Urgent Tips: Safeguarding SaaS Data During Cloud Migration & Beyond

Rewind & E7 Solutions | Last updated on July 29, 2024 | 9 minute read

Earlier this year, Atlassian brought its Server product to end-of-life (EOL), forcing IT administration and DevOps teams to abandon the on-premises data protection and compliance work they’d spent years carefully piecing together.

You may have been one of those unfortunate folks or a team tasked with swerving your organization through this unwanted but necessary transition to Atlassian Cloud. Without technical support or security updates for platforms that are mission-critical to your software development lifecycle, like Jira, Bitbucket, Trello, and Confluence, you know that simply migrating from on-premises to the cloud is not the end of a journey, but just one step.

You’re still facing the problem of what happens to all that data security and compliance work after the migration. How do you build the same guarantees in an environment you no longer control?

As partners to these organizations deeply affected by the Atlassian Server EOL, Rewind and E7 Solutions have listened to all the pain points and watched proudly as many organizations found viable solutions to secure their mission-critical SaaS data in the cloud.

As waypoints for your journey, here are ten of the most critical lessons we’ve learned along the way.

Lesson 1: Cyberattacks on SaaS data are getting smarter

In Verizon’s 2023 Data Breach Investigations Report (DBIR), 84% of all data breaches involved external actors, and 74% of breaches involved some human element.

Social engineering attacks have nearly doubled since 2022 to account for 17% of all breaches, with the most common vector being the well-known phishing attack, followed closely by the fast-growing pretexting attack, in which a false scenario gains your trust before convincing you to hand over confidential data.

Generative AIs capable of spoofing voices or mimicking a peer’s writing style only make phishing and pretexting attacks more powerful. Recently, a finance worker at a multinational firm handed over $25 million after being convinced he was on a Zoom call with his executive team discussing an acquisition, only to realize his “peers” were all deep-faked.

Third-party AI tools and assistants open organizations up to an entirely new scale of data loss. With full privileges to read and write data on your behalf, they can render your SaaS platform unrecognizable or empty at the speed of its GPU-accelerated cloud computing environment. In other words: Far faster and with less transparency than even the most malicious of human actors.

Lesson 2: SaaS platforms don’t protect your data by default

When you operate on-premises, there is no confusion over who owns, maintains, and is responsible for your data. If your servers crash or your office burns to the ground, data loss falls on your organization’s shoulders.

When working on a cloud-based SaaS, data security becomes a shared responsibility. The SaaS provider maintains the availability of their platform, but isn’t responsible for your organization’s data. Despite having backups of their entire platform, they have no way of restoring your granular data in the event of any of the attacks we just covered.

Unfortunately, many of these platforms also don’t offer robust, built-in backup features for organization-wide and individual data. You can export your data to a CSV or JSON file and download it directly to your local machine, but we all know that it fails to meet even the lowest standards for a reliable backup strategy.

Lesson 3: Recoveries are the hardest part of protecting SaaS data

How long can your SaaS platforms be down before your business starts hurting? That figure is your recovery time objective (RTO)—your goalpost for how quickly you should be able to recover from even the worst of data loss incidents completely.

Let’s say you had enough foresight to implement a manual process to export your mission-critical SaaS data every Friday afternoon and store the JSON file in a secure Amazon S3 bucket. In the event of a partial or complete data loss, how long would you need to download the file back to your local system, prepare the data in the format the platform requires, navigate through the product’s admin dashboard, wait for the upload to finish, and clean up any errors?

An RTO of even a few hours can be extremely challenging to achieve, even for the most savvy of IT/DevOps teams. If you want to shave off meaningful time and stressful manual work, a platform like Rewind automates daily backups and lets you recover Jira, Confluence, Bitbucket, or Trello data with a single click.

Lesson 4: Compliance basics require a few must-haves

The scope and severity of compliance requirements are wildly different from one organization to the next, but for a safe baseline, look for data partners offering features like:

  • Multiple data residency regions so you can store personally identifiable information (PII) in the same place where it was created
  • Granular restores and on-demand recovery so you can pinpoint exact files that have been edited or deleted over time
  • SSO support for SAML-based identity providers (IdPs) such as Okta, OneLogin, or Auth0 to simplify how you create, maintain, and restore SaaS data
  • An enterprise-ready audit log that centralizes all your users’ activities, such as on-demand backups, restores, logins, account creations/deletions, and more
  • Readily available SOC 2 Type 2 reports detailing a provider’s security controls over time for data security assurances
  • Use of AES-256 encryption both at rest and in transit

One more nice-to-have? Assess whether your providers participate in bug bounty programs to proactively detect vulnerabilities through crowdsourcing, as Rewind does with the Atlassian Marketplace Security Bug Bounty Program.

Lesson 5: Look for GDPR data residency policies and Data Processing Addendums

When working with users living in any country of the European Economic Area (EEA), which includes all 27 members of the European Union plus Iceland, Liechtenstein, and Norway, you must control and process your data within the EEA. Protections specified by GDPR on data collected in the EEA follow the data to any new region and SaaS environment in the cloud.

Any third-party data security platform you engage with should offer data residency options and publicize an approved mechanism for transferring data outside the EEA, detailed in a Data Processing Addendum (DPA). This binding agreement should clarify the roles and responsibilities of the vendor and customer, give a clear definition of a “security incident,” and detail steps to remedy incidents.

Rewind, for example, offers data residency by asking you to choose between one of three supported regions—EEA, US, or Australia—during your initial setup process, and publishes a public DPA for full transparency.

Lesson 6: Cloud migrations smooth some HIPAA compliance hurdles and sharpen others

Complying with HIPAA regulations can be easier with Atlassian, as the company already offers comprehensive privacy and security protections.

A migration to Atlassian Cloud, unfortunately, doesn’t fix the human element of data security risk. You still need to tag and secure PHI-related fields in your SaaS data to disable email/push notifications as HIPAA requires and verify the compliance of all third-party apps you add to your SaaS platforms in Atlassian Cloud. Your current training and security review programs can’t go away either—you need continuous diligence to stay compliant in the cloud, even with technical help from Atlassian.

Navigating ongoing human risk is one area where an experienced consultancy like E7 Solutions pays off—with their expert help, your talented teams can focus on larger-order business goals, not endlessly changing policy and the doldrums of internal training.

Lesson 7: Understand all the limits and pricing terms of your data security partners

Securing your mission-critical SaaS data shouldn’t come with bill shock.

Probe your potential data security platforms with a few vital questions:

  • How frequently is my Atlassian Cloud data backed up?
  • How long will the provider retain previous snapshots on my behalf?
  • Are there any fees associated with transferring or storing data with the provider?
  • Are there any fees associated with running on-demand restores of my SaaS data?

For example, Rewind offers daily snapshots and 365 days of retention for daily backups, with no limits on the size of your SaaS data. There are also no additional fees for data transfer or for on-demand restores of your SaaS data.

Lesson 8: Be wary of acquisitions or other compliance-triggering business changes

Every time your organization acquires another, you don’t just get their IP and employees—you get all their data, security risk, and compliance unknowns.

The consultants at E7 Solutions recently worked with the Information Security Risk and Compliance (ISRC) team at a major social good technology company that struggled with disparate workflows and strategies from multiple Jira Service Management (JSM) instances in the cloud. Each new acquisition sowed compliance issues and new worries about data security. After aligning all the disjointed processes onto a single platform, their ISRC team can deal with data and compliance issues quickly.

The good news is that once you’ve locked in a compliance-ready partner for securing your mission-critical SaaS data, you can more easily roll new instances, users, and essential knowledge into your existing plans.

Lesson 9: Look for Atlassian-approved partners

There are countless ways to back up data, from custom Bash scripts to exporting CSV/JSON files to fully automated SaaS experiences like Rewind. The inherent flexibility is part of what makes managing data such an exciting challenge for IT and DevOps leaders.

Not all solutions are created with Atlassian products in mind, and others have sprung up solely to capitalize on the Atlassian Server EOL. To help you distinguish proven solutions from unknown ones, Atlassian maintains a Solution Partner Program, invests in promising startups that support their customers, and awards proven solutions.

For example, Rewind is backed directly by Atlassian Ventures, won New Cloud App Partner of the Year 2022, and proudly participates in the Cloud Fortified Apps program. E7 Solutions is an Atlassian Platinum Solution Partner and has won multiple Partner of the Year awards.

Lesson 10: What’s next?

If you’re feeling overwhelmed after all these compliance-driven lessons, take some comfort in knowing that in many organizations’ transition from on-premises to SaaS software, the risk to data security and compliance doesn’t necessarily escalate but rather mutates.

If you operate with complex compliance requirements, manage acquisitions while migrating to the cloud, or have too large or essential a system to steer yourself, E7 can guide your journey to the cloud with Atlassian. With their Cloud Migration Packages, the transition becomes seamless and cost-effective.

Once you’re in Atlassian Cloud, either with E7’s assistance or having bravely bushwhacked a path, get Rewind to secure all of your mission-critical SaaS data surrounding your software development lifecycle.

Having the right data security and compliance partners on your side, with thorough experience in implementing these cloud-specific lessons and more, ensures that the next time you’re inevitably hit with data loss, it’s just one baby step back on that cloud migration journey, not a shortcut straight back to the beginning.

About E7 Solutions

E7 is a Michigan-based Atlassian Platinum Solution Partner that guides growth-minded companies through digital transformation. They are focused on improving collaboration, productivity, and efficiency. As transformation enablers, E7 is highly specialized in all aspects of service management and platform migrations.
