staff at all times. Our data center hosting partners manage physical security, and we rely on their compliance certifications to validate the controls are effective. |
|
| 6.09. (j) | When equipment is sent away for repair, is the data cleaned from it first?
| Workplace Technology handles this process, equipment is sanitized and degaussed appropriately. Atlassian does not manage any physical media that supports our cloud products and services. |
Legal Requirements | |||
|
| 6.10. | Customers and potential customers of cloud provider services should have regard to their respective national and supra-national obligations for compliance with regulatory frameworks and ensure that any such obligations are appropriately complied with. |
|
|
| 6.10. (a) | In what country is the cloud provider located? | Atlassian has 12 offices across 8 countries, including Sydney, Amsterdam, Ankara, Boston, Bengaluru, San Francisco, Mountain View, Austin Texas, NYC, Manila, Gdansk, and Japan. For more information, see: https://www.atlassian.com/company/contact. |
|
| 6.10. (b) | Is the cloud provider's infrastructure located in the same country or in different countries? | For Atlassian Cloud, we are currently hosted within redundant AWS availability zones. For information on specific regions, see: https://www.atlassian.com/trust/reliability/infrastructure. |
|
| 6.10. (c) | Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider? | Atlassian cloud products and data are hosted on industry-leading cloud provider Amazon Web Services (AWS). Our products run on a platform as a service (PaaS) environment that is split into two main sets of infrastructure that we refer to as micros and non-micros. Jira, Confluence, Statuspage, Access, and Bitbucket run on the micros platform, while Opsgenie, and Trellow run on the non-micros platform. |
|
| 6.10. (d) | Where will the data be physically located? | Atlassian uses Amazon Web Services (AWS) in the US-Eat, US-West, Ireland, Frankfurt, Singapore, and Sydney regions (Confluence & Jira).
For more information about data residency, see: https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/. |
|
| 6.10. (e) | Will jurisdiction over the contract terms and over the data be divided? | The default governing law of Atlassian Customer Contract is California law. Please contract our Enterprise Sales Team for more details. |
|
| 6.10. (f) | Will any of the cloud provider's services be subcontracted out? | Atlassian works with third party sub-contractors to provide website, application development, hosting, maintenance, back-up, storage, virtual infrastructure, payment processing, analysis and other services. These service providers may have access to or process PII for the purpose of providing those services for us. |
|
| 6.10. (g) | Will any of the cloud provider's services be outsourced? | Where Atlassian engages any third-party suppliers we are intent on making sure those engagements do not in any way jeopardize our customers or their data. The Atlassian legal and procurement departments review contracts, SLAs, and vendor internal policies to determine whether the vendor meets requirements for security, availability, and confidentiality. For more information, see: https://www.atlassian.com/trust/security/security-practices#supplier-risk-management. |
|
| 6.10. (h) | How will the data provided by the customer and customer's customers, be collected, processed and transferred? | Atlassian processes information in a way that is compatible with the purposes for which it has been collected or subsequently authorized by the individual, and in particular, in accordance with the Atlassian External Privacy Policy. |
|
| 6.10. (i) | What happens to the data sent to the cloud provider upon termination of the contract? | Atlassian maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. Data is classified in line with our Atlassian Data Security & Information Lifecycle Policy, and controls implemented based on that. For customer data, on termination of an Atlassian contract, the data belonging to a customer team will be removed from the live production database and all file attachments uploaded directly to Atlassian will be removed within 14 days. The team’s data will remain in encrypted backups until those backups fall out of the 90-day backup retention window and are destroyed in accordance with our Atlassian data retention policy. In the event that a database restore is necessary within 90 days of a requested data deletion, the operations team will re-delete the data as soon as reasonably possible after the live production system is fully restored. For more information, see : https://support.atlassian.com/security-and-access-policies/docs/track-storage-and-move-data-across-products/ |