
Understanding Atlassian App Privacy for the Public Sector | Contegix

Written by Elizabeth Clor | Apr 5, 2023 8:43:00 AM

While security and privacy are vital concerns for any team, these values especially matter to those in the public sector, where teams interact with sensitive information and are beholden to additional security and compliance requirements. Public sector teams require an especially high level of trust in every element of their tool stack, including marketplace apps.

Atlassian already requires every vendor to follow strong standards for application security, data protection, authentication and authorization, privacy, and vulnerability management in order to list their app in the marketplace. Recently, Atlassian announced plans to add a new tab in the cloud app listing interface to provide users with more extensive details about an app’s privacy, security, data handling, and compliance qualifications, and to acknowledge the vendors that go above and beyond existing requirements.

The tab is a subsection of each app's listing that gathers far more detailed security and privacy information than was previously available without contacting the vendor. Users can perform an initial, reasonably confident assessment of an app's trustworthiness and security controls without external research; it is a starting point for the organization's own review, not a replacement for it.

With new details at their fingertips, public sector organizations can be more informed when choosing marketplace apps to support their Atlassian tools. From encryption to vulnerability detection, here are the security features this tab helps public sector teams easily identify—as well as some security-minded apps that are especially useful for government teams.

Four Security and Privacy Features Government Teams Should Look For in Atlassian Marketplace Apps

1. Data protection and encryption

Every Atlassian cloud product encrypts data in transit with TLS 1.2 or later, and the servers holding customer data use full-disk AES-256 encryption. Atlassian's baseline security requirements for marketplace apps also include data protection rules: access to any end-user data must be properly authenticated and authorized, and any user data an app stores outside the Atlassian product or the user's browser must be protected by full-disk encryption at rest.

Those controls cover the threats most teams care about: interception on the network and loss or theft of storage media. They do not stop the platform, or an app running on it, from reading the data, because the platform holds the keys. Government organizations working under zero trust mandates or frameworks such as FedRAMP may therefore need end-to-end encryption, where content is encrypted with a key the customer controls before it ever reaches the platform. Atlassian applies zero trust principles to its own internal access, but end-to-end encryption of customer content is not built into its cloud products.

Organizations that need it can add end-to-end encryption with marketplace apps. These apps, such as Security & Encryption for Confluence, often bundle further security and compliance features, such as compliance audit tools and data management. Beyond that specific need, government teams should look for apps that exceed the minimum data protection requirements whatever their function: apps that encrypt stored data with AES-256 or an equivalent cipher, run a dependency scanner against their own code, and avoid logging sensitive data (tokens, page content, personal data). This information will be available in the new Privacy & Security tab.

2. Credentialing

Before dispersed work became the norm for many government teams, signatures necessary for routine processes like purchase orders and grants could be obtained in person—an obvious impossibility in a world where coworkers collaborate from miles apart.

As a result, electronic signatures are now essential to daily operations. However, the validity of an e-signature depends on secure credentialing: the signature must be bound to an authenticated identity in a way that cannot be forged or reused, so government teams must use apps that verify and record signer credentials properly. Comala Document Management is a good example, offering full document approval workflows in Confluence with the approver's credentials verified at each step of the approval process; this is specifically designed to let teams meet e-signature compliance requirements.

3. Risk traceability

For software teams, risk traceability is a valuable tool for holistically evaluating and minimizing risk. For government teams in particular, risk traceability helps ensure regulatory compliance, and makes risk analysis significantly easier, offering a record of risk at every stage of the development process.

Maintaining traceability can be tedious, but apps that automate traceability in Jira, such as SoftComply Risk Manager, alleviate that burden. In addition to bolstering security, automation makes it easier for teams to compile reports, gain insight into risks, and ensure compliance at every step of the way.

4. Atlassian certification

App vendors can also join additional Atlassian programs, such as the Marketplace Partner Program and the Cloud Fortified Apps Program. These programs signal a vendor's commitment to security and provide an extra layer of trust.

To qualify for these programs, developers must participate in Atlassian's Bug Bounty program, which means the apps are proactively working to find and fix vulnerabilities for their users, a responsibility that matters especially to government teams, for whom risk management is a top priority. A bug bounty shows that externally reported vulnerabilities are triaged and fixed; it does not show that an app has none, so it complements rather than replaces a team's own review.

Contegix Puts Marketplace App Data at Your Fingertips

With extensive experience configuring apps and plug-ins, Contegix experts know that marketplace apps can be operations-critical tools for Atlassian users. To help our staff and clients evaluate an app’s qualifications, Contegix offers the Marketplace Analytic Research Service, or MARS. MARS is Contegix’s unique database that provides a wide range of insights into Atlassian Marketplace apps.

Harnessing the power of MARS, alongside our industry experience, Contegix experts compare security and compliance offerings and make knowledgeable recommendations. That means we can provide the insight and implementation assistance necessary to build an Atlassian tool stack that meets unique organizational needs—and critical compliance, security, and privacy requirements.

From first-level app evaluation to configuration, implementation, and monitoring, Contegix is prepared to assist public sector organizations in making Atlassian plug-ins and apps work with their compliance needs. Learn more about how Contegix can help your organization get the most out of Atlassian tools.