Understanding the Limitations of Atlassian Guard DLP: What You Need to Know

In November 2024, a cyber cartel hacking group called "Grep" stole 40 GB of sensitive data from Schneider Electric's Jira instance using stolen login credentials. Demanding a ransom, the group claimed to have possession of 75,000 unique PII records tied to Schneider customers and employees.

Last year, Beeline, a software-as-a-service (SaaS) business, lost 1.5GB of sensitive data when attackers breached their Jira account with stolen user credentials. This breach included an entire database of customer data, including their first and last names, usernames, role in the company, and more.

To avoid a similar fate, should you be using the DLP product sold by Jira's parent company, Atlassian? Let's explore.

What We Love About Atlassian Products

First of all, we love the way Atlassian supports productivity–especially for technology companies. They make powerful collaboration software that can help you track and manage projects, as well as collaborate in ways that greatly enhance your level of visibility into ongoing company initiatives. Further, Jira and Confluence offer robust access control to help you prevent unauthorized access to sensitive data.

1. Comprehensive Seamless Collaboration: Atlassian's integrated suite of tools enables teams to collaborate more effectively across different functions. Products like Jira, Confluence, Trello, and Bitbucket create a unified workflow that supports project management, documentation, communication, and code repository needs.
2. Extreme Customization: Atlassian solutions are highly adaptable to various team sizes and organizational structures. Whether you're a small startup or a large enterprise, the tools can be customized to match specific workflow requirements. The Atlassian Marketplace offers thousands of apps and integrations (like Nightfall AI) that extend the functionality of core products, allowing organizations to tailor their toolset precisely to their unique operational needs.
3. Robust Workflow Automation: The Atlassian suite excels in providing powerful automation capabilities and detailed analytics. Teams can create complex workflow rules, automate repetitive tasks, and generate comprehensive reports that provide deep insights into team performance, project progress, and operational efficiency.

These benefits make Atlassian solutions particularly attractive for technology teams, project managers, and organizations looking for flexible, powerful collaboration tools, but don't do much to reassure security leaders that their data will be secure in them.

Challenges of Data Loss Prevention in SaaS Applications

Exposure of Sensitive Data and Insider Threats

While centralizing functions like project tracking and code repositories support productivity and project visibility, they also add significant security risks. Due to their invite-only nature, corporate SaaS apps can feel "private" to employees, reducing their fear of violating security standards when intentionally attaching or pasting sensitive data into tickets and posts.

Additionally, these apps carry a great deal of risk around accidental sharing– a problem rooted in human error that just comes with using any cloud products that invite a high volume of activity. Insider threats don't have to be intentional. Often, they are well meaning employees who are just trying to do the jobs with which they've been tasked. Nevertheless, it's insider risk can cause serious problems when–as with Schnieder Electric–an attacker gets in and takes malicious actions.

Specific Types of Data at Risk

A wide range of file types and sensitive data types find their way into collaboration apps not as an exception, but as the norm across companies moving fast. This can range from credit card data, to personal data and PII, to access tokens. Anytime you have a multitude of users, you're going to have issues–not because people are careless, but because they're human.

API Keys and Secrets

Of all the data types you may have lurking inside your Atlassian collaboration apps, secrets can be the most damaging if leaked. For example, API keys may be attached to Jira issues or or Confluence pages as an act of convenience for engineering teams. If leaked, however, active keys could allow attackers to put your entire organization over a barrel, from holding your cloud environment for ransom, to making security configuration changes, to launching new attacks from your own servers. (Learn more about how leaked API keys can create risk, and what to do about it.)

Intellectual property, like source code, is another data type that often finds its way into collaboration apps. For commercial companies, this could look like acquisition planning documents. For technology startups, IP is more likely to be code, product maps, and other "secret sauce" data.

Regardless of the data type, the point is that what is normally positive employee behavior can result in more than just optimal productivity when projects include sensitive content types, resulting in regulatory compliance violations, fines, security incidents, drops in customer confidence levels, reputational damage, and a wide array of other problems.

Atlassian Guard Premium

Solution Overview

1. Atlassian Guard Premium offers two features for classification and sensitive content scanning apart from a few different security policies. Based on Atlassian's documentation, admins must manually classify the sensitivity level of individual pages and issues. When you rely on manual classification processes, you're adding another management step for your admins who probably have a lot other critical tasks to attend to.
2. Then users must manually set default classification levels for each individual space and project. Without that step, they will all have the same classification level by default.
3. Organization admins then create their own data security policies to correspond with classification levels.
4. Guard does offer detection, but only as a separate product (Atlassian Detect) or premium upgrade. Even then, threat detection accuracy will rely on how well data, issues, and projects have been classified. Since Detect doesn't use advanced data detection models like those built by AI-powered solutions like Nightfall AI, its engine is less robust. In real life, what that means for your security teams is that 1) they will be flooded with false positives and 2) true problems will get missed.  

Needless to say, Guard's lack of an AI-powered,  robust detection engine is a serious downside for teams who want to move fast and stay secure without slowing down business processes. The impact on compliance efforts, alone, would be time prohibitive in many cases, which is exactly why so many organizations haven't begun addressing DLP in even their most critical SaaS apps.

Still, any DLP is better than no DLP, and Atlassian is very good at their core functionality: collaboration.

Limitation of Atlassian Guard Premium

Limited Contextual Understanding

Sensitive content scanning within Atlassian Guard Premium relies on more traditional, rule-based detection methods that lack the nuanced contextual comprehension of AI-powered solutions. In other words, AI-powered tools are better able to understand context. In fact, most native DLP (specific to a particular app or ecosystem, like Slack, GitHub, and Atlassian) is based on outdated functions like regular expressions (regex) and basic pattern matching. Even apps that contain optical character recognition (OCR) for images (drivers licenses, passports, etc.) often rely on outdated technology versions that are unassisted by other advanced large language model (LLM) powered detection capabilities.

What that means is that there are not enough data points to correlate and understand context.

Unstructured sensitive data is both pervasive and hard to detect.

Traditional DLP tools often struggle with understanding the subtle contexts that define data as sensitive or not. For example, HIPAA data is difficult for most platforms to detect accurately because they rely on the proximity of certain words or characters. However, a nonsensitive email could be sent about a plumbing appointment on a certain day, at a particular time, for a specific address, with a named plumber, at a hospital with "Cancer Center" in the name. 99% of data detection engines will mistake this for PHI.

Only the most advanced tools that have been highly trained as mature AI models specifically designed to detect sensitive data will fall into the 1% for accurate signaling. If your DLP provider doesn't have a large AI team stacked with expert engineers, you're not going to get that kind of accuracy.

Reduced Adaptive Capabilities

Sensitive content scanning in Atlassian Guard Premium has limited support for just 10 out of the box detectors to identify Atlassian API tokens, AWS access keys, passwords, SSNs, credit card numbers, bank account numbers, JSON web tokens, and bitcoin addresses. Additionally, you can define custom detectors using regular expressions or keywords. However, all these detectors are based on more static detection rules that don't evolve as quickly as machine learning-powered alternatives.

To illustrate, traditional approaches to detect such secrets and credentials cannot recognize subtle variations of how these tokens are referenced, cannot identify complex patterns represented in different languages, or do not have semantic or contextual recognition. While this is on par with industry standards for native DLP solutions, it's another example of why we don't recommend using those.

Limited Insight and Visibility into Risk

1. Lack of automated proactivity: Atlassian Guard is reactive in nature, only identifying issues after potential data exposure has happened. If you add Detect, you can find more data but will still be limited to its level of accuracy based on outdated detection methods. AI-powered DLP solutions can help you proactively anticipate and mitigate potential data breach risks before they occur based on the types, locations, and even actors connected to data handling errors.
2. Limited support of SaaS apps: Atlassian Guard Premium is focused entirely on Atlassian ecosystem tools. While Atlassian Guard Premium offers basic content scanning, its coverage is surprisingly restricted: Scanning is limited to Confluence page and blog post bodies and titles. Critical areas remain unprotected, including: comments and collaborative discussions, space descriptions and labels and most of Jira's content environment. This means you won't even see sensitive data exposure risks, data exfiltration and lineage trends, including unusual activity, across your entire Atlassian environment let alone other SaaS applications in use. If you want to address potential risks in multiple SaaS, GenAI apps and endpoints, you'll have to use multiple vendors, switch portals, and accept that this will also likely make your favorite go-to features unavailable to you in some channels.
3. No Data Lineage and exfiltration prevention capability: User activity monitoring supports a handful of different activities that can be monitored such as exports of Confluence spaces, anonymous access to Jira or Confluence and more. However, Atlassian Guard (and Detect) are more rigid, lacking the ability to track the full lineage of any sensitive corporate IP getting exfiltrated and subsequently getting uploaded to personal apps such as Dropbox, or a personal Gmail account.
4. Non-existent machine learning powered detection capabilities: Sensitive content scanning in Atlassian Guard Premium lacks the ability to understand natural language and its nuances, which are a rich source of context for more advanced AI detection models–especially when it comes to unstructured communications. That means it won't detect many of your data security risks in Confluence and other apps where people use unstructured communications.
5. Potential Performance Limitations: As a more traditional DLP tool, Guard Premium may become less performant, reliable and effective as data complexity and volume increase. The ability to perform with high accuracy at-scale is essential for any modern DLP solution. For example, Guard Premium may not be able to handle complex file types such as HAR files, large archive files, PDF’s or documents embedded with images, large spreadsheets with several thousand rows, or image file types. Additionally, as the data volume increases, Atlassian Guard Detect may not be able to scan in real-time and might miss key updates. AI solutions can handle large volumes of data with more efficiency, reliability and accuracy.
6. Less Advanced Intelligence: Guard Detect’s's localized, static threat detection mechanisms mean it will miss potential security incidents, while returning a host of false positives to consume security teams' time. AI-driven solutions often incorporate real-time threat intelligence. This means any built-in security features for automating responses will be significantly less impactful, as they are acting on inaccurate data. Custom fields are central to Atlassian apps, which is part of what makes them so effective as collaboration tools. At the same time, even its own, native DLP tool will not be able to find and remediate sensitive data events in these fields.
7. Higher Manual Configuration Overhead: Traditional DLP solutions like Guard require more manual rule configuration and maintenance. They also lack the native features needed to meet modern security requirements that mature organizations expect to help them navigate today's threat landscape, like automatically adjusting and optimizing detection strategies. Guard Premium's lack of real-time user engagement creates a critical gap in security education. When employees inadvertently share sensitive data, there's no mechanism to:
8. 1. Send instant notifications via Slack or email
   2. Provide in-the-moment guidance on proper data handling
   3. Coach users through secure alternatives
   4. Turn security incidents into learning opportunities

This absence of real-time feedback prevents organizations from building a proactive security culture, leaving employees to repeat the same mistakes.  In other words, you'll pay for this native DLP and still have to purchase additional security solutions for an effective degree of accuracy.

Impact of Collaboration Workflows

We'll say it again: we're big fans of Atlassian products at Nightfall. We just want you to make sure you mitigate the risk of exposure to data theft that's inherent to collaboration workflows. Whether these are standard tasks being performed by humans, or automated tasks that create issues based on triggers, you're likely to end up with some customer's credit card data or employee credentials in your collaboration tools. Be careful not to interpret this as employee negligence, though, remembering that most people are just trying to be helpful.

However it gets there, sensitive data in your SaaS apps happens. And it opens you up to the risk of severe data breaches like those seen at Beeline, Samsung and Disney. Contrary to popular belief, the main culprit is not inadequate access controls, but human behavior on both the front (poor credentials management) and back end (oversharing, accidental data sharing, and unsecure sharing in SaaS).

Unified DLP coverage across SaaS, GenAI apps

When it comes to DLP, you have to think not just about your cloud workspace and protecting data at rest, but also about all the integrations you have in your environment that make business faster, more profitable, and more effective. Those are the places hackers are going to look for the juiciest targets, because they know how hard it is to detect, remediate, track, and maintain visibility across SaaS. Even most enterprise DLP tools just don't cut it, leading to loss of business, loss of customer trust, regulatory non-compliance, and financial losses–all due to the desire to work quickly and efficiently.

Don't ditch the apps that make you successful. Just secure them, all of them, with one tool that gives you comprehensive visibility. In-app, native DLP tools can't give you that.

Best Practices for DLP Implementation

Conduct Risk Assessments

In the past, security risk assessments were annual events that were only performed because of some specific compliance requirements. Things have evolved since then. While a baseline assessment is still key to defining your starting point, companies with more mature security programs perform continuous monitoring to identify and mitigate risk in real time, all the time. So, a strong cloud and SaaS DLP strategy will give you around-the-clock coverage with data scanning and automated security workflows–as well as the ability to do periodic audits.

Establishing Data Governance Policies

To effectively mitigate the risk of accidental or intentional insider actions that can expose your data, it's essential to first define internal policies for what people can and cannot access, and can or cannot do based on the asset's level of sensitivity. Once you create those policies, it's time to enforce them.

You can take one of two approaches:

1. Treat all employees as likely threats and block all access with granular control, or
2. Invite employees to participate in data hygiene and partner with them to build a culture of security.

At Nightfall, we combine the best of both worlds. Users can choose how to remediate their own errors based on options the security team defines, and security teams can set thresholds for which kinds of potential security threats to their data need to be blocked altogether. For example, a CISO might decide to allow users to request exceptions to policy violations when a business case is provided. However, they might decide to completely block attempts to email HIPAA data in plain text to avoid violating regulatory requirements. Such advanced features can help organizations significantly reduce their data security risk over time by partnering with employees, rather than always reacting to emergencies after the fact.

Training Employees on Data Security

Given today's threat and security landscape, it's important to make data security initiatives a part of daily life, as opposed to annual training events. Inviting users to learn better practices in the context of their daily work empowers them with trust, and it helps them learn faster, more effectively. So, DLP tools that leverage employee training in workflows helps end users improve data handling habits and take ownership for the security of their work. Partnering together, the whole company can accomplish more together than they can when  an organization's security strategy is only owned by one or two teams.

Regularly Reviewing DLP Strategies

DLP strategies deserve thought and regular review. It's important to analyze false positive rates, time spent in remediation, total number of incidents and events, and look for improvement across user activities over time. Are your users taking initiative to remediate faster and more often? Are you seeing a reduction in policy violations over time? Are your protection efforts paying off in security ROI? If you have no visibility into those metrics–or if you just don't feel good about your results, it might be time to reevaluate your DLP strategy.

Are you taking a comprehensive approach to visibility? Are your policies up-to-date? Are you monitoring for security posture changes and data handling violations in near real time?

Comparing Atlassian Guard with Third-Party DLP Solutions

You know what Altassian Guard offers. Now let's have a look at what we consider to be comprehensive data security solutions.

Features and Capabilities to Look for in Comprehensive DLP Solutions

• Dozens of detectors and policy templates built in to support day-one security

• Custom data detectors and flexible data detection policies that AI engineers and support teams can add or build for your use cases. (Hint: Effective PII protection means accommodating regional differences, such as citizen ID numbers that vary by country.)

• Context-rich notifications that speed up security teams and don't require multiple views, reports, or portals.

• Seamless integrations with all your mission critical cloud workspaces and apps

• Ability to track user permissions, sharing changes, and behavior over time

• Powerful security posture capabilities in SaaS

• Enforcement of regulatory compliance obligations for data handling

• Near real-time detection and protection measures

• Tracking and management of access permissions

• Secure sharing enablement to improve data protection strategies, like email encryption

• Automated security workflows that support prompt action on remediation tasks

• Automated scanning, classification, and labeling of sensitive documents to keep you up-to-date as employees work

• Content-aware automated file scanning and classification

• Response mechanisms that improve your culture of security and prevent potential breaches at the same time

• Self-serve historical scans of content, including archived items and proprietary documents

Incident Response Strategies

As part of your annual incident response plan review, it's important to ensure you have an effective response to all kinds of worst case scenario data security incidents that could occur in each of your SaaS applications. In addition to having a response plan, it's also important to remediate current problems that may be increasing your risk of experiencing a breach. Incident response includes daily events and acting quickly on threats and alerts. Using a comprehensive DLP tool can help with data detection and response, by handling risky data handling events before become serious security incidents or violate regulatory compliance requirements.

Need for Enhanced DLP Solutions

Overview of Nightfall DLP

Nightfall AI is the market leader in Next-Gen DLP. From a single pane of glass, Nightfall gives you visibility into sensitive data in all your mission-critical SaaS apps, cloud workspaces, GenAI tools, and now endpoints. With Nightfall, you can put remediation tasks on autopilot across cloud data loss prevention. No portal switching, no lengthy manual processes, just comprehensive coverage.

With powerful reporting tools and advanced threat detection for your data, Nightfall AI is the perfect tool for a layered approach to data security.

Recommendations for Effective DLP

Define and take a multi-layered approach.

Cybersecurity practitioners focus on building layers of cybersecurity, because when it comes to securing your environment, there is no such thing as one silver bullet that does everything. You need adequate protection measures at every step.

1. Granular access controls can reduce the risk of unauthorized access incidents by placing a hurdle to their path. It's not an insurmountable challenge, but every roadblock helps deter attacks.
2. Enforcing internal credentials management with a tool like RPass from Rippling can help ensure your team members use strong passwords that are not reused, unsecurely stored, or unrotated for long periods of time.
3. Data discovery and classification is vital to your strategy, can be daunting. Using an automated tool to help ensure you always know where your sensitive data lives and that it's labeled with appropriate sensitivity levels supports effective data governance. Effective governance, in turn, supports stronger data security controls.
4. Mitigating the risk of accidental or intentional breaches also requires continuous monitoring of data handling events with data detection and response (DDR) is one highly effective layer of this strategy.
5. Next, you will also need to monitor your data security posture in cloud workspaces with DSPM capabilities, tracking and taking swift action on all real-time notifications of data sharing and access changes to sensitive files. This helps prevent employees from sharing content that should remain private.
6. Email encryption is one of the most common types of data security available on the market, but the effectiveness of your solution will rely on how easy it is for end users to apply, encryption strength, and most importantly proper detection of sensitive data. If your detection engine can't accurately signal on PHI, secrets, and other unstructured sensitive data, you are once again relying on employees to have a consistently perfect memory and performance every time they send an email with sensitive data.
7. Employee training and awareness programs need to be directly tied to your DLP strategy as an additional layer. By involving them in the process, you help employees become a human firewall for your data. Be sure your solution offers this feature.
8. Policy and data detection templates to speed up the time it takes to mitigate common challenges in data security plays a critical role in launching new data security controls quickly and easily.
9. Flexible policy creation and enforcement is another piece of the DLP puzzle, so be sure your solution allows you to create policies that might be unique to your organization.
10. Finally, be sure you have a way to protect data flowing through your users' endpoints. What this gives you is the ability to implement SaaS agnostic DLP that works no matter where your users are online, what apps they're using, and more.

Conclusion: Balancing Collaboration and Security

Extending advanced, fundamental data protection measures to your SaaS apps is crucial in preventing serious potential security risks to your organization. Further, making sure internal users are part of the process (with backstops in place), is a critical aspect of success in SaaS / cloud data security. Activity monitoring, in itself, is not helpful to improving data hygiene. It becomes extremely valuable, however, when users are invited to participate in remediation steps. Collaboration reduces resistance from users to strict security controls, taking a "same team" approach to protecting your sensitive data everywhere employees work.

Building a culture of security is one aspect of cybersecurity that eludes most organizations. To some, that might mean monitoring activity and laying down the law with a heavy hand. To others, it might mean sending continuous reminders to not click phishing emails. However, comprehensive monitoring mechanisms allow you to support employees as they grow in their intuitive cybersecurity reflexes, increase user engagement in protecting data, and still prevent breaches absolutely. Even better, a collaborative approach reduces workload and speeds up processes for busy tech teams. The sum of the whole will always be greater than its parts.

‍

Want to compare solutions? Request a demo to learn more about Nightfall AI.