Things you’ll learn
- Overview of Atlassian DC
- Is Atlassian Cloud HIPAA compliant?
- Data loss prevention tools
- Third-party plugin usage
- Process & Policy for reporting and remediation
- Atlassian’s compliance roadmap
- Atlassian’s data center option
- How Oxalis can help you
Atlassian Cloud vs Data center? If your organization uses Atlassian products such as Jira or Confluence, you are likely aware of and planning for Atlassian’s shift toward a cloud-first strategy. In short:
- The sale of new Atlassian Server licenses have been discontinued as of February 2021.
- Support and maintenance for Atlassian Server products will end in 2024.
- Atlassian is making significant investments and updates to Data Center and Cloud hosting options, in an effort to improve their core offerings.
While much has been said about the differences between Atlassian Cloud and Data Center products (in fact, we wrote an entire Buyer’s Guide on this topic), the question of what to do next takes on particular significance for healthcare organizations and other entities operating in high compliance industries. Is Atlassian (Jira) Cloud HIPAA compliant? How do I know whether Atlassian Cloud or Data Center will satisfy our security and regulatory requirements? What are the tradeoffs associated with Cloud vs Data Center vs hybrid approaches?
This page will be kept up-to-date with the latest information related to HIPAA compliance with Atlassian so that you can better understand your options and select the path that best suits your needs. If you’d like to take a deeper dive into your Atlassian Cloud options, feel free to download a copy of our new whitepaper, Atlassian Cloud vs Data Center: Key Considerations for Enterprise, Compliance-Heavy Organizations.
Most Atlassian Enterprise Cloud products are HIPAA-compliant.
The Cloud versions of Jira Software, Jira Service Management, and Confluence are HIPAA-compliant on the Enterprise plan, and Atlassian is prepared to sign Business Associate Agreements for them. We’ve covered the details in another post.
If you aren’t on the Enterprise plan, and can’t upgrade, there’s still hope. Depending on how you intend to use your tools, and what type of data is being stored, you may still be able to store PHI/PII in the Atlassian Cloud. Consider the following factors.
Data Loss Prevention Tools
Data Loss Prevention (DLP) tools are critical for enforcing data upload policies so that sensitive information such as PHI/PII doesn’t make its way into the Atlassian Cloud in the form of attachments, service requests, or internal comments. DLPs also play an important role in the identification, classification, and remediation of PHI which may have slipped past your technical, physical, and process controls. DLPs generally fall into one of four categories: browser, endpoint, network, or application based.
As a healthcare organization, you are likely already leveraging one or more DLPs as part of your HIPAA-compliance strategy. Oxalis can help you determine whether your existing controls are sufficient to secure your Atlassian Cloud, or if a purpose-built market solution is a required add-on.
Third-Party Plugin Usage
One of Atlassian’s greatest features is the Atlassian Marketplace, a platform to buy apps that enhance and extend the base functionality of Atlassian’s products. With thousands of apps and integrations in the Marketplace, it’s likely that your system already has a third-party plugin installed today. Plugin vendors may or may not sign BAAs, and may or may not provide that information in the Marketplace. Remember that ultimately you’re responsible for HIPAA compliance regardless of what a vendor discloses, so contact them if necessary to know for sure whether a plugin is compliant.
Process & Policy for Reporting and Remediation
While DLP tools should help keep PHI out of your system, and will identify PHI that’s already been added, you will inevitably need a manual reporting mechanism for flagging records containing sensitive information. You will also need to define a cadence for reviewing manual/automated reports of PHI/PII, verifying that the report is accurate, and triggering an appropriate response for remediation. Atlassian’s products such as Jira and Confluence include rich audit history and versioning for easy auditing, but these can stand in the way of simple “data scrubbing.” A carefully crafted approach will differentiate between Jira issues and Confluence pages that can be deleted outright vs those that require separate quarantining so that important data may be salvaged.
Atlassian’s Compliance Roadmap
The chart below details current and future Cloud compliance standards according to the Atlassian Cloud compliance roadmap.
| Compliance Standard | Software | Status |
|---|---|---|
| SOC 2 Type II | Jira Service Management, Halp, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage. | Shipped |
| ISO IEC 27001 | Jira Service Management, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage. | Shipped |
| ISO IEC 27018 | Jira Service Management, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage | Shipped |
| GDPR | Jira Software, Confluence, Jira Service Management, Bitbucket | Shipped |
| VPAT for Cloud Products | Jira Software, Confluence, Jira Service Management, Bitbucket | Shipped |
| WCAG 2.1 Standards | Jira Software, Confluence, Jira Service Management, Bitbucket | Shipped |
| HIPAA | Jira Software, JSM, and Confluence | Shipped |
| Financial services industry compliance – US | Jira Software and Confluence | Shipped |
| Financial services industry compliance – Australia (APRA) | Jira Software and Confluence | Shipped |
| Financial services industry compliance – EU (BaFin) | Jira Software and Confluence | Shipped |
| NIST 800.53 | Jira Software and Confluence | Future |
| FedRAMP Tailored | Jira Software Cloud and Confluence Cloud | Future |
| FedRAMP Moderate | Jira Software and Confluence | Future |
Atlassian’s Data Center is a more traditional “Behind the Firewall” option.
Atlassian’s Data Center products offer a traditional “Behind the Firewall” approach for organizations that must handle PHI/PII in their environment, and cannot adopt the Atlassian Cloud. With greater security capabilities, options for self-hosting, and more hands-on customization, Data Center serves larger companies well should they find a need for any extra levels of security or compliance that Cloud does not offer at this time.
The Data Center versions of Jira and Confluence are reliable tools providing easy scalability, high availability, load balancing, improved performance with project archiving, and Atlassian-supported disaster recovery. You will get all of the same functionality you’re familiar with from the old Server products, but with features and capabilities designed to serve enterprise organizations.
The primary drawbacks of Atlassian’s Data Center offerings, are that:
A “hybrid cloud” approach can give you the best of both worlds.
For organizations looking to get the best of both worlds, a “hybrid cloud” approach may be justified where one or multiple Atlassian Cloud products are combined with one or multiple Atlassian Data Center products. A few scenarios below illustrate this concept:
Oxalis can help you assess your needs, architect a hybrid cloud strategy, and deploy a process for integration, manual (or automated) import/export, and archival data retention.
As Atlassian cloud migration advisors, Oxalis’s unique expertise ensures Cloud Migration success.
The Cloud Migration Playbook, written for any company that needs to migrate from Atlassian Server or Data Center to the Cloud, covers the entire migration process from pre-planning to testing to executing the migration.
Oxalis Can Help You Determine the Best Path Forward.
At Oxalis, it’s important that clients be able to make good decisions and select a course of action that meets the needs of their business. But it’s equally important that you make sure you aren’t boxing yourself into a place where you won’t be able to take advantage of future cloud evolution.
Furthermore, the professionals at Oxalis want to help you approach the decision between Atlassian Cloud and Data Center with a holistic, compliance-first mindset. If not, this is a great time to make a shift in priorities and select a path that will meet your needs today and in the future.
After all, a migration is an investment. You want to ensure you’re getting the most of your investment by providing a full picture of compliance for your organization, even if that involves incorporating additional tools outside Atlassian.
To learn more about how to plan a path forward with your Atlassian products, please download a copy of Oxalis’ new whitepaper, Atlassian Cloud vs Data Center: Key Considerations for Enterprise, Compliance-Heavy Organizations.
Or, if you need 1:1 support planning your next steps with Atlassian, please reach out today to set up a time to chat.
