The Atlassian ecosystem provides thousands of companies with the ability to collaborate remotely through powerful, feature-rich SaaS applications like Jira. As such tools become the norm across companies, big and small, the amount of sensitive information stored in these systems will increase. This means that organizations need to prioritize minimizing the risk of exposure within cloud environments.
Read this online guide, for free, to learn how project management applications like Jira, Confluence, and Asana can increase the exposure risk for sensitive data like PHI, PII, passwords, and other secrets, and how you can mitigate this risk.
Why is Jira at risk for data leakage?
SaaS applications like Jira allow for collaboration between a multitude of users. However, this high volume of activity, combined with the always-on nature of SaaS systems, can increase the risk that data security best practices aren’t followed. This can result in PII, credentials, secrets, and other sensitive information being exposed to the wrong parties.
Out of the box, SaaS applications like Jira lack functionality to address this issue, meaning:
- Organizations must rely on processes, policies, and procedures to regulate how employees handle sensitive information in their SaaS environments.
- They must remediate instances of data exposure that have already occurred (e.g. an API key stored in plaintext) or identify incidents where sensitive data is being shared in real time.
- The only way to accomplish this is to maintain the appropriate level of visibility within your SaaS environments, in order to keep track of where sensitive data might be and to prevent employees from sharing it, intentionally or otherwise.
What data security risks does Jira introduce?
Issues, which are the central type of content within Jira, can contain sensitive information inside of text fields or file attachments.
- A given Jira instance may have hundreds of issues managed across dozens of projects, making it difficult to ensure that sensitive details like API keys in code, customer PII, or other business-critical data remain protected from inappropriate or unauthorized access.
- The need to identify sensitive data in Jira often arises from a business change, such as merging or separating business units, and the subsequent data cleanup.
- Security leaders should also be aware of their specific industry requirements for compliance, and ensure data security standards are met within Jira — for example, HIPAA compliance may require that protected health information (PHI) is secured within Jira.
What types of data are at risk of exposure in Jira issues?
Credentials & secrets are most frequently exposed in Jira, due to its common use in Agile development projects for product and engineering teams. However, other types of unexpected sensitive data have been identified in Jira by customers using Nightfall. These include:
- API keys & access tokens for third-party services, e.g. AWS, Stripe, Twilio, etc.
- Cryptographic keys (SSH, PGP, etc.)
- Certificates (SSL, TLS, etc.)
- Passwords and login credentials
- Database credentials
- UUIDs, cookies, etc.
- Credit card numbers
- Customer PII
Examples of data exposure within Jira Cloud
Within the Atlassian ecosystem, misconfigured permissions have left sensitive content viewable over the open internet. For example:
- In 2019, a researcher found hundreds of public-facing Jira instances among Fortune 500 companies and government agencies.
- In a sample of 5,000 Jira Software Cloud sites, there were 273 Jira sites with publicly viewable issues and 1,214 Confluence sites with publicly viewable spaces.
What is data loss prevention in Jira?
Data loss prevention is an access control that ensures confidential information is kept on a need-to-know basis. DLP does this by:
- Scanning for content within messages and files to determine whether an unauthorized disclosure of business-critical information has occurred.
- Providing automated remediation on the basis of your established data security policies.
- Providing alerts and analytics that help organizations understand risk and employee behavior over time.
How does DLP for Jira work?
DLP helps organizations:
- Discover sensitive data within designated environments.
- Classify data on the basis of predefined token types, like PHI, PII, and other industry standard sensitive data types.
- Protect data with manual or automated redaction, quarantine, or deletion of offending content.
Why is data loss prevention (DLP) essential for protecting data in Jira?
Aside from Nightfall, there are no mature cloud-native DLP products for Jira. Atlassian does not have a native DLP product, and many CASBs cannot support Atlassian apps. With Nightfall, users can:
- Flexibly configure multiple different DLP policies, and apply them to particular locations within Jira, leading to a prioritized and optimized DLP approach, with reduced false positives and noise.
- Create multiple detection rules that specify whether data is deemed sensitive on its own or only in combination with other data. This provides granular control over the organization's unique definition of what constitutes sensitive data, further reducing false positives and noisy alerts.
What is Nightfall DLP?
Nightfall is a platform to discover, classify and protect sensitive data across cloud SaaS & cloud infrastructure.
- Nightfall supports compliance efforts with a number of industry standards like PCI DSS, GDPR, HIPAA, CCPA, and much more.
- Nightfall works by continuously monitoring data flowing in and out of data silos and classifying that data with machine learning. Data marked as sensitive can be automatically quarantined, deleted, and redacted with workflows.
- Nightfall integrates with Jira via OAuth 2.0, meaning you can get started immediately. Integrate in seconds, then tell Nightfall which projects should be scanned in real time for API keys, encryption keys, passwords, and more.
What are the key features of Nightfall DLP for Jira?
- Setup in minutes. Quickly and easily connect Nightfall to your Jira in minutes with our out-of-the-box integration.
- Apply different detection rules to every Project. Discover sensitive data across all Jira projects. Different rules can be applied to different Jira projects, allowing you to have further control over when and where Nightfall detects specific types of sensitive data.
- Fully customize your scans. Configure granular Detection Rules and set confidence levels within the Nightfall dashboard to determine which data is considered sensitive, either standalone or in combination with other data. Build flexible data detection policies based on custom data detectors (e.g. regexes & word lists) and multiple policies to target your DLP scans to certain locations or timeframes.
- Detail-rich notifications. Context-rich notifications allow you to see exactly when and where violations occur. Receive notifications in Slack, email, or to a SIEM via webhook. From each alert you can manually redact or delete violations and notify offending users. Alternatively, leverage Nightfall workflows to automate remediation.
- Dozens of machine-learning detectors. Nightfall’s robust detection engine leverages dozens of detectors, including our proprietary machine-learning trained detectors, to detect a wide range of sensitive content types such as standard PII (names, ID numbers, financial information, and addresses), credentials & secrets, custom regexes & word lists, and more.
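The ideas in the two sections above, per-project policies, rules that fire only when several detectors match together, confidence thresholds, custom regex detectors, redaction and a SIEM-ready alert payload, can be seen in a small scanner. The code below is an added, illustrative example written for this guide; it is not Nightfall's detection engine or the Jira API. The detector regexes, the confidence values, the project keys (OPS, HR) and the issue texts are all constructed assumptions, and the AWS key strings are the placeholder values from AWS's own documentation.

```python
"""Toy DLP scan of Jira issue text: per-project policies, standalone and
combination detection rules with confidence thresholds, and redaction.
Illustrative only; not Nightfall's engine and not the Atlassian API."""
import json
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Detector:
    name: str
    pattern: re.Pattern
    confidence: float  # assumed prior that a match is a true positive


@dataclass(frozen=True)
class Rule:
    name: str
    detectors: tuple  # every listed detector must match in the same issue
    min_confidence: float


@dataclass(frozen=True)
class Finding:
    issue_key: str
    rule: str
    detector: str
    confidence: float
    start: int
    end: int


# Hypothetical detector library; confidences are illustrative, not measured.
DETECTORS = {d.name: d for d in [
    Detector("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.95),
    # 40-char token: too generic to report alone, meaningful next to a key ID
    Detector("aws_secret_key", re.compile(r"\b[A-Za-z0-9/+]{40}\b"), 0.4),
    # "password" keyword followed by an 8+ char value containing a digit or symbol
    Detector("password_value", re.compile(
        r"(?i)\bpass(?:word|wd)?\s*[:=]?\s*(?=\S*[\d!@#$%^&*])(\S{8,})"), 0.7),
    Detector("username_value", re.compile(
        r"(?i)\b(?:user(?:name)?|login)\s*[:=]?\s*(\S+)"), 0.2),
    Detector("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 0.5),
    Detector("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 0.6),
]}

# Per-project policies: engineering projects look for secrets, HR projects for PII.
POLICIES = {
    "OPS": [
        Rule("standalone_secret", ("aws_access_key_id",), 0.9),
        Rule("aws_credential_pair", ("aws_access_key_id", "aws_secret_key"), 0.6),
        Rule("db_credentials", ("username_value", "password_value"), 0.6),
    ],
    "HR": [
        Rule("pii", ("us_ssn",), 0.6),
        Rule("contact_pii", ("email",), 0.5),
    ],
}

# Constructed sample issues (not real tickets or real secrets).
SAMPLE_ISSUES = {
    "OPS-101": "Deploy fails with AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "OPS-102": "Customer asked about this ticket. Contact: jane@example.com, no password shared.",
    "OPS-103": "Staging DB: username admin password Hunter2_staging! host db.internal",
    "OPS-104": "Retro notes: the word password appears in our style guide, nothing sensitive.",
    "HR-7": "New hire onboarding: SSN 123-45-6789, personal email sam@example.org",
}


def combined_confidence(confidences):
    """One detector: its own confidence. Several: noisy-OR, so weak signals
    reinforce each other (a deliberate simplification for the example)."""
    if len(confidences) == 1:
        return confidences[0]
    miss = 1.0
    for c in confidences:
        miss *= 1.0 - c
    return 1.0 - miss


def scan_issue(project_key, issue_key, text):
    """Apply the project's rules; unknown projects have no rules and yield nothing."""
    findings = []
    for rule in POLICIES.get(project_key, []):
        matches = {n: list(DETECTORS[n].pattern.finditer(text)) for n in rule.detectors}
        if not all(matches.values()):
            continue  # combination rule: every detector must fire in this issue
        conf = combined_confidence([DETECTORS[n].confidence for n in rule.detectors])
        if conf < rule.min_confidence:
            continue
        for name, ms in matches.items():
            for m in ms:
                g = m.lastindex or 0  # flag only the captured value when there is one
                findings.append(Finding(issue_key, rule.name, name, round(conf, 3),
                                        m.start(g), m.end(g)))
    return findings


def redact(text, findings):
    """Replace each flagged span with a placeholder, right to left so offsets hold."""
    spans = sorted({(f.start, f.end, f.detector) for f in findings}, reverse=True)
    for start, end, name in spans:
        text = text[:start] + f"[REDACTED:{name}]" + text[end:]
    return text


def alert_payload(findings):
    """JSON body a webhook could post to a SIEM; carries offsets, never the values."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    for key, body in SAMPLE_ISSUES.items():
        found = scan_issue(key.split("-")[0], key, body)
        print(key, sorted({f.rule for f in found}), "->", redact(body, found))
```

Running the script shows the noise-reduction effect the text describes: OPS-104 mentions the word "password" but yields nothing because no value follows it, OPS-102 contains an email address but the OPS policy does not treat email as sensitive, and the 40-character token in OPS-101 is reported only because an AWS access key ID sits beside it.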
Does DLP detect files too?
- Nightfall supports a broad set of file types including but not limited to xls/xlsx, doc/docx, csv, plain text, ppt/pptx, PDF, HTML, and more.