.jpeg)
Stephanie Gaye
Using Confluence like a Pro: Time-saving Shortcuts!
.jpeg?width=30&name=1586511868618%20(1).jpeg){kind=small}
Stephanie Gaye: Apr 19, 2024 10:00:00 AM
More and more customers are moving to the Atlassian Cloud. Find out what security, privacy and compliance requirements it meets and what they include here.
The cloud is no longer just an optional alternative, it has become a strategic requirement as the SaaS revolution continues. SaaS products such as Atlassian Cloud have become standardized enterprise tools and show fundamental differences from on-premise solutions. One major contrast is that the administration and management of the infrastructure is controlled by the provider. Thus, the internal IT team can strategically deploy its freed-up resources elsewhere.
With cloud services, trust starts with security and reliability. Atlassian's cloud products are independently audited on a regular basis. They are certified to meet global security, privacy and compliance requirements.
Compliance in the Atlassian Cloud
ISO / IEC 27001
The International Organization for Standardization (ISO) is an independent, organization that counts 167 standards organizations from around the world as members. The ISO/IEC 27000 family of standards helps organizations ensure the security of their information assets.
First, ISO/IEC 27001:2013 is a security management standard that defines comprehensive security measures according to best practice guidelines from ISO/IEC 27002. The basis of certification is the development and implementation of a rigorous security program.
ISO/IEC 27018 formulates recognized guidelines for implementing measures to protect personal data. The Atlassian Trust Management System supports the operations underlying cloud offerings (ISO-Zertifikat from Atlassian).
GDPR
Atlassian ensures to comply with the General Data Protection Regulation (GDPR) and all data protection regulations. The GDPR gives EU citizens more control over their data and combines various privacy and security laws into one comprehensive law.
As a company with a global customer base, Atlassian is able to transfer and access data all over the world. Atlassian respects the rules for onward transfers of personal data to countries outside the European Economic Area (EEA) and provides customers with a robust framework for international data transfers under the Privacy Addendum.
In addition to the Privacy Addendum, Atlassian protects customers' data and rights by responding to law enforcement requests only after a thorough legal review.
SOC2 / SOC3
SOC 2 and SOC 3 reports (System and Organization Controls) are independent investigative reports that document how a company or organization implements essential compliance measures and objectives.
The Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) applicable Trust Services Criteria (TSC) is the basis of the SOC 2 and SOC 3 reports.
The intent of the reports is to evaluate all of a company's or organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.
A SOC 3 report includes a written opinion from the service organization. This ensures that all actions required under the applicable Trust Services Criteria have been taken. The difference between the two reports is that they are accessible to the public. This is only possible with SOC3.
Both SOC 2 reports and SOC 3 reports are evidence investigations conducted in accordance with SSAE 18, which is the responsibility of the AICPA (Sections AT-C 105 and 205).
FedRAMP
The U.S. government has established FedRAMP (Federal Risk and Authorization Management Program), a government program for standardizing security and risk assessment, authorization, and continuous monitoring of cloud products and cloud services.
There are two FedRAMP authorizations: provisional authorization by the Joint Authorization Board (JAB) or authorization by an agency. For authorization, the relevant authorities work directly with the cloud provider. If a cloud service provider chooses to obtain an operating authorization directly through an authority, the entire FedRAMP process is guided by the respective authority.
Requirements for authorizations include an assessment by an assessment firm accredited with the program. In addition, a thorough technical review by the FedRAMP Program Management Office (PMO) is required.
PCI DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard managed by the PCI Security Standards Council.
The PCI Security Council has defined network security and business transaction guidelines to protect customer credit card information as a "minimum security standard."
In this regard, the PCI-DSS applies to all systems, networks and applications that process, store or transmit cardholder data. It also applies to systems used to secure and log access to said systems. The PCI-DSS applies to all legal entities that store, process, or transmit cardholder data or sensitive authentication data.
VPAT
Section 508 is an amendment to the U.S. Rehabilitation Act of 1973. Section 508 requires U.S. federal agencies to provide employees and citizens with impairments comparable access to electronic information and electronic technology as individuals without impairments. In addition, agencies must also consider accessibility when purchasing or using information technology.
ACSC - Cloud Computing Security
This guide helps assessors verify the security of a cloud service to provide independent assurance to organizations that cloud service provider (CSP) security claims are valid. The organization and the CSP share responsibility for mitigating risk when using cloud services. Before using cloud services, organizations should conduct a risk assessment and implement necessary mitigation measures. This document covers Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) provided by a CSP as part of a Public Cloud, Community Cloud and Outsourced Private Cloud.
APRA Prudential Standard CPS 234
The Australian Prudential Regulation Authority (APRA) has issued guidance to financial institutions it supervises to help them maintain cybersecurity and governance in their organizations when using cloud computing. APRA has issued specific guidance on outsourcing cloud computing offerings, and supervisors must review and comply with APRA Prudential Standard CPS 234 Information Security when outsourcing. The APRA 234 Outsourcing Guidance provides mappings to each requirement and outlines how Atlassian Cloud Enterprise can help customers meet their obligations, including information on audit rights, data security, termination, and outsourcing.
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for ensuring security in cloud computing and helps secure other forms of computing. Its Security, Trust & Assurance Registry Program (CSA STAR) evaluates cloud service providers (CSPs) through a three-tiered program of self-assessment, third-party auditing and continuous monitoring.
STAR offers three assurance levels, and CSPs can submit either a completed Common Assurance Initiative Questionnaire (CAIQ) or a report documenting compliance with the Cloud Controls Matrix (CCM) as part of the CSA STAR self-assessment. Atlassian, which is both a corporate member of the Cloud Security Alliance and on the Trusted Cloud Provider list, offers a Level 1 self-assessment for its cloud products.
European Banking Authority (EBA)
The European Banking Authority (EBA) is an EU authority responsible for developing and implementing a set of rules to regulate and supervise banking in all EU countries to ensure financial stability and consumer confidence. Atlassian Cloud Enterprise has developed a solution to help European customers in the financial services sector comply with EBA regulations and guidelines.
Compliance with these requirements is the joint responsibility of the financial institutions and the cloud service provider. Atlassian provides an EBA outsourcing guide with specific mappings to each requirement and outlines how it helps customers meet obligations such as audit rights, data security, location of data processing, chain outsourcing and termination.
Financial Market Supervisory Authority
Atlassian is committed to helping its Swiss financial services clients comply with the Swiss Financial Market Supervisory Authority's (FINMA) requirements for maintaining adequate cybersecurity and governance programs. FINMA's guidance on outsourcing requirements for cloud companies is contained in Circular 2018/3. Atlassian's FINMA outsourcing guidance addresses each requirement and explains how Atlassian Cloud Enterprise helps users meet obligations such as audit rights, data security, termination, and chain outsourcing.
HECVAT
The Higher Education Information Security Council (HEISC), in collaboration with other organizations, has developed the Higher Education Cloud Vendor Assessment Toolkit (HECVAT) for higher education institutions to assess the security and privacy requirements of cloud service providers in the United States. As a cloud service provider, Atlassian Cloud has completed a self-assessment for its core products in accordance with HECVAT, describing its alignment with industry standards and the security of its products and infrastructure.
More cloud content that might interest you:
Confluence Databases: How to Use the New Feature
Maximilian Wardenbach: Mar 6, 2024 1:15:01 PM