Atlassian introduces Bring Your Own Key (BYOK) encryption for cloud products: Reduced risk - Improved data management - Increased control

Since the company's founding, Atlassian has focused on privacy and protecting customer data. For example, cloud customers can decide where their primary data is stored, whether they need mobile device management and IP positive lists, and whether they want to rely on security controls such as a SAML SSO and SCIM user lifecycle management.

Now, another security control has been added: To increase the level of security, especially when dealing with sensitive data, Atlassian has introduced Bring Your Own Key (BYOK) encryption for its cloud products. This is currently available for all Jira Software customers with an Enterprise plan.

Note: Bring Your Own Key for Confluence is currently available as part of an Early Access Program (EAP) to a limited number of customers with Enterprise plans. If you are interested in participating in the EAP, contact your Atlassian consultant - they can provide more information on it.

What is BYOK encryption?

Bring Your Own Key describes a concept for the encrypted storage of data on a cloud platform - in this case, the Atlassian Cloud. This means that although Atlassian still performs the encryption and decryption of data, the keys required for this are generated and hosted by the customer or user. This gives customers more control over the management of their keys and the ability to revoke access at any time - both for their own end users and for the Atlassian system.

Atlassian continues to be responsible for the encryption software and algorithm.

What are the benefits of BYOK encryption?

BYOK encryption comes with several benefits for Atlassian customers:

  • Reduced risk: BYOK encryption adds another layer of protection for sensitive data. By hosting your own encryption keys, you manage and control the keys at all times
  • Improved data management: Access to encryption keys hosted in the AWS customer account can be logged and monitored via AWS CloudTrail.
  • Increased control: Users can revoke access to their encryption keys without relying on a provider.

How to use BOYK encryption?

Without BYOK encryption, all customer data is encrypted both in transit and at rest using keys managed by Atlassian in the AWS Key Management Service (KMS), and the keys are shared among customers. With the incremental introduction of BYOK encryption, Atlassian customers will be able to encrypt cloud product data with keys generated and hosted in their own external AWS account. To do this, AWS KMS simply integrates with AWS CloudTrail in the AWS customer account and can provide logs of key usage. This solution enables the encryption of data at different levels in the respective applications.

customer-infrastructure

Note: When customers enable BYOK encryption for an Atlassian product, they must set up an AWS KMS account and a specific service role. This account must also be dedicated exclusively to Atlassian products.

Published: Nov 7, 2023

Updated: Oct 28, 2024

Atlassian