
You're reading from  Implementing Atlassian Confluence

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781800560420
Edition: 1st Edition
Author: Eren Kalelioğlu

Eren Kalelioğlu is an expert in collaboration technologies based in Istanbul. With over 15 years of experience, he mastered Confluence and Atlassian Cloud products, earning the prestigious Atlassian Certified Expert (ACE) credential. As a former CTO at one of Turkey's leading private education institutions, Eren spearheaded educational transformation through innovative technology. He recently founded Ponsatlas, a startup specializing in collaboration technologies. As an Atlassian Solution Partner, Ponsatlas is dedicated to helping companies worldwide realize their potential using Atlassian products.

Assuring Security and Compliance

In this book, we only use Confluence’s Cloud version. Therefore, it’s important to note that your security-related work here is easier than with the Server and Data Center versions. However, this does not mean that you are 100% secure. You should still put in a lot of effort to keep the environment safe. In this chapter, we will give numerous security-related tips and a short yet practical guide to keeping your Confluence environment much safer.

In this chapter, we will cover the following topics:

  • The basic concepts of information security
  • The advantages of the Confluence Cloud edition over the Server and Data Center editions
  • Security measures on Confluence
  • Atlassian Access

The basic concepts of information security

Being familiar with the basic concepts related to information security will significantly assist you in securing the Confluence environment you manage. Here, we will go over a few of them:

  • Authentication: Verifying users’ identities helps ensure that only authorized individuals gain access
  • Authorization: Determining what different users and roles can access helps prevent information from falling into the wrong hands
  • Encryption: Encrypting sensitive information in storage and during transmission makes unauthorized access more difficult
  • Firewalls and network security: This helps protect a network against internal and external threats
  • Data integrity: Maintaining the accuracy and consistency of data is critical for secure and accurate decision-making
  • Privacy and compliance: Personal and sensitive data must be protected, and appropriate legal and regulatory requirements must be met (e.g., GDPR)
  • Monitoring...

The advantages of the Confluence Cloud edition over the Server and Data Center editions

By using Confluence’s Cloud edition, you're delegating numerous routine operations related to information security to Atlassian, which is one of the biggest advantages of cloud-based services. In this section, we will briefly summarize the advantages of using the cloud-based edition of Confluence:

  • Updates and patching: Security updates and patches are applied automatically in the Cloud edition, providing rapid protection against security vulnerabilities and eliminating manual patching
  • Compliance with regulations: Confluence Cloud often ensures compliance with specific legal and regulatory standards (e.g., GDPR), reducing the need for organizations to manage these requirements independently
  • Network security: Atlassian manages network security against threats such as DDoS attacks, reducing the in-house security burden
  • Data encryption: Confluence Cloud ensures...

Security measures on Confluence

Learning what you can do regarding security will help create an effective and sustainable information security policy. It is also beneficial to think about the following layers of security in the Confluence environment:

  • Atlassian site and Confluence security settings
  • Securing user accounts
  • Securing Confluence spaces
  • Securing Confluence pages
  • Security on Atlassian Marketplace apps
  • Securing integrations

Atlassian site and Confluence security settings

When you view Confluence’s settings, you will see many options in the SECURITY section.

Figure 12.1 – The SECURITY section of the Atlassian site and Confluence security settings

As shown in the previous screenshot, there are six options in the SECURITY section:

  • Users
  • Groups
  • Security Configuration
  • Global Permissions
  • Space Permissions
  • Analytics Permissions

Now, let’s go through these one...

Atlassian Access

Atlassian Access is another Atlassian product. Therefore, it falls outside the scope of this book. However, due to its frequent use with Confluence, we want to provide an overview of Access.

Atlassian Access is included in the Enterprise plan and is available to buy as a separate product if you are signed up to another plan, such as Premium.

With Access, you can make Confluence much more secure by providing additional authentication options and controls, allowing for a more robust defense against potential risks. Integrating Access with Confluence can form a seamless and safer user experience, reinforcing your organization’s security posture.

Your Atlassian Access subscription will apply across an organization, linking Atlassian Cloud services with your identity provider. This connection allows you to implement advanced authentication features and provides further supervision across different domains of your business. The key benefits are as follows:

  • Connecting...

Additional recommendations for security

Here are some additional recommendations to improve the security of your Confluence environment:

  • Define security roles and responsibilities: We advise determining clear roles and responsibilities for security within your organization to ensure accountability and effective management.
  • Create and implement a robust information security policy: It is essential to craft a comprehensive information security policy and put it into action. This should guide all security-related decisions within an organization.
  • Plan and execute routine security operations: Regular security operations such as audits, checklists, and development should be planned and carried out consistently. This systematic approach helps maintain a secure environment.
  • Include security in every process: Integrating security considerations into every process ensures that it is a central focus, reducing vulnerabilities at every workflow stage.
  • Apply change management...

Summary

In this chapter, we explored various aspects of security and permissions within Confluence, focusing on creating a robust environment that safeguards data and user access. We delved into the distinctions between default space permissions and individual spaces, detailing how the former allows administrators to set up default authorizations for newly created spaces.

We also examined the Analytics feature, emphasizing the importance of defining user groups with access to this functionality.

We highlighted the importance of utilizing Atlassian's Access product for increased security. Then, we reviewed its various capabilities, including two-step verification and password requirements. We also investigated the detailed controls to secure spaces and pages within Confluence.

We provided guidelines to select and use apps from the Atlassian Marketplace, emphasizing careful consideration of a developer’s credentials, the app’s Privacy & Security tab, and...

Questions

  1. What is the purpose of using Atlassian’s Access product for Confluence security?
  2. How can an administrator set permissions to use Analytics in Confluence?
  3. What should be considered when selecting and using apps from the Atlassian Marketplace?
  4. How can a space administrator in Confluence control permissions within a space?
  5. What are some of the options to restrict access to a page in Confluence?
  6. What does the Cloud Fortified certification mean for an app in the Atlassian Marketplace?
  7. Why is it essential to follow updates and changes to Confluence closely?

Answers

  1. Atlassian’s Access product provides enterprise-grade authentication features for Confluence, allowing for higher security. It enables two-step verification, password requirements, idle session duration, and additional oversight across company domains, thus enhancing the overall security of user accounts.
  2. The administrator can define which user groups can access the Analytics feature in Confluence through the interface that controls permissions, ensuring only authorized groups can utilize this functionality.
  3. When selecting apps from the Atlassian Marketplace, it is advisable to research the developer, read the app’s information on the Privacy & Security tab, and preferably choose apps with the Cloud Fortified certification, ensuring compliance with specific security standards.
  4. A space administrator can define who has specific permissions within a space through the Confluence interface. This detailed control allows the administrator to manage...