Supporting Regulated Industries on Atlassian

15 May 2024

by Marion Lepmets

On May 2, 2024 SoftComply hosted the 2nd edition of Regulated Industries workshop during Atlassian Team event. The workshop’s title was “How to best support Regulated Industries on Atlassian” and was aimed to discuss the customer feedback and best practices of collaboration between Atlassian, app vendors and solution partners to support our customers.

For 2 years in a row we have had the pleasure to come together at Team events as a group of like-minded people working in or with companies from regulated industries using Atlassian. Last year, it started as a discussion over breakfast in the Starbucks. This year we had a technical workshop with 6 speakers: Mix and Joe from Atlassian, Ulrich and Marion from Marketplace Partners & Jan and Geoff from Solution Partners.

The aim of the workshop was to discuss all things compliance that relate to the regulated industries where compliance is expected. Implementing and following compliance frameworks leads to (1) Risk reduction, (2) Enhanced security, (3) Operational efficiency, (4) Technical debt reduction, (5) Enhanced scalability and adaptability, (6) better software development quality, including documentation and Quality Assurance.

Below is a short summary of what was discussed.

DR. MARION LEPMETS – SoftComply

SoftComply is a marketplace partner helping regulated industries get their products to market faster by offering quality and risk management solutions to them. The majority of SoftComply customers are from the medtech space with strict requirements for validation of the software tools they use, data privacy and security requirements, etc.

Marion talked about the regulated industries often using Atlassian tools for software development but keeping quality and compliance management in separate standalone tools. The importance of breaking silos and bringing all departments to Atlassian requires better collaboration between Atlassian marketplace and solution partners.

A few challenges that the medtechs are struggling with on Atlassian Cloud are:

a) dynamic changes of the Atlassian tools which makes manual validation impossible;

b) data security, privacy and data localisation;

c) better permission control for regulated industries, especially for Confluence Cloud;

d) better page versioning in Confluence – old versions of a page can’t be exported and may break macros; etc.

NEWS:

After the 1st Compliance Breakfast at Team23, Izymes & SoftComply decided to create a Compliance Tech Hub site for the Regulated Industry clients who are looking for resources on and around Atlassian and the 3rd party apps that support them in compliance: Home Page

GEOFF METHER – Togetha Group

Geoff was telling us how they supported an Australian Government Office migration journey to Atlassian Cloud and the importance of Atlassian’s irap certificate.

He also mentioned that although the list of compliance certificates that Atlassian is working towards is quite long, there is little transparency when the certificates are expected to be attained, or when are the audits taking place.

For government organisations as with most organisations from regulated industries, the only way they can migrate to Cloud is if they can migrate to Jira Enterprise plan. Jira Cloud Enterprise level pricing for the regulated industries has to be relaxed if Atlassian wants to move its users to Cloud!

MIX MIXON – Atlassian

Mix used to work as a Jira admin in a life-sciences company before she joined Atlassian so she has seen both sides now

Mix was talking about 21 CFR 11 and the requirement of having software tools validated. This means that Atlassian tools should be regularly tested to ensure that no change in Jira has compromised user data integrity or Jira’s performance. To do that, all changes in Jira have to be known but as it turns out not all changes are gated so the release tracks alone won’t work. Now that Mix is in Atlassian, she will try to find the best way to work towards an automated Jira validation. So far, SoftComply has developed an app for automated validation for Confluence Cloud but ideally there should be a framework that helps app vendors validate their apps as well.

Mix also talked about the advantages of having multiple number of sandboxes in larger organisations and the importance of being able to back up and restore data. Currently there is a number of 3rd party apps that help with that.

JAN SZCZEPANSKI – Jodocus

Jan was telling us how they supported a large enterprise customer in the Financial Industry migrate from on-prem to Cloud, just how complex it is and how long it takes.

Jan was also discussing about the work clients expect from solution partners in the sense that all Cloud apps that clients are migrating to have to adhere to strict data privacy and security requirements, performance requirements and the Cloud apps have to have feature parity with the on-prem apps the client was using before.

This got everyone discussing about the new Data and Security tab as well as the Cloud Fortified badges.

On one hand, the marketplace partners have to answer detailed questionnaires regarding how user data is stored and processed by their apps but a) Atlassian does not verify the information marketplace partners provide, b) end-users rarely know how to find this information in the marketplace.

We discussed about how to make the Data and Security tab is not as visible for business users including data access by vendors -> how to make it more visible and how to make sure the partners are telling the truth in the questionnaire, e.g. perhaps there could be different levels of Cloud Fortified badges to make it more visible for users where the app is at like Silver, Gold, Platinum levels etc.

ULRICH KUHNHARDT – Izymes

Ulrich had a fireside chat with Christine about Invesco’s Compliance Journey on Atlassian.

Christine was telling us how to establish compliant procedures, how to ensure they are followed and how to make better use of Atlassian Cloud toolset. As a global organisation in the financial industry, they are required to ‘play by the rules’ in every region they operate in, such as GDPR or SOX. It is beneficial to rely on proven, measurable, and consistent processes to ensure these ‘rules’ are adequately met. Being in compliance will reduce risks, legal fees, and potential penalties.

She admitted that it is typically more challenging to overcome a culture change, moving engineers away from the mindset of delivering to a date vs. delivering the right things at the right time. As such they are focusing on coupling accelerator frameworks with documented guidebooks, that explains the processes (what, why, how) and code snippets to enable the intended experience. Not only does this put the accountability back into the developer role where appropriate, but we are building a larger, stronger skilled community that understands potential impacts that could be introduced with a small code change.

JOE ELGABALAWI – Atlassian

Joe was telling us about the shift in focus from the speed of development to the detail, documentation and transparency, which are all truly important for working towards compliance. There will also be a major architecture change in Jira in regard to shared micro services and data residency/pinning of data.

The FedRAMP journey has only just began and the target date is in 2025. FedRAMP Forge Controls will be built in directly, i.e. implemented in the SDKs.

In general discussion, it was said that it takes minimum 6 months for an enterprise from regulated industries to adopt Atlassian tools and a lot of this time is spent on evaluating Atlassian’s privacy, security and the industry certificates. Atlassian aims to make the regulated industries path to adoption of their tools smoother, from 6 months to less.

Conclusion

If you are interested in the topic of Compliance and supporting of the Regulated Industries on Atlassian, feel free to join us for upcoming webinars on the topic.

May 15th at 4pm CET: Compliance by Design: Integrating Compliance into Atlassian