Collaboration and compliance in Atlassian – how data discovery tools protect sensitive data and IP in a dynamic work environment

The number of organisations using collaboration tools worldwide is steadily growing, and it is easy to see why. Collaboration tools provide a highly flexible environment where diverse teams from software development through to IT, HR and marketing are adapting it for their own use.  Creating and organising documentation, defining projects and collaborating in teams across the organisation.  Each company is using collaboration in its own specific way.

But, even with the best of intentions and security policies in place, companies are finding it harder to manage data security and handle data security requests when data is spread across the business in collaboration software.

Collaborative applications are helping to improve the productivity of companies worldwide but, at the same time, they also present a security challenge.  With the relentless rise in cyber security attacks, and the high financial and reputational damage that they can cause, protecting sensitive data has never been more important. But for IT teams and data protection officers, it is difficult to track and protect sensitive data in an unstructured collaborative environment, when the number of pages and spaces being set up can run into thousands (according to Atlassian, one company has 10,000,000+ pages on one instance, for example) and the types of sensitive information range from personally identifiable customer information, through to source code and security audits held in Atlassian Confluence, Jira and Bitbucket.

In this blog, we take a look at how data discovery tools can help reduce the burden of managing data security in a dynamic collaborative environment.  We’ll look at how data discovery tools can be used in different industries that have specific needs for protecting sensitive data and regulations that they need to adhere to. All are using Atlassian Suite solutions.

How data discovery tools can help 

In short, data discovery tools give you the ability to see and understand the sensitive and high value data you have (visualisation), so that you can build policies to secure the data and take necessary steps to secure it (remediation). These are basic steps that are needed for any company to be able to ensure compliance with data privacy regulations (such as GDPR, HIPAA, CCPA etc.), stop insider threats to data security (whether intentional or not), and, in general, improve employee knowledge of data security policies and awareness of how to handle sensitive data. Ensuring you have the right data discovery tools, with the power to track structured and unstructured data within collaborative solutions is a must.

Types of sensitive data that might be held in the Atlassian Confluence, Jira and Bitbucket

First of all, let’s take a look at some of the information that might be stored across your Atlassian products.  It isn’t just a case of customer data held in customer service applications alone.

Examples of the types of information held in Atlassian Confluence:

• Customer data and personally identifiable information (PII), patient or insured’s healthcare information. Sensitive data which needs to comply with regulations, such as – GDPR, HIPAA, PCI, SOX, CCPA etc.
• Legal documents or contracts.
• Confidential business information, such as strategic plans, internal policies and processes, and company records.
• Financial information including details about company finances, budgeting and billing information.
• Intellectual property, such as product design documents.

When project managing and tracking issues are being handled other types of sensitive information might be held in Atlassian Jira:

• Customer data, in support of customer service or support, queries and issues, which may contain sensitive information in the form of names, email addresses, phone numbers and other personal details of employees, customers or clients.
• Financial data for project budgeting and resource allocation.
• Intellectual Property, such as product development, design documents and proprietary algorithms.
• IT security information, such as vulnerability reports, security incidents and audit logs.

In Bitbucket, a web-based repository for source code and development projects, the key areas of concern around sensitive data are:

• Source code, which can be proprietary and contain intellectual property, making it highly sensitive.
• Credentials and API keys. Sometimes developers might inadvertently include these and other sensitive access tokens within source code or configuration files.
• Configuration files, containing sensitive information about the infrastructure setup and database configurations that could be exploited if exposed.
• Technical documentation including details of system architectures.
• PII which may have been used inadvertently as test data or examples embedded in the code or documentation might contain PII.
• Financial information if the repository is related to financial applications or systems, including code or data handling financial transactions or sensitive financial data.
• Security related information, such as security mechanisms, algorithms or vulnerabilities found and fixed in the code.
• Future development plans, features or innovative concepts.

Ensure sensitive data security across the Atlassian Suite with data discovery tools

A data discovery tool, like SecurEnvoy Data Discovery, will help you with the process of trawling through all those pages and documents using automation, rather than time-consuming manual processes.  You will be able to:

1. Identify and classify sensitive data accurately.
2. Develop a clear data classification policy.
3. Monitor use of sensitive data.
4. Set up an audit trail with alerts when sensitive data is detected
5. Track any changes to ensure remediation of sensitive data.

Data discovery tools are also a must when you are moving to the cloud.  If you are currently on Atlassian Server and will be making the move to the cloud in 2024, you can analyse all the sensitive data you hold before you make the transition. This will ensure that only the data you need to migrate is included, protecting your data and saving space in the process.

How different organisations can use data discovery tools for Atlassian Confluence

Every company is different, but the regulations each industry needs to comply with stay pretty much the same.  Let’s take a look at how players in some key industries are taking care of their sensitive data with data discovery tools.

• Large Healthcare Provider

A large healthcare provider uses Atlassian Confluence as a central platform for documenting clinical protocols, internal policies and patient care projects, regularly collaborating on patient treatment methods, research data.  They also share patient case studies for educational purposes.

Under HIPAA, the organisation must ensure that all Protected Health Information (PHI) is securely handled and access strictly controlled.  Patient information, such as names, medical records or insurance details may be inadvertently included in Confluence pages, attachments or comments.

Manual monitoring of such vast amounts of data for HIPAA compliance is impractical and error-prone, so the healthcare provider uses SecurEnvoy Data Discovery to automatically scan and identify instances of PHI.  The tool is configured to recognise various forms of PHI, such as patient identifiers or specific medical terminology which may be indicative of sensitive information.

How SecurEnvoy data discovery tools assist with HIPAA compliance:

1. Automated Detection of PHI: The tool continuously scans all Confluence content, reducing the risk of unnoticed PHI exposure.
2. Immediate Notification: When PHI is detected in an inappropriate location or without proper security controls, the page owner is immediately notified.
3. Prompt Remediation: The tool’s notification enables immediate action, either to remove the PHI, anonymise it, or apply appropriate access restrictions.
4. Access Control Enforcement: If remediation actions are not taken promptly, the tool can automatically restrict access to the content, thereby preventing unauthorised PHI access.
5. Audit Trails: The tool maintains logs of detected PHI and actions taken, aiding in compliance audits and investigations.

By using SecurEnvoy’s Sensitive Data Discovery in this way, the healthcare organisation can maintain a high compliance standard with HIPAA, ensuring both the security of patient information and the integrity of their internal processes.

• Multi-branch retail chain

A retail chain has multiple branches using Atlassian Confluence as a collaborative platform for a range of purposes, including managing marketing strategies, internal policies and employee training materials. The business frequently deals with credit card transactions and stores related information for billing, customer service and promotional activities.

To comply with PCI DSS the retail chain must safeguard all credit card information, ensuring that it is not improperly stored or exposed. Given the large number of pages and documents on Confluence, there is a risk of credit card details being inadvertently saved or shared in an unsecured manner, so the retail chain implements data discovery tools to systematically scan and identify instances of credit card information within their Confluence workspace.

How SecurEnvoy data discovery tools assist with PCI compliance:

1. Automated Identification of Cardholder Data: The tool continuously scans for credit card numbers, CVV codes, and other sensitive data associated with credit card transactions.
2. Immediate Alerts: When sensitive credit card data is found in an inappropriate location, the page owner is automatically alerted.
3. Proactive Data Remediation: These alerts prompt the responsible individuals to either remove the sensitive data, anonymise it, or apply correct security controls.
4. Enforced Access Restrictions: If the required remediation is not actioned in a timely manner, the tool can be configured to restrict access to the content, minimising the risk of unauthorised access.
5. Compliance Documentation: The tool logs all detections and actions, creating an audit trail that is essential for PCI DSS compliance reporting.

By using SecurEnvoy Data Discovery, the retail organisation can significantly reduce the risk of credit card data breaches. The automated system ensures that cardholder data is managed and stored appropriately, streamlining the process of maintaining compliance which is crucial for an organisation with a large and dynamic Atlassian Confluence environment.

• International insurance company

An international insurance company uses Atlassian Confluence to manage client policies, internal training documents and various types of personal data. The company deals with a large amount of personal data from EU citizens, including sensitive information such as health records, financial details and personal identifiers.

Under GDPR the company is required to handle personal data with stringent privacy and security measures. With vast amounts of data in Confluence, including client information, this poses a risk and manual monitoring of GDPR-sensitive data across numerous Confluence pages and spaces is inefficient and prone to errors.  With SecurEnvoy’s data discovery tool, the company can automatically scan for GDPR-related sensitive data.

How SecurEnvoy data discovery tools help with GDPR compliance:

1. Automated Detection of Personal Data: The tool scans for various types of personal data as defined under GDPR, like names, contact details, and other identifiers.
2. Immediate Notification: If personal data that might not comply with GDPR is detected, the page owner is alerted for immediate review.
3. Prompt Remediation and Data Minimisation: These alerts enable timely actions to either remove, anonymise, or properly secure the personal data, adhering to GDPR’s data minimisation principle.
4. Access Control and Data Protection by Design: If remediation is not undertaken promptly, access restrictions can be applied automatically to mitigate unauthorised data exposure.
5. Audit Trail for Compliance: The tool provides a log of all detected instances and actions taken, essential for GDPR compliance documentation and audits.

With SecurEnvoy Data Discovery tools the insurance company can maintain compliance continuously, ensuring the correct handling of personal data across Confluence to align with the strict privacy standards of GDPR.

Read how an international bank reduced their costs by 93% with SecurEnvoy Data Discovery >

Benefits of using SecurEnvoy Data Discovery for Atlassian

With SecurEnvoy Data Discovery, we’ve seen how companies and organisations can:

• Ensure sensitive personal data and company information is not exposed to insider threats and that IP is properly secured.
• Educate users on data sensitivity, in case they inadvertently mishandle sensitive data due to lack of awareness or understanding.
• Prevent accidental or intentional sharing of sensitive information outside of the intended audience.
• Stay on top of insider threats and ensure continuous data security awareness of employees

For the Atlassian Suite of products, SecurEnvoy data discovery tools offer a quick and easy to use automated solution to data discovery and remediation of data security issues with some key features:

• User Remediation – automated alerts and audit trails.
• Permission Management – the ability to remove permissions and control access to data, defer actions.
• Scanning controls – depth and intensity of scanning can be adjusted.
• Integration with other data streams for centralised dashboard management and enhanced audit capabilities – feeding into syslog, for example

SecurEnvoy Data Discovery for Atlassian, provides seamless integration across the Atlassian Suite, with comprehensive monitoring and real-time scanning across Confluence, Jira and Bitbucket, along with full support for server, data centre and cloud deployments.

Trial for SecurEnvoy for free today >

Category: Industry Research

Data Discovery / Healthcare / Retail

Adam Bruce, CRO, SecurEnvoy

Adam’s career spans over twenty years, starting with a technical specialisation in Networking and Security. This start provided a sound technical understanding of Cyber Security and gave the foundation for twenty years in commercial sales. Adam’s experience includes over seven years operating within a high-profile Cyber Security VAR, working with household names across a wide range of sectors. Adam joined SecurEnvoy in 2005, as the first sales hire, with a hand in both End User Sales and Channel Development. The fifteen year SecurEnvoy journey has resulted in Adam successfully building out and leading the commercial operations and strategy. He has risen through many roles within the business at SecurEnvoy, culminating as Chief Revenue Officer.