How Atlassian manages Risk and Compliance

View Show Notes and Transcript

Episode Description

What We Discuss with Michael Fuller:

  • The Cloud Centre of Excellence in Atlassian?
  • What were the challenges of implementing this in a global company like Atlassian?
  • Does everyone understands the importance of security
  • How do we classify maturity in cloud? What does the maturity scale look like?
  • Where does the standardisation help in large cloud footprint?
  • Where should People with lot of AWS Accounts already start?
  • How do you maintain Compliance across different AWS Accounts?
  • Auto remediation for breaches of policy?
  • How do you do effective decision making when working remotely?
  • Would doing security be challenge when working remotely?
  • And much more…

THANKS, Michael Fuller!

If you enjoyed this session with Michael Fuller, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Michael Fuller on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

Ashish Rajan: [00:00:00] Hello, and welcome to cloud security podcast today. I’ve got a local guest for myself and it’s amazing to have someone Australian come into my show. Usually if someone from overseas, so I have Michael fueler is from Atlassian. Welcome, Michael. Thank you. Awesome to have you here, man, for people who don’t know you, who is Michael through them? 

Yeah, so I’ve 

Michael Fuller: been at that last year for just coming up to eight years. I traditionally come from a CIS admin background and I was since I’ve been at Atlassian for the first couple of years at my career here, I, you know, last five to six years have moved into what is the cloud center of excellence at Atlassian, especially as that last year chose to go towards cloud. 

And so really sort of focusing sort of enabling teams around the organization to do cloud correctly. And so, you know, finance risk and compliance, and then obviously, This podcast the security team 

Ashish Rajan: within that last year, I get different answers for this question. So I’m curious to know what does cloud security for? 


Michael Fuller: I take a very sort of I guess engineering background to this, this answer. And so maybe you’re a pure security person might, might cringe at my [00:01:00] answer. I don’t know. Maybe the way I think of cloud security is kind of what is different in the cloud to do what we had within the data center. And so if I look at sort of the operating system, the application that’s running most of that sort of stays fairly the same one. 

You move to your cloud and. I just sat in LA. I mean, there is still physical kit somewhere. Right. But we’re making a trade-off that, that someone Oaks is going to be doing that access lamb control and that sort of stuff. And so I think once you’ve sort of decided to be a cloud first company. Yeah. You’ve probably reasoned with the shared responsibility model of cloud and, and gone past that, you know, is the cloud secure phase and more to the, how do we operate securely in the cloud? 

And so we’re trusting the cloud service provider to give us those low layer things. We should be able to continue to do traditional security at the operating system and up, and that’s that piece in the middle that I think is cloud security. Yeah. That everything gets different. As a cloud service versus what you have in the data center. 

And so, you know, we didn’t really have a globally accessible control API, within the data center. Right. And so there’s a whole things that are different and that’s where I would sort of [00:02:00] classify cloud security. 

Ashish Rajan: Sure. And I think too, it’s very interesting that you mentioned how security has kind of evolved in the cloud space as well. 

Right? So with center of excellence, what do you guys do? Our guys and girls, I guess your team, and how do you guys enable security in your organization? And I guess should everyone should be considering it, I guess. 

Michael Fuller: Yeah, I definitely think everyone should consider it. Awesome. Let’s just get that out of the way first and for our journey, like just in general, like cloud maturity at our last name is Jr. 

Has been on a journey for six years. And what my team is kind of focused on is, is what is common. Across all of our sort of cloud footprint, what is, you know, if we look at the way teams are operating the number of accounts that we have, you know, what are the sort of control aspects that are common across all of that footprint? 

And so, and, and can we as a center of excellence type those controls on and provide sort of the business a way of sort of ignoring or at most sort of knowing that those layers of settings are done sort of correctly. And so, you know, if we look at individual engineering team, They’re going to want to do, you know, set up some things very specific [00:03:00] to them. 

And that stuff is great for engineering team to focus on when it comes to like cloud security. There’s a whole pile of controls at the cloud layer at the, you know, every individual account has a whole heap of settings that can be set. And so what we want to do at the center of excellence side is think about, can we make a standard, a corporate standard on how those settings should be? 

And then can we take on the task of making sure those particular settings are being set and they’re monitored and alerted upon. And so that the company can kind of feel like at some base layer we ask, you know, standardize across the whole cloud footprint. And we know that if anything, steps outside of that standard, that there is processes and practices and alerting, et cetera in 

Ashish Rajan: place for like a little bit of what you guys all had guardians. 

Michael Fuller: Yeah. I mean, either that or like Shire is use the term big brother out. 

Ashish Rajan: Yeah. Fair enough. I was going to ask, obviously doing this across a class here, which is a global organization standardizing this work. Can you think of any challenges that you came across, obviously, apart from getting a lot of teams to agree on something, were there any challenges that you can share in the process of implementing [00:04:00] standardized controls across and what made it work? 

What would you recommend to people who are trying to do this? 

Michael Fuller: The biggest challenge we have is with M and a mergers and acquisitions is we’re bringing in an org. That’s probably fairly well established within cloud. And now we are trying to merge them in and come up with a sort of commonality of agreement on these standards. 

And so. And so we do spend a lot of time sort of figuring out how to sort of merge different environments together. And it’s, you know, sometimes it’s really easy. There’s like, especially when emerging in company is, is less cloud mature. They kind of more willing to adopt it last year. 

Thinking, but the moment you are M and I is that we do, they’re the ones that we have to put a lot more time and energy into making sure that there is you know, I guess taking the opportunity to learn that we’re not missing some, some thinking that that company had, that was really awesome. At the same time, making sure that we do end up with some sort of standardization because it, you know, what we call snowflakes, you know, basically slow down the speed of it last year. 

Yeah. That’s probably the biggest challenge as far as you know, like outside of MNAs, when we look at new staff. And so when we look at new staff joining it last year, so we have new staff joining every [00:05:00] week globally. And they come in with different levels of cloud maturity cloud, cloud knowledge themselves. 

And so they introduce a, you know, a challenge of education for us. And so making sure that everybody has a base level of understanding of, of what cloud is and how it works and not just. Cloud itself, but cloud added last year. So we have a particular view on how cloud should work within that last year and making sure that everyone is on the same. 


Ashish Rajan: sweet. And do you guys run regular training for new joinees or is it more to your point? Because everyone comes with a different set of, I guess, awareness of cloud. Some people are coming from a, I guess, really mature organizations or maybe coming from a less mature. How do you level that playing, playing field for them? 

Except the Atlassian way of doing cloud. 

Michael Fuller: So there’s kind of two parts to this. There’s just cloud knowledge in general. And so we’ll work with you know, our, our main cloud is no secret. We use Amazon web services. And so we work with their training engine to be able to push our staff. And get trained at cloud just from a general specific perspective. 

And then we do do boot camps for particular parts of you know, cloud at last year. So we [00:06:00] have, we have a paths within it last year and that enables our teams to deploy you know, their ideas out to production. And now. And so there’s training boot camps around that. And so, what my team does and, and is probably gonna put a lot more energy on over the next sort of 12 months, especially with, you know, more work from home is building out sort of like training videos around the things that we know and the standards that we apply to an account. 

And so that we can sort of onboard people with just watching. 

Ashish Rajan: Oh, right. So this would be, this would be training for people who are, say doing DevOps or some kind of automation or building applications on the, the platform, or I guess AWS in general. To sort of, this would be for that breadth of PR people, I guess also you guys do training as well. 

Michael Fuller: You know, I think we do a bit of a bit of it. We’ve done some, a handful of different talks that we do internally. And but I think it’s one that we’re going to put a lot more energy on because it is so important. And it’s one of the big challenges that education piece 

Ashish Rajan: do you find that showing the importance of security that easier for new starters and everyone understands the importance of security? 

Michael Fuller: Yeah, I think generally people, you know, you know, I have less trouble with [00:07:00] trying to convince people that they need to do things for security regions. Then I do convincing people. They need to do it for financial reasons. 

Ashish Rajan: Right. Oh. So it’s easier to make them understand that it’s a security thing rather than a financial thing. 

Fair enough. You, because you’ve been in a classroom since I guess a really long time, and you kind of saw that maturity in cloud as well. How do you classify maturity in cloud? And how, what, like, what would you consider someone starting off, in cloud today versus it was super mature? Like, how do you scale that? 

Like what, what does that scale look like for you? 

Michael Fuller: Well, it’s kind of funny because if you drop someone who’s not done cloud before into a large cloud environment you know, they’re definitely going to sort of, you know, make a big of mistakes. Th that’s kind of, not usually what happens when an organization goes to the cloud, they kind of like stop in a crawl phase where they’ve got a little, little tiny bit of cloud infrastructure and then they slowly grow more and more. 

And so usually I find cloud maturity is more sort of reflective of kind of how long you’ve been doing it. And the. Cov at scale. So, you know, if you started out fairly small and you, and you went [00:08:00] from very small to very big really quickly, but I can’t find, you know, sort of those standards within your organization around cloud security that I know that they, they, you know, you will not very mature security while. 

Well, you might have a large cloud footprint. But if you’ve done this over a slower period of time, and you’ve got these standards of how particular settings should be, you’re integrating some sort of, either the, the cloud provided security tools or third party security tools into your cloud layer effectively, you know, you should have. 

So, you know, the, the securities are, or something like that, you know, someone who’s responsible for thinking about this cloud security layer. And so usually what happens with the cloud platforms is, is the dev ops teams go headlong, you know, a hundred mile an hour into cloud. And then everybody else around them has to figure out what the hell is going on. 

Right. And so I think it’s at that point, You’ve realized you’ve gone headlong very fast into the cloud, and now you’re actually building those standards and practices around cloud. You know, I don’t think that I’ll ever get to a point where I can ask my security head of security. You know, are you happy with cloud security? 

Cause you know, I think if you ever said [00:09:00] yes, then we’d probably have a problem. But in the same token, I also took. From, you know, have a look across all of the pillars we support is sometimes just knowing where you have problems is, is in maturity feature in itself. Oh, 

Ashish Rajan: right. And I think to your point about where does standard standardization help you in maturity? 

Because you guys obviously have developed a standard and anyone who’s listening, who’s probably not started on their maturity journey in cloud or are thinking of, oh my God, that sounds like a lot of work. Where do I start today for cloud security? What do you recommend? 

Michael Fuller: Yeah. I think like, you know, when I look across the cloud providers themselves, they do, they’ve done a lot of work to make security easy in the cloud. 

You know, if you went back to 2015, there was a lot of sentiment that the cloud was insecure. And, and so over the last sort of five years, you’ve seen them double down a lot of effort into making sure that people understand that the cloud can be secure if done correctly. And so their tooling that they’ve built over the last five years. 

Really enables you to be more secure within the cloud. And so it’s the main thing though, is, is you have to turn that and tools on. Right. And so when it’s, you know, coming to things [00:10:00] like access logs and audit logs and, you know, all the different sort of monitoring tools that are available to the cloud platform itself, if you’re not turning those on then obviously you can’t sort of be secure, right? 

Like. Not, I guess probably a better way of saying that. And so the standards that we kind of applied is like, we know about these tools and we know that this is how we want them set up. And so we start to build standards on, this is how they should be set. This is how that should be set. And we kind of rolling that out across the whole cloud platform in, in in its entirety, because we don’t want to find that there’s pockets that are being sort of ignored within the cloud platform, because that’s probably what you’re gonna, you know, end up with a bit of pain from. 

Ashish Rajan: Yeah, I think that’s an interesting point for AWS specifically. Now, since AWS has all controlled our it’s like a template for the kind of account that you can create. A lot of people were already doing this and I assume that’s kind of what you mentioned when you said you already have predefined like logging that you should have turned on for people who are listening. 

And they already have a lot of accounts, which they may or may not be aware on how secure they [00:11:00] are. And obviously new accounts are being added consistently for those folks. Would you, where do they, where do you recommend they start? They, should they start at the new account and create the baseline and then try and go back? 

Or what do you recommend for them to start? 

Michael Fuller: So there’s a pile of really good white papers written by Amazon. And I think that in general, they can kind of apply to all cloud. So there’s obviously the well-architected Y Y Piper, which has a whole security pillar in it. But then there’s sort of like CIS white white papers as well. 

That recommends settings specific to Amazon cloud. I don’t know if they do a GCP version, but I’m sure that there’s probably GCP and Azure either coming or. And so it’s like looking across those white papers, you get a good feel for which of those settings need to be turned on and why they give you a sort of a high importance down to low importance. 

And so if I was to say, what’s the most important thing I would say, we’ll go to the white paper, you know, the CIS white paper and pick all the high importance things and just make sure those are the things that have been set within your accounts. And then stopped to, you know, move down the stack to the, to the height from high important, to [00:12:00] just important down to low important. 

And you need to put a bit of a, you know, your own org spin on some of these things. Like we don’t do everything in the CIS white papers, but we have other controls that are in place that kind of negate the need for certain things. And so, you know, I would say that, you know, most of what is sort of required from it. 

The baseline is really just turning things on or setting things in a particular way. If you if you really don’t know where you are in that journey, there’s there’s lots of different tools like these open-source tools that can do like a scan of an account and give you a bit of feedback. Things like Netflix security, monkey, and a scout to buy a company. 

I can’t remember the name of right this moment. Then there’s third party platform, you know, paid, paid the party tools that can really give you good insights to what’s set properly and what’s not. And that really helps you just accelerate to the point where you know, where you are. 

Ashish Rajan: Sure. And what about compliance? 

And I think you kind of touched upon cloud security and kind of look at compliance too. What about standardizing compliance across multiple AWS accounts or multiple cloud environments? What’s your approach for 

Michael Fuller: that? So the [00:13:00] security standard or compliance is in risk and compliance, 

Ashish Rajan: risk and compliance, sorry. 

As a event. 

Michael Fuller: So what we do for our compliance team within the last year, we think about what are the controls that need to be in place, or what are the settings that need to be in place to achieve, you know, basically tick that tick box on one of those compliance reports. And a lot of those settings can actually apply the same sort of checkbox to multiple different reports. 

So whether it’s Sarbanes-Oxley or Sox, SOC two, you know, effectively, these controls can allow us to say, yes, we have that cupboard. The Godfrey in, in parallel to the security checks is how do these then also then enable us to check those risks, compliance, check boxes, and then how do we make sure that we have, you know, I guess it goes one step further. 

It’s like, if, if this checkbox is not ticked, how do we track that? You know, how it got onto it? How do we check, you know, w T antique for a reason, and, and auditing time, we can kind of explain these events. . 

Ashish Rajan: I’m assuming all that’s recorded in JIRA and confluence. Of course it is not just, just checking. 

The the other question that I have is you kinda mentioned on the ongoing compliance thing. [00:14:00] And we spoke about maturity as well. What about threads and working with different kinds of, security incidents? Cause obviously you work from my understanding, you work quite closely with the security team. 

Is your team also trained in security incidents? So you could be that first line of defense or does it go straight to secure? 

Michael Fuller: Yeah, security does the first line of defense. You know, so that that particular team or parts of their teams are focused on that first line defense. What my team usually gets involved in is, is once there, there is an investigation in action. 

They might get pull us in as subject. So, you know, while we have a sort of security function, we also have you know, support for the architecture of cloud. And we have highly certified cloud engineers within our team. And so, you know, when they’re looking at a, you know, Hey, this is how this thing is configured. 

Is this potential, what can I do with this particular setting or, you know, what are the other ways we should be thinking about this particular configuration we’re able to then come into those in support the security team in able to actually explain the full extent of what a, what a configuration is and [00:15:00] how it can be used. 

And that then gives them the sort of extra insight to think, you know, Is there is, have they basically figured out the full extent of this investigation or are they missing parts of the picture because they’re not aware that, you know, this particular configuration allows you to pivot or there’s an escalation path through this particular way of configuring things. 

Ashish Rajan: All right. And I think to your point about this kind of goes back to the standardizing security as well, because there’s already a security standard across the board. You kind of know how how quickly you can apply something or change something. 

Michael Fuller: Yeah. And so in generally, you know, there’s only a handful of you know, personnel within Atlassian that have quite wide access to the cloud platform. 

You know, for obvious reasons. But my team is one of those, these teams, cause we are the ones going and setting all these settings across all the accounts. That also means that we have access to get to those settings within all of our accounts. And so if a security team wants to be able to go in and, you know, check a setting or change a setting, then they can use us as their proxy. 

So we have that access for them. Yeah. Following proper our risk and compliance processes and stuff. 

Ashish Rajan: Sweet. And you guys are you guys at that stage where you’re doing auto remediation for [00:16:00] breaches of compliance or beaches of, I guess, policies? 

Michael Fuller: We have some like, so most of those sort of base layer standards where switch settings have to be in a particular way. 

Drift into Bolden. Yes. There’s tooling to push those back into the place and report upon that. When it gets to the higher level configuration specific to our, you know, individual resource within cloud we’re getting sort of closer and closer to thinking about what our remediation in some of those areas. 

But most of the moment is just making sure that we have full visibility of everything going on and, and have good monitoring on every resource. Cause that last scene works in a bit of a trust, verify model. So. Right thing, but we have to put a lot of effort into making sure that we’re verifying that. 

That’s exactly what 

Ashish Rajan: all right. So as part of standardization and one of the people that I was talking to from one of the big telcos over here, which I’m pretty sure you will know which one it is. They were talking about this, that they has standardized security. And they had followed this process where they were approving the kind of services people could use on the organization. 

Say, for example, you can use S3 bucket, but you can’t use RDS or you can use S3 bucket and RDS, but you [00:17:00] can’t use glue or something else would just come out recently. Setting standards, kind of bring that on board as well. Or is that a lot more freedom for the developers? 

Michael Fuller: Yeah, for us, it’s all about the speed of innovation. 

And to say you can’t use this new feature until, you know, a single team goes through and reviews. It would definitely slow down that within controls. Right. And so we could probably isolate the new service activity. And count within the infrastructure. But we definitely, you know, working on that shared responsibility model, we trust that the cloud service provider has done their due diligence, a bailout, and sort of, as I said, like integrating some third party pooling into the platform enables you to be faster because, you know, Basically paid to think about the security of all these resources and how you monitor them properly. 

Whereas, you know, if we’re going to build everything ourselves, you know, it’s, it’s quite likely that we’re going to ignore a particular service. Cause we don’t think we’re going to use it until someone starts using it. Right. Where when you look at using a third party tool to monitor security configurations They will have a customer that that’s critically important to them [00:18:00] for. 

So they will build a feature around monitoring that. And so, and then they also want to be the first to market, right? And so as a cloud service provider comes out with a new feature or a new product. They want to be the first to market and saying that they support that new product. And so, there’s going to be a good reason to use a third party vendor there to help you with the monitoring and security, but we definitely don’t want to be bottle-necking anyone behind you know, sort of white papers. 

Of, you know, someone checking a checkbox to say, yes, this is, this is approved now. And I understand why people do it, but you know, it’s not the sort of cultural within that last year. 

Ashish Rajan: So, and that’s an interesting one, right? How do you bring that back to visibility for yourselves? And if someone started something new, as in, like, if I start something like a glue today, but you guys have never used glue. 

Yeah, or 

Michael Fuller: part is probably vendor, right? Like we use a, you know, a third party vendor that does configuration checks across resources. And so if, if they believe that there’s you know, medium to high severity of configuration within resources that, that, that you know, should be monitored, they’re going to implement that feature. 

Right. And I think in general though the cloud center of excellence within the last year, Broadly across nearly every [00:19:00] service within the cloud, you know, cloud offering. It’s not to say that I know exactly how to, you know, deploy a video transcoder service within within Amazon, but I’m aware of the service and, you know, the breadth of sort of what it does. 

And so if we start to see those you know, costs coming in from one of those services, we could be aware of it. But I think generally my leaning towards is this idea of using a third party vendor that, that is just paid to think about. Yeah, the things you should be watching because you know, they’re going to go and implement those true 

Ashish Rajan: Antia point. 

You’ve gone. I mean, as a security team, you already have your hands full across the board already NuCalm needs new companies for new services and new challenges coming in. Like how much of it can you really be on top of right. 

Michael Fuller: Exactly. Yeah. And to some, some of that point it’s, it’s exactly why my team I think work well within that last year, this is kind of like security has the handful. 

And if we can take some of that burden off them to say, Hey, you know, this is cloud specific and we can handle this for you. And you know, can we just move the, the barrier of entry to be a security engineer at Alaska and up a little bit. Right. And so if [00:20:00] you’re in prod sec or AppSec, you know, really you’re just worrying. 

The access logs, not how you actually got them away. They come from, you know, just that you have access to those things. And some teams just handled that for you. 

Ashish Rajan: And I think I remember you telling me this when you’re talking about this last week, where it was more around leveling the playing field for security as well. 

So it doesn’t matter what new services coming. 

Michael Fuller: Yeah. So w we w we would be sort of the ones that would probably be one of the first teams to play around with a new service, or at least read what it does and how it works. And if we feel that there’s a, you know, a particular concern for security there, we would flag it to security and show them what we think is a concern. 

And I think that’s kind of where the relationship within the us and security really built strong foundations was this back and forth about here’s the cloud configuration. Can you see anything wrong with this? Or, Hey, have, have you seen a configuration like that before? And then you can you guess what I can do if I have a configuration like that? 

And so these, you know, back and forth with sort of thinking about if I put my black hat on can, can I think about ways to sort of abuse each other back and forth, and that really [00:21:00] done did sort of level both of us up both. As far as you know, how well we think about you know, privilege escalation and, and stuff like that within our accounts, 

Ashish Rajan: Sweden. 

The, this is probably a good segue into my next section, which is mid Buster. And the first question I’ve worked for the is what’s the most common cloud security myth or misconception. 

Michael Fuller: I, so I think that there’s a certain I call them generation of security you know, expert in the field that, that is still stuck on this idea that if it’s someone else’s server, but it seems secure. 

And you know, I, I think that there’s a. You know, maybe a S a little grain of truth in that, like, yes, people have physical access to the kit. But if you look at sort of the cloud service providers, they’ve done a lot to allow you to do encryption at rest using, you know, customer managed keys. And I guess on the flip side, is they completely you know, when I hear these stories are very biased towards. 

The data center being completely the most secure place in the world. And, you know, I worked in data centers for a good 10, 10 years before moving into the cloud. And I can tell you now [00:22:00] that I don’t feel like the data Santa was that secure. I mean, maybe know NSA cage or something like that would be secure, but, yeah. 

It effectively, there’s some, you know, me mid range, paid person at the front door, that’s chicken and Lawson’s and then you get access to a room. And then the other thing is you’re still in a trust and verify model. Anyway, you’re trusting the people that walk in, you know, that work for you walking into those cages to be doing the right thing. 

I guess with the cloud, I, I feel a bit more confident that. No, I have ways of using IPLS to check that things are plugged together properly, as far as, you know, the, the virtual connects. And then I have to just have a layer of trusting in the cloud service provider that, that the people going into vacate just you know, a loss at least somewhat vetted properly. 

But, I don’t know. I just feel like this this feeling that the cloud is stealing. Sticking in that that phase of talking about the cloud is insecure, is maybe missing the point. And I think that it usually then leads onto the same conversations about how you can do so much better in the office and a bar and it’s cost-effective and then you’re missing the point that I think the cloud is about innovation speed and you know, effectively, if [00:23:00] you can sort of see the, the way we can audit security or audit risk and compliance wise, a cloud platform. 

You can do these with automation and JIRA tickets. Whereas if you go and audit a physical data center, you’re paying auditor’s to come in and look and ask people questions and stuff like that. It takes, it takes weeks on end. Right. And so, yeah. 

Ashish Rajan: Just sort of similar, not worn. Do you think people are not talking enough about Clark’s secure? 

Michael Fuller: Yeah. So when I look at the change to cloud, like a company, can’t just do all of the same practices that they were doing in the data center and they can’t just, you know, move to the cloud and, and just think that it’s the data center that changed, right. It’s the cloud is, is a paradigm shift in the way people think. 

And so we, we see this, when we look at the financial aspect of cloud or, you know, definitely within the security aspect of cloud, you know, within a data center, things didn’t, replug themselves. You know, bar and API call. And so the way things were set up can change very, very rapidly within cloud. 

And if you’re not sort of able to work at that pace, the pace of cloud then effectively, you’re just working too [00:24:00] slowly. And so teams like finance and security don’t realize that they are actually involved in this cloud change. And to, you know, you’re already in the cloud. And then that’s usually the point where you start hear about these cloud breaches, right? 

It’s cause. Involved in this process weren’t involved early enough. And then when they are involved, they’re trying to catch. 

Ashish Rajan: Yeah. Cool. No, that’s a great answer, man. I’ve got another section that I’ve recently introduced and we were talking about this offline, the whole work from home thing because COVID has forced a lot of us to work from home at last and being a global organization. 

And you spoke about Daisy a bit earlier. Well, I guess this is offline, but kinship. If you can share how you guys are working effectively, if you have done something different to work from home and how Daisy pays. 

Michael Fuller: Yeah. So I guess you know, I guess first stop last year was 100% work from home globally at the moment. 

So that’s a, it’s a new experience for us and I’m sure that there’s many companies in a similar boat where this is a brand new experience for them. And we are still figuring this out, just like everybody else. I don’t think that you know, we magically we’re the best company in the world work from home. 

You know, some teams are really taken to it like [00:25:00] shining stars and other teams are really sort of struggling. To figure out exactly how they should be working in this environment. But I think in general that we had, because we were a global company already, we had the challenges of working across the time zone, you know, already and working on VC calls and stuff like that. 

And trying to move towards a world where you can work a little bit less, a little bit more asynchronously, and sorry. You know, we were talking offline about the dicey process at Atlassian team playbook available on our website. And this is just really a, you know, one example of a structure that Atlassian has that enables us to work from home effectively. 

And so this is really a decision making. But you know, so the idea here is you have a driver that’s kind of wanting to make a change or a decision around some aspect of Atlassian and approval. Who’s maybe usually one or maybe two or three people, depending on the importance of the decision to be made. 

Basically they’re the people that are trying to get, I guess, convinced on this change, the contributors, and this is the main, the main important piece here for the Dacey and why it works well for us is, is you bring in contributors from, from all around the world that are important to [00:26:00] this decision being made and making sure that everybody who should be contributing is contributing to a decision. 

The last is just the informed who should be aware that this decision is, is being made and has been made, within the company. And so, you know, when you’re in a room, you can kind of argue back and forth with each other over the water cooler. But as you start to work from home or work more globally, then you really have to have some framework that aligns this communication to get captured asynchronously, and then a decision that we made. 

Ashish Rajan: Oh, sweet. No, that’s a great answer as well. Are you finding that? If this country is doing security remotely, would that be a challenge? 

Michael Fuller: I don’t think so. I think that the more that we’ve built the tooling around the way we work. So both third party vendor in house tooling and cloud service provider tools, most of this stuff is happening asynchronously already. 

It’s it’s monitoring alerting. And, and we, as I said, we already were sort of a global company, so we were already sort of working with teams across the world, but yeah. And so I think in general, the You know, teams will kind of aware of how to work remotely. Some of our security engineers are [00:27:00] actually already full-time work from home. 

And so they’re kind of working towards that. But I think in general old practices within businesses are probably going to be readdressed. Globally around this idea of what happens if you work from home or what happens if someone’s working from home. And I think you know, if we all come out the other side of COVID-19 with more, fluid you know, processes around people not being in the same room, it’s probably a great thing for. 

Ashish Rajan: On that note, we are in the last section now, which is a fun section, which I don’t really talk much about because it was like completely non-technical. The first question that is, what do you spend most time on when you’re not working on cloud or technology? 

Michael Fuller: Interesting at work or at home, or 

Ashish Rajan: either at home, I guess. 

Michael Fuller: So my, I actually I have a small property away from the city. And so that’s been an interesting process to sort of learn how to look after a bit of land and, you know, 

Ashish Rajan: so farming as in like veggie passengers. 

Michael Fuller: Not so much, it was early days for us, but yeah, basically just you know, maintaining the land. 

There’s lots of trees and driveways and stuff like that. And so, and just starting to little, work that out and experience for the kids to get out in the countryside and walk the [00:28:00] paddocks and see the animals and stuff like that. We got a lot of wildlife, so, you know, kangaroos and wombats and stuff like that. 

And so they get to see those sort of animals outside of the zoo. It’s a great sort of way of putting it. 

Ashish Rajan: The next question is what is something that you’re proud of? What is not on your social media? 

Michael Fuller: I’d have to say like my kids, right? Yeah. 

Ashish Rajan: A hundred percent, man. All right. Final question. What’s your favorite cuisine or restaurant that you can share? 

Michael Fuller: Ah, I’m I’m in postural do an American burglary, you know, pickles and stuff like that on it. So every time I go to the state, so I said a seek, seek a good proper American Doner out, but 

Ashish Rajan: nice. That was pretty much what we had time for, but this is really good, man. Thank you so much for taking the time out. 

Where can people find you online? 

Michael Fuller: Definitely can find me on LinkedIn. I think it’s like Mike dot fuller on LinkedIn. So seek me out. I get a lot of, reach outs from LinkedIn. So it’s probably probably my most sort of active corporate space is on LinkedIn. I don’t really do Twitter or anything. 

Ashish Rajan: Oh good. Now. Thank you. I now add that in the show notes as well, but thanks again so much for taking the time out, man. I had a really great learning experience from knowing what, how you guys use security effectively and globally, but thanks so [00:29:00] much for taking the time out. Thank you.

No items found.
More Videos