The World Health Organization officially declared COVID-19 a pandemic on March 11, 2020, once it became apparent that the virus was spreading in multiple countries concurrently. The uncertainty around COVID-19 drastically and rapidly shifted the global professional landscape in an unprecedented way, creating what CNN called “the world’s biggest work-from-home experiment”. That experiment could take the roughly 70% of global office employees who, by some estimates, already work remotely at least part of the time to new heights.
But the speed of experimentation often comes along with risks that are difficult to evaluate.
How many managers thought it was perfectly fine to hold the daily company meeting over Zoom, until uninvited visitors started “bombing” those sessions? In a way we can feel lucky that the hole was exposed so blatantly: there is even a “war dialer” that automatically discovers Zoom meetings not protected by a password. At least the risk is known by now, and the fix (a password and a waiting room on every meeting) is straightforward.
While literally thousands of corporations have mandated work from home during this pandemic, many of them have neither the policies nor the infrastructure in place to maintain an acceptable level of enterprise security without sacrificing the efficiency of their remote employees.
So here is a quick guide on how to get up to speed with the security capabilities of technology giants like Atlassian, Google or Cisco, not to mention smaller remote-native companies like Automattic (the company behind WordPress.com), GitLab or Zapier, to name just a few.
Since the topic has many possible ramifications, we’ll be focusing on actionable recommendations to address security vulnerabilities of the Atlassian stack.
Understanding Security with Atlassian Products
Every Atlassian tool contains sensitive information: Confluence is a repository of internal knowledge, often including strategic plans and business KPIs; Jira tracks new products and features waiting to be released; and Bitbucket holds the source code. Customers typically protect this information against internal dissemination with NDAs signed by employees, contractors and partners; but how well is it protected from outsiders?
The answer is that it depends. For starters, it depends on the type of hosting. Traditionally, on-premises installations of Atlassian products have been regarded as more secure: they can be placed behind a firewall or even run fully offline, an extreme that can be an advantage for classified projects. Cloud environments, by contrast, rely on constant transmission over HTTPS and, although encrypted in transit, are obviously more exposed than the corporate bunker.
So what happens when an entire workforce must leave the premises and work from their home offices over their personal Wi-Fi networks? Again, it depends. If the Atlassian products are hosted in the cloud, at a very high level not much changes: we were already looking at an entirely online, decentralized network.
But if the products are self-hosted, the change is radical: where there used to be a closed system, there is now a perimeter pierced by thousands of external connections, typically arriving through a VPN or a reverse proxy that is exposed to the internet.
While useful also to users of Atlassian cloud, the following recommendations are aimed specifically at helping customers of Server or Data Center deployments transition to this new standard of work.
#1 Create (and Document) a Culture of Remote Security
While cybersecurity might bore most employees, it is important to communicate effectively that every enterprise is only as secure as its weakest link. Intruders need only one bad password (or one insecure transmission of a good password) to get in, and once inside they are far harder to detect and contain than they were to keep out.
A library of authorized and secure resources is one good way to start building awareness and security best practices. Make sure to include easy-to-read tips, guidelines and basic do’s and don’ts, and to refer to the library across different messages and channels: we all know that the secret of a successful Confluence page lies in its usage as much as in its content.
This tactic has little overhead, and it helps fight shadow IT by sending a clear message that everyday decisions, like choosing to use a new cloud application, can have serious security implications and should not be taken lightly.
#2 Minimize The Number of Passwords
In addition to the tools typically used on site, remote employees need access to more and more cloud products like Zoom, Slack, Microsoft Teams or Miro to replicate the kind of collaboration and responsiveness that exists in office environments. The risks grow in proportion: the more scattered accounts there are, the less secure enterprise assets become, particularly since a high percentage of employees reuse one memorable, and usually weak, password to log in everywhere.
The good news is that bad password habits can be eradicated for every app that supports single sign-on.
The idea behind single sign-on is disarmingly simple: instead of a separate password for every tool, users authenticate once against a central identity provider such as G Suite or Microsoft Azure AD, which then vouches for them to any number of compatible applications, all governed from one place. Sometimes the only login employees ever see is the one into the operating system of their corporate device.
But what is usually seen as a user-experience feature has tremendous advantages in terms of security:
it is easier to maintain (and even remember) one great password, protected by multi-factor authentication at the identity provider, than to keep separate, secure passwords for potentially hundreds of applications; and when someone leaves the company, disabling that one account cuts off access to all of them at once.
Our Single Sign-On apps are available across the Atlassian product suite.
#3 Synchronize Logout
Would you like a master key that opens all your doors but cannot lock them when you are out? That is roughly the problem you have when you implement an SSO solution that does not support Single Logout. When preventing account hijacking, or actively fighting it, Single Logout (SLO) is not a nice-to-have: it is the mechanism that lets a user end every session at once when they are done, and that lets a systems administrator who spots unusual activity, and has serious reasons to believe the account at the enterprise identity provider may be compromised, terminate all of that user’s sessions across the stack. Logging out only at the identity provider, or only at Jira, leaves the other sessions alive until they expire.
See how simple it is to implement SLO in our SAML Single Sign-On apps.
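To make the master-key analogy concrete, here is an added example (not code from this article or from resolution’s apps) that models the bookkeeping behind SAML Single Logout. It leaves out XML, signatures and HTTP bindings, which a real SAML library handles, and keeps only the part that decides whether a logout propagates: the identity provider remembers which service providers a session was used at, and each service provider can find its local session by the SessionIndex the IdP placed in the assertion. The names “jira”, “confluence” and “alice” are constructed for the demo.

```python
"""Toy model of SAML Single Logout (SLO) state. Hypothetical example code;
no XML, signatures or HTTP bindings (assumed to be handled by a SAML library)."""
import secrets


class ServiceProvider:
    """One SAML service provider, e.g. a Jira or Confluence instance."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # SessionIndex from the assertion -> {"user", "cookie"}

    def consume_assertion(self, assertion):
        """Assertion Consumer Service: create a local browser session.
        A real SP validates the signature, audience and conditions first."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[assertion["session_index"]] = {"user": assertion["name_id"], "cookie": cookie}
        return cookie

    def is_logged_in(self, cookie):
        return any(s["cookie"] == cookie for s in self.sessions.values())

    def handle_logout_request(self, request):
        """SLO endpoint: terminate the session tied to the SessionIndex in the request."""
        return self.sessions.pop(request["session_index"], None) is not None


class IdentityProvider:
    def __init__(self, slo_enabled):
        self.slo_enabled = slo_enabled
        self.sessions = {}  # user -> {"session_index", "sps": {sp name: sp}}

    def login(self, user):
        self.sessions[user] = {"session_index": secrets.token_hex(8), "sps": {}}

    def issue_assertion(self, user, sp):
        s = self.sessions[user]
        s["sps"][sp.name] = sp  # remember every SP this IdP session was used at
        return {"name_id": user, "session_index": s["session_index"], "audience": sp.name}

    def logout(self, user):
        """End the IdP session; with SLO, fan a LogoutRequest out to every SP.
        Returns the names of the SPs that confirmed termination."""
        s = self.sessions.pop(user, None)
        if s is None or not self.slo_enabled:
            return []
        request = {"name_id": user, "session_index": s["session_index"]}
        return [name for name, sp in s["sps"].items() if sp.handle_logout_request(request)]


def simulate(slo_enabled):
    """Log alice in to two SPs through the IdP, log out at the IdP, and report
    (jira_session_alive, confluence_session_alive, sps_that_terminated)."""
    idp = IdentityProvider(slo_enabled)
    jira, confluence = ServiceProvider("jira"), ServiceProvider("confluence")
    idp.login("alice")
    jira_cookie = jira.consume_assertion(idp.issue_assertion("alice", jira))
    conf_cookie = confluence.consume_assertion(idp.issue_assertion("alice", confluence))
    # Same call an administrator would make to kick out a hijacked account.
    terminated = idp.logout("alice")
    return jira.is_logged_in(jira_cookie), confluence.is_logged_in(conf_cookie), sorted(terminated)


if __name__ == "__main__":
    print("without SLO:", simulate(False))
    print("with SLO:   ", simulate(True))
```

Without SLO the IdP forgets the session but both application sessions stay valid; with SLO both are gone. Two caveats carry over to real deployments: the LogoutRequest must be signed and verified, otherwise anyone can log your users out; and an application that does not implement the SLO binding is simply skipped, so its session lives until it times out. Keep session lifetimes short on every SP for exactly that reason.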
#4 Reduce Shadow IT Risk
As mentioned, remote employees need new tools to adapt to the changing professional landscape. Many of these tools are low-cost, easily deployable and user friendly enough to get up and running in a matter of minutes. But with so many new apps comes security risk. Zapier, for example, connects over 1,000 cloud apps and offers endless integration possibilities with Atlassian products. The potential of these integrations is undeniable, but the read and write access they are granted through the APIs widens the attack surface.
Going back to the main idea that the enterprise is only as secure as its weakest link, integrations with external services must be treated as a liability: a careless one can expose an employee’s credentials, for instance by transmitting them over plain HTTP without encryption.
Worse still, services that by design keep ongoing access to corporate passwords are an obvious target for cybercriminals: one breach at the integration provider exposes every account connected to it.
The solution this time is not to minimize passwords, but to stop using them for integrations altogether and control access with API tokens instead.
If you are not using a SAML SSO app, resolution’s API Token Authentication for Jira and Confluence can limit the number of API connections (like Zapier or IFTTT) by disabling password authentication in exchange for service- or account-level API tokens. Token creation can be centrally managed by your Atlassian admin, and rights can be configured for specific teams or groups.
If you are using SAML SSO for your Atlassian products, your users typically won’t have a Jira or Confluence password at all, which becomes a problem as soon as a cloud app needs to integrate with them. Instead, you can create service-level tokens as a replacement for passwords so that these cloud apps and services can authenticate. Each token is created individually for one integration and can be revoked at any time without touching the user’s SSO login.
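The following is an added example, written for this page rather than taken from resolution’s API Token Authentication app, of the properties that make service-level tokens safer than a shared password for integrations like Zapier: one token per integration, stored only as a hash, limited to a scope and a lifetime, and revocable one by one (or per integration) without changing anyone’s password. It assumes the integration sends an HTTP `Authorization: Bearer` header and that `Basic` (password) authentication has been switched off for the API; the account and integration names are constructed.

```python
"""Hypothetical service-account API token store (example code, not resolution's app)."""
import hashlib
import hmac
import secrets
import time


class TokenStore:
    def __init__(self):
        self._tokens = {}  # token_id -> record

    def issue(self, owner, integration, scopes, ttl_seconds=90 * 24 * 3600, now=None):
        """Create a token for one integration. The plaintext is returned exactly once
        (to be shown to the admin) and is never stored."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._tokens[token_id] = {
            "owner": owner,
            "integration": integration,
            "scopes": frozenset(scopes),
            # Plain SHA-256 is fine here: the secret is 256 bits of CSPRNG output,
            # not a human-chosen password, so there is nothing to brute-force.
            "hash": hashlib.sha256(secret.encode()).digest(),
            "expires": now + ttl_seconds,
            "revoked": False,
        }
        return f"{token_id}.{secret}"

    def authenticate(self, presented, required_scope, now=None):
        """Return the owning account if the token is valid for the scope, else None."""
        now = time.time() if now is None else now
        token_id, sep, secret = presented.partition(".")
        rec = self._tokens.get(token_id)
        if not sep or rec is None:
            return None
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(rec["hash"], hashlib.sha256(secret.encode()).digest()):
            return None
        if rec["revoked"] or now >= rec["expires"] or required_scope not in rec["scopes"]:
            return None
        return rec["owner"]

    def revoke(self, token_id):
        if token_id in self._tokens:
            self._tokens[token_id]["revoked"] = True

    def revoke_integration(self, integration):
        """Cut off one third-party service entirely, e.g. after it reports a breach."""
        for rec in self._tokens.values():
            if rec["integration"] == integration:
                rec["revoked"] = True


def authorize_request(store, headers, required_scope, now=None):
    """Gate an API call: only Bearer tokens are accepted; Basic (password) auth is refused."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return store.authenticate(credential.strip(), required_scope, now=now)


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("svc-zapier", "zapier", {"read"})
    print(authorize_request(store, {"Authorization": f"Bearer {token}"}, "read"))   # svc-zapier
    print(authorize_request(store, {"Authorization": f"Bearer {token}"}, "write"))  # None
    store.revoke_integration("zapier")
    print(authorize_request(store, {"Authorization": f"Bearer {token}"}, "read"))   # None
```

Two design choices worth keeping whatever product you end up using: the token carries an identifier in front of the secret so the store can look it up without scanning every hash, and a compromised integration is handled by revoking its tokens, never by forcing the human owner to rotate a password that many other systems depend on.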
#5 Beware of Phishing Scams
Phishing scams are a tried and tested tactic for attackers. Companies have reported receiving coronavirus-themed phishing, some of it posing as the WHO. These criminals exploit the urgency felt by remote workers, together with the fact that we are receiving so much surprising news and adapting to so many organizational changes that we may overlook a message that would otherwise raise many flags.
Look out for anything that looks dubious or untrustworthy, and remember never to send confidential information or credentials by email, social media or text message: the recipient may well be someone outside the organization, however internal the request looks.
Many of these seem like obvious signs, but companies still spend millions responding to especially clever phishing campaigns.
Here are some things you should check for if you’re skeptical:
- Spelling and bad grammar
- Suspicious links (hover before you click: the link text and the actual target are often different)
- Suspicious attachments
- Altered web addresses (look-alike domains, extra words inserted before the real domain, bare IP addresses)
- Generic or incorrect salutation of your name
- Unusual urgency, or a request for credentials, payment or confidential data
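As an added example (not part of the original article), the following scanner automates the link-related checks in that list over an HTML e-mail body. It parses every anchor and flags links whose visible text names a different host than the real target, punycode (`xn--`) hosts that can hide look-alike characters, bare IP-address hosts, and untrusted hosts that embed a trusted brand name. The trusted-domain list and the sample e-mail are constructed for the demo; the look-alike host is generated at runtime by IDNA-encoding an accented label.

```python
"""Phishing link checks over an HTML e-mail body. Example code written for this
page; the allow-list and the sample message are constructed, not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> domains that may legitimately carry it.
TRUSTED = {"atlassian": ("atlassian.com",)}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or "" for mailto:/tel:/relative links."""
    if url.lower().startswith(("mailto:", "tel:")):
        return ""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # scheme-less text such as "www.example.com/x"
    return (urlsplit(url).hostname or "").lower()


def check_link(href, text):
    """Return the reasons this link looks suspicious (empty list = nothing found)."""
    host, reasons = host_of(href), []
    if not host:
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible look-alike characters)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP-address host")
    # Visible text that itself looks like a URL or domain must point to that host.
    if re.fullmatch(r"\S+\.[a-z]{2,}\S*", text, re.I):
        shown = host_of(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
    for brand, domains in TRUSTED.items():
        trusted = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not trusted:
            reasons.append(f"'{brand}' embedded in untrusted host {host}")
    return reasons


def scan_email(html):
    """Map each suspicious href in the e-mail body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: one legitimate link and three phishing patterns.
LOOKALIKE_URL = "https://www." + "àtlassian".encode("idna").decode() + ".com/"
SAMPLE_EMAIL = f"""
<p>Dear user, your account will be suspended within 24 hours.</p>
<a href="http://atlassian.com.verify-login.example/reset">https://www.atlassian.com/reset</a><br>
<a href="{LOOKALIKE_URL}">Atlassian Support</a><br>
<a href="https://www.atlassian.com/security">Security advisories</a><br>
<a href="http://203.0.113.5/login">Click here</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The brand check is deliberately crude (a substring match) because attackers rely on people reading “atlassian.com” somewhere in a long hostname and stopping there; the trusted-suffix test is what matters, and it has to compare the registrable domain, not just look for the word. A mail gateway would run the same logic on every inbound message; a user can apply it by hand by hovering over a link and comparing the status-bar host with the text.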
Securing enterprise information these days can’t be an afterthought: it requires careful planning, proper resources, and extensive training. It’s also vital to have a comprehensive mindset and understand that there’s no magic trick to protect your company.
What really works is combining best practices and technologies that complement each other and cover the entire scope of your enterprise stack, from the IT department to the daily needs of each individual employee.
We hope that the recommendations above serve as a starting point to reach an acceptable baseline of security that will keep you reasonably safe and away from harmful practices while exploiting the great advantages of remote collaboration with Atlassian tools.