Why is Atlassian focusing on security enhancements?
In today's digitally-driven world, where cyber threats are becoming increasingly sophisticated, companies must acknowledge the paramount importance of prioritizing new security features in their products. The repercussions of neglecting product security can be dire, tarnishing a company's reputation, compromising customer trust, and incurring significant financial losses.
If you take a look at the Atlassian Roadmap at the moment, you’ll see a lot of security enhancements coming to the cloud platform. While it is always important to continue providing better security enhancements to the platform, the vast majority of users do not see these benefits and it can very quickly look like new functionality is being pushed to the wayside.
There is a very fine line that all companies need to walk between new functionality to please the masses and the much-needed platform improvements that companies rely on in order to even use the applications.
So why are Atlassian focusing on security improvements?
It is no surprise that Atlassian has been focusing on their cloud platform ever since the announcement of Server's end (and before, in my eyes). But while a lot of us can make use of their SaaS application, there are still a lot of their customers who, due to regulations or current security requirements, cannot touch it, no matter how much Atlassian wish they could.
Why do a lot of businesses see it as a blocker?
Unfortunately in this day and age, security standards are a necessity to help keep both companies & individuals safe from exposure. The better the security of the application the more the company can trust and therefore use it.
With certain industries having higher requirements than others, businesses are not going to open themselves to legal action or possible attacks if the platform does not meet ALL components required.
This can be as simple as data residency or regulatory body compliance like HIPAA or FedRAMP. Without these requirements met, the company simply will not use the cloud product.
Governments and regulatory bodies across the globe have recognized the escalating risks of cyber threats, promulgating stringent regulations to protect consumers and their data. Companies that prioritize new security features in their products demonstrate a commitment to compliance and adherence to legal obligations, mitigating the risk of penalties and legal ramifications.
Who are they targeting with these updates?
With this in mind, Atlassian are doing everything they can to remove the barriers for entry to cloud. Atlassian is investing in the security features around data residency, regulatory body compliance and proactive functionality that helps reduce attack vectors.
Companies are always looking for better proactive measures over anything else. The more the company can do upfront to reduce the number of open attack vectors, the better.
While a lot of their current cloud users, including me, are looking forward to seeing the updates hit their sites, the big target for them is those that simply cannot use the platform without them. With the EOL of Server fast approaching, Atlassian want to get these features in so migrations can happen before February 2024.
Where do I see this going?
Atlassian will continue to invest in security, not only because customers need to keep feeling that the platform is secure and reliable, but also to remove all barriers of entry for the cloud product.
It is incredibly clear Atlassian are a cloud-first company. Almost all new functionality goes into the cloud product first. In order to continue increasing the customer base, Atlassian need to remove all barriers so all industries and companies can now use it.
What are the large security improvements coming?
API access restrictions
This new functionality will allow admins to block API requests being made by certain Atlassian accounts. API tokens will be able to be made by managed accounts to and from certain products.
EXTERNAL USER SECURITY MANAGEMENT - just hit general availability
Currently, the only way of ensuring a level of security for your users is to manage them. However, we often find ourselves working with third parties on a regular basis, and onboarding every single user is time-consuming and not really a viable option. Luckily, Atlassian did recognise this (after a lot of feedback). External user security now allows controls like 2FA or, soon, SSO to be enforced on unmanaged users, helping to keep company data safe. This will launch at first with only the 2FA control, with SSO joining in the latter part of 2023.
MORE DATA RESIDENCY LOCATIONS
Data residency is key to so many regulatory requirements and therefore to a lot of businesses. Back in February (Unleash in Berlin), Atlassian stated, “it was their mission to remove any and all barriers to moving to cloud”. With this in mind, further data residency locations were announced. Taking a look back at the roadmap, we can see four additional locations:
Singapore
Canada
UK
Japan
I imagine this is not the last we have heard around data residency.
BRING YOUR OWN KEYS - SECURITY
Depending on your regulations, you may find yourself wishing for cloud, but because you don’t manage the encryption it’s kind of a no-go. Well, that is changing. Atlassian announced that the BYOK early access programme for Jira will be here very soon, with Confluence following in the latter half of the year. You will have the ability to control the encryption key in your own AWS key storage, so you feel more secure over who sees that data and how it is used.
DATA SECURITY POLICIES & CLASSIFICATIONS COMING TO ATLASSIAN
The new data security policies allow us admins to restrict apps, anonymous users etc. from gaining access to specific content that we define. You first select the coverage for the rules: which spaces, projects etc. they apply to. Then you define what you want to do with this policy using the rules section. Atlassian also mentioned during this talk that this is JUST THE START for new DLP abilities. Coming in 2024, they want to expand the offering to full classifications of data. Admins will be able to set tags for different types of data (credit cards, passwords etc.). These will then display at the top of the page so all users can see the level being defined. These can be set manually by users or by third-party DLP tools. Once set, additional controls can then be placed onto the page for additional security.
This has just started to come through into my own ecosystem at work. While at the moment it is limited, it is early days and this is something I am personally very excited for as an admin.
BEACON, THE NEW POINT-A PRODUCT INTO BETA
I have been lucky enough to be using Beacon since pre-Alpha. Essentially, it is Atlassian’s answer to the much-needed question: what is actually going on, and do I need to be aware? Beacon is a proactive security scanning tool built for your Atlassian ecosystem. It gives security analysts and admins an opportunity to deal with events that previously would have gone under the radar. Today Beacon was announced as a Beta product through the Point-A programme. While this product is fairly new, and I’m sure has a lot of growth to come, it is already showing huge potential in the available triggers and in the functionality available once an alert has gone off.
In essence, it is not surprising Atlassian is focusing on security improvements. Removing all barriers to the cloud ensures a large pool of customers and a more secure future for their company. The new security features coming, however, are incredibly exciting for companies and admins who are tasked with keeping their systems running the best they can.