Confluence security review

Serviceteam IT Security News
Does the SaaS provider protect external data in transit using TLS?

Yes

Atlassian uses TLS 1.2 and Perfect Forward Secrecy to protect external data.

Does the SaaS provider protect external data in transit using correctly configured certificates?

Yes

Atlassian meets the Recommended cryptographic profiles for TLS as published by the NCSC. In addition, the Confluence domains currently get an ‘A’ rating from Qualys SSL Labs. Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.

Does the SaaS provider protect internal data in transit between services using encryption?

Yes

In Atlassian’s Consensus Assessment Initiative Questionnaire (CAIQ), they state that the Atlassian Cloud Platform uses SSH for data and images transported between networks.

Does the SaaS provider protect internal data in transit between services using correctly configured certificates? 

Unknown

At this time, it is unknown whether Atlassian protects internal data in transit using correctly configured certificates.

If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?

Yes 

Confluence allows Basic access authentication and JWT for all its API REST calls.

If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?

Yes 

Confluence has a number of different roles within a site structure. If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?

No

At the present time, Confluence does not provide multi-factor authentication.

Does the SaaS provider collect logs of events?

Types of log may include security logs and resource logs

Yes

Atlassian provide an audit log from the service which keep a record of important events, such as changes to global permissions. Does the provider make logs available to the client?

Unknown

At this time, it is unknown whether Atlassian provide logs to the client.

Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?

The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.

Yes

Atlassian indicate on their CAIQ that they have a clear incident response and patching system for all their services. They also have a responsible disclosure program. Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions) ? Yes Atlassian’s CAIQ is available to view and they have published a list of Trust FAQs.

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News In the den with the dragons
Serviceteam IT Security News Microsoft Reveals Which Bugs It Won’t Patch
Serviceteam IT Security News Student discovers security flaw in Virgin Media recruitment system
Serviceteam IT Security News How do you retaliate against a WhatsApp attack? | James O’Malley
Serviceteam IT Security News Crooks Switch from Ransomware to Cryptocurrency Mining
Serviceteam IT Security News GoScanSSH Malware Targets SSH Servers, But Avoids Military and .GOV Systems