Data Center
A Tier Level 4 certified data center provides us with the highest physical protection and
infrastructure availability. This is a fundamental piece of Altoo's security measures. It
allows us to assure a very high confidentiality of our customers' data and a high availability
of our service.
"Data-at-Rest" is kept at that location in encrypted form, and data does not leave that secure
physical home other than to be provided to our customers and their delegates through our mobile
and web clients using encrypted connections ("Data-on-Move"; see Cyber Space - Network).
Video Surveillance
The inside of the data center is monitored by video surveillance as well. Besides checking for
unauthorized access, this also lets the security control room verify an incident alert visually
before sending security guards to the specific location.
Man Lock
Within the building, movement isn't free either: each person's badge must have been granted
access to the individual rooms and locations they enter.
Access Protocols
Tier Level 4 certified data center.
Redundant Power
The availability of our IT infrastructure relies on this. The data center delivers electric
power to all racks redundantly from 2 sides, and all of our hardware is connected to both power
supplies provided. Uninterruptible power supply is a service delivered by the data center.
Redundant Cooling
For Tier Level 4 certification, the cooling system must be fully redundant to guarantee high
availability. So cooling is provided to the rooms hosting our IT infrastructure from 2 sides
redundantly.
Fire Extinguishing
Fire Zones
Swiss Located
Redundant Network
Office
Altoo's security measures.
This is where we develop and operate our services.
Our Curators support our customers with their wealth data. Our IT operators monitor, maintain
and improve our private cloud infrastructure. Our developers improve our mobile and web clients.
Our business developers bring back feedback and important insights. And our administration
supports it all. It all happens at our office. So we keep an office security level as one might
know from other companies working with similarly sensitive data. The scenarios we focus most on
protecting against are customer data leakage and the availability of our service.
Badges
Fire Detection
Network
The Corona pandemic made it obvious that our VPN infrastructure for the employees supporting our
service is essential to assure that service in rougher times as well.
Encrypted Link
(see Cyber Space - Network).
Network
In between, multiple security components assure proper guarding of all the network traffic.
A special focus is "Data-in-Motion". Depending on the sensitivity of the data transported, we
ensure appropriate protection of that traffic.
Cascaded Firewalls
Furthermore, we use switch-supported VLANs to securely separate different network segments. At
our office, too, we allow only specific network communications.
Cluster Separation
Altoo runs its services on separated hardware clusters, split up by their main security
classification. So our private cloud actually consists of 4 separated hardware clusters.
This also reduces operational risks, as unwanted communication and interaction is prohibited at
the hardware and network level.
Subnet Separation
Encrypted Communication
Altoo web and mobile clients use encryption for communicating with our online services, as do we
for all other sensitive traffic. For encryption we use the latest encryption algorithms and
frequently review and check our configurations to keep them up to date.
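Reviewing a TLS configuration the way the last sentence describes can be automated. The following Python is an added example, not Altoo's tooling: the page does not disclose Altoo's actual configuration, so the cipher string and the review criteria (TLS 1.2 or newer, AEAD suites only, forward-secret key exchange, no legacy algorithms) are this editor's assumptions about what "up to date" means. It puts the weak setting next to the corrected one and runs the same review over both.

```python
import ssl

# Cipher names containing these fragments use algorithms a current review rejects.
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP-", "PSK", "SRP")
# Key-exchange labels as reported by SSLContext.get_ciphers() that give forward secrecy.
# "kx-any" is what TLS 1.3 suites report (TLS 1.3 always uses ephemeral (EC)DH).
FORWARD_SECRET_KEA = ("kx-ecdhe", "kx-dhe", "kx-any")


def review_cipher(info):
    """Findings for one entry of SSLContext.get_ciphers(); an empty list means acceptable."""
    findings = []
    name = info["name"].upper()
    for marker in LEGACY_MARKERS:
        if marker in name:
            findings.append("legacy algorithm " + marker)
    if not info.get("aead", False):
        findings.append("not AEAD")
    if info.get("kea", "") not in FORWARD_SECRET_KEA:
        findings.append("no forward secrecy")
    if info.get("strength_bits", 0) < 128:
        findings.append("fewer than 128 key bits")
    return findings


def weak_ciphers(cipher_infos):
    """Map cipher name -> findings for every cipher the review flags."""
    report = {}
    for info in cipher_infos:
        findings = review_cipher(info)
        if findings:
            report[info["name"]] = findings
    return report


def permissive_context():
    """The weak setting: everything the OpenSSL build offers, minus anonymous suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def hardened_context():
    """The corrected setting (assumed policy): TLS 1.2+, AEAD suites with ECDHE only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!PSK:!SRP")
    return ctx


def review_context(ctx):
    """What a periodic configuration check reports for a context: ciphers plus protocol floor."""
    report = weak_ciphers(ctx.get_ciphers())
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        report["<protocol>"] = ["minimum version below TLS 1.2"]
    return report


if __name__ == "__main__":
    print("permissive:", review_context(permissive_context()))
    print("hardened:", review_context(hardened_context()))
```

The review works on the dictionaries `get_ciphers()` returns, so the same function can be pointed at the cipher list pulled from a live server or a saved configuration during the periodic check.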
Jump Hosts
Persistence
"Data-at-Rest" needs special attention to guarantee confidentiality. Stored data also requires
physical protection to be considered. We encrypt persisted sensitive data. But encryption on its
own is not all that needs to be done to get reasonable protection: the keys used must be
protected accordingly, and we use specialized Hardware Security Modules (HSMs) to keep them safe.
Event Sourcing
By encrypting the payload of each journal entry (an Event), we protect all sensitive business
data stored in our IT infrastructure. This includes the backups to which the encrypted data is
copied.
HSM
HSMs are designed to make it hard to steal keys. By using separate keys for each data entity, we
can even guarantee to "delete" data in all backups by "forgetting" the key used to read the
specific data entity. This helps us to comply with modern data protection laws (e.g. the EU's
GDPR).
To guarantee the availability of our data, we need to guarantee the availability of our keys,
which we do by keeping them redundantly on each HSM cluster member, one of which is located in a
different fire zone in our backup space.
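The per-entity keys and the "delete by forgetting the key" mechanism from the Event Sourcing and HSM sections above can be shown end to end. The following Python is an added example, not Altoo's code. The `KeyStore` class only models the HSM's role (keys generated, used and forgotten inside it, never exported); the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a standard-library stand-in for the AEAD a real HSM would perform; entity identifiers and event payloads are constructed. It demonstrates that a backup taken before the key is forgotten is just as unreadable afterwards as the live journal, while other entities stay readable.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key, label):
    """Separate encryption and MAC keys from one entity key (labelled HMAC)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a standard-library stand-in for the AES-GCM an
    HSM would provide; the key handling, not the primitive, is the point here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Check the tag before touching the ciphertext; any modification raises."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("journal entry failed authentication")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyStore:
    """Models the HSM's role only (assumed interface, not a real HSM driver): one key
    per data entity, generated and used inside, never exported, and deletable."""

    def __init__(self):
        self._keys = {}

    def seal(self, entity_id, plaintext):
        if entity_id not in self._keys:
            self._keys[entity_id] = os.urandom(32)  # first event for this entity
        return seal(self._keys[entity_id], plaintext)

    def unseal(self, entity_id, blob):
        if entity_id not in self._keys:
            raise KeyError("no key for %r: its data is unrecoverable" % entity_id)
        return unseal(self._keys[entity_id], blob)

    def forget(self, entity_id):
        """Crypto-shredding: every copy of this entity's data, backups included,
        becomes unreadable the moment the key is gone."""
        self._keys.pop(entity_id, None)


class EventJournal:
    """Append-only journal: each event's payload is sealed, its metadata is not."""

    def __init__(self, keystore, entries=None):
        self.keystore = keystore
        self.entries = list(entries or [])  # (entity_id, event_type, sealed payload)

    def append(self, entity_id, event_type, payload):
        data = json.dumps(payload, sort_keys=True).encode()
        self.entries.append((entity_id, event_type, self.keystore.seal(entity_id, data)))

    def replay(self, entity_id):
        """Rebuild one entity's history; KeyError once its key has been forgotten,
        ValueError if any entry was modified."""
        return [(etype, json.loads(self.keystore.unseal(entity_id, blob)))
                for eid, etype, blob in self.entries if eid == entity_id]

    def backup(self):
        """A backup copies sealed payloads only, so it needs the very same keys."""
        return list(self.entries)


if __name__ == "__main__":
    hsm = KeyStore()
    journal = EventJournal(hsm)
    journal.append("customer-A", "PositionAdded", {"asset": "FUND-1", "quantity": 100})  # constructed
    journal.append("customer-B", "PositionAdded", {"asset": "FUND-2", "quantity": 40})   # constructed
    restored = EventJournal(hsm, journal.backup())
    hsm.forget("customer-A")  # erasure request: one key, all copies
    print(restored.replay("customer-B"))
    try:
        restored.replay("customer-A")
    except KeyError as err:
        print(err)
```

Two design points carry over to a real deployment: the key store must be the only place that can decrypt (here, `EventJournal` never sees key material), and forgetting must be irreversible everywhere, which is why the page keeps the keys only on the HSM cluster members rather than alongside the backups.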
Distributed Data
Authentication
OpenID Connect Identity Provider does so using multiple authentication factors. Trustworthy
authentication has become harder in the past few years, with cyber criminals trying to trick
everybody with highly sophisticated phishing attacks.
OpenID Connect
We use OpenID Connect as the standard communication protocol between our own authentication
service - an implementation of an OpenID Connect Identity Provider - and our security gateways
acting as OpenID Connect Clients.
Separated Authentication Logic
But this separation and the use of standards also leave us the freedom to decide at any time to
delegate authentication to any other trusted provider (e.g. in some countries a citizen identity
provider is offered or planned by the government).
The separation also allows us to adapt conditionally how we want to authenticate our users.
Future security requirements might make authentication depend on the hardware used by the
customer.
3 Factors
Altoo's own OpenID Connect Identity Provider currently uses 3 factors - a client certificate, a
2nd-factor device and a password - to verify a person's identity. With the current cyber
security situation we want to follow the highest standards to protect our customers' data.
We allow pairing multiple devices as a 2nd factor. And we also have fallback factors in case
they are needed.
Authorization
Rule Based
Additionally, we evaluate rules using a "Veto" principle: at least one rule must allow something
and none must deny it. As a consequence, the default access is denied. And very simple "Veto"
rules (e.g. no wealth data access for system administrators), which are hard to get wrong, can
prevent errors in more complex rules and easily express general authorization rules.
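The veto evaluation described above is small enough to write out in full. The following Python is an added example, not Altoo's authorization engine: the request shape, role names and rules are constructed for illustration. It includes the page's own example veto ("no wealth data access for system administrators") and a deliberately over-broad permitting rule, to show that the veto still holds even when a more complex rule gets it wrong, and that a request no rule has an opinion on is denied by default.

```python
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"        # a veto: final, whatever the other rules say
    ABSTAIN = "abstain"  # the rule has no opinion on this request


def request(subject, roles, action, resource_class, owner, delegates=()):
    """Constructed request shape for this example (not Altoo's data model)."""
    return {"subject": subject, "roles": set(roles), "action": action,
            "resource_class": resource_class, "owner": owner, "delegates": set(delegates)}


# Veto rules: one condition each, so they are hard to get wrong.
def no_wealth_data_for_sysadmins(req):
    if "sysadmin" in req["roles"] and req["resource_class"] == "wealth":
        return Decision.DENY
    return Decision.ABSTAIN


def no_writes_by_non_owners(req):
    if req["action"] != "read" and req["subject"] != req["owner"]:
        return Decision.DENY
    return Decision.ABSTAIN


# Permitting rules: more conditions, so more room for mistakes.
def owner_may_do_anything(req):
    return Decision.ALLOW if req["subject"] == req["owner"] else Decision.ABSTAIN


def delegate_may_read(req):
    if req["subject"] in req["delegates"] and req["action"] == "read":
        return Decision.ALLOW
    return Decision.ABSTAIN


def sysadmin_may_read_system_data(req):
    # Deliberately buggy: the author forgot to check resource_class == "system",
    # so on its own this rule would open every resource, wealth data included, to sysadmins.
    if "sysadmin" in req["roles"] and req["action"] == "read":
        return Decision.ALLOW
    return Decision.ABSTAIN


RULES = (no_wealth_data_for_sysadmins, no_writes_by_non_owners,
         owner_may_do_anything, delegate_may_read, sysadmin_may_read_system_data)


def authorize(req, rules=RULES):
    """Veto principle: granted only if at least one rule allows and none denies.
    Every rule is evaluated (no short-circuit), so a veto is never skipped, and if
    all rules abstain the result is the default: denied. The per-rule decisions are
    returned as well, for the audit trail."""
    decisions = {rule.__name__: rule(req) for rule in rules}
    granted = (Decision.DENY not in decisions.values()
               and Decision.ALLOW in decisions.values())
    return granted, decisions


if __name__ == "__main__":
    # A sysadmin who is also a delegate asks to read wealth data: two rules allow, one vetoes.
    print(authorize(request("eve", ["sysadmin"], "read", "wealth", "alice", ["eve"])))
```

Evaluating every rule rather than stopping at the first ALLOW costs a few function calls but guarantees the veto is always heard, and returning the per-rule decisions makes a denied request explainable after the fact.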
Authorization Graph
Conceptual Support of Security
Our software and system architecture planned for the integration and support of security from
the very beginning. This conceptual support of security allows us to implement highly
sophisticated, powerful and fine-grained authorization logic.
This makes our system and software architecture an important and fundamental piece of our
security concepts as well. Architecture and security go hand in hand at Altoo.
Micro Services
Message Based
(see Authorization Graph).
Separated Business Logic
IT Operations
"Need-to-Know" and "Separation of Power". Operations is also responsible for defining and
implementing all the security measures within their domains.
Backup
Monitoring
For urgent care, the monitoring system alerts technical operations about detected problems, so
that we can react fast.
"Patch Day"
Automated Scans
Security Software
Software Development
Code Repository
Additionally, our code repository supports separate branches for bug fixes, features and even
individual tasks contributing to a feature, all of which are tracked in our issue tracking
system.
Code Reviews
Automated Tests
Build Server
Test Environments
Each environment has its own configuration, which is also kept in our source code repository and
deployed automatically by corresponding automated processes. These configurations follow the
same development process as our business logic code, an approach also referred to as DevOps.
Artifact Repository
Release Management
Before bringing an artifact to production, our Release Management process requires a business
sign-off and a technical sign-off. Our weekly meeting between the customer service
representative, the product owner and technical operations decides whether a release candidate
goes to production.
Business Sign-off
User Acceptance Test, for which we have a specific environment (UAT). Product owners and
business representatives test each release candidate with a special focus on new features.
Continuously extended manual test scenarios help to efficiently cover a large part of our
functionality within such test runs.
For a satisfactory release candidate, a business sign-off is issued, signalling a green light to
bring that version to production.
Technical Sign-off
Integration Test (INT), where we focus on technical integration with specific hardware (e.g. our
HSMs) and interfaces to 3rd party services.
A technical sign-off is required for each release candidate to make it to production.
Information Security
Infrastructure
Model
By assigning each business process the levels of protection it needs, judged by the
confidentiality, availability and integrity of the data concerned by that process, we can derive
the level of protection needed for each component involved.
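The derivation step in the model above (from per-process CIA judgements to per-component requirements) can be made mechanical. The following Python is an added example, not Altoo's model or tooling: the three-step scale, the sample processes and the component names are constructed assumptions, and the inheritance rule (a component must meet the strictest level of every process that depends on it, per dimension) is this editor's reading of the sentence above.

```python
LEVELS = ("low", "medium", "high")  # assumed ordered scale; the page names no scale
DIMENSIONS = ("confidentiality", "integrity", "availability")


def derive_component_requirements(process_needs, process_components):
    """Derive per-component protection levels from business-process classifications.

    process_needs:       {process: {dimension: level}}  (the CIA judgement per process)
    process_components:  {process: [component, ...]}    (what each process runs on)

    A component inherits, per dimension, the strictest level of every process that
    depends on it. Components no process depends on get no entry at all."""
    derived = {}
    for process, components in process_components.items():
        needs = process_needs[process]
        for dim in DIMENSIONS:
            if needs.get(dim) not in LEVELS:
                raise ValueError("process %r: bad %s level %r" % (process, dim, needs.get(dim)))
        for component in components:
            current = derived.setdefault(component, dict.fromkeys(DIMENSIONS, LEVELS[0]))
            for dim in DIMENSIONS:
                if LEVELS.index(needs[dim]) > LEVELS.index(current[dim]):
                    current[dim] = needs[dim]
    return derived


def components_requiring(derived, dimension, level):
    """Components whose derived requirement for `dimension` is at least `level`."""
    threshold = LEVELS.index(level)
    return sorted(c for c, req in derived.items() if LEVELS.index(req[dimension]) >= threshold)


# Constructed sample input, not Altoo's actual processes or components.
SAMPLE_NEEDS = {
    "wealth reporting": {"confidentiality": "high", "integrity": "high", "availability": "medium"},
    "customer login":   {"confidentiality": "high", "integrity": "high", "availability": "high"},
    "newsletter":       {"confidentiality": "low", "integrity": "medium", "availability": "low"},
}
SAMPLE_COMPONENTS = {
    "wealth reporting": ["event journal", "hsm", "api gateway"],
    "customer login":   ["identity provider", "api gateway"],
    "newsletter":       ["mail relay", "api gateway"],
}

if __name__ == "__main__":
    derived = derive_component_requirements(SAMPLE_NEEDS, SAMPLE_COMPONENTS)
    for component, req in sorted(derived.items()):
        print(component, req)
    print("high confidentiality:", components_requiring(derived, "confidentiality", "high"))
```

The shared component is the instructive case: the api gateway serves the low-sensitivity newsletter process too, but because it also serves login and reporting it ends up with the highest requirement in every dimension, which is exactly why shared components deserve the closest review.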
Threat Analysis
Measure Tracking
Penetration Tests
Common Vulnerabilities and Exposures (CVEs). By frequently running vulnerability scanners that do
black-box and grey-box testing for each release and each infrastructure component, we get reports
that verify all of our infrastructure and software against known vulnerabilities.
Pseudonyms
This little example of applying "Need-to-Know" and making security a habit shows how strongly
very small measures contribute to security.
IS Policy
Human Resources
Swiss based Staff
Verified Employees
confidentiality - integrity - availability
Security@Altoo
by Stefan Thiel, CTO@Altoo, fall 2019
In order to protect our customers' data, we at Altoo invest a lot.
Security must be considered from a holistic point of view: any attacker will slip in at the
weakest point of the defence. This presentation offers you the possibility to explore some of
the measures we take to make our platform a very secure one. We group the security measures
that ensure confidentiality, integrity and availability by spaces:
Physical Space - Protecting against physical theft and manipulation of customer data or of the
infrastructure we use to provide our services.
Cyber Space - Everything around electronically protecting that data or the infrastructure from
theft or manipulation.
Business Processes - Many measures are also of an organizational nature, serving the same
purpose of preventing theft and manipulation of sensitive data or infrastructure.
With this presentation we want to offer you the opportunity to explore some of our security
measures - many conventional ones, but also a few unconventional ones.