Security on Altium 365

We take data security extremely seriously. This document describes some of the steps we take to help ensure the security of your data on the Altium 365 cloud platform. It is not exhaustive, but is intended to help you understand what we are doing to help keep your data safe. Some aspects of our security protocols, procedures, and implementation are intentionally not included in this document.

Key Attributes

Unlimited Compute Resources

The Altium 365 cloud platform is hosted on Amazon Web Services (AWS), one of the world’s largest cloud infrastructures. It leverages redundant compute resources with multi-availability zone storage services spread across four independent regions.

Secure Communication

Communication between Altium 365 clients (such as a web browser, Altium Designer or a mobile application) and the Altium 365 cloud platform is only permitted through secure, trusted connections. Specifically, it uses the HTTPS protocol, a standard approach to securing World Wide Web communications, over standard ports.

Secure Authentication Process

Access to Altium 365 services that handle sensitive customer data requires users to be authenticated before making any request. Authentication is handled by an identity service that requires a username and password and creates time-limited sessions as part of the authentication process. Sensitive login information such as passwords is encrypted during transmission and at rest.

EC2 Virtual Servers

Each region consists of a collection of virtual servers, Elastic Compute Cloud (EC2) instances, which host the Altium 365 application services. These servers do not master any customer-specific data but contain only application code and associated metadata that is required to perform some action on customer data (such as creating a new project or component).

Distribution & Control

All regions are protected from the wider internet by being hidden behind an Application Load Balancer (ALB), a standard AWS off-the-shelf resource component. This serves two primary purposes. Firstly, it distributes incoming “client” (web browser or Altium Designer) requests across the collection of EC2 instances to spread the load evenly (this also allows the computation resources and Altium 365 services to scale out as demand increases). Secondly, it acts as a firewall between the wider internet and what is effectively a tightly controlled internal network: requests to service endpoints must come through the load balancer, and connectivity for things such as server administration is limited so that only restricted internal operations staff and resources on the internal Altium Corporate network are able to connect to the servers.

Reliable Data Protection

Customer data is stored exclusively on AWS resources, across multiple resource types: RDS as the relational database system, versioned S3 for standard binary data storage, EBS for binary storage where fast performance is required, and dedicated ElasticSearch clusters for the high-performance search capability. Access to Altium 365 infrastructure that stores customer data is tightly restricted and controlled by a special group within Altium. Customer data is accessed only with the explicit permission of the customer, and generally only for troubleshooting purposes.

Multi-Tenancy Architecture

Altium 365 implements a multi-tenancy architecture that operates at the database level. That is, each individual “tenant” (currently synonymous with the concept of a “workspace”) has its own standalone, isolated database. This helps to ensure customer data isolation.

Security Implications Review

Our design and development processes constantly consider and review the security implications of changes to existing or new application services. As the Altium 365 cloud platform evolves, we will continue to take a vigilant approach to security to ensure we take every reasonable step to keep your data safe and secure.

Third Party Testing

We periodically engage external third parties to help with penetration testing, most recently Nettitude, a CREST-accredited company, to ensure we continue to protect against constantly evolving threats. All feedback from penetration testing is reviewed by the development team, and updates to application services and infrastructure are made as required.
