How to find sensitive data in your Jira, Confluence & attachments

Have you checked Jira and Confluence for PII?

Sensitive data finds its way into Jira and Confluence. We are aware of passwords, AWS keys, personal identifiable information (PII), and other items finding their way into customer systems. Given that so many users in your organisation are creating tickets and writing pages, this is not surprising. Sometimes, companies have policies to prevent this - but these are on paper only. We now provide a way of checking your entire Confluence or Jira instance for sensitive data items.

In an age when almost everything is done or available online, collecting PII is an important part of business. Being able to identify, contact and classify customers in a reliable, repeatable way is essential to providing the kind of customer service that will keep people coming back time and again. From a legal stand point, the responsibility for protecting and processing PII does not solely fall on organisations.

In the European Union, directive 95/46/EC defines “personal data” as information which can identify person via an ID number, or factors specific to physical, physiological, mental, economic, cultural or social identity.

However, according to a study by Experian, 42% consumers believe that it is a company's duty to protect their personal data and 64% admitted they would be discouraged from using a company’s services following news of a data breach. Coupled with the fact that four in ten UK businesses (39%) reported having cyber security breaches or attacks in 2020 alone. This rises to almost two thirds (65%) of mid to large businesses. Experian have some great advice on how to be prepared (or as prepared as you can be) for the inevitable cyber attack, but prevention is better than cure and the more personal identifiable information you can remove from your internal systems, the fewer people you have to contact WHEN an attack happens. The alternative is - can you really afford to take a chance on loosing two thirds of your customer base over night?

So, what can you do?

There are a range of options available for scanning for PII when performing security audits of your systems, but as good as they are, they can’t find sensitive data in Jira, Confluence or their associated attachments. These amazing products from Atlassian are great for work management and collaboration and are used by thousands of companies across the globe. However, there are currently ZERO services publicly available that can not only dive into your Jira and Confluence instances but their associated attachment files to locate that lost, forgotten or hidden sensitive data.

That’s where the BDQ PII Service steps up. As Atlassian Solution partners with Atlassian certified experts on staff, if any company was qualified to create a way to search Atlassian products for this kind of data, it’s BDQ. BDQ actually stands for “Business Data Quality” - our technical experts have a history in data quality profiling tools. This has allowed us to create proprietary technology that can not only help you identify and locate the PII in Jira and Confluence, including attachments, but it also prioritizes the results so that you can process the most critical items first.

As PII can not only be attained from external sources (customers) but also internal sources (employees) it is recommended that you conduct regular searches for sensitive data across your entire instance. This will help you stay on top of processing errant data and limit the scope of damage should you be the victim of a hacker. But the benefits of regular PII scans don’t stop there. It also helps to develop good habits within your company regarding regular preventative maintenance and may also assist you to identify patterns in how data is being accessed and saved by your employees leading you identify weak links in your data processing procedures.

In summary - we recommend repeated audits, as is it almost impossible to control what customers or users are adding into your system.

We also recommend that you conduct PII scans any time you transfer your data to a third party for any reason. This is especially important as you have no idea what that third party will do with your data or how their security will protect your data. Also a scan is a good idea anytime you have to perform a backup of your data or if you are planning on migrating to the Atlassian Cloud.

But, how does it work?

The service analyses the complete backup of your Jira or Confluence instance. This can be run on-prem behind your own firewall with all your own security in place or we provide your own dedicated AWS Cloud instance, hosted in the region of your choice (the default is UK). It analyses the data, logging PII items by location and severity. You can begin to eradicate the items we’ve found. You have complete control of the scan results and can choose to keep the information for further study (pattern analysis, infrastructure restructuring, etc) or you can choose to delete the results forever.

Our program is set up for a huge range of PII types including (but not limited to) credit card numbers, email addresses and passport numbers.

However, if there is a specific type of PII you would like included in your scan results, let us know and we will do our best to accommodate you.

Finally - if there is another source that needs checking e.g. folders and files, please get in touch.

Useful Links:

BDQ PII Services page

Atlassian Cloud Services page

BDQ Enhancement Hours page

Summary

We know that security in the digital world is a serious consideration. The other fantastic offerings out there go a long way in helping you control the level of Person Identifiable Information in your stored data. But the PII Service from BDQ is currently the ONLY solution that can scour your entire Jira or Confluence instance, on either Server or Cloud, including attachments. Plus, our service can be customized to meet your needs whether it be a variation on the type of PII or where you’d like us to search. And you get the peace of mind knowing that you are in complete control of the scan results whether they are on your own on site instance or hosted securely on a dedicated AWS Cloud instance.

For more information, take a look at our PII Service page, or if you have further questions, please get in touch. Let’s talk about what you need.