At monday.com, security is a top priority. We want to make sure you're confident when you build out your workflow with us. This article will answer frequently asked questions about the security and IT implementation of the Jira cloud and server integration.
Who is the developer for the Jira Integration?
The developer of the Jira Integration (both Jira cloud and server) is monday.com.
What party originates the required network connection?
While we're the one who originates the connection, both parties need to participate in order to create the connection successfully.
Is your application using "Google Analytics"?
How is authentication handled in this service?
It's a token based authentication, where the user is entering their JIRA creds to monday.com, and from that moment forward the interaction between the two parties is being managed using an access token.
For Jira server, does monday.com have a binary agent to install in our network which will manage the security components automatically?
No. The Jira server configuration is based on typical HTTPS communications and any additional security filtering needs to be implemented on the user’s network firewall.
Do you use CAL for logging or have you implemented your own logging system?
We have implemented a SIEM solution, to which we stream logs from our NIDS, traffic logs from edge locations, and general authentication and authorization logs, both from the application itself as well as from infrastructure resources. Security events are regularly reviewed by a managed SOC team and are addressed in accordance with their severity.
For Jira server, how can we setup integration with Jira when our Jira instance is behind a firewall/ VPN?
There has to be some kind of access from the internet in order to integrate with Jira server or any 3rd party.
Additionally, the following IP ranges need to be unblocked on your firewall/ VPN in order for the integration to work:
- 184.108.40.206 / 24
- This range (containing 256 public addresses 220.127.116.11 to 18.104.22.168) is used by our egress (outgoing) networking to send data out to customers. This range must be whitelisted to accept incoming connections from our infrastructure.
- There is no way to whitelist our ingress (incoming) IP's, used to receive data from customers (like calling our API's) as we're using Cloudfare as our edge network provider, and they may change IP's at any time. This should not be a problem in most cases.
Why are global admin permissions required?
We use JIRA's REST API to create Webhooks and in order to do so, the credentials authorized need to be that of the JIRA admin with global permissions.
What security controls apply?
- JIRA cloud: For monday.com<>third party app, for outbound we don’t have any enforcement, and for inbound the data is encrypted using TLS 1.2.
- JIRA server: For JIRA Server, it depends on the on premise server and on the person that will create the integration - if the client will type in a base url which uses http, and not https, then the communication will not be encrypted in transit. In general if they use https (ssl), with a valid trusted certificate - then the data will be encrypted on transit.
For Jira server, is the application/API accessible only internally or would it be directly exposed to the internet?
monday.com is accessible from anywhere and exposed to the internet. Your JIRA server is not, as it an on prem instance. Therefore in order to make these two objects work together, you're being requested to allow requests coming from monday.com (in the external world) to your server.
Data transfer and storage
What data is transferred?
The data which is being transferred is based on the mapping defined by the user at the time of the integration configuration. The scopes are issues and projects on jira's end, and items on our end.
Which data can we access and what can we do with it (read vs write)?
The answer to this depends on the scopes of the API token:
- The JIRA integration is a token based integration (not Oauth2), which means we don't ask for specific scopes. Neither monday.com nor the user can control the scopes of the API token. This is based on Jira's settings. Meaning - if some of the permissions are changed after authentication, we have no control over it - whether it will be in adding new API capabilities, or removing them.
- With the above noted, monday.com will only access the requested data as populated in the recipe. Every time the integration is triggered, it will try to fetch ONLY the relevant data which is mandatory for the sake of the completion of the run. We don't do any unneeded API calls to fetch unused data.
If you have any questions, please reach out to our team by using our contact form. We're available 24/7 and happy to help!