What is the Zero Trust security model (at Atlassian)?
In earlier times, the “castle and moat” network security model ruled the day: no one got access to data unless they were inside the network. Conversely, everyone got access to data as soon as they were inside the network. Like a castle: once the drawbridge was lowered and the moat was crossed, one had open access inside the castle (on the network).
This model needs extensive security systems such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) to ensure that not everyone can cross the drawbridge. Employees outside the network can connect via a virtual private network (VPN).
Problems of the “castle and moat” model
The model just explained is simply no longer suitable for current cloud needs. Today, data is no longer stored locally behind a single castle wall, but may be distributed across multiple cloud providers such as AWS.
The major security problem of the “castle and moat” model is that an attacker can cause unrestrained damage once they have crossed the drawbridge and are in the network. Firewalls and the like can stop some attacks, but once an attack has happened, the damage is enormous.
Here comes the Zero Trust model
The Zero Trust model, which is widely used around the world, follows the approach of constantly checking the security of individual users, devices and assets, regardless of the network from which they log on. Unlike the “castle and moat” model, zero-trust assumes security risks inside and outside the network. Nothing is trusted by default. This is where the name “zero trust” comes from.
Imagine that the castle has been turned into a museum. You surely have some statues and exhibits that need special protection. Although you strictly control entrances, you would want to use cameras and additional protective measures to ensure that all visitors are compliant.
Zero-trust means continuously authenticating credentials and devices and generally restricting access to information.
Principles of the Zero-Trust Architecture
The following principles are the foundation of the new security model:
- Never trust. No one.
  Sounds harsh, but it is the means to success. All users can be verified at any time. Location alone is not an indication of trust.
- Dynamic access controls
  Routine authorization checks ensure that no potential risks are overlooked.
- Access only with authentication
  Access to data is granted only when the identity of users is authenticated.
Zero Trust at Atlassian
- Establish strong user identity and authentication processes
  Multi-factor authentication (MFA), such as a password combined with a token, can strengthen data security.
- Authenticate devices
  Unverified endpoints such as cell phones present a security risk. For this reason, Atlassian enrolls devices in a Mobile Device Management (MDM) program.
- Use access management
  Under the least privilege principle, users have only minimal access rights. If a hacker obtains a single user’s credentials, predefined roles and user access restrictions can prevent immense damage. With Atlassian Access user management, different user groups can be created.
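The three measures above (MFA, enrolled devices, least-privilege roles) can be read as checks applied to every single request, while the “castle and moat” model only asks where the request comes from. The following sketch is an added example, not Atlassian code or an Atlassian API; the device list, role table, field names and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical data for illustration only.
ENROLLED_DEVICES = {"laptop-4471"}        # devices enrolled in the MDM program
ROLE_GRANTS = {                           # least privilege: role -> allowed (resource, action)
    "support": {("tickets", "read"), ("tickets", "write")},
    "finance": {("invoices", "read")},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    password_ok: bool
    token_ok: bool                        # second factor
    device_id: str
    on_internal_network: bool
    resource: str
    action: str

def perimeter_decision(req):
    """Castle and moat: being inside the network is the only check."""
    return req.on_internal_network

def zero_trust_decision(req):
    """Check every request; network location is never consulted.
    Returns (allowed, reason)."""
    if not (req.password_ok and req.token_ok):
        return False, "mfa_failed"
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device_not_enrolled"
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        return False, "not_permitted_for_role"
    return True, "ok"

# Constructed sample requests.
STOLEN_PASSWORD_INSIDE = Request("alice", "support", True, False,
                                 "unknown-phone", True, "invoices", "read")
REMOTE_EMPLOYEE = Request("bob", "support", True, True,
                          "laptop-4471", False, "tickets", "write")
OVERREACH = Request("bob", "support", True, True,
                    "laptop-4471", True, "invoices", "read")

if __name__ == "__main__":
    for name, req in [("stolen password, inside", STOLEN_PASSWORD_INSIDE),
                      ("remote employee", REMOTE_EMPLOYEE),
                      ("valid user, wrong resource", OVERREACH)]:
        print(f"{name:28} perimeter={perimeter_decision(req)!s:5} "
              f"zero_trust={zero_trust_decision(req)}")
```

The perimeter check admits the stolen password because the request originates inside the network and turns away the legitimate remote employee; the per-request checks reverse both outcomes and also stop a valid user from reaching data outside their role.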
Atlassian’s implementation of Zero-Trust can help protect your modern enterprise from today’s security threats. Implementing the Zero-Trust strategy is a trusted safeguard to avoid heavy penalties for violations of policies such as GDPR, CCPA, or HIPAA.