As Atlassian continues to help customers transition to the cloud, it has made its own internal commitment to ensure the products it delivers to market have trust "baked" into them.
"Our philosophy is that there's no point your data should be accessed other than by your users in the context of your application, and that you should have an understanding of what's happening," Atlassian CISO Adrian Ludwig said on Tuesday during Atlassian Open 2019 in Sydney.
"It shouldn't be accessed by tech support [or] by engineers. There's a whole list of potential things that you might be thinking about … [and] they're the kind of things we think about. How do we bake operational environment into a trust model?"
While the company has made certain efforts over the years, such as by launching its public bug bounty program and an incident response hub for software and information technology teams called Jira Ops, Ludwig admitted there's still a lot of work to do.
"We have an internal commitment -- that we're making more and more explicit -- to have our entire security program, our control framework, what metrics we use, and how we're tracking them, to make much of that as we possibly can public. Over time we've been expanding it. But we think we can make it completely public and there's no reason why we can't do that," he said.
"The worst that can be said is, 'Hey you're making a mistake here', and we just improve it, which is really what we're hoping for.
"We're investing a lot in enhancing our controls and we're constantly hiring, which is the form of enhancement that we're making. We're also trying to understand more and more of the types of use cases that exist out there."
He added that the company has also been working on gaining greater third-party security validations, with work currently underway to achieve Federal Risk and Authorisation Management Program (FedRAMP) compliance for a subset of Atlassian services.
"It's not enough to just build a good system if nobody trusts it. If customers don't realise those features exist, the customers aren't confident they have implemented it correctly and done the work to validate it correctly," he said.
One of Atlassian's motivations to build trust, according to Ludwig, is that more customers now understand that cloud is more secure than on-premises.
"Cloud is one of the most underappreciated forms of simplification because it takes away a lot of complexity," he said.
"You don't have to worry about what box is on. You don't have to worry about making sure what operating system it is. You don't have to worry about patching. There's all of this complexity associated with managing your own application that ultimately cloud makes go away.
"It ends up being a huge improvement in security and in improving that complexity by moving to the cloud."
These commitments come off the back of Atlassian falling victim to some recent attacks.
In May, Trend Micro uncovered a security vulnerability that was present in Confluence Server and Confluence Data Center. The bug enabled Confluence systems to be exploited in a campaign that focused on mining Monero.
Meanwhile, last year a bug was found in Atlassian's software, including Jira and Confluence, which resulted in the exposure of private server keys of major companies, such as a TV network, a UK cell giant, and one US government agency.