The Altium 365 cloud platform is built secure from the ground up. This section
provides details on the steps we take to help ensure the security of your data. It is
not an exhaustive list but is intended to help you understand what we are doing to
keep your data safe. Some aspects of security protocols, procedures, and
implementation are intentionally not included here.
Development of the Altium 365 platform, its features, and the functionality it delivers is carried out with user security in mind, with verification of that security every step of the way. This includes extensive architectural reviews, dependency scanning, code reviews, and dynamic application security testing to ensure any security vulnerabilities are considered, identified, and avoided from the outset, as well as using independent third-party testing to make sure there are no holes in our security.
Reliable Data Protection
Amazon Web Services (AWS) provides a physical layer of security and reliability. Customer data is stored exclusively across multiple AWS resources: RDS is used as the relational database system, versioned S3 for standard binary data storage, FSx for binary storage where fast performance is required, and dedicated Elasticsearch clusters for the high-performance search capability.
Data at rest is encrypted using AWS KMS keys. AWS KMS uses hardware security modules that have been validated under FIPS 140-2. The use of encryption keys is logged and sent to our SIEM to track when the keys were used and by whom.
Access to Altium 365 infrastructure that stores customer data is tightly restricted and controlled by a dedicated group within Altium. Accessing customer data is possible only with the customer’s explicit permission and generally only for troubleshooting purposes.
Communication between Altium 365 clients, such as a web browser, Altium Designer, or a mobile application, and the Altium 365 cloud platform is only permitted through secure, trusted connections, and specifically using the HTTPS protocol, a standard approach to secure World Wide Web communications, over standard ports.
Authentication and Identity Management
Access to Altium 365 services that handle sensitive customer data requires users to be authenticated to make any requests. Authentication is controlled by an identity service that requires a username and password and creates time-limited sessions as part of the authentication process. Sensitive login information such as passwords is encrypted during transmission and at rest.
In addition to native authentication, Altium 365 supports Single Sign-On using the SAML 2.0 protocol. This allows customers to manage identity through most modern identity providers (IdPs), such as OneLogin, Okta, Microsoft Azure AD, and Google Identity. Besides authentication, extended support for the SCIM protocol also allows centralized user and group provisioning and de-provisioning. Depending on the IdP, you can opt for enhanced protection with multi-factor authentication (MFA).
Distribution and Control
All regions are protected from the wider internet by being hidden behind a web application firewall (WAF) and an application load balancer (ALB), a standard AWS off-the-shelf resource component. This serves two primary purposes: first, to distribute incoming “client” (web browser or Altium Designer) requests evenly across the collection of Elastic Compute Cloud (EC2) instances; second, to act as a firewall between the wider internet and what is effectively a tightly controlled internal network. Requests to service endpoints must come through the load balancer, and connectivity for tasks such as server administration is limited so that only restricted internal staff and resources on the internal Altium Corporate network can connect to them.
EC2 Virtual Servers
The Altium 365 cloud platform is hosted on the Amazon Web Services (AWS) infrastructure. It leverages redundant compute resources with multi-availability zone storage services spread across four independent regions. Each region consists of a collection of virtual servers, Elastic Compute Cloud (EC2) instances, which host the Altium 365 application services. These servers do not master any customer-specific data, containing only application code and the associated metadata required to perform some actions on customer data (such as creating a new project or component).
Altium 365 implements a multi-tenancy architecture that operates at the database level. That is, each individual “tenant” (currently synonymous with the concept of a “workspace”) has its own standalone, isolated schema. This helps to ensure customer data isolation.
All instances related to Altium 365 must pass a vulnerability scan before going into production. Any vulnerabilities found during this process are tracked to remediation and fixed at the root cause.
We periodically engage external third parties to help with penetration testing, most recently Nettitude, a CREST-accredited company, to ensure we protect against evolving threats. The development team reviews all feedback from penetration testing, and updates to application services and infrastructure are made as required.
The latest penetration test report can be shared upon request, with a mutual NDA in place.