Top 5 Myths on Atlassian Cloud Security, Compliance and Data Residency Demystified

Atlassian experts engage in a stimulating fact-checking webinar, where they debunk persistent myths around Atlassian cloud security, compliance and adoption.

What do you think is the most cloud-antagonistic belief you have come across?

According to Gartner, persistent cloud misconceptions can slow enterprises down, impede innovation and stoke fear. Concerns around security in the Atlassian cloud have led to a number of myths becoming mainstream beliefs today. This has left CIOs, Security Heads, Compliance officers and software development teams confused about what to believe.

However, the good news is that most myths are just that—myths!

In our recent webinar, How Secure is the Atlassian Cloud? Busting Common Cloud Security Myths, Corptec invited experts from Atlassian and HYCU Inc. to set the record straight about 5 of the most prevalent myths and fears that plague Atlassian customers today. Read on to know what these myths are and whether they pass muster with our experts.

Myth 1: My data and apps will be safer and under my control if I keep them on-premises rather than on the cloud

When Atlassian customers think of data control and privacy, they immediately think of on-premise environments. This is not surprising, considering that the cloud is often perceived as ‘public’ (with good reason!). Highly regulated industries are especially sceptical, where privacy concerns often topple plans to migrate critical projects or instances to the Atlassian cloud. The perception is that since data has to be “handed over” to the cloud provider, the company will lose their ownership and control over sensitive information.

Says Asigen Dan, our Atlassian expert, in the webinar, “It is true that in an on-premise environment, customers will have greater control over their data and application landscape and feel comforted by the fact that everything is within their own network.”

“However,” he adds, “there is a trade-off. With this greater sense of control comes significant investments in time, money and technical expertise to effectively run and maintain this environment. This often puts tremendous pressure on IT teams that are already working over-capacity, and are, therefore, reactive towards identifying and responding to security threats.”

He maintains that there is a solution with the Atlassian cloud.

“With the Atlassian cloud, you will have access to a dedicated team that handles upgrades, security, maintenance and compliance requirements. This will enable your IT department to pro-actively focus more on business-critical issues. Moreover, the Atlassian cloud comes with state-of-the-art security, reliability and compliance. We have a range of programs in place (such as the Security Champions Program, Security Detection Programs and Bug Bounty Program, to name a few!) to ensure our approach to security remains wide-reaching. We also hold certifications for a variety of standards such as ISO27001, SOC2 and GDPR, and continue to invest heavily in cloud security—providing our customers with the peace of mind to operate on our platform.”

Myth 2: I cannot choose the location where my cloud data can be hosted

A common grievance among Atlassian cloud customers is that they are unaware of their data’s physical location. This puts their backs up against cloud computing and trusting cloud vendors with their data. To add fuel to the fire, they feel that the cloud could be accessible to other companies using the same service, and this might compromise their data security.

Asigen remarks, “I’m not surprised. This is a common misconception among customers that are considering cloud migration. No doubt, data residency is a key consideration for our customers due to compliance and regulatory requirements—especially customers that operate in highly regulated industries, such as finance, healthcare, or the government. For them, as well as for others, the ability to control and gain visibility over where their data is hosted is critical.”

“However, Atlassian customers on Standard, Premium or Enterprise cloud subscriptions can definitely manage where their data is hosted. Not only can they control where their in-scope product data (for Jira, Confluence, JWM or JPD) is hosted but they can also pin data points, such as issues, boards/sprint data, attachments, comments, CON pages, etc. to a specific geographical location.”

As outlined on Atlassian’s Data Residency FAQ page, customers can choose to pin their data to the following locations—the United States, Europe, Australia, Germany, Singapore or Canada.

“Over the next few months, you’ll see Atlassian doubling down on this, as we are looking to enable data residency for Brazil, India, Japan, Switzerland, the U.K. and South Korea. We’re really leaning so that our customers in these regions can comply with local requirements”, remarks Asigen.

Our other guest speaker, Bogdan Viher, Global Channel Director at HYCU—the world’s leading data protection as-a-service provider—shares his perspective on this myth.

“A very common customer question we hear is, ‘Where are my backups going to be stored?’

“HYCU is unique among Atlassian cloud backup solutions in that regard. It enables customers to plug in their own S3 storage into it, which HYCU will use for keeping backups. Therefore, copies of customer data will always be fully under their control. I sometimes call this approach data residency compliance by design!”

He adds, “Moreover, customers can further secure their backup copies by making them air-gapped and immutable. These are two security features that basically prevent ransomware access and backup corruption, thus ensuring successful recovery.”

Myth 3: Compliance is a given with the Atlassian cloud

It should be, right?

After all (most companies argue!), they have enough to manage, with hybrid cloud technologies and multi-cloud workflows becoming the norm in most industries. And as their business scales, companies find that they have new standards to comply with, which makes compliance overwhelming. The least they expect from their cloud provider, therefore, is that it does the heavy lifting!

“Of course,” says Asigen, “isn’t this one of the benefits of moving to the Atlassian cloud—to be able to leverage the certifications that we attained?”

“As you can imagine, being a cloud-first company, cloud security is critically important for Atlassian. To ensure that our customers can operate in a secure environment, Atlassian has invested heavily in attaining and remaining compliant with a range of different standards. Some of these include:

  • ISO/IEC 27001 – for industry standards and security management best practices
  • SOC2 – for achieving key compliance controls and objectives
  • GDPR – information privacy regulations for customers in the EMEA region
  • PCI DSS – network security and business best practices for payment card information
  • HIPAA – for the highly regulated healthcare industry
  • FedRAMP – security and risk assessment by US federal agencies”

For a full list of Atlassian compliance certifications, visit the Atlassian Compliance Resource Centre.

Asigen continues, “Atlassian’s certifications are ever-evolving. And by moving to the Atlassian cloud, we ensure that your systems and environments are compliant with the relevant standards listed before. However, we view this to be a partnership—so, it is up to you as our customers, to manage the data, the users and user accounts within your organisation, to ensure that you are using our products in a compliant manner.”

“Also, different industries and regions may have different compliance requirements. We, therefore, recommend that our customers conduct their own due diligence to ensure that Atlassian has attained the certifications relevant to their purposes.”

Bogdan summarizes, “What do IT organisations typically need to be compliant?

  • Develop and maintain plans that include risk assessments, continuity strategies, and recovery procedures.  
  • Regularly test and update plans to keep them effective.  
  • Implement redundancy and backup solutions for critical IT systems and data.  
  • Train employees on relevant procedures and how they should act in a data loss incident.  
  • Document and report compliance efforts to regulatory bodies.”

Myth 4: I could risk losing important data while migrating my instances to the Atlassian cloud

That would be a total nightmare! It is a major fear that holds businesses back from adopting the cloud, despite its myriad benefits.

Of course, cloud storage providers would surely ensure that data is not lost during migration—as they would then end up losing both their customers and their reputation in the process.

But sometimes, data loss could be more complicated than that, and may not necessarily be due to cloud migration itself. Being aware of how and why data loss could occur is the first step any organisation worried about their data security should take.

Addressing this ‘data loss during cloud migration’ myth, Asigen says, “I can understand this being a point of concern for our customers moving into the cloud. Migrating to the Atlassian cloud can be complex—considering the sheer size of data being migrated, the large ecosystem of marketplace applications, and the addition of custom workflows or automation.”

“But to help ease the migration journey and alleviate customer concerns, Atlassian has developed several migration tools to provide visibility into the migration process. The most notable among these are:

Both JCMA and CCMA will enable customers to:

  • Assess their current marketplace app landscape  
  • Gain visibility into what data gets migrated, and how (all at once or selectively)  
  • Access pre-migration checks, reports and error logs  
  • Monitor the migration progress

We also advise customers to view cloud migration as a spring-cleaning opportunity for their environment. However, we do recommend working with Atlassian-approved partners such as Corptec, who will not only simplify the whole migration process and provide end-to-end hands-on support but will also help you avoid data loss or a cloud migration failure.”

Alert: Support for Atlassian server products will end on February 15, 2024! Atlassian and Marketplace Partners will no longer offer technical support, security updates, or bug fixes for vulnerabilities. Take Corptec’s support in migrating to the cloud today!


Myth 5: It is Atlassian’s responsibility to back up my cloud data and apps

As a valued Atlassian customer, shouldn’t Atlassian recover your data in case of a data loss incident?

You’re not alone in thinking that. An internal survey among our customers revealed that this was probably the biggest myth they accepted as fact, without a second thought.

In fact, most customers sincerely believed that there is no need to worry about backing up their data. “If data is deleted,” they say, “Atlassian will recover them for me!”

“It is easy to understand why,” remarks Bogdan. “Customers believe that if Atlassian is providing them the service and committing to 99.99% uptime, then why wouldn’t they back up or recover their data?”

“It’s a fair point,” Asigen agrees. “And Atlassian does operate a comprehensive backup program. However, these are system-level backups used for the purpose of disaster recovery and business continuity in the event of a major disruption that impacts the availability of our cloud products. As a result, when data is lost due to customer-initiated destructive changes (whether accidental or malicious), Atlassian would not be able to recover said data.”

Bogdan shares, “The common misunderstanding is that Atlassian will perform system-level disaster recovery operations and backups in case of a hardware failure, ransomware attack, etc. But, it’s virtually impossible for Atlassian to perform granular restores of one of their tenants. In fact, this is plainly stated in their Shared Responsibility Model—‘To avoid data loss, we recommend making regular backups’.

And this is where cloud data backup solutions come into the picture.”

He continues, “In essence—and we very often see this—most cloud vendors tend to offer a full export of customer’s data. On top of these exports, you can potentially develop a home-grown Atlassian Cloud Export solution. But such solutions will always have some inherent limitations. For example: 

  • Backup frequency: The backup cadence is limited (for instance, with Atlassian cloud export, it is once every 48 hours).
  • Recovery: The recovery operation is typically all or nothing. When you perform an import, you restore the state as it was at the time of the export and all changes that have been performed in the meantime are lost. 
  • Managing exports: You need to tag exported files and protect exported data against ransomware attacks.
  • Consistency: People need to perform exports regularly and verify whether they are working correctly every now and then. 
  • Completing exports: Some data you may not be able to export—a good example is Assets in JSM.”

Bogdan now shares an interesting perspective, “Now, if we look beyond Atlassian, another challenge with this approach is how do you protect 20 other business-critical SaaS applications? The above ‘one application at a time’ approach does not scale and is also not reliable and flexible enough!”

Asigen explains, “So this comes back to the ‘Shared Responsibilities Model’ Bogdan mentioned earlier, as it defines the responsibilities between SaaS vendors like Atlassian and their customers. Atlassian is responsible for ensuring the security, compliance and reliability of the applications, the systems they run on and the environment those systems are hosted within. And our customers are responsible for managing the data within our products and the users who can access them.”

He cites an example, “I was recently working with a public sector customer who is required by law to maintain records for 7 years. Atlassian has 250,000 customers worldwide, so maintaining backups for all our customers is not feasible. However, for this customer, they are able to export their data and manage its storage internally to mitigate the risk of destructive changes in production.”

Bogdan continues, “Organisations should be aware that they are responsible for everything—for the availability, performance and security of their business applications and data—whether on-premises or on the cloud. Therefore, deploying a data protection solution or backup is never a question—it is a mandatory practice.”

“With SaaS, although it is highly unlikely that a hardware failure will result in any data loss (due to built-in redundancy), other reasons such as accidental deletions, malicious users, scripting or add-on bugs as well as cyberattacks can cause data loss. So, to avoid lost productivity, downtime and reputational damage, a strong data protection solution needs to be put in place to enable quick and flexible recovery.”

Elaborating on how HYCU can ensure protection against data loss and enable restoration, Bogdan says, “HYCU addresses such data and SaaS backup challenges and enables many other use-cases. We can ensure:

  • Fully automated backups that run 24×7
  • Ransomware-proof backups
  • One-click granular restores across the Atlassian Cloud, as well as other SaaS apps
  • Simple integration with the company’s ITSM tool
  • Options for customers to plug their own storage into HYCU for backups, thus enabling data residency, long-term data retention and security compliance”

He continues, “HYCU is constantly exploring different data mobility use-cases across the entire data protection landscape that we cover with our solutions. For example, we can easily migrate VMs (virtual machines) from on-premises to the public cloud and back while maintaining consistency of hosted applications. This also helps us implement very interesting Disaster Recovery scenarios.”

Commenting on SaaS protection, Bogdan remarks, “Besides Atlassian Cloud apps, HYCU enables you to protect virtually any other SaaS application as well. And if you’re under the impression that your company does not use more than 3 SaaS applications, HYCU can discover and show you how many SaaS applications your company is really using. You may be surprised!”

Busting Common Cloud Security Myths—A Corptec Webinar

“How Secure is the Atlassian Cloud? Busting Common Cloud Security Myths”—presented by Corptec Technology Partners, in association with Atlassian and HYCU Inc., went live on October 26, 2023. After listening to a staggering number of misconceptions that held many customers back from making a pro-cloud decision, we felt that there was a need to address such myths on a larger scale and separate fact from fiction once and for all.

And we are happy to note that the webinar was a resounding success! Our webinar audience included Atlassian customers from IT companies and from highly regulated industries, as well as those considering migrating to the Atlassian cloud.

Our experts endeavoured to devote sufficient time to address the top 5 myths around data protection and backup in the Atlassian cloud and allay the fears of those belonging to highly regulated industries about data residency and cloud compliance in Atlassian. The 45-minute webinar ended with a live Q&A session, where our speakers addressed audience questions on Atlassian cloud security, backup, migration, and performance.

Eager to tune in to the recorded session and find out what those questions were? Watch the webinar replay now:

Free Atlassian License Audit & Optimization

At Corptec, we recommend conducting the following licensing audits on a quarterly basis to help keep your Atlassian costs under control. A hygiene report is a detailed instance-by-instance audit of your organisation’s usage of Atlassian licenses, based on your projects and configurations. It helps you review your license usage by documenting the exact number of product licenses being used and analysing if there are redundant licenses being paid for.


With these reports, you can identify issues or areas of improvement, and our consultants can provide suggestions for a clean-up activity after the audits. More importantly, with these audits, Corptec can help you save more on your Atlassian licenses.

In fact, we recently helped a Fintech giant reduce their expenses on their Jira subscription by a whopping 60%—from around USD 1.6 million down to only USD 600,000!

Would you like to explore similar savings with us? Request a free assessment today

About Corptec Technology Partners

As a certified Atlassian Gold Solution and Implementation Partner since 2018, Corptec Technology Partners has helped organizations across Australia move to the Atlassian cloud in a scalable and flexible way. We offer our customers a wide range of consulting services, training support, and customised solutions to help them extend the power of their Atlassian products. Our solution consultants come with extensive knowledge and experience dealing with Atlassian product suites, and can help you overcome any cloud challenge, regardless of the project size.

If you are interested in learning how Corptec can help you empower your business with Atlassian solutions, request a consultation today!
