Many companies have recognized the benefits of a flexible and scalable infrastructure in the cloud. However, while the cloud undoubtedly offers numerous efficiency gains and cost savings, there is often a widespread misconception: the assumption that the responsibility for security, backup, and recovery automatically falls on the cloud provider. The Shared Responsibility Model is at the heart of this misunderstanding and is crucial for understanding the security landscape in the cloud. It defines the shared responsibility between SaaS providers and their customers for data security and protection in the cloud.
In this article, we take a closer look at the Shared Responsibility Model. This concept is applied by all SaaS providers, including Telekom, Microsoft, and AWS. We will specifically address the role of Atlassian and its customers and highlight best practices that can help meet the respective responsibilities.
What is the Shared Responsibility Model?
Atlassian has made the security, compliance, and reliability of its applications and underlying systems and their hosting environment a top priority in its Cloud products. This focus supports the mission to be a leader in cloud security, meet all customer cloud security requirements, and exceed all industry security standards and certifications.
Nevertheless, additional security and privacy measures are needed – on the part of the customers. In this context, the term Shared Responsibility Model plays an important role.
The Shared Responsibility Model refers to the concept that both the SaaS provider and the customer share responsibility for the security of data and systems in the cloud environment. It defines the respective responsibilities and duties regarding security, privacy, and compliance. Thus, it forms the backbone for a trustworthy collaboration.
Contrary to the widespread belief that SaaS providers bear sole responsibility, both sides – customer and provider – are responsible for working together to ensure the confidentiality, integrity, and availability of data in their SaaS environments.
In summary, the provider – in our case, Atlassian – is responsible for the security of the infrastructure, the physical security of the data centers, and the availability of the services. On the other hand, the customer is responsible for the security of their data, compliance with standards, and control over access to the systems.
By understanding and fulfilling their roles, both Atlassian and its cloud customers can minimize the risk of security incidents and data loss. Shared responsibility allows both parties to focus on ensuring the secure and reliable use of SaaS services.
Atlassian's responsibilities under the Shared Responsibility Model
According to the Shared Responsibility Model, Atlassian, as a SaaS provider, is committed to providing a secure and trusted platform where customers can store and manage their data. Atlassian is responsible for the infrastructure's security, service availability, and implementing security measures to protect customer data.
Atlassian's responsibilities under the Shared Responsibility Model include:
1. Provision of secure infrastructure
Atlassian is responsible for providing a robust and highly available infrastructure that meets data protection and security standards. This includes implementing firewalls, encryption technologies, and other security measures to protect against unauthorized access and data loss.
2. Regular security updates and maintenance
Atlassian performs regular security updates and maintenance to ensure its platforms are protected against known vulnerabilities and weaknesses. This includes monitoring and analyzing security incidents and responding promptly to potential threats.
3. Compliance with privacy and compliance standards
Atlassian commits to complying with applicable data protection laws and compliance guidelines – including ISO 27001/27018, SOC2, GDPR, PCI DSS, DSGVO, and BaFin – to ensure the confidentiality of customer data. This also includes supporting compliance with industry-specific regulations and standards.
4. Transparency and customer communication
Atlassian informs its customers transparently about security incidents, privacy policies, and platform changes. Customers receive regular updates and reports on security measures as well as recommendations for improving their data security.
All of Atlassian's responsibilities, roles, and obligations can be found in the Cloud Security Shared Responsibility Model.
Customer responsibilities under the Shared Responsibility Model
Atlassian Cloud customers also bear several responsibilities under the Shared Responsibility Model to ensure that their data and the use of the products are secure and protected.
These include:
1. Security configuration and access control
Customers are responsible for securely configuring their Atlassian instances and controlling access to sensitive data and functions. This includes implementing strong password policies, managing user permissions, and monitoring access to their systems.
2. Data protection and compliance
Customers must ensure that their use of Atlassian products complies with applicable data protection laws and compliance standards. This includes adhering to policies like the General Data Protection Regulation (GDPR) and industry-specific regulations when processing personal data.
3. Regular security reviews and audits
It is recommended to conduct regular security reviews and audits to identify and address potential security gaps. This includes reviewing system configurations, analyzing logs, and conducting penetration tests to ensure resilience against attacks.
4. User training and awareness
Customers should inform their users about best security practices and policies and conduct training on the secure use of Atlassian products. This helps minimize the risk of security incidents due to human error.
Best practices for effective shared responsibility
To ensure effective collaboration according to the Shared Responsibility Model and ensure the security and integrity of data in Atlassian products, customers and providers should implement best practices. Here are some proven methods:
1. Evaluate the suitability of the SaaS solution
Before choosing to use cloud-based platforms, customers should evaluate whether their SaaS applications are the right solution for their business based on the information provided by the provider.
2. Regular data backups
Regular backups can protect businesses' data from unforeseen events such as hardware failures, human errors, or ransomware attacks, and other cyber threats, maintaining their daily operations. If data is lost or damaged, it can be quickly restored from backups. Many industries and regulations require companies to retain and protect data for a certain period. For comprehensive and automated data backup, we recommend the following apps from our partners:
- Data Manager for Jira by Revyz: allows manual exports and scripts with automated daily backups for reliable Jira data recovery.
- Backups for Jira Cloud by GitProtect.io by Xopero Software: Optimizes and automates data protection and recovery of Jira data to ensure uninterrupted project management.
- Backups for Jira or Confluence by Rewind: allows automated backups and flexible recovery of Jira and Confluence data in the cloud.
- HYCU for Jira, Jira Service Management, or Confluence: provides automated backups and granular recovery, security, and compliance, as well as ransomware protection.
3. Clear communication and agreements
Customers and providers should establish clear communication channels and agreements that clearly define their respective responsibilities and expectations. This includes defining Service Level Agreements (SLAs), escalation processes, and points of contact for security issues. For example, Atlassian offers a financially backed SLA for 99.9% availability in its Jira and Confluence Premium plans, while the Enterprise plans include a financially backed SLA for 99.95% availability.
4. Regular review and update of policies
Customers should regularly review and update their security policies and procedures to keep pace with changing compliance requirements. This also includes reviewing and adjusting access controls and permissions.
5. Training and awareness
Customers should regularly train and raise awareness among their employees to ensure they understand the importance of security and follow best practices. The training should cover recognizing phishing attacks, secure password procedures, and handling sensitive data.
6. Implementation of security measures
It’s best for customers to proactively implement security measures to protect their Atlassian instances. They should use multi-factor authentication, encrypt data at rest and in transit, and monitor system behavior for anomalies.
7. Collaboration and partnership
Customers and providers should work closely together and act as partners to identify, investigate, and resolve security incidents. This includes jointly analyzing security events, collaborating on creating security patches, and continuously improving security practices.
Summary
In the Shared Responsibility Model, both SaaS providers like Atlassian and SaaS customers share responsibility for the security and protection of data stored in the products. Atlassian provides the platform and infrastructure where the data is hosted. The software vendor continuously invests in the security of its platforms and implements security measures to protect its customers' data. At the same time, customers are encouraged to implement and maintain best practices for securing their data. They are responsible for secure configuration, access protection, and data management.
Or, as Atlassian puts it: "When it comes to reliability, security, privacy and compliance of the Atlassian Cloud, we are on the same team, and we both have important roles to play. We bring our strong team of security professionals working day and night to ensure security is built into our products, to monitor for potential risks and attacks, and to respond rapidly when they’re identified. We need you to help by establishing the effectiveness of your user access management, being conscious of the information you enter, making sure your endpoints are well managed, and verifying all Marketplace apps are appropriate and trustworthy.”
Useful Links on Data Security
For additional information on security and shared responsibility, we recommend the following pages:
