As Atlassian tightens Trello security, here’s what’s changing for you

Phill Fox
Thu, 14 May 2020 Trello

Earlier this year, Atlassian announced new changes to the way its users access Trello. From 1st June 2020, users of its leading office app, Trello, will switch to single sign-on access via Atlassian’s central platform.

Executive summary

Atlassian's security changes for Trello could affect your planned expenditure. Prepare now for the 1st June deadline by checking your organisation's usage.

What does this mean?

Companies using Atlassian Access can now have full transparency on which teams and individuals are using Trello in their organisation, even if the user signed up to the Trello app for free.

Mitigating the clear and present danger of shadow SaaS

Arguably it's a step Atlassian had to take, given the steady proliferation of what has been dubbed ‘shadow SaaS’, where employees actively source, use, and even pay for software apps using just a credit card and, worryingly, all beneath the radar of their organisation’s approved IT infrastructure.

Shadow SaaS is often seen by users as a quick and convenient way to get the tools they need, fast, without having to jump through various security, risk, and procurement hoops.
And they are right. It’s a quick, easy and pain-free way to access the tools you love. But there’s a major drawback. It’s unlikely that shadow SaaS app users are considering any of the wider implications of their actions for their organisation as a whole, in particular the grave security threats associated with having NO back-up for mission-critical information alongside ZERO data recovery options.

By taking this shadow SaaS bull by the horns, so to speak, Atlassian is addressing this behaviour and helping to mitigate the security threat to its customers.

So, as an admin, how will this change affect you and what can you do to prepare? Let’s take a closer look.

Privacy implications for your current Trello users

Trello has in the past made it easy to blur the distinction between our personal and business lives, making them one and the same. I mean, why would you not use that really easy Trello functionality to record the arrangements for your work team, your sports club and your private life all in the same place?

Any Trello boards that are associated with work email addresses may now have all of their information visible to everyone in the organisation. So if you have organised a surprise party using Trello for one of your colleagues, this may now be easily found by them.

Cost and resource implications for your organisation

All Trello users will be automatically integrated onto Atlassian cloud and given an Atlassian Access single sign-on. But, as an admin, you will need to assign a resource to identify and organise your Trello users, and possibly factor in any additional fee for Atlassian Access.

Organisations with Trello not previously on Atlassian Access may encounter a spike in their Atlassian licence cost compared to what they would usually pay. Note the change does not affect your organisation if any of the following apply:

  1. Your organisation uses Trello Enterprise with a verified domain and all accounts are already managed there
  2. You do not use a verified domain for cloud usage
  3. Apart from Trello you only use on-premise Atlassian tools

Verified Domain is a specific term used by Atlassian to confirm that as an organisation you have proven that you own a domain. 

When you verify a domain for your organisation, you do two things: 1) verify ownership of your company’s domain and 2) claim users' accounts with that domain.

What actions can you take to mitigate a spike in costs?

As an administrator of Atlassian products, you need to be aware of the changes that are coming to how Trello works with verified domains.

Firstly let’s explore the benefits of verifying a domain

It gives you the ability to:

  1. Manage all your user accounts in a single place - edit, add, delete, deactivate across all your Atlassian tools
  2. Set security policies for your managed accounts including two-step verification or integration with a single sign-on option

Atlassian Access without a verified domain

If you’re not currently working with verified domains you should follow the instructions on how to proceed here.

Atlassian Access with a verified domain

So you have reached this point and your organisation is using Atlassian Access to manage all of your users and you are wondering what impact adding Trello to the mix is likely to have. Well, the first thing to do is to go into the management tool of Atlassian Access at Directory > Managed Accounts and click on Export accounts with Trello product access.

This will give you a CSV file that you can open in your favourite spreadsheet (or, for the masochists, a text editor). It lists your users along with some useful information about their activity:

  • Name and email address
  • Current status (active or deactivated)
  • Last active date
  • Whether they have converted to using their Atlassian account
  • Trello plan - Free, Business, Enterprise
  • Added to your future Access bill

Now that you have visibility of your affected users, you should speak to them to understand what they use Trello for and if it's for a valid business reason. If it is not for a valid business reason you can share some tips (here) on how to disassociate their personal life from their business life.

Once you’ve agreed which users should continue using Trello for business, you will need to prepare for any changes to your next Atlassian Access bill. Note, you will not pay any extra for the following:

  1. Users who were last active before Feb 2018
  2. Users who are already using other Atlassian tools managed by Access
  3. Trello users in Trello Enterprise
  4. Users who are deactivated
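
The export can also be triaged with a script instead of a spreadsheet. The following is an added example, not Atlassian's or the author's code: it applies the four no-extra-cost rules above to a constructed sample export and returns the accounts that still need a conversation. The column names, the ISO date format, the reading of "before Feb 2018" as before 1 February 2018, and the `other_access_users` set (emails you already manage for other Atlassian tools) are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample; column names are assumptions (the page gives no headers).
SAMPLE_EXPORT = """\
name,email,status,last_active,converted,trello_plan,added_to_bill
Ana Ruiz,ana@example.com,active,2020-04-30,yes,Free,yes
Ben Okoro,ben@example.com,deactivated,2019-11-02,no,Free,no
Cai Lin,cai@example.com,active,2017-12-15,no,Free,no
Dee Shah,dee@example.com,active,2020-05-01,yes,Enterprise,no
Eli Moss,eli@example.com,active,2020-03-10,no,Business,yes
"""
CUTOFF = date(2018, 2, 1)  # "before Feb 2018" read as before 1 Feb (assumption)


def exemption(row, other_access_users=frozenset()):
    """Return the page's reason an account costs nothing extra, or None."""
    if row["status"].strip().lower() == "deactivated":
        return "deactivated"
    if row["trello_plan"].strip().lower() == "enterprise":
        return "Trello Enterprise"
    if row["email"].strip().lower() in other_access_users:
        return "already uses other tools managed by Access"
    last = row["last_active"].strip()
    if last and date.fromisoformat(last) < CUTOFF:
        return "last active before Feb 2018"
    return None


def triage(csv_text, other_access_users=frozenset()):
    """Split the export into accounts to review and accounts with no extra cost."""
    review, exempt = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = exemption(row, other_access_users)
        if reason:
            exempt.append((row["email"], reason))
        else:
            review.append(row)
    # Most recently active first: speak to these users first.
    review.sort(key=lambda r: r["last_active"], reverse=True)
    return review, exempt


if __name__ == "__main__":
    to_review, no_cost = triage(SAMPLE_EXPORT, {"eli@example.com"})
    for r in to_review:
        print("REVIEW", r["email"], r["trello_plan"])
    print("NO EXTRA COST", no_cost)
```

Accounts with an empty last-active date are kept in the review list rather than treated as exempt, so an unknown activity date never hides a billable user.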

Think before you deactivate Trello accounts

So now you are actively managing all of your current users, but what about people who have left your organisation but are still using Trello?

While you could just deactivate them, this will mean that their access to Trello would then be revoked along with any boards they are using. When you set up Atlassian Access you will have provided an email address for handling any disputes.

Now is the time to make sure you are actively monitoring the registered user admin, for example support@adaptavist.com, for any requests to release boards to users who have left your organisation.

Watch your bottom line

Depending on your current licence and platform status, it may be time for you to review a number of areas in order to anticipate the likely changes to your licensing agreements and costs. It’s important to review whether your licensing still meets your growing technological processing requirements without exceeding the software licensing budget.

Need help with Atlassian Software Licensing?

Get expert management of all Atlassian Software licences that saves you time and gives you more control over your applications. Our team of experts helps you get more value from your licence portfolio, simplify your procurement processes and deliver a single point of contact dedicated to serving your team.
