Well, if you ask Adaptavist's Matt Doar, a lot of sites are full of exactly the kind of stuff that might make you start to think this way. I recently watched this excellent session with Matt on the YouTube channel of prominent Jira thought-leader Alex Ortiz. I was so taken by the chat that I decided to do two things: to send Matt an email to see whether I could run a webinar with him on this topic (we are waiting for the go-ahead on this), and to write up an article adding some of my own insights on this very important topic.
That last bit is what you are reading here.
"All of this personal information that you've seen added to a Confluence page, customer's credit card numbers - that shouldn't be there"
Matt Doar
The core of the discussion centered on what Matt referred to as "scary data" – sensitive information that inadvertently gets stored in Atlassian tools. Examples ranged from customer credit card numbers and company secrets to legal case details and security vulnerabilities. The concern is that these pieces of information, if not properly managed, can lead to significant security breaches and privacy violations.
Matt shared real-world scenarios that vividly illustrated the risks:
These examples underscore the importance of understanding and managing the types of data being stored in collaborative tools. The consequences of mishandling such data can be severe, ranging from privacy breaches to national security risks.
The discussion also touched on possible solutions and best practices:
A major theme was the future direction of data security in Atlassian tools. The introduction of more granular admin permissions by Atlassian is a promising development, but it needs to be coupled with robust auditing and monitoring processes. The discussion on FedRAMP and cloud security highlighted the ongoing concerns about admin access and the need for better controls to protect sensitive information.
Matt emphasized the importance of user training and awareness. Proper training can prevent many of the issues related to the inappropriate storage of sensitive data. Additionally, tools that detect and warn about sensitive data can play a crucial role in maintaining data security.
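As an added illustration of the kind of detection tooling Matt alludes to (this is example code written for this article, not from the session, from Atlassian or from any Marketplace app), the scanner below walks constructed Confluence-style page text line by line, picks out runs of digits that could be payment card numbers, confirms each candidate with the Luhn check to cut false positives such as order references, and reports only the last four digits so the finding itself does not re-expose the number. The page body and page id are constructed sample values.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: true for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so a report does not leak the PAN again."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    page_id: str
    line_no: int
    masked: str


def scan_page(page_id: str, body: str) -> list[Finding]:
    """Return one Finding per Luhn-valid card number found in the page body."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(page_id, line_no, mask_pan(digits)))
    return findings


# Constructed sample page: one real-looking test card (4111... is a well-known
# Luhn-valid test number) and one order reference that is 16 digits but fails Luhn.
SAMPLE_PAGE = """h1. Customer escalation notes
Contact: jane.doe@example.com, ticket SUP-4821
Card on file: 4111 1111 1111 1111 (exp 12/26)
Internal order ref: 1234 5678 9012 3456
"""


def demo() -> list[Finding]:
    return scan_page("98765", SAMPLE_PAGE)
```

Run against an export of a space, a scanner like this gives admins a list of pages to review without anyone having to read the raw numbers.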
Ethical considerations were another critical point. Admins and users alike need to have a high ethical standard to manage sensitive data responsibly. Companies should invest in creating and enforcing policies that define what constitutes sensitive data and how it should be handled.
Attending this session reinforced several of my views on data security in collaborative environments. The examples provided by Matt are a stark reminder of the risks involved in using powerful tools like Jira and Confluence without proper oversight and controls. While Atlassian's efforts to improve security are commendable, there is a clear need for continuous improvement and vigilance.
The balance between security and usability is a delicate one. Too much focus on security can hamper usability, while insufficient security can lead to disastrous consequences. It is crucial for organizations to find a middle ground where tools remain user-friendly but also secure enough to protect sensitive data.
In my opinion, the emphasis on user training cannot be overstated. Users are often the weakest link in the security chain, and proper training can mitigate many risks. Additionally, ethical considerations should be at the forefront of any discussion on data security. Trustworthy and well-trained employees are essential to maintaining a secure environment.
Here are two areas not covered in this interview that I think deserve to be talked about:
Only a month ago, I interviewed the fascinating Darin La Framboise, who has founded OpusGuard, an Atlassian Marketplace app vendor that exists specifically to delete data from the cloud in order to protect its clients from legal risk scenarios such as legal discovery.
We all spend a lot of time protecting and securing data, and Darin is a leader in an industry that, by design, destroys data.
In enterprise IT land, we've all spent a great deal of time over the past decade or so navigating the sovereignty of data from the perspective of where it is kept (data residency) and who owns what (terms and conditions). But who within your organization should 'own' the data?
Historically, and like so many other things, responsibility for the data has fallen to the IT people. The challenge with this is that IT people go to university to study how data moves as electrons across microscopic wafers of silicon and gold wire, travels through fiber-optic cables, and is stored in massive arrays of solid state storage and RAM.
We do NOT learn much about the legal ramifications, the compliance ramifications and the brand ramifications of the wrong data ending up in the wrong place.
Like so many things in the world of cloud computing and how humans interact with it and store data, I don't think that this one has a definitive conclusion. Matt and Alex raised some great points, and my feeling is that we should be talking about these points within our own companies and communities.