New research: the role of Marketplace apps in server to cloud migrations

Hi developer community!

I’m an Atlassian researcher and have been working with Caitlin McCurrie. We’ve been working on understanding more about the role of Marketplace in customer experiences migrating from server to cloud. Some of our learnings have added to our knowledge of what customers are looking for in a Marketplace Partner when selecting an app. Caitlin covered a lot of this already in a post published in June, and we have a little more to add to this that we’d like to share with you all.

We’ve also learned more about the support our mutual customers need from us and from you when migrating their apps. We’d like to pass on some great nuggets of insight to you all so that we can help our customers on their journey to cloud with the apps they need (and love ).

Offer clear and upfront data management and security information

While it remains true that customers look for well-known, larger Marketplace Partners (to quote one of our customers: “someone we’ve heard of”) this is NOT the MOST important factor for customers.

To increase trust in your apps, you can:

  • Include information on security postures upfront. To see an example of well-documented security practices, check out CRXcavator.
  • Build your apps on Forge. Although we understand that many of you are blocked from developing on Forge and we’re working toward addressing many of those challenges.
  • Offer ongoing support.
  • Encourage user reviews and share best-practice advice via Community.

Ensuring data management and security information is upfront, easy to access, and well thought out is one of the main trust-factors customers are looking for . Here’s how one of our customers describes their assessment of apps/Marketplace Partners:

Security is such a big thing at the moment. It’s all about data protection and privacy and yeah. If you’re a vendor and you don’t realize that it’s so important, that that’s the first check I do, are they fully going to be a secure company? Because otherwise, I’m not going to invest time to start a process for buying the app if I already see that they don’t show their security information really easily. That’s really because we’re such a big company. I have a security colleague that’s responsible for security analysis. And if it’s really going to be a long process, I’m not going to bother them. Or I will just tell my colleagues, sorry, this app is not secure.

App security analysis is a rigorous step in the procurement process for some of our customers. While security is important for all customers, not everyone has deep knowledge of data security and management and most will not have the understanding you all do so it’s really important to help ensure customers don’t have to hunt for security information. Where customers see no evidence that a Marketplace Partner is aware of data management and security compliance needs, they will choose not to use the app on cloud.

Clear and upfront, easy-to-find data management and security information is one of the most important factors customers are looking for when selecting an app.

Meeting cloud migration needs

Some apps are more complex than others when it comes to migration. Customers described that migrating apps took up a significant and unexpectedly large portion of the total time invested in migrating to cloud. Migration effort encompasses the exploration and planning stages, Proof of Concept (POC), tracking support tickets with Atlassian and multiple Marketplace Partners, and of course the migration process itself. Complex apps require extra time and effort, manual migration, and manual reconfiguration on cloud.

Customers will drop apps where combinations of the following factors emerge during their exploration phase:

  • The effort to migrate is too intensive
  • The app was not identified as a critical app (i.e. nice to have but can still get work done without this functionality)
  • Speed of reply from Marketplace Partner
  • Lack of parity
  • App is not available on cloud and there is no roadmap/ETA on the Marketplace Partner site

Customers described working through hurdles related to availability. Solutions included:

  • Seeking support: working with Atlassian and Marketplace Partners to overcome migration hurdles
  • Maintaining a hybrid setup: maintaining server alongside their cloud instance to retain the server app while waiting for the app to become available on cloud
  • Working with Solution Partners who then worked with Marketplace Partners to help find a solution

Migration can be really time consuming, especially for our larger more complex customers. We encourage large customers with complex setups to work with Solution Partners who are experienced and trained in migration to cloud. We can’t say enough about the excellent work they do, particularly when it comes to migrating apps. Solution Partners will want to work with you to help find solutions to complex app migrations. Alongside assisting customers in a smooth journey to cloud, they can help you retain customers. Team up with them to:

  • Help understand particular customers’ needs for equivalent apps on cloud (and ensure parity)
  • Configure apps on cloud and ensure all links are ready and working
  • Change management to help customer’s start life on cloud on the right foot

I hope some of these nuggets of insight can help in the excellent support you are already providing for your customers. We’re always keen to know what you think! Please reach out to Caitlin, Cara, or Michaela with any questions or comments - we love chatting with you!


@MichaelaStockeyBridg - this is great insight.
Can you shed some light on what specifically Atlassian is doing/changing as a result of these findings? :slight_smile:

1 Like

We have over 1500 customers, most of them are in Cloud.

From my experience, it’s me to tell the customer how apps actually work, and why they need to whitelist our servers in Digital Ocean.

Never have I ever been asked about Forge or Fortified by a customer. Security policy we provide is more than enough even for an entrerprise customers of 1000+ users scale.

Forge is nowhere ready neither from the functional point, nor from licensing standpoint. Unless Atlassian rework the licensing to make a) transparent b) impossible to cheat on, we as Colined, won’t even think about moving to Forge.

Please stop coming up with delisuonal researches. It’s not helping anyone.


Hello Dmitry! I think we agree with you here :slight_smile:
Forge and fortified might be ways that a partner conveys trust to a customer during migration (or any time in their purchasing journey), but they certainly not the only mechanisms to show your app is secure/trustworthy. These signals happen to have (some more) consistency across apps and this can make it easier for customers evaluate. However, I’m sure that those conversations you have with your customers to explain what you offer are very effective. Particularly as your customers get to interact with a person directly. I hear from customers often that getting on the phone/zoom is really valued and important…and btw they also tell me about the great interactions they have when reaching out to Marketplace partners. Maybe Atlassian can take some pointers :eyes:

1 Like

@MichaelaStockeyBridg do you think with Forge the problem of security reviews can be addressed at scale? What are the security questions that Forge app vendors should be answering when inquired by a potential customer?

Hey Grzegorz :wave: not specific to a Forge app vendor but in terms of what sorts of questions potential customers might have about cloud security, I can share a de-identified list that a solution partner shared with me. This will give a sense of the sorts of concerns customers are raising when evaluating an app during the migration or initial purchase:
EULA & privacy policy
Does vendor have access to [company] data? If yes, what level is accessed?
Types of data app has access to
Where is the software hosted? If non EEA, do we have option to host in EEA?
What data (if any) do they extract from Jira/Confluence into their data centre? How is it secured
Is the vendor willing to discuss T&C and EUA
Are they able to comply with EBA & GDPR regulations?
Has the add on been security assessed - can we see the result
Depending on where hosted - if the add on is hosted by vendor (even in AWS/GCP/Azure) has there been a pen test? Can we see the result
Compared to DC version are there any feature gaps/changes?

I’d note that in my work, this level of nuance in their security questions is not representative of the wider population of customers but reflects an enterprise org or org with some compliance considerations. As Michaela mentioned, we’re seeing many customers that don’t have a strong understanding of cloud security and may have a shorter/simpler version of questions.

1 Like

Hi @ademoss these findings are being shared with a number of teams internally at Atlassian and hope to inform or validate a lot of different work, but I’ll share a few things we’re looking at:

  • Security & Privacy - we’re evaluating content and other ways we can better enable partners with best practices in this space and tool or process enhancements to help customers and our internal teams find information Marketplace Partners have available more easily within the Marketplace and through other vehicles such as our Cloud Migration Playbooks for our Solution Partners.

  • Migration Complexity - Some of these findings help validate the direction we’re going with Apps in our Migration Assistant tools which are now in public beta and recent support changes within Atlassian’s Migration process using MOVE tickets to add Marketplace Partners as participants to the tickets at certain stages for improved visibility and support to the customer or Solution Partner. We’ll continue to use this feedback along with other information to drive continuous improvements to the cloud migration process for all parties involved, but don’t yet have specifics on every aspect of how this might be used.

Was there anything in particular that jumps out at you, you think we should be actioning but aren’t sure if we are?

@amardesich - besides the shameless attempt to push Forge yet again, there wasn’t anything in particular that jumped out at me.

My personal experience is more like that of @dmitry.astapkovich - where we have to educate customers on security. In the past 4 years, we have received maybe 5 inquiries about security that were initiated by a customer. So, not saying your research is bogus, but I simply don’t have the same experience that your research indicates. Similarly, I work with a large marketplace vendor (top 20), and while they see more security related inquiries, the numbers are still really really low.

In terms of things you should be actioning but aren’t… well, that list is longer than you’d like, and let’s be blunt, Atlassian doesn’t really care. CDAC is a littered with threads where the community is asking for things to make everyones life easier, to no avail.
As a great (recent) example, just take a look at the recent thread about Data Center Approval changes, where Atlassian basically told us we now have to do more work in the name of security, but refused to share any of the tooling they already have, instead telling us we’re out of luck, and everyone needs to reinvent the wheel. I don’t quite know how I should reconcile that with this thread.

Thus, me asking what Atlassian is changing… that was more a curiosity to see if this is simple a fluff piece, or if there is actually tangible change that happens as a result of this research, and that I, as a Vendor/Developer, can subscribe to and keep track of.


Hey Anthony, I think this is a really interesting difference of experience. For reference, Michaela’s work was initiated by survey data we have that showed how critical security & apps are to migrating customers. ~Half of our server customer base was blocked from migration by security concerns (not limited to but including the security of apps). Across multiple studies, we’re confident that security, or more appropriately trust, in apps is very important to our customer’s decision making. Naturally I’m hypothesizing on why we might see these differences between what you and I are seeing from customers. I think there may be a few things happening here that contribute:

  • We know customers discover app-related blockers later in their migration journey, you might see more of these challenges arise as customers progress in their migration with those looming key dates.
  • A knowledge gap exists where many customers make (often incorrect) assumptions about the security implications of cloud tools and their apps. We’re seeing a shift where customers become more aware of/concerned by cloud security and I suspect this may also create a shift over time.
  • I wonder if there is an element of customers reaching out to solution partners, Atlassian directly (e.g., migration support), or only using the information available on Marketplace/vendor sites to determine whether they’re happy with the vendor’s security posture, rather than directly to vendors. The latter would be particularly the case for those with less cloud security knowledge, they might not know the right questions to ask you directly so instead lean to the information available online.
    Just some thoughts. I’m really curious to see how the frequency of security conversations might change over time for you and others, if it does change at all.

And…Merry christmas :slight_smile:

1 Like

@CaitlinMcCurrie Could you elaborate more on the security concerns customers have mentioned. You say it was a half of your server customer base. That is a lot, don’t you think? What will they do? Move to cloud (without apps), stay with server as long as they could or move off the Atlassian tools?
Knowing more details could probably help us to address those better.

@CaitlinMcCurrie What I see with some customers is the major issue that Atlassian keeps all user information in the US. This is a problem with GDPR, as the US is not a country with an adequacy decision: Adequacy decisions | European Commission . It seems many customers are not aware of that, because they misinterpret the Atlassian data residency as pertaining to all data at all times.

@CaitlinMcCurrie I wonder if for Forge apps some of those questions can be redirected or even addressed upfront by Atlassian, because Forge app vendors are not responsible for data access, hosting, data residency, or pen testing of the platform.

Agree @Grzegorz.Tanczyk that there is scope for Atlassian to communicate some of this for Forge apps but of course, that is for the product teams to decide how they manage that. I won’t speak on their behalf!

Not surprised that you’re hearing that, Marc! Similar to what I noted above on those assumptions about cloud apps & tools. Theoretically, you could also see the reverse challenge too where app data is hosted in the EU & the customer has FEDRAMP requirements - although a lot rarer compared to your example!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.