Today's blog post is brought to you by Anna Odrinskaya. Anna is a Chief Strategy Officer over at Alpha Serve.
Founded in 2003, Alpha Serve is dedicated to helping its customers achieve their goals by increasing process excellence, creating reliable project teams, and delivering high-quality custom software development.
With 10 years of experience in corporate processes and project management, Anna is currently creating and bringing to life Alpha Serve’s business strategy. She is responsible for product portfolio management, marketing, and business development.
A guide on securing your Atlassian products with 2-Factor Authentication
Are you considering 2FA for your Atlassian products such as Confluence, Jira, and Bitbucket? If that’s the case, this post covers everything on the matter. We start by telling you why securing your Atlassian products is paramount. Next, we cover the issues you might face when using these tools and suggest possible solutions. And to brush up on your knowledge, we briefly touch on 2FA - what it is, its pros and cons, and why it’s essential. Importantly, before summing it up, we highlight the different ways to add two-factor authentication (2FA) to your Atlassian products.
Why is securing your Atlassian products so important?
Each Atlassian product contains sensitive information. For example, Confluence is a repository of useful data, including strategic plans, minutes of meetings, and business Key Performance Indicators. Jira, on its end, manages projects, products, and features still in development. Bitbucket plays its role by holding a project’s source code.
Given the sensitivity of the data these products hold, it is essential to secure access to them: a single compromised account exposes everything that account can read. Here are some more reasons for safeguarding your Atlassian products:
- To reduce exposure to constantly evolving threats, above all stolen or reused passwords.
- To cut the cost spent on adding extra layers of defensive technology.
- To avoid monetary losses and deteriorating trust with your clients.
- To safeguard the brand reputation and build loyalty.
On a side note, one widespread measure customers adopt against data leakage is signing an NDA with contractors, partners, and employees. An NDA is a useful contractual control, but it does nothing against an outsider who logs in with a stolen password; 2FA adds the technical control on top of it.
How does Atlassian address security for its products?
The good news for customers is that Atlassian invests heavily in protecting its solutions. At the moment, some of its key security practices include:
- Data encryption during transmission and storage.
- The use of third-party services to detect vulnerabilities.
- Compliance with industry cloud security standards such as FedRAMP and ISO 27001.
- Real-time publication of system status to customers.
- SAML-based single sign-on (SSO) for its cloud products.
- Automated user provisioning and de-provisioning (SCIM).
These controls sit on Atlassian's side, however; none of them stops someone who has obtained a valid username and password from logging in. That is why 2FA is worth adding as an extra layer on the login itself, across the various Atlassian products.
What Is 2FA?
Two-factor authentication (2FA) is a security mechanism that requires two independent proofs of identity before granting access to an account. The two factors must come from different categories (two passwords are not 2FA):
- Something the user knows, such as a password or PIN;
- Something the user possesses, such as a phone, an authenticator app, or a hardware key;
- Something the user is, such as a fingerprint or face.
2FA adds a layer that checks that the person trying to access an account is who they claim to be. How does it work? First, users provide their username and password. Next, instead of gaining access right away, they have to provide a second confirmation: a code generated on or sent to the user's smartphone, a touch on a hardware security key, or a biometric such as a fingerprint.
Types of 2FA
With 2FA, you need to confirm your identity using more than a password. Access to an account is only provided when you provide the second verification factor. With that, we come to the various kinds of second-factor authenticators.
- SMS: Delivers a one-time numerical code that the user types in to gain access. This is the weakest option: the code can be phished like a password, and a SIM-swap attack redirects it to the attacker's phone.
- Authenticator applications: Generate one-time codes (TOTP, RFC 6238) from a secret shared at enrolment, so they work offline. The codes are short-lived but can still be phished in real time.
- Universal second factor (hardware security key): A U2F/FIDO2 key that the user plugs into a device or taps against an NFC-enabled phone. The key signs a challenge bound to the site's origin, which makes it phishing-resistant; a fake login page cannot obtain a valid signature for the real site.
- Biometrics: Grant access after verifying the user's fingerprint or face, usually by unlocking a key held on the user's device rather than by sending the biometric itself to the server.
Pros and cons of 2FA
The upsides of 2FA include strong protection of sensitive information, better network security, and no access for a third party who has obtained only the password, for example from a lost or stolen device. The downsides can be a longer login process, integration issues, a time-consuming setup, and the need for a recovery path (such as backup codes) for users who lose their second factor.
Why 2FA is a must
Cybercriminals today are more ingenious than ever and have devised more sophisticated ways to steal passwords. While 2FA may seem like extra work, operating without it leaves every account you have online one stolen password away from takeover. Adding the extra layer makes it much harder for attackers to use what they steal. Moreover, modern 2FA solutions are easy to set up and user-friendly, providing quick and secure access.
How to add Two-Factor Authentication (2FA) to your Atlassian products
Passwords alone have become impractical and downright risky for the average Atlassian products’ user. Whether you are using one or multiple Atlassian products, 2FA is the best way to keep your data safe. But how do you add two-factor authentication to your Jira, Confluence, or any other Atlassian software? Here are three ways you can do that.
2FA with Atlassian Access (for Cloud)
Atlassian Access is an enterprise-level subscription that lets you apply organization-wide security policies to the Atlassian accounts using Jira Service Desk, Jira, Confluence, Trello, and Bitbucket. It's built for users of Atlassian Cloud products and works as both a security and an administrative tool. One of its main features is enforced two-step verification for managed accounts.
SAML Two-Factor Authentication
If you use Atlassian products on Server or Data Center rather than Cloud, Atlassian Access won't work for you. The second option is to use a trustworthy Identity Provider (IdP) and SAML to authenticate logins to your Atlassian products. With SAML (Security Assertion Markup Language), the IdP authenticates the user, including the second factor, and sends the Atlassian product (the service provider) a signed assertion stating who logged in and how; the product trusts that assertion instead of checking a password itself. Two things matter on the receiving side: the assertion's signature must be verified, and the product should accept only assertions whose authentication context actually denotes a second factor, otherwise a password-only login at the IdP is treated as if it were 2FA.
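The following added example (written for this article, not code from Atlassian, any IdP, or Alpha Serve) shows the post-signature checks a service provider should run on an incoming SAML assertion before treating the login as two-factor: validity window, audience, and the AuthnContextClassRef. The assertion is a constructed, unsigned sample; the issuer, audience and timestamps are made up. It assumes the XML signature has already been verified by your SAML library, which this code deliberately does not attempt. The set of context classes counted as MFA is a policy choice: the two listed are defined by the SAML 2.0 authentication context specification, and you should add whatever value your own IdP emits after a second factor.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# AuthnContextClassRef values this relying party accepts as proof of a second
# factor. Both are from the SAML 2.0 authn context spec; IdPs also emit
# vendor-specific URIs, which you would add here after checking the IdP docs.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

# Constructed sample assertion (no signature, fictitious issuer and audience).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-assertion-1" Version="2.0"
                IssueInstant="2021-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-03-01T09:59:00Z"
                   NotOnOrAfter="2021-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://jira.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2021-03-01T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
""".strip()


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally with
    fractional seconds; return an aware datetime."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_mfa_assertion(assertion_xml: str, expected_audience: str,
                        now: datetime, clock_skew_s: int = 60) -> Tuple[bool, str]:
    """Return (accepted, reason). Caller must have verified the XML signature
    first; this only inspects the claims the signed assertion carries."""
    root = ET.fromstring(assertion_xml)
    if root.tag != ASSERTION_TAG:
        return False, "not a SAML assertion"

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window"
    skew = timedelta(seconds=clock_skew_s)
    if now + skew < parse_saml_time(conditions.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= parse_saml_time(conditions.get("NotOnOrAfter")):
        return False, "assertion expired"

    # An assertion minted for another service provider must not be accepted here.
    audiences = {(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if expected_audience not in audiences:
        return False, "audience mismatch"

    # The part that makes this "2FA": the IdP must say how the user authenticated.
    classes = {(c.text or "").strip()
               for c in root.findall("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)}
    if not classes & MFA_CONTEXT_CLASSES:
        return False, "no MFA authentication context: " + ", ".join(sorted(classes) or ["none"])
    return True, "ok"


if __name__ == "__main__":
    login_time = parse_saml_time("2021-03-01T10:01:00Z")
    print(check_mfa_assertion(SAMPLE_ASSERTION, "https://jira.example.com", login_time))
```

If the IdP can be configured to require a second factor for this service provider, this check is your confirmation that the configuration actually held for the session in front of you; rejecting assertions that only carry PasswordProtectedTransport closes the gap where an IdP policy change silently downgrades every Atlassian login to password-only.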
Setting up an IdP and SAML might sometimes be more than you need. That leads us to the third option, which is perhaps the easiest way to secure your Atlassian software with 2FA: 2FA plugins from the Atlassian Marketplace. The majority of plugins you'll find there come with both Server and Data Center hosting options.
Among the top vendors in this sphere is Alpha Serve, which offers trusted 2FA plugins for various Atlassian software. The good thing is that the add-ons come with a free trial period, which gives you some time to try them out. The 2FA you can try out includes the following.
U2F & TOTP
2FA for Confluence
This add-on lets Confluence administrators secure user login in a relatively quick and straightforward way. It supports U2F and TOTP, which means you can use it with U2F/FIDO2/WebAuthn hardware keys and code-generating mobile apps. You can customize settings to dictate who must use 2FA to log in, track their login activity, and more.
2FA for Jira
You get the same benefits as 2FA for Confluence: U2F & TOTP with this app for Jira and Jira Service Desk. The plugin is easy to install and configure and comes with advanced features such as brute-force defense and IP address whitelisting.
2FA for Bitbucket
For Bitbucket, you can use 2FA: U2F & TOTP to secure and track user logins. Like the previous two plugins, you can install it on either Data Center or Server instances. It also allows administrators to limit and control access, require users to enroll in 2FA, and let users skip repeated prompts on a trusted device with the Remember Me option.
2FA for Crowd
2FA for Crowd: U2F & TOTP secures the single sign-on that Crowd provides with a strong second factor. The plugin supports hardware keys such as TapID, Nitrokey, and Yubico YubiKey alongside code-generating mobile apps. Moreover, like the other Crowd apps, it's free of charge.
2FA for Fisheye/Crucible
Using Fisheye and Crucible, whether together or separately, means handling sensitive data (source code, code reviews, and reports). 2FA for Fisheye/Crucible: U2F & TOTP reduces the risk of account takeover through stolen credentials by requiring a second factor at login. Like the other Alpha Serve plugins, it lets you whitelist IP addresses and use FIDO2/WebAuthn keys and TOTP applications.
2FA for Bamboo
Last is 2FA for Bamboo: U2F & TOTP, which adds a solid layer of protection to Bamboo logins. This app lets you select the groups of users who must use 2FA to access sensitive data, supports backup codes for recovery, and more.
Alpha Serve 2FA products use case
To better understand the challenges the 2FA apps can solve for your business, let's look at a customer use case shared by the Alpha Serve team. One of the businesses that has successfully implemented Alpha Serve's security solutions is a well-known academic institution. The client uses Confluence, Jira, and Jira Service Desk in its IT system and was looking for a way to protect sensitive data in its repositories and secure it when sharing. The institution's default security measure was to limit access to Jira and Confluence to its local networks. Additionally, it had disabled automatic and anonymous login to its systems.
However, these measures became problematic when the institution wanted to allow remote access by individuals and other systems, which became especially pressing under COVID-19 restrictions. Under the existing policy, contractors and engineers could not log in to see tasks and work on them away from the facility. The institution therefore wanted to solve the login problem for external users without complicating the login process for local day-to-day users.
After a trial run of Alpha Serve's 2FA apps for Jira and Confluence, the institution gave feedback on what needed improvement to suit its needs. Alpha Serve customized the plugins, and the institution bought them for daily use. It is now confident that its data stays protected even when users access it remotely.
Having many users log in to your Atlassian software from external devices carries real risk. If you haven't secured your Atlassian products with 2FA, a single phished, reused, or stolen password is enough for an attacker to get in. There are several ways to implement 2FA; for Server and Data Center instances, 2FA plugins stand out for their simplicity and convenience.