Security details about 2-way integration of Microsoft Teams and Jira On-Premises.

All communication with Move Work Forward systems is TLS/SSL encrypted using an AWS-managed certificate.

Things to know from the Jira side

  1. When the Advanced Microsoft Teams Jira Connector is installed, it creates an Application Link for the Move Work Forward middleware system. This link permits Jira components to call the external system.

    1. Important: you can delete the Application Link if you don’t plan to use 2-way integration.

    2. Important: the Application Link will be created if you do decide to use 2-way integration in the future while mapping user accounts.

  2. When you register your Jira tenant (System → Microsoft Teams → Bot Settings → Register), an API call is made to the Move Work Forward middleware system to register the tenant. For the call to work, outgoing Internet access to the Move Work Forward system should be permitted. The tenant registration call sends some of the security information that Move Work Forward systems need to connect to Jira, but not all of it. The missing part is sent after the user account mapping.

  3. When you are registering, the URL provided should be publicly accessible to Move Work Forward systems and your users. It is used as a base Jira URL for different actions and API calls.

  4. When users map their Microsoft Teams and Jira accounts (using the connect command in the Microsoft Teams bot chat), they are redirected to a protected Jira page where they Allow or Deny the use of their Jira account for actions in Jira (act-on-behalf permission). During this step the user keys are securely sent to the Move Work Forward system for encrypted storage. As a result, Move Work Forward has the 4 keys required to act on behalf of the user in Jira.

  5. If you need more details please feel free to contact us.

Things to know from the Move Work Forward side

If you need the list of static IPs or domains of Move Work Forward systems please contact us.

  1. Sensitive information is sent over a TLS/SSL connection and encrypted at rest using AWS KMS managed RSA256 tenant-specific keys.

  2. Only the CEO/Founder of Move Work Forward has access to the production systems.

  3. The Move Work Forward system stores the following data:

    1. Product info:

      1. host base URL

      2. Jira version

      3. consumerKey (encrypted)

      4. privateKey (encrypted)

      5. publicKey (encrypted)

    2. Connector info:

      1. version

    3. User info:

      1. accessToken (encrypted)

      2. userSecret (encrypted)

    4. Tenant mapping

      1. who mapped Jira to Microsoft Teams

      2. when the mapping has happened

  4. If you need to delete your data mapping in our system please contact us.

Firewall configuration

You need to enable outgoing traffic to https://tenant.moveworkforward.net.

If you need the list of static IPs or domains of Move Work Forward systems please contact us.
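
To confirm the firewall rule from the Jira host, the following added example (not Move Work Forward's code) attempts a certificate-validated TLS handshake to the endpoint named above and reports the stage at which it fails. The function names and result keys are illustrative, and it assumes direct egress without an explicit HTTP proxy.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Endpoint taken from the firewall section of this page.
MWF_URL = "https://tenant.moveworkforward.net"


def endpoint_from_url(url):
    """Return the (host, port) pair a firewall rule must allow for this URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL, got %r" % url)
    return parts.hostname, parts.port or 443


def check_egress(url=MWF_URL, timeout=5.0):
    """Attempt a verified TLS handshake from this host (hypothetical helper).

    Assumes direct egress (no explicit HTTP proxy). The 'stage' key shows
    where a failure happened: dns, tcp (firewall/routing) or tls.
    """
    host, port = endpoint_from_url(url)
    result = {"host": host, "port": port, "ok": False, "stage": "dns"}
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["stage"] = "tcp"
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["stage"] = "tls"
            ctx = ssl.create_default_context()  # verifies chain and hostname
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(
                    ok=True,
                    stage="done",
                    tls_version=tls.version(),
                    issuer=dict(rdn[0] for rdn in cert["issuer"]),
                    not_after=cert["notAfter"],
                )
    except OSError as exc:  # covers DNS, refused/timeout and ssl.SSLError
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    for key, value in check_egress().items():
        print("%-12s %s" % (key, value))
```

A failure at the `tls` stage with a certificate verification error usually means a TLS-inspecting proxy sits in the path and its CA is not trusted by the host.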

Infrastructure

The Move Work Forward system is deployed in the US-EAST-1 region of AWS. Our system is 100% Serverless, so we rely on Amazon for all security patches at the OS level.

We use the following AWS components:

  • AWS Lambda

  • AWS API Gateway

  • AWS Key Management Service

  • AWS Certificate Manager

  • AWS DynamoDB

  • AWS SQS

  • AWS SNS

  • AWS CloudWatch

  • AWS IAM

If you need our infra to be deployed to another region, please let us know.
