Construction of the Atlassian Cloud Infrastructure

Where your data is stored in the Atlassian Cloud

Atlassian Cloud products are hosted by the industry-leading cloud provider AWS (Amazon Web Services). Below is a more detailed explanation of the cloud infrastructure. You can find the six main components and their respective meanings below.

Location of Data

Jira and Confluence data is closest to the region where the majority of users have logged in. Atlassian understands that some organizations need to keep data in a specific location, so Atlassian offers data residency. In this case, data is only kept in the specific region.

Data residency is currently offered in the US and EU regions, with plans to roll out support for the UK, Canada and Japan soon. Data residency is available for standard, premium and enterprise cloud plans. Teams of any size can securely manage their data in any of the three regions.

Atlassian leverages highly available AWS data centers located in multiple regions around the world. AWS regions are geographically separated and each consists of multiple isolated locations (availability zones). Jira and Confluence run Amazon RDS (Amazon Relational Database Service) in Multi-AZ deployment mode, so the database is replicated across several availability zones.

Data Backups

Atlassian follows a comprehensive backup program. Atlassian uses the Amazon RDS (Relational Database Service) snapshot feature to create automatic daily backups of each RDS instance.

Amazon RDS snapshots are retained for 30 days. They support point-in-time recovery and are encrypted using the AES-256 standard. Backup data is not stored off-site, but replicated across multiple data centers within a given AWS region. In addition, backups are tested every three months.
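The backup posture described above (daily automated RDS snapshots, 30-day retention, encryption at rest, Multi-AZ replication) is something you can verify for your own RDS estate. The following is an added example, not Atlassian code: it evaluates instance records shaped like the `DBInstances` list that boto3's `rds.describe_db_instances()` returns against that baseline. The sample records are constructed for the example; the baseline values and the field names `BackupRetentionPeriod`, `StorageEncrypted` and `MultiAZ` are the real response keys.

```python
"""Evaluate RDS instance records against a backup baseline:
automated backups retained >= 30 days, storage encrypted (automated
snapshots inherit the instance's encryption), Multi-AZ deployment."""
from typing import Iterable, List

BASELINE = {"min_retention_days": 30, "encrypted": True, "multi_az": True}


def assess_instance(inst: dict, baseline: dict = BASELINE) -> dict:
    """Return findings for one record in describe_db_instances()['DBInstances'] shape."""
    findings: List[str] = []
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention == 0:
        # A retention period of 0 means automated backups are switched off.
        findings.append("automated backups disabled")
    elif retention < baseline["min_retention_days"]:
        findings.append(f"retention {retention}d < {baseline['min_retention_days']}d")
    if baseline["encrypted"] and not inst.get("StorageEncrypted", False):
        findings.append("storage (and therefore snapshots) not encrypted")
    if baseline["multi_az"] and not inst.get("MultiAZ", False):
        findings.append("single-AZ deployment")
    return {
        "id": inst["DBInstanceIdentifier"],
        "compliant": not findings,
        "findings": findings,
    }


def assess_all(instances: Iterable[dict]) -> list:
    return [assess_instance(i) for i in instances]


# Constructed sample data (hypothetical identifiers, not real Atlassian
# instances), in the shape boto3's rds.describe_db_instances() returns.
SAMPLE = [
    {"DBInstanceIdentifier": "jira-prod-a", "BackupRetentionPeriod": 30,
     "StorageEncrypted": True, "MultiAZ": True},
    {"DBInstanceIdentifier": "conf-stage-b", "BackupRetentionPeriod": 7,
     "StorageEncrypted": True, "MultiAZ": False},
    {"DBInstanceIdentifier": "scratch-c", "BackupRetentionPeriod": 0,
     "StorageEncrypted": False, "MultiAZ": False},
]

if __name__ == "__main__":
    # With boto3 installed and credentials configured, replace SAMPLE with
    # boto3.client("rds").describe_db_instances()["DBInstances"].
    for result in assess_all(SAMPLE):
        print(result)
```

Run it against live data by swapping `SAMPLE` for the `DBInstances` list from boto3; each non-compliant instance is reported with the specific gap, which is what an auditor wants to see rather than a single pass/fail.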

Data Center Security

AWS has multiple certifications to protect its data centers. These certifications cover physical and environmental security, system availability, network and IP backbone access, customer provisioning, and problem management.

Data center access is restricted to authorized personnel only and controlled by biometric identity checks. On-site security guards, video surveillance equipment, access gates, and other intrusion prevention measures also provide security.

Multi-tenant Architecture

In addition to the cloud infrastructure, a multi-tenant microservice architecture with a shared platform is being developed to support the Atlassian products. In a multi-tenant architecture, a single service serves multiple organizations, including the relational databases required to run the cloud products. Each tenant's data is logically isolated and inaccessible to other tenants.

Microservices are based on the principle of least privilege, limiting the scope of zero-day attacks. Each microservice has its own data store that can only be accessed using an authentication protocol for that specific service.

Application-level data authentication and authorization serve as an additional security checkpoint when requests are sent to these services.

Atlassian Edges


The data at Atlassian is additionally protected by so-called edges. These are virtual walls that are built around the software. When a request is received, it is sent to the nearest edge. Through several validation procedures, the request is then allowed or denied.

  • The request arrives at the Atlassian Edge closest to the user. The Edge verifies the user's session and identity using the identity system.
  • The Edge determines where the product data is located from the tenant context service (TCS) information.
  • It forwards the request to the destination region, where it reaches a compute node.
  • The node uses the tenant configuration system to determine information such as the license and the database location.
  • The response to the original user request is then assembled from the information gathered by these calls to other services.

Authentication and Authorization


The multi-tenant architecture of the cloud products allows additional security controls to be added. With a single-tenant solution, no further authorization checks would normally be performed for high volumes of requests. The impact of a zero-day attack is thus drastically reduced.

With the platform, the principle of least privilege is used for data access. This means that access is granted only to the service responsible for storing, processing or retrieving the data in question. Any service that needs access to media content must interact with the media services API. Consequently, secure authentication and authorization at the service level ensures strict segregation of duties and data access according to the principle of least privilege.

Data Encryption


Customer data in Atlassian Cloud products is encrypted using TLS 1.2+ with PFS (Perfect Forward Secrecy) when transmitted over public networks to protect it from unauthorized disclosure or modification. This requires the use of strong ciphers and key lengths, provided the browser supports them, which is the case with current versions of popular browsers such as Chrome, Firefox and Safari.
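Whether an endpoint actually negotiates TLS 1.2+ with a forward-secret key exchange can be checked from the client side. The following is an added example, not Atlassian code: it uses Python's standard `ssl` module to connect to a host and classifies the negotiated protocol and cipher suite. The rule it applies is that every TLS 1.3 suite uses ephemeral (EC)DHE key exchange, while a TLS 1.2 suite only has forward secrecy if its OpenSSL name carries an `ECDHE-` or `DHE-` prefix; the hostname passed on the command line is the only input you supply.

```python
"""Check that a TLS endpoint negotiates TLS 1.2+ with a forward-secret cipher."""
import socket
import ssl
import sys

MIN_VERSIONS = ("TLSv1.2", "TLSv1.3")


def cipher_has_pfs(protocol: str, cipher_name: str) -> bool:
    """True if the negotiated suite provides forward secrecy.

    TLS 1.3 suites (e.g. TLS_AES_256_GCM_SHA384) always use ephemeral
    (EC)DHE key exchange. For TLS 1.2 the OpenSSL suite name must start
    with ECDHE- or DHE-; static RSA key exchange such as
    'AES256-GCM-SHA384' lets a stolen server key decrypt recorded traffic.
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def evaluate(protocol: str, cipher_name: str, secret_bits: int) -> dict:
    """Apply the policy to the values ssl.SSLSocket.version()/cipher() report."""
    return {
        "version_ok": protocol in MIN_VERSIONS,
        "pfs": cipher_has_pfs(protocol, cipher_name),
        "strong_key": secret_bits >= 128,
    }


def check_endpoint(host: str, port: int = 443) -> dict:
    """Connect once and report what was negotiated (requires network access)."""
    ctx = ssl.create_default_context()
    # Refuse anything below TLS 1.2 ourselves, matching the stated minimum.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            result = evaluate(tls.version(), name, bits)
            result.update(host=host, protocol=tls.version(), cipher=name)
            return result


if __name__ == "__main__":
    # Usage: python tls_check.py <hostname>
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(check_endpoint(target))
```

Because the connection uses `create_default_context()`, certificate validation stays on, so the check also fails loudly on an untrusted chain; a result with `pfs` set to `False` on TLS 1.2 is the finding to raise with whoever operates the endpoint.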

Data drives on servers that store customer data and attachments in Jira Software Cloud, Jira Service Management Cloud, Jira Work Management, Bitbucket Cloud, Confluence Cloud, Statuspage, Opsgenie, and Trello use industry-standard AES-256 encryption at rest.

Atlassian's internal Cryptography and Encryption Policy sets forth general principles for encryption and cryptography mechanisms implemented by Atlassian to reduce risks associated with storage and transmission on networks.

Interested in the Cloud?

Contact us now and get a no-obligation consultation on migrating to the cloud!


Ricardo

Contact our experts and we will get back to you as soon as possible. See you soon!