Bamboo: Security of processing

Introduction

The GDPR requires that personal data be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. What measures you use to secure the personal data depend on the type of personal data processed, the risk to the individual and relevant industry standard practices. Security measures implemented will vary on a case-by-case basis, and should be chosen with the assistance of legal counsel. Below is a summary of security tools and configurations available to you within certain Atlassian products, along with how to implement them.

Please note that Atlassian recommends that customers implement a secure and reliable network that ensures the protection of its users' data in the infrastructure that is hosting our applications.

Securing Your Infrastructure

Atlassian strongly recommends that customers implement SSL to secure the TCP/IP communication between Bamboo, Bamboo agents, Bamboo users or any other system interacting with Bamboo. Depending on your organization's needs, the following documentation may be helpful:

Agents

Remote agent

Default communication between remote agents and your Bamboo server is not encrypted. Please read Securing your remote agents for more details on securing the communication.

Elastic agent

Communication between an elastic agent and the server is encrypted by default through an SSH tunnel. You may also use a VPC. Please read Elastic Bamboo Security for more information.

Bamboo Server

Security best practices

Atlassian offers best practice guides for securing both your network and your application. Please read Best practices for Bamboo security for more information.

Upgrades and Updates

You should keep Bamboo up to date as this helps protect your application from security threats. We recommend upgrading Bamboo to the latest available version regularly. Release notes will give you an overview of what's changed between versions: Bamboo release notes.

There are several ways to upgrade Bamboo, and the method you choose to use depends on which version of Bamboo you use, and the type of environment you use it in. Please read the Bamboo upgrade guide for more information.

Health checks

A health check will check your application for known issues. Our Premier Support team can help you run health checks on a quarterly basis on your installed products in production, QA, and staging environments to help prevent outages and ensure best practices are followed. During a health check, our team will look for known issues with configurations, compatibility, driver versions, performance conditions, memory settings, and other improvements. Health checks can be very helpful as a preventive tool for production outages and slowdowns as well as during system upgrades to ensure success. This information is collected to generate a system health baseline report and prescriptive roadmap that recommends how you can improve performance, scalability, and productivity of your Bamboo instance.

More information:

Monitoring

Atlassian provides a best practice guide for system administrators who would like a clearer view of what's happening in their instances and want to get the most out of Atlassian Support. The guide describes what we consider the best tools for monitoring and analyzing diagnostic data produced by Atlassian products, and shows you the best way of getting this information to the Atlassian Support team when required. More details are available here: Performance Troubleshooting Tools - Best Practice.

For large instances of Bamboo Server, enabling JMX allows you to more easily monitor the consumption of application resources. This enables you to make better decisions about how to maintain and optimize machine resources. Please read Monitoring and Profiling Bamboo for more information about JMX monitoring.

Operating System

Bamboo is a pure Java-based application and should run on any supported operating system, provided that the JDK / JRE requirements are satisfied.

Network

The following guide describes the specific network and connectivity errors that can be diagnosed automatically by application links and the actions you can take to correct those errors. It also provides a general troubleshooting guide to help you identify and correct network and connectivity errors that may occur when using Bamboo application links: Network and Connectivity Troubleshooting Guide.

Database

Your choice of a database can significantly affect your subsequent experience with Bamboo. If you have a choice of databases, please read our list of supported databases, followed by:

User management

As an administrator, you can manage users directly in Bamboo or enable public signup so users can create their own accounts. You can refer to these pages for information on managing users across multiple projects and applications.

Application access

To grant users login access to your Bamboo application, the application must first be licensed, and secondly, the application must have at least one default group assigned to it. Any users added to this group will be able to log in to the application. This is called application access.

Permissions

Permissions are settings within your Bamboo application that control what users within that application can see and do:

Backup and Restore

Bamboo supports generating backups:

and restoring the backup:

Atlassian Security & Bug Bounty Program

Atlassian releases regular security advisory reports to inform our customers about security vulnerabilities. These can be viewed and tracked in the Security Advisories.

Atlassian offers the community a way to contribute to enhancing the security of our products through the Vulnerability Bug Bounty Program.

Additional notes

There may be limitations based on your product version.

Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on Nov 13, 2018
