Keeping Jira Service Management secure in the age of remote work
With more than a third of the world’s population in some form of lockdown due to COVID-19, companies’ ability to transition to remote work quickly and effectively is more important than ever. However, recent findings suggest that in the rush to move business-critical operations from in-person to online, many businesses have opened themselves to privacy and cybersecurity threats.
Let’s take a closer look at how you can mitigate the risks associated with moving your IT service management entirely online, specifically with regard to publicly accessible helpdesk portals.
Public Service Desks: Key to Digital Transformation, but an Opportunity for Bad Actors
ITSM and online collaboration tools such as Jira Service Management (formerly known as Jira Service Desk) play a crucial role in ensuring business continuity for a workforce that might have gone from centralised to distributed in the course of mere days. Jira allows operations that used to require a face-to-face conversation to be handled online - however, it's important to stay mindful of information security.
With the move to remote work, service desk portals that were previously meant for customer service tickets might be repurposed for internal support, which now needs to be provided entirely over the internet.
Since service desks can be configured to allow anyone to sign up for a customer account, there are numerous types of threats that need to be addressed, including:
- Impersonating company employees in order to get access to internal information and documents. This can be done by signing up with a generic email address under the name of a company employee, since agents see only the customer's display name in the UI, not the email domain.
- Seeing ticket assignees and names of relevant IT staff, which could then be targeted in further social engineering or phishing attacks.
- Gathering intelligence about internal processes within the company.
So keeping a close eye on publicly-accessible service desk portals is always a good idea. And when IT managers have a harder time verifying tickets through in-person conversations, it becomes doubly important.
However, in larger Jira deployments, this is not always so straightforward...
The Challenge: Keeping Track of Dozens of Portals
It is not uncommon for a medium-sized company that uses Jira across multiple departments to have dozens of Jira Service Management portals active at any given time, with different levels of access permissions:
- Publicly available (anyone can create a customer account) - e.g., for customer support
- Limited to Jira users - e.g., for internal IT helpdesk
- Limited to project members - e.g., for specific R&D projects
Making every portal restricted, or requiring the Jira admin to constantly configure granular permissions per project, would take an inordinate amount of time. A more sensible approach is to allow a certain level of flexibility while continuously monitoring active service desks to ensure appropriate permissions are set.
The problem is that there's no easy way to get a bird’s eye view of access control per service desk - which makes monitoring dozens, or hundreds, of different portals cumbersome and error-prone.
The Solution: Restrict Access and Continuously Monitor Jira Service Management Permissions
The first way to prevent bad actors from creating fake service management tickets is simply to restrict access in the first place. While some service management portals might need to be publicly accessible, this is rarely the case for internal helpdesks. Instead, you should sync your corporate directory with Jira via LDAP.
For the portals that have to stay open to customers from outside your organisation, your focus should be on:
- Updates: Keeping your Jira instance up-to-date
- Enabling verification emails: See instructions here
- Monitoring: Ensuring project admins are granting permissions in a responsible and considered manner
To solve the monitoring challenge, we’ve created the following script, which you can use if you have ScriptRunner for Jira installed on Jira Service Management version 8.0.0 or above. This script will create a list of all the service management projects in your Jira instance and the type of permissions granted in each one. You can then quickly navigate to a specific portal and change these permissions if you so please.
Here’s an example of what the output from this script might look like:
If you’re already using ScriptRunner, you can copy and paste the script below to try it out now. If not, it takes seconds to get a free trial account on the Atlassian Marketplace. Then you can simply paste the script that appears here into the Console.
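The same bird's-eye view can be produced without ScriptRunner by reading each service desk project's permission scheme over the Jira REST API. The following Python script is an added example written for this page, not the ScriptRunner script from the original post or any Atlassian code. It assumes the Jira Server/Data Center endpoints GET /rest/api/2/project and GET /rest/api/2/project/{key}/permissionscheme, classifies each project by who holds the CREATE_ISSUES permission (the permission that lets someone raise a request), and sorts the most exposed portals to the top. The group and holder-type names used to recognise "any logged-in Jira user" are assumptions that you should adjust to your own permission schemes; the sample projects and schemes embedded below are constructed so the script runs offline.

```python
"""Audit Jira Service Management portal access levels over the Jira REST API.

Added example for this page, not the original post's ScriptRunner script.
Assumed endpoints: GET /rest/api/2/project and
GET /rest/api/2/project/{key}/permissionscheme (Jira Server / Data Center).
"""
import base64
import json
import urllib.request

# The three access levels described in the post, least to most exposed.
PROJECT_MEMBERS = "Limited to project members"
JIRA_USERS = "Limited to Jira users"
PUBLIC = "Publicly available"
EXPOSURE_ORDER = [PUBLIC, JIRA_USERS, PROJECT_MEMBERS]

# Assumption: these holders mean "any logged-in Jira user" in our schemes.
LOGGED_IN_HOLDER_TYPES = {"applicationRole"}
LOGGED_IN_GROUPS = {"jira-users", "jira-software-users", "jira-servicedesk-users"}


def classify_scheme(scheme: dict) -> str:
    """Return the most permissive access level granted by CREATE_ISSUES entries."""
    level = PROJECT_MEMBERS
    for grant in scheme.get("permissions", []):
        if grant.get("permission") != "CREATE_ISSUES":
            continue
        holder = grant.get("holder", {})
        htype = holder.get("type")
        if htype == "anyone":  # Jira's "Public" / anonymous holder
            return PUBLIC
        if htype in LOGGED_IN_HOLDER_TYPES or (
            htype == "group" and holder.get("parameter") in LOGGED_IN_GROUPS
        ):
            level = JIRA_USERS
    return level


def fetch_json(base_url: str, path: str, auth_header: str) -> dict:
    """GET a Jira REST resource and decode the JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": auth_header, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_instance(base_url, username, password, fetch=fetch_json):
    """List every service desk project with its permission scheme and access level."""
    auth = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
    rows = []
    for project in fetch(base_url, "/rest/api/2/project", auth):
        if project.get("projectTypeKey") != "service_desk":
            continue  # software / business projects have no customer portal
        scheme = fetch(base_url, f"/rest/api/2/project/{project['key']}/permissionscheme", auth)
        rows.append({
            "key": project["key"],
            "name": project["name"],
            "scheme": scheme.get("name", "?"),
            "access": classify_scheme(scheme),
        })
    # Most exposed portals first, so reviewers see public ones immediately.
    return sorted(rows, key=lambda r: EXPOSURE_ORDER.index(r["access"]))


def find_drift(rows, expected: dict) -> list:
    """Keys whose access level differs from the documented expectation (or is undocumented)."""
    return [r["key"] for r in rows if expected.get(r["key"]) != r["access"]]


# Constructed sample data shaped like the real REST responses, for offline runs.
SAMPLE_PROJECTS = [
    {"key": "CS", "name": "Customer Support", "projectTypeKey": "service_desk"},
    {"key": "IT", "name": "Internal IT Helpdesk", "projectTypeKey": "service_desk"},
    {"key": "RD", "name": "R&D Requests", "projectTypeKey": "service_desk"},
    {"key": "DEV", "name": "Dev Board", "projectTypeKey": "software"},
]
SAMPLE_SCHEMES = {
    "CS": {"name": "Public Support Scheme", "permissions": [
        {"holder": {"type": "anyone"}, "permission": "CREATE_ISSUES"},
        {"holder": {"type": "projectRole", "parameter": "10002"}, "permission": "BROWSE_PROJECTS"}]},
    "IT": {"name": "Internal Helpdesk Scheme", "permissions": [
        {"holder": {"type": "group", "parameter": "jira-servicedesk-users"}, "permission": "CREATE_ISSUES"}]},
    "RD": {"name": "R&D Scheme", "permissions": [
        {"holder": {"type": "projectRole", "parameter": "10100"}, "permission": "CREATE_ISSUES"}]},
}


def sample_fetch(base_url, path, auth_header):
    """Stand-in for fetch_json that serves the constructed sample data."""
    if path == "/rest/api/2/project":
        return SAMPLE_PROJECTS
    return SAMPLE_SCHEMES[path.split("/")[5]]


if __name__ == "__main__":
    # Replace sample_fetch with fetch_json and real credentials to audit a live instance.
    report = audit_instance("https://jira.example.invalid", "user", "pass", fetch=sample_fetch)
    for r in report:
        print(f"{r['key']:<6} {r['access']:<28} {r['scheme']:<26} {r['name']}")
    documented = {"CS": PUBLIC, "IT": PROJECT_MEMBERS, "RD": PROJECT_MEMBERS}
    print("Needs review:", find_drift(report, documented))
```

Running this on a schedule and comparing the result against a documented list of which portals are meant to be public (the `find_drift` step) turns a one-off check into continuous monitoring: a portal that a project admin quietly opens up, or a new portal nobody has reviewed, shows up in the next run rather than when it is abused.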
Staying Safe in a Time of Rapid Change
The COVID-19 crisis has forced many organisations to rapidly accelerate their digital transformation. Modern communication and collaboration tools can make the transition to remote work easier, but misaligned or mismanaged processes can pose new security challenges.
It’s important to keep sensitive information secure in the process of transitioning to a new way of work. If you’ve recently introduced new Jira Service Management portals to support remote work, you can use the methods we described above to stay on top of your various portals and verify the appropriate permissions are set for each one.