This document summarizes the answers to a security questionnaire about Atlassian Cloud.
Compliance
Evaluation Content | Question | Answer | Remark |
---|---|---|---|
ISO 27001 / SOC certification status | Has the organization obtained ISO 27001 and SOC information security certifications? | O | We post all compliance and certifications to our website: https://compliance.atlassian.com/ To read more about our Compliance Framework, see: https://www.atlassian.com/trust/compliance/common-controls-framework |
Data storage location (region) | In which region is the SaaS data stored? | O | Our production systems for Jira and Confluence are hosted in AWS regions (US East). For more information, see: https://www.atlassian.com/trust/reliability/infrastructure At this time, most customers cannot define which jurisdictions their data travels through. We have optimized for latency, and your data will be housed in the region closest to your users. We offer data residency for our Enterprise, Premium and Standard Cloud customers. For more information, please see: https://www.atlassian.com/enterprise/cloud. |
 | Are critical servers kept in different network zones in the DC/CP? | O | Our partner data centers are SOC 2 compliant. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Access to the data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures include: on-premises security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures. AWS maintains multiple certifications for the protection of their data centers. AWS physical protection assurance information can be found at: http://aws.amazon.com/compliance/ Our Atlassian offices are guided by our internal Physical and Environmental |
 | What measures have been prepared against targeted DDoS attacks? | O | Network threat protection is performed by AWS, including DDoS protection and some Web Application Firewall features. |
 | Do remote users enter a separately defined network zone? | O | For network access we use a centralized LDAP-enabled directory implementing role-based access control based on defined profiles. Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system. Internal production network access rules are maintained using explicitly designated Security Groups within AWS VPC environments. There is an Access Control Policy, and its implementation is reviewed every 3 months. |
 | Is there an application-layer firewall to protect against web attacks? | O | We use a third-party HTTP proxy product for our cloud public edge and have implemented L7 HTTP security rules on it (the functionality is essentially the same as a WAF). |
 | Is there a policy to deny communication with known malicious IP addresses? | | Yes, we block incoming requests from known malicious actors on the Internet. |
 | Are IPS/IDS/firewall logs sent to a SIEM for analysis? | | Currently, the Atlassian Security Team merges data from various logging sources in our Centralized Logging Platform. All logs are reviewed within our SIEM platform (Splunk). |
 | Is VPN access granted based upon a remote access policy? What is your policy? | O | Atlassian has an established workflow linking our HR management system and our access provisioning system. We use role-based access control based on pre-defined user profiles. All user accounts must be Our SRE team maintains an account on all hosted systems and applications for the purposes of This support team accesses hosted applications and data only for purposes of application health The SRE team performs logical access reviews for the mission-critical systems monthly. Disabling a single VPN account removes all production access. Additional authentication mechanisms are also in place and are required for access to production systems. |
 | What is the process upon a breach, and how are customers notified? | O | Atlassian understands how important it is for you to be notified promptly of any data breach. That is why Atlassian has built out an extensive cross-functional team and process to handle security incidents, as described at: https://www.atlassian.com/trust/security/security-incidentmanagement Atlassian has a strong track record of timely and proactive notification of incidents, and of working with our customers on any necessary mitigations. Because it is critical that Atlassian's security incident response teams immediately focus on triage and mitigation of an incident as it develops, we cannot agree to a 72-hour timeline. Instead, we offer customers notification 'without undue delay', which follows the legal requirement. Incidents can range from simple to incredibly complex, so while we can offer what is necessary under the law, we cannot agree to a 'one-size-fits-all' timeline. |
Data flow diagram, including data transfer methods | Has the "data (service) flow diagram sheet" been completed? | O | A high-level data flow diagram can be found at: https://confluence.atlassian.com/cloud/atlassian-cloudarchitecture-973494795.html |
Data retention period | Is the retention period for stored data specified? | O | Atlassian maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. For customer data, on termination of an Atlassian contract, the data belonging to a customer team will be removed from the live production database, and all file attachments uploaded directly to Atlassian will be removed within 14 days. The team's data will remain in encrypted backups until those backups fall out of the 90-day backup retention window and are destroyed in accordance with our Atlassian data retention policy. In the event that a database restore is necessary within 90 days of a requested data deletion, the Data is classified in line with our Atlassian Data Security & Information Lifecycle Policy, and controls are implemented based on that. |
Data transfer, destruction method, and destruction verification | Are the transfer method, destruction method, and destruction verification method for stored data specified? | O | For customer data, on termination of an Atlassian contract, the data belonging to a customer team will be removed from the live production database, and all file attachments uploaded directly to Atlassian will be removed within 14 days. The team's data will remain in encrypted backups until those backups fall out of the 90-day backup retention window and are destroyed in accordance with our Atlassian data retention policy. |
 | Web/application/DB and others: how and where is the data stored? | O | Our Jira and Confluence Cloud products are available in the US-East and US-West regions of AWS, the AWS Ireland region, the AWS Frankfurt region, the AWS Sydney region and the AWS Singapore region. Data is homed in the region closest to the majority of your users upon sign-up. For more information, see: We offer data residency for our Enterprise, Premium and Standard Cloud customers. For more information, please see: |
Disaster Recovery
Evaluation Content | Question | Answer | Remark |
---|---|---|---|
Measures to ensure stability and availability | Are there measures to ensure the safety and availability of the service network (resources)? | O | |
 | How many DR sites exist? | | A minimum of two data center availability zones within each AWS Region. |
 | What are the locations? Please be specific. | | See the Compliance item. |
 | Any DR sites outside of the U.S.? | | For our Atlassian Cloud services, Disaster Recovery plans are tested at least quarterly. Multi-region availability is monitored in real time. Automated region failover tests are performed each week on the pre-production environment. Automated configuration data restoration tests are performed daily on Production. All Atlassian services perform an Availability Zone resiliency test on the pre-production environment every quarter. For more information on our Business Continuity program, |
 | Do you have a 1:1 mirror or a scaled-down version of the primary site as DR? | | We maintain a minimum of two data center availability zones within each AWS Region. We do not have 'cold DR sites'. |
 | Do you have a DR strategy? | | Atlassian's DR/BCP documents are considered internal and are not externally published. See: https://www.atlassian.com/trust/security/securitypractices#faqd323ae61-59b8-4ddb-96d4-30716b603e3e and https://www.atlassian.com/trust/security/data-management. |