Securing Atlassian’s Path to Containers in the Cloud
Founded in 2002, Atlassian has built a suite of Software-as-a-Service (SaaS)-based products that help to unleash the potential of every team through open work. With offerings spanning both behind-the-firewall and cloud versions of its original product, Jira Software, to other collaboration tools including Confluence and Trello, the company serves more than 125,000 customers around the globe.
With the level of trust placed in it by its customers, security and compliance are of paramount importance for Atlassian. When the infrastructure engineering team took the decision to adopt Kubernetes as the basis of its cloud platform, security was not an optional add-on but had to be built into the architecture from day one.
Atlassian’s objective was to build a central, managed container platform, hosted in AWS, that could eventually support the majority of its compute workloads. That includes not just applications touching customer-sensitive data, but also the Bitbucket/Bamboo code management and continuous integration and deployment (CI/CD) platform. This also builds and runs customers’ code – i.e. arbitrary code execution within a multi-tenant environment: a security professional’s worst nightmare!
After researching various cloud native network security solutions, the Atlassian team came across Calico. Backed by Tigera, a leading name in the Kubernetes community, Calico was the original implementation of Kubernetes Network Policy and the most widely deployed, having been adopted by every major cloud provider and integrated into many commercial distributions. After validating Tigera’s technology, the team reached out to Tigera through its community forum, and partnered closely over a period of several months for implementation in its AWS-based production deployment.
“Our security approach had to be strong enough to isolate not just our own developers’ applications but, more importantly, our external customers’ code,” says Corey Johnston, Kubernetes Platform Senior Team Lead at Atlassian. “This led us to Tigera Calico as the most robust, Kubernetes-native network security solution for achieving microsegmentation of container workloads. Today, the Tigera solution is protecting container workloads running on thousands of vCPUs in AWS.”
There have been some unexpected benefits of using Tigera’s security technology, according to Johnston. The speed with which new rules can be defined and applied globally has enabled the team to respond to incidents — such as blocking abusive bitcoin miners — in less than 15 minutes. Without Calico, this would have required hours or days to update firewall configurations.
Atlassian has also leveraged Tigera’s ability to define ordered, hierarchical policies to achieve separation of concerns. Higher priority cluster-wide policies are defined by the platform team and enforced as part of the base platform automation layer. Individual teams then use the Kubernetes network policy API to define their specific applications’ connectivity requirements. This has enabled application teams to take on more responsibility for security and increased agility across the company.
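One way to express the separation of concerns described above, as an added example that is not Atlassian’s or Tigera’s own configuration: a platform-team Calico GlobalNetworkPolicy (projectcalico.org/v3 API) that is always evaluated first, followed by an application team’s ordinary Kubernetes NetworkPolicy. The policy names, namespace, labels and port are hypothetical.

```yaml
# Platform-owned baseline policy. Calico evaluates policies lowest "order" first,
# and imports Kubernetes NetworkPolicy objects at order 1000, so order 100 is
# guaranteed to run before anything an application team writes.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: platform-baseline          # hypothetical name
spec:
  order: 100
  selector: all()                  # applies to every workload in the cluster
  types:
    - Egress
  egress:
    # Deny pods access to the EC2 instance metadata service, so untrusted code
    # cannot read node-level credentials from it.
    - action: Deny
      protocol: TCP
      destination:
        nets:
          - 169.254.169.254/32
    # Hand every other decision down to the next policy in order (the team's
    # own NetworkPolicy). Without this Pass rule, a pod matched by this policy
    # but by none of its rules would have all other egress traffic dropped.
    - action: Pass
---
# Application-team policy in its own namespace, written with the standard
# Kubernetes API and needing no knowledge of the platform baseline.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-ingress                # hypothetical name
  namespace: payments              # hypothetical namespace
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: payments-frontend
      ports:
        - protocol: TCP
          port: 8080
```

Because the baseline selects `all()`, any workload that legitimately needs the metadata endpoint (for example a credential-brokering agent) must be exempted by a lower-order policy with an explicit Allow, or by narrowing the selector; verify the intended ordering with `calicoctl get globalnetworkpolicy -o yaml` before rolling it out cluster-wide.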
So what’s next on the Jira backlog? There are a number of capabilities of Tigera Secure, including observability of container-level network flows and integration of AWS Security Groups into Kubernetes network policy, that may be able to help with Atlassian’s Kubernetes deployment. After all, the team has a philosophy of continuous improvement, with every sprint including at least one new security-related enhancement to the platform.
We will be exploring more about this case study, including an in-depth look at the deployment architecture, in an upcoming webinar, hosted by Amazon Web Services. Watch out for the announcement of the date and time!