Jira Security Best Practices—What is Logical Separation?

Whether you are a small business or a large enterprise, protecting your sensitive data is always a concern. How do you allow your teams to work together without exposing your sensitive data, especially to those not authorized to view it?

With the proper configuration, Jira can securely protect your PHI, export control, financial, or proprietary information while allowing all of your users to work in one instance. Jira security best practices support the use of “logical separation.”

By properly implementing a logical separation in Jira, you may not need to create and maintain separate instances of Jira to hold sensitive and shared information.

What is logical separation?

Logical separation is the process of classifying and restricting data visibility on the front-end of an application. Only authorized users will be able to see each class of information. Logical separation is the first step towards a full physical separation in case of a merger or acquisition or to restrict and protect different data classifications while maintaining one combined instance.

No matter your use case, a logical separation can be valuable to help secure your data. However, weighing the benefits and considerations of implementing a logical separation is essential. If implemented incorrectly, it can grant a false sense of security where you think that your data is protected.

Take special consideration if you are running on—or are looking to migrate to—a SaaS solution like the Atlassian Cloud. There may also be limitations on implementing a logical separation on a Jira Cloud instance or on the type of data hosted on the cloud.

What are the benefits of a logical separation?

How do you manage sensitive or regulated data in an instance with users who are and are not authorized to see it? Do you need to pay for and support multiple instances to protect your data? Thankfully, not always.

Logical separation allows you to limit visibility to authorized users without managing separate instances for unauthorized users. Maintaining only one instance, with proper logical separation permissions in place, saves the cost of licensing multiple instances and applications. You save on the cost of supporting, maintaining, and customizing multiple instances. Not duplicating efforts across instances will allow your application admins to work on what matters most.

Remaining in one instance allows for greater collaboration across teams. Your users will not have to manage multiple logins, or answer questions about which instance they need access to or which instance a particular issue is in. This will help your support teams, as they will not have to follow up with users on which instance they require access to or are having trouble with.

Besides the user and support benefits of logical separation, it can also help with your compliance. Logical separation is a valuable tool for regulated industries such as:

  • Government
  • Export control
  • Financial organizations which have to abide by strict regulations

Maintaining and certifying compliance is essential for these industries to avoid fines and data breaches and, by extension, to build and maintain customer confidence. You can also apply the same logic used to protect internal proprietary information to protect your PHI, PII, ITAR, or financial data.

Logical separation is a great way to effectively protect data in your system and have the confidence that your data will remain protected.


When considering whether your company can use logical separation to manage your data security and compliance, you must understand the limitations.

Firstly, a logical separation in Jira is only a front-end solution to data visibility. A logical separation will not be present at the server or database level. If you have your applications hosted on Atlassian’s cloud, this is less of a concern as your team will not have backend access to their applications.

Secondly, you need to determine if the cloud is compliant with your data standard. The Atlassian cloud is not currently compliant with all types of regulated data. However, Atlassian is constantly working on improving it. A logical separation itself will not be enough to guarantee or certify compliance. Your organization will still be responsible for implementing infrastructure and application controls alongside your logical separation. These may include:

  • FedRAMP
  • CMMC
  • SOC filings

Thirdly, Standard and Premium Atlassian Cloud plans only cover one cloud instance. An Enterprise plan allows you to have multiple instances. However, splitting instances often leads to:

  • Duplicated work
  • Difficulty in collating metrics
  • User and support confusion
  • A lack of transparency and collaboration between teams that work across multiple classifications

You should also consider the additional cost of an enterprise plan versus a standard or premium plan.

What type of data can Jira and Confluence cloud hold?

Jira and Confluence cloud instances are GDPR and SOC Type II compliant out of the box for Standard, Premium, and Enterprise plans. They can also be HIPAA-compliant upon request when running on an Enterprise plan.

These regulations or your internal requirements may also require specific data residency. Atlassian Cloud offers solutions here as well, though with some limitations. You can currently choose a data residency location for the United States, Europe, and Australia, with expansion for residency options to Canada, the UK, and Japan in the near future.

Atlassian also intends to improve the breadth of data that can be resident. Other data such as DevOps commits and branches, product analytics, user account information, and logs cannot currently be pinned to a residency location if chosen. A complete list of what data is included in Atlassian’s data residency can be seen here.

Again, just because a cloud instance can hold a certain data classification doesn’t guarantee compliance. Logical separation is simply a tool to allow you to keep multiple classifications of data in a single instance. It is still up to your organization to put the proper controls and procedures in place to ensure compliance.

How do we create a logical separation in Jira?

Once you have decided that a logical separation will work for your organization, the most important question is, how do you implement it? Stay tuned for our next blog, where we will break down the key steps and considerations when implementing a logical separation in Jira.

Kyle Krug, Solutions Architect