Is Every Jira Site Full of Scary Data? | Revyz.io

Written by Stu Lees | Jul 12, 2024 4:27:55 AM

Well, if you ask Adaptavist's Matt Doar (linkedin), enough sites are full of such data that you might start to think so. I recently watched an excellent session with Matt on the YouTube channel of prominent Jira thought-leader Alex Ortiz. I was so taken by the chat that I decided to do two things: to send Matt an email and see if I could run a webinar with him on this topic (we are waiting for the go-ahead on this), and to write up an article with some of my own insights on this very important topic.

That last bit is what you are reading here.

"All of this personal information that you've seen added to a Confluence page, customer's credit card numbers - that shouldn't be there"
- Matt Doar
Scary Data in Atlassian Tools

The core of the discussion centered on what Matt referred to as "scary data" – sensitive information that inadvertently gets stored in Atlassian tools. Examples ranged from customer credit card numbers and company secrets to legal case details and security vulnerabilities. The concern is that these pieces of information, if not properly managed, can lead to significant security breaches and privacy violations.

Real-World Examples and Their Implications

Matt shared real-world scenarios that vividly illustrated the risks:

  1. HR Data Leakage: An instance where an HR project in Jira contained new joiners' salaries, which were accessible to all employees. This highlights the need for stricter access controls and better data classification.
  2. Abuse Tracking in Social Media: A social media company used Jira to track abuse reports, which included sensitive and disturbing content. The lack of proper security measures here exposed sensitive data to internal staff who should not have had access.
  3. VIP Visitor Tracking: A Silicon Valley company tracked VIP visits, including heads of state, in Jira. The potential for this information to be exposed raised significant national security concerns.

These examples underscore the importance of understanding and managing the types of data being stored in collaborative tools. The consequences of mishandling such data can be severe, ranging from privacy breaches to national security risks.

Solutions and Best Practices

The discussion also touched on possible solutions and best practices:

  • Issue-Level Security: While Jira offers issue-level security, the capability of admins to override permissions is a significant risk. This calls for a re-evaluation of admin roles and permissions.
  • Outsourcing Admin Roles: The risks associated with outsourcing admin roles were highlighted, especially when sensitive data is involved. Organizations need to be cautious about who has access to their data.
  • HIPAA Compliance: Atlassian's progress in HIPAA compliance is a step forward, but there are still challenges in ensuring all sensitive data is properly managed.

Future Directions and Concerns

A major theme was the future direction of data security in Atlassian tools. The introduction of more granular admin permissions by Atlassian is a promising development, but it needs to be coupled with robust auditing and monitoring processes. The discussion on FedRAMP and cloud security highlighted the ongoing concerns about admin access and the need for better controls to protect sensitive information.

Training and User Awareness

Matt emphasized the importance of user training and awareness. Proper training can prevent many of the issues related to the inappropriate storage of sensitive data. Additionally, tools that detect and warn about sensitive data can play a crucial role in maintaining data security.
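As an added illustration of the kind of detection tool mentioned above (this is not code from the session or from any Atlassian product), the following Python scans the text fields of a Jira-style issue record for Luhn-valid payment card numbers and reports masked hits per field. The issue key and text are constructed; the card values are widely published test numbers.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return masked card numbers found in text; only Luhn-valid runs count."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops order ids and other digit runs that fail the checksum
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_issue(issue: Dict) -> List[Dict]:
    """Walk summary, description and comments of a Jira-style issue dict."""
    fields = {"summary": issue["fields"].get("summary") or "",
              "description": issue["fields"].get("description") or ""}
    for i, c in enumerate(issue["fields"].get("comment", {}).get("comments", [])):
        fields[f"comment[{i}]"] = c.get("body") or ""
    return [{"issue": issue["key"], "field": name, "masked": masked}
            for name, text in fields.items()
            for masked in find_card_numbers(text)]


# Constructed sample: hypothetical issue key; card values are public test numbers.
SAMPLE_ISSUE = {
    "key": "SUP-123",
    "fields": {
        "summary": "Customer refund request",
        "description": "Customer asked us to refund card 4111 1111 1111 1111 today.",
        "comment": {"comments": [
            {"body": "Order ref 1234567890123 is not a card number."},
            {"body": "Also charged on 5500-0000-0000-0004."},
        ]},
    },
}
```

Calling `scan_issue(SAMPLE_ISSUE)` reports two findings, one in the description and one in the second comment, while the 13-digit order reference is ignored because it fails the Luhn check.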

Ethical Considerations and Company Policies

Ethical considerations were another critical point. Admins and users alike need to have a high ethical standard to manage sensitive data responsibly. Companies should invest in creating and enforcing policies that define what constitutes sensitive data and how it should be handled.

My Take

Attending this session reinforced several of my views on data security in collaborative environments. The examples provided by Matt are a stark reminder of the risks involved in using powerful tools like Jira and Confluence without proper oversight and controls. While Atlassian's efforts to improve security are commendable, there is a clear need for continuous improvement and vigilance.

The balance between security and usability is a delicate one. Too much focus on security can hamper usability, while insufficient security can lead to disastrous consequences. It is crucial for organizations to find a middle ground where tools remain user-friendly but also secure enough to protect sensitive data.

In my opinion, the emphasis on user training cannot be overstated. Users are often the weakest link in the security chain, and proper training can mitigate many risks. Additionally, ethical considerations should be at the forefront of any discussion on data security. Trustworthy and well-trained employees are essential to maintaining a secure environment.

Here are two areas not covered in this interview that I think deserve to be talked about:

Data Archiving Policies and Tools

Only a month ago, I interviewed the fascinating Darin La Framboise, who has started an Atlassian Marketplace app called OpusGuard. It exists specifically to delete data from the cloud in order to protect its clients from legal risk scenarios such as legal discovery.

We all spend a lot of time protecting and securing data, and Darin is a leader in an industry that is, by design, destroying data.

Internal Data Sovereignty 

In enterprise IT land, we've all spent a great deal of time over the past decade or so navigating the sovereignty of data from the perspective of where it is kept (data residency) and who owns what (terms and conditions). But who within your organization should 'own' the data?

Historically, and like so many other things, the responsibility for the data has fallen to the IT people. The challenge with this is that IT people go to university to study how data moves as electrons between microscopic wafers of silicon and gold wire, is networked through fiber-optic cables, and is stored in massive arrays of solid state storage and RAM.

We do NOT learn much about the legal ramifications, the compliance ramifications and the brand ramifications of the wrong data ending up in the wrong place.

Conclusion

Like so many things in the world of cloud computing and how humans interact with it and store your data, I don't think that this one has a definitive conclusion. Matt and Alex raised some great points, and my feeling is that we should be talking about these points within our own companies and communities.