Hello Ferguson,

I hear you on your concerns. I do want to address a few points to ensure we communicate what options are available and what's already in place around your security concerns. 

Firstly, it’s very important we have the trust of all customers when handling customer data. With this said we wanted to ensure everyone is aware of the Atlassian Trust Center. Within this page, you will see our current list of Compliance at Atlassian (Please visit the page for a detailed listing of current compliance program).

In regards to not having the ability to add security within Cloud, I wanted to clarify this, within our cloud offering you’re able to have SAML SSO, enforced 2FA, and SCIM. More can be found at Security at Atlassian. Atlassian also has an active bug bounty program to ensure our platform and product stay safe, secure, and available for customers. You may find more about this at Atlassian Bug Bounty Program.

To ensure we close the loop of trust with customer data, I would like to quote our Product Security stance:

Encryption in transit

All customer data stored within Atlassian cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

Encryption at rest

Data drives on servers holding customer data and attachments in Jira Software Cloud, Jira Service Desk Cloud, Jira Core Cloud, Confluence Cloud, Statuspage, OpsGenie, and Trello use full disk, industry-standard AES-256 encryption at rest. Bitbucket does not offer encryption at rest for repositories at this time.

For encryption at rest, specifically we encrypt customer data that is stored on a disk such as Jira issue data (details, comments, attachments) or Confluence page data (page content, comments, attachments). Data encryption at rest helps guard against unauthorized access and ensures that data can only be access by authorized roles and services with audited access to the encryption keys.

Encryption key management

Atlassian uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

I hope the above information helps to clarify how serious we take the handling, storing, and transporting of your data and the lengths we’ll go to ensure it continues to stay safe.

Respectfully,
Stephen Sifers

@Ferguson

Totally  agree with you. By looking into this decision looks like Atlassion never thinks about their customers.

This is the ONE OF WORST IDEA EVER. WORST IDEA OF CENTURY

I don't really understand that Atlassian decision. Does the Server Version make so much trouble / effort to Atlassian ? Or are they just looking for more money ??

I'm using JIRA plus Confluence for more than 10 years now - in 3 different companies.

All of them:

* put a lot of effort into their installation / customization

* have specific privacy requirements and are looking for installation on their own servers

* I can't talk for the last 2 employers - but I'm pretty sure that both will look for alternatives.

* and I can talk for my current employer - and we are definetely looking for something else.

Besides this I would say that quite a few addons we currently use are not even ready for the Cloud environment.

JIRA plus Confluence + Bitbucket may not be the best solution - but I got used to it. There are a lot of feature requests ignored by Atlassian pending for years - sometimes I would say even very basic ones.

So now time has come to look for something different - still hosted on our servers.

In my case, my JIRA instances are running on private networks, that are not connected to Internet at all, physically, for confidentiality purpose.

There is no way the cloud is going to answer this requirement.

All of our Atlassian products are Data Center based versions or local servers.  Because of the nature/security of the work we are involved in, we cannot use Cloud offerings.  This is a very bad decision on Atlassian's part and I really hope they reconsider.    

We will have to look for alternative tools from other companies and dump all of our Atlassian products if this comes to pass.   Atlassian will lose a LOT of customers, especially across the entire defense industry/DoD if they stick to this plan of forcing everyone to the cloud.

Yes... this decision from Atlassian is very unpleasant for us too.
Security and privacy issues guided us to choose server versions for Atlassian applications.
Knowing that our internal and customer's data travel out of our local servers is a bit scary for us.

We are afraid that such a decision will force us to start looking for other tools, therefore leaving Atlassian products.

Trying to get us all on the same page across all of these threads.

It appears, based on their earnings report, that the future of DC is uncertain too. They claim to have all of their data center customers moved to the cloud in the medium term.

You can read it for yourself here...

https://community.atlassian.com/t5/Feedback-Forum-questions/Re-Re-Answering-your-questions-on-changes-to-server-and/qaq-p/1522838/comment-id/2454#M2454