Everything you need to know about Atlassian Cloud's Security Compliance
Running applications and storing data on the cloud is more secure than on-premises. That's a bold statement and may seem contrary to expectations, but the fact remains that reputable cloud hosting services like Atlassian Cloud provide a level of security that organizations cannot duplicate on-premises.
Data distributed to multiple centers for redundancy, server virtualization for data backup, segmentation from user workstations, and full-time teams dedicated to patching security flaws and issues: Atlassian Cloud offers these capabilities that most organizations could not replicate on their own without budget-breaking financial and staffing resources.
Let’s explain how Atlassian Cloud literally provides the highest level of security and compliance.
Military-Grade Encryption, Data Backup and Security Standards
Whether you’re using Jira Service Management, Confluence, or another Atlassian product, Atlassian Cloud uses military-grade encryption. In the rare case that an attacker obtains data from Atlassian Cloud servers, they won’t be able to read any of it because of this level of encryption.
Military-grade encryption is AES-256, which means Advanced Encryption Standard with 256-bit keys—the standard for information security set by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department. In the U.S. Government, AES-128 is used for unclassified information, which means a key size equal to greater than 128 bits. AES-256 is used for classified information.
This level of data encryption also applies to the backup system. Atlassian Cloud’s uses the snapshot of Amazon RDS (Relational database service) to create automated daily backups of each RDS instance. Those snapshots are retained for 30 days with support for point-in-time recovery and encrypted with AES-256.
Backups are also replicated to multiple data centers within particular Amazon Web Services (AWS) regions, giving organizations confidence that their data is safe and can be restored in case of an unforeseen calamity.
Atlassian Cloud also meets security standards such as:
- System and Organization Controls (SOC) 2 and SOC 3: These are regularly refreshed third-party reports that focus on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.
- FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- Cloud Security’s Alliance Security Trust Assurance and Risk (CSA STAR) Program: CSA STAR is designed to help customers assess a cloud service provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.
- European Union General Data Protection Regulation (GDPR): The GDPR is designed to give European Union citizens more control over their data and seeks to unify several privacy and security laws under one comprehensive law. The GDPR not only applies to organizations located within the EU, but it also applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.
Protecting Personal and Health Information Through Regulatory Compliance
When customers share data with organizations, they do so with the implicit expectation that the organization does everything needed to protect their personal information, from medical records to credit card numbers. Atlassian Cloud meets several regulatory standards to protect your customers’ information.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA may be the public's most well-known regulation protecting information. Atlassian Cloud is HIPAA-compliant, so organizations that run and track clinical drug trials, develop mobile health apps or medical device software, and healthcare service providers can all run their apps and store their data with confidence.
- Payment Card Industry Data Security Standard (PCI DSS): This regulation applies to any organization that accepts, processes, stores or transmits credit care information such as cardholder data (CHD) or sensitive authentication data (SAD). This includes merchants, processors, acquirers, issuers, and service providers. PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
- International Organization for Standardization/International Electrotechnical Commission 27001: Atlassian Cloud also meets ISO/IEC 27001 specification, which is a specification for an information security management system (ISMS), the framework for an organization's information risk management processes.
Vigilant Guarding of Your Data
Beyond meeting these security standards and regulations, Atlassian physically protects your cloud data, too. Atlassian restricts access to buildings and offices to appropriate personnel and monitors all entrances and exists. Badge access is required to access any non-public area and security guards monitor in person and over closed-circuit video. Data centers require biometric identity verification measures.
Atlassian Cloud provides physical protection for your data, adherence to the highest levels of encryption and security standards, and complies with critical regulations for businesses of any type.
Not all licenses have the same security standards
It's important to start your journey by first understanding exatly what you need out of your Atlassina products. We recommend reading, "4 Questions Your Cloud Provider Should Ask Before Migrating" blog so that you know what to look for before making a decision.
Make the move to Atlassian Cloud
When you’re ready to make your move to the cloud, our team of migration experts offers complimentary migration assessments and will answer any questions you have about how your organization can gain the benefits of Atlassian Cloud security.