Security of processing in Bitbucket Server and Data Center
The GDPR requires that personal data be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Which measures you use to secure personal data depends on the type of personal data processed, the risk to the individual and relevant industry standard practices. Security measures will vary on a case-by-case basis and should be chosen with the assistance of legal counsel. Below is a summary of the security tools and configurations available to you within certain Atlassian products, along with how to implement them.
Atlassian recommends that customers implement a secure and reliable network, in the infrastructure hosting our products, that ensures the protection of their users' data.
Using Bitbucket Server in the enterprise lists some general considerations and advice for running a production Bitbucket Server system.
Securing user connections
Atlassian strongly recommends that customers implement SSL to secure the TCP communication between Bitbucket Server and its users, or any other system interacting with it.
Proxying and securing Bitbucket Server covers a number of different ways to implement SSL with Bitbucket Server.
Bitbucket Server and Elasticsearch
Bitbucket Server 4.6 and above include Elasticsearch to support search functionality. For single-node Bitbucket Server systems, the default Elasticsearch configuration communicates with Bitbucket Server over an authenticated, encrypted connection. Multi-node Bitbucket Data Center systems must configure their own Elasticsearch installation.
Using an Elasticsearch cluster with Bitbucket Data Center gives advice on how to secure an Elasticsearch installation.
Load balancing a Bitbucket Data Center system
In Bitbucket Data Center, you are required to have a load balancer in place so that load is spread across the cluster nodes. For increased security, we recommend that you secure the communication between the load balancer and the Bitbucket Server nodes. Some examples are given in the Bitbucket Data Center installation guide.
If you are hosting your Bitbucket Server instance on a cloud service, work with your cloud service provider to develop a suitable plan for securing your environment.
See Securing Bitbucket Server in AWS for considerations when hosting in AWS.
Security best practice
Atlassian offers some best practices for securing both your network and your product. Please review the documentation about Configuring Confluence Security.
Atlassian security and BugBounty program
Atlassian releases regular security advisories to inform our customers about vulnerabilities. These can be viewed and tracked on the Bitbucket Server security advisories page.
Atlassian also offers the community a way to contribute to enhancing the security of our products through the Vulnerability BugBounty program.
Please note the following limitations:
- Bitbucket Server does not provide a data encryption feature.
- In Bitbucket Data Center, communication between nodes happens over TCP sockets but is unencrypted.
There may be limitations based on your product version.
Note that the GDPR workarounds described above have been optimized for the latest version of this product. If you are running a legacy version of the product, the efficacy of the workarounds may be limited. Please consider upgrading to the latest product version to get the most out of the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article, in support of your GDPR compliance efforts, applies only to personal data stored within the Atlassian Server and Data Center products. To the extent you have installed third-party add-ons within your Server or Data Center environment, you will need to contact the third-party add-on provider to understand what personal data from your environment they may access, transfer or otherwise process, and how they will support your GDPR compliance efforts.