Unlocking Enhanced Security: BYOK Encryption for Jira & Confluence

Posted on 03.26.2024 - Written by John R Worsley

Keeping your data secure is paramount. Atlassian’s Cloud products encrypt data at rest, but now you have even more control with Bring Your Own Key (BYOK) encryption for Jira Software & Confluence (Early Access Program).

Atlassian Cloud products now empower you to take control of your data encryption with Bring Your Own Key (BYOK). Previously, Atlassian generated encryption keys for each customer and managed them within AWS Key Management Service (KMS) using their own account. Now, you can choose to encrypt your Jira and Confluence data with keys stored directly in your own AWS account.

Who needs BYOK Encryption for Jira & Confluence?

BYOK encryption for Jira & Confluence is ideal for organizations with highly sensitive data or those in strictly regulated industries. These organizations often have strong compliance requirements and need the utmost control over their encryption keys. BYOK offers them the ability to manage and rotate their own keys, ensuring that even Atlassian doesn’t have access to decrypt their data. This extra layer of control can be crucial for meeting specific security standards and mitigating the risk of unauthorized access. It empowers you to:

  • Manage your encryption keys: You hold the keys in your dedicated AWS account, giving you complete control and the ability to revoke access in emergencies.
  • Gain audit trail visibility: Take advantage of AWS CloudTrail to monitor key activity and access detailed logs.

BYOK is available to Cloud Enterprise plans with any of these Atlassian products:

  • Jira Software
  • Jira Work Management*
  • Jira Product Discovery*
  • Jira Service Management (EAP)
  • Confluence (EAP)

Who Can Use BYOK Encryption for Jira & Confluence?

Atlassian offers BYOK encryption on a tiered basis for Jira & Confluence. For Jira Software, all Cloud Enterprise or Cloud Enterprise trial subscribers have immediate access to BYOK encryption. However, BYOK encryption for Jira Service Management and Confluence is still in an Early Access Program (EAP). To leverage BYOK encryption for Jira Service Management and Confluence, contact your Atlassian Enterprise account representative to confirm your eligibility for the Early Access Program (EAP).

  • Attachments
  • Comments
  • Issues and field content (including systems and custom fields)
  • Search data
  • Permissions and restriction configuration data
  • Page content
  • Blog content
  • Comments
  • Attachments
  • Confluence questions
  • Whiteboards

Benefits of BYOK Encryption for Jira & Confluence

Leveraging BYOK encryption for Jira & Confluence unlocks several advantages, especially for organizations handling sensitive data. Here’s a breakdown of the key benefits:

  • Enhanced Security: Mitigate the risk associated with relying on someone else’s keys.
    • Using your own encryption key removes the potential security risk inherent in using someone else’s key. You manage and control the key at all times, including the ability to revoke access in the event of security emergencies, such as intrusion.
  • Granular Control: Manage and audit key usage within your AWS environment.
    • You have full visibility into key-related activity because you’re using your own AWS account, and you can use tools like AWS CloudTrail to record activity and access audit logs.
  • Compliance Alignment: Facilitate adherence to strict data security regulations.
    • BYOK encryption can help your organization meet compliance requirements for data security, especially those that mandate stricter control over encryption keys.
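
To make the CloudTrail point concrete, here is an added example (not Atlassian's or Oxalis's code) that reviews KMS events from a CloudTrail log and flags key-management changes, calls from unexpected principals, and denied requests. It assumes the IAM role carries the same name as the stack name used during setup (atlassian-key-management-role); the log records, account ID, and key ID are constructed placeholders.

```python
import json
from collections import Counter

# Assumption: the IAM role is named after the stack name from the setup steps.
EXPECTED_ROLE = "atlassian-key-management-role"
# KMS API calls that change key state, policy, grants, or rotation.
SENSITIVE = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy",
             "CreateGrant", "DisableKeyRotation"}

# Constructed sample data: account ID and key ID are placeholders.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ROLE_ARN = f"arn:aws:sts::111122223333:assumed-role/{EXPECTED_ROLE}/session"
ADMIN_ARN = "arn:aws:iam::111122223333:user/ops-admin"

def _rec(name, principal, error=None):
    """Build a minimal CloudTrail-shaped KMS record for the sample log."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": principal}, "resources": [{"ARN": KEY}]}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_LOG = json.dumps({"Records": [
    _rec("GenerateDataKey", ROLE_ARN),
    _rec("Decrypt", ROLE_ARN),
    _rec("Decrypt", ADMIN_ARN),                       # not the expected role
    _rec("PutKeyPolicy", ADMIN_ARN),                  # changes who may use the key
    _rec("Decrypt", ROLE_ARN, error="AccessDenied"),  # e.g. after access is revoked
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE_ARN}},              # non-KMS event, ignored
]})

def review_kms_activity(log_text):
    """Return (findings, usage): flagged KMS events and per-key request counts."""
    findings, usage = [], Counter()
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        for res in rec.get("resources", []):
            usage[res.get("ARN")] += 1
        if name in SENSITIVE:
            findings.append(("key-management-change", name, arn))
        elif f":assumed-role/{EXPECTED_ROLE}/" not in arn:
            findings.append(("unexpected-principal", name, arn))
        elif rec.get("errorCode"):
            findings.append(("denied-request", name, rec["errorCode"]))
    return findings, usage

if __name__ == "__main__":
    for finding in review_kms_activity(SAMPLE_LOG)[0]:
        print(finding)
```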

Who Should Use BYOK Encryption?

If you have more stringent security or compliance needs and are already on Atlassian’s Cloud Enterprise plan, then BYOK encryption for Jira & Confluence is a good fit. Oxalis can help you assess whether your organization would benefit.

What Data Does BYOK Encryption for Jira & Confluence Cover?

BYOK encryption for Jira & Confluence secures a significant portion of your data, but it’s not all-encompassing. Here’s the breakdown:

  • Good news: When enabled for Jira Software or Service Management, BYOK safeguards all product data for Jira family products within that same site. This means your project details, tickets, attachments, and comments in Jira applications are shielded by BYOK encryption.
  • Important to note: Certain data categories like backups, personal access tokens, and audit logs remain encrypted using keys managed by Atlassian.

For a complete picture of what BYOK encrypts, we recommend consulting Atlassian’s documentation.

As of March 2024, Atlassian’s BYOK only covers data stored in a few Cloud products.

If you need more complete encryption of data in Jira and Confluence, Atlassian’s Data Center products may be the answer. With Data Center, since you host the product instances yourself, you have full control over the underlying file systems, disks, and database, and can enable encryption. Oxalis can help you decide if Data Center better suits your needs. We offer a range of services, from implementing encryption solutions (like Self-Encrypting Drives, Linux Unified Key Setup, or Windows BitLocker) to assisting you with setup. Additionally, we can facilitate the migration of your instances from Cloud to Data Center.

How Do I Enable BYOK Encryption for Jira & Confluence?

Ready to enable BYOK encryption for Jira & Confluence?

  1. Set Up a Dedicated AWS Account: Security first! Create a new AWS account solely for managing BYOK encryption for your Atlassian products. Avoid compromising security by using an existing account shared with other applications.
  2. IAM Role Setup: Within your dedicated AWS account, configure an Identity and Access Management (IAM) role (for the Stack Name, use atlassian-key-management-role). This role grants Atlassian the necessary, limited permissions to manage encryption keys on your organization’s AWS account via AWS KMS (Key Management Service).
  3. AWS KMS Key Costs: Be aware that each KMS key incurs a $1/month charge. Additional costs apply if you anticipate exceeding 20,000 requests per month.

Finally, an admin for the relevant Atlassian organization (or an Atlassian Partner, such as Oxalis) contacts your Enterprise account representative to set up your BYOK encryption and add a BYOK-encrypted product to your site. You can check the provisioning status of your BYOK sites through admin.atlassian.com.

Figure: The Security tab in your Admin site shows the current BYOK-enabled products, along with the domain they belong to. Photo credit: Atlassian

Important Notes

Atlassian currently supports BYOK in two regions: the European Union and the United States; data cannot be migrated between locations after selection.

BYOK is available for JSM and Confluence only to participants in Atlassian’s Early Access Program (EAP), which lets you use upcoming releases while developers are still working on them. Cloud Enterprise plans now have full access to BYOK encryption for Jira Software! If you already have an Enterprise account representative, they can sign you up. If not, Oxalis can help evaluate whether Cloud Enterprise is a good fit for your organization, and can sign you up for the EAP for Jira Service Management and Confluence.

BYOK encryption offers enhanced data security and control for organizations with sensitive data in Jira & Confluence, particularly those in regulated industries. While BYOK doesn’t cover everything (backups and audit logs for example), it safeguards critical project details, tickets, attachments, and comments. BYOK encryption only applies to new products created within a site. You cannot retroactively add BYOK to existing products.

Here’s the inside scoop on BYOK limitations:

  • Single BYOK Policy per Organization: Your organization can only have one BYOK encryption policy, applied at the Admin site level.
  • New Products Only: BYOK applies proactively. You cannot enable it for existing products; they must be created with BYOK from the start.
  • Adding New Products: Atlassian can activate BYOK for new products added to the same site. However, directly adding a product through admin.atlassian.com won’t enable BYOK encryption.
  • Data Re-encryption: While you can’t re-encrypt product data with a new key, you can leverage AWS KMS’s auto-rotation feature set to occur annually. This ensures your encryption keys stay fresh.

Once BYOK encryption is in place, you can revoke access, restore access, and request BYOK re-encryption of previously encrypted data. For more detailed information, Atlassian has a BYOK FAQ that may answer some basic questions about BYOK encryption for Jira and Confluence.

Considering BYOK for your Atlassian instance? Oxalis, an Atlassian Platinum Solutions Partner, can help! Our experts can assess your needs and determine if BYOK is the right fit for your data security posture. We can also handle the implementation process or guide you through it yourself. Contact our experts today to learn more!
