The short version of this response is "it is not safe to put any system on the internet if it allows people to log into it".  I'm afraid it's not been thought through and is quite simply inaccurate.

Atlassian security have the same problems and solutions as any other web-application.

Hi Nic,

I’m sorry you think my reply was not thought through and inaccurate. Please can you elaborate?

I was answering from the perspective of an Information Security person as well as a Jira Admin. Actually you could shorten my response even further to just “it is not safe to put any system on the internet” because of the information security risks that are introduced. “Allowing people to log into it” is just one risk scenario. From an information security perspective there are many more risks that are introduced and nowadays Jira Admins have to address these according to their organisation’s Information Security Management System (ISMS). As cyber crime grows, organisations are becoming more aware of the need to have an ISMS to protect the data they hold or face the consequences (e.g. Equifax).  Hence my response. I don’t think I was inaccurate – I was just answering from an information security perspective as well as a Jira Admins. I probably did not think through too much because it was immediately obvious from an information security perspective what the answer was.

Since the question was asked two years ago, I don’t think our answers will help questioner, but hopefully will be of use to others who are in the same position today. The difference is that cyber crime and Information Security are much bigger issues now and are part of the Jira Admins job. I don’t get the impression that Atlassian appreciate this very much. With your connections to Atlassian, would you agree with this impression? Could you influence them to take information security more seriously?

Regards,

Adam

There's not much more to add really.  Your posting was wrong about SSL (you should always use SSL as it prevents eavesdropping) and the rest of it was about systems being compromised by existing users was irrelevant because you can't do anything about that in the software.

The questioner asked if external access can compromise internal information. The answer is yes and it is not wrong. SSL will not prevent internal information being compromised. I agree you should have SSL installed but in this day and age that should go without saying. I did not say that people should not use SSL – please do not misrepresent me.

The fact that the software cannot mitigate the risk of internal information being compromised misses the point. The point is that external access makes it much easier for disgruntled employees (or ex-employees) to compromise internal information as they can operate outside the office away from watchful eyes and incriminating audit trails. The wider issue is that there are many more scenarios/risks that are enabled or increased when you give external access. The software will not protect the internal information neither will SSL.

Thanks - we are already on SSL. I personally think this goes without saying now days, there is no excuse. 

The current permissions is what concerns me, they imported contacts using a third party plugin which has little to no integrity or structure in the data, it created circa 800 groups on the import and all sorts of nastiness hence the concerns over our security on the instance with people potentially getting access to internal information.

Ugh, that's a horrid place to land in.  I would indeed be worried about the usage of the groups and what they allow access to, but I'd have a look at what the add-on does with them.  If it's just creating the groups, then there's little to worry about, but if it plonks them into permissions or roles, you're really going to have to slog through all of the projects to check and remove them.