Physical Space

Data Center

We operate our private cloud in a Swiss data center. The <a target="_blank" href="https://en.wikipedia.org/wiki/Data_center#Data_center_levels_and_tiers">Tier Level 4</a> certified data center provides us with the highest physical protection and infrastructure availability. This is a fundamental piece of <a target="_blank" href='https://altoo.io'>Altoo</a>'s security measures. It allows us to assure very high confidentiality of our customers' data and high availability of our service.<br/> <i>"Data-at-Rest"</i> is kept at that location in encrypted form. Data does not leave that secure physical home other than to be provided to our customers and their delegates through our mobile and web clients over encrypted connections (<i>"Data-on-Move"</i> - see <a href="#Cyber_Space-Network">Cyber Space - Network</a>).

Video Surveillance

The data center's perimeter is under video surveillance, so security operations can monitor anybody approaching the data center building.<br/> The inside of the data center is under video surveillance as well. Besides checking for unauthorized access, this allows the security control room to verify an incident alert visually before sending security guards to the specific location.

Man Lock

The 24h access our IT operations staff requires is enabled and secured by a single-person man lock, which includes a biometric check before granting access to the data center. For material transports that do not fit through the man lock, a security guard must attend and operate the heavy-load elevator from the security control room.<br/> Movement within the building is not free either: each person's badge must have been granted access to the individual rooms and locations.

Access Protocols

All persons entering and leaving are meticulously logged. Such protocols allow a detailed investigation of any type of incident.
The precisely timed log entries of the man lock and of each door reflect the fine-grained access security measures one expects from a <a target="_blank" href="https://en.wikipedia.org/wiki/Data_center#Data_center_levels_and_tiers">Tier Level 4</a> certified data center.

Redundant Power

For the highest availability, an uninterruptible power supply is a must-have. Multiple, distinct power supply tracks provide the required high availability, and with its battery-buffered power supply and redundant on-site diesel generators the data center also provides the expected and required availability of electric power.<br/> The availability of our IT infrastructure relies on this. The data center delivers electric power to all racks redundantly from two sides, and all of our hardware is connected to both power supplies. Uninterruptible power supply is a data center service.

Redundant Cooling

Redundant cooling systems prevent the IT hardware from overheating and are a data center service required for high availability. Like all data center services under a <a target="_blank" href="https://en.wikipedia.org/wiki/Data_center#Data_center_levels_and_tiers">Tier Level 4</a> certification, the cooling system must be fully redundant to guarantee high availability. So cooling is provided to the rooms hosting our IT infrastructure redundantly from two sides.

Fire Extinguishing

An impressive data center service is the automated fire extinguishing system. When a fire is detected, the corresponding room (fire zone) is automatically flooded with a specialized gas. This reduces the oxygen within that room and therefore fights fires quite efficiently. To protect people who might be within that room, such as our IT operations staff, the oxygen is only reduced to a survivable minimum, so that people can still leave and the security guards can fight the fire manually.
Fire Zones

To further increase availability we distribute our IT infrastructure across different fire zones (rooms) within the data center. The data center's walls are fireproof, so the separation into different fire zones reduces the risk of a total loss of IT infrastructure due to a fire. Although modern hardware is less likely to catch fire than a few decades ago, this improves the availability of our customers' data.

Swiss Located

With a Swiss-based data center we profit from our country's political stability. Combined with the availability of the latest technologies and a stable supply of resources, this is a good base to build our security measures upon. Trustworthy and highly educated staff is an important building block of our security. Legal certainty provides the foundation for storing sensitive data.

Redundant Network

Speaking of the availability of an online service, the network is evidently another important contributing piece. Our private cloud relies on network providers that guarantee high availability using redundant tracks for their cables. Not only within the data center but also on the external supply tracks, the cables follow distinct paths to avoid interruption. For security they run underground. And against the typical interruption by construction sites and their excavators, a distinct redundant track is the best protection.
Office

Our office is the other important physical space considered in <a target="_blank" href='https://altoo.io'>Altoo</a>'s security measures. This is where we develop and operate our services.<br/> Our Curators support our customers with their wealth data. Our IT operators monitor, maintain and improve our private cloud infrastructure. Our developers improve our mobile and web clients. Our business developers bring back feedback and important insights. And our administration supports it all. It all happens at our office. So we keep an office security level as one might know from other companies working with similarly sensitive data. The scenarios we focus most on protecting against are customer data leakage and the availability of our service.

Badges

Our office building requires employee badges for access. Some special rooms, e.g. the communication room, and archive cabinets require additional physical keys.

Fire Detection

To reduce the damage from a fire incident, the fire detectors are directly linked to our security service's control center, which coordinates the engagement of the fire fighters.

Network

It is from our office that we provide our customer support service, which helps customers on demand to maintain their data or with any other help we can provide. Thus the availability of our office infrastructure is an important element.<br/> Corona made obvious that our VPN infrastructure for our supporting employees is essential to assure our service also in rougher times.

Encrypted Link

Evidently, the network link to our data center is very important. We operate a permanent, encrypted link to make sure all traffic to our data center is protected. Additionally, we also use firewalls to protect the cyber space at our office (see <a href="#Cyber_Space-Network">Cyber Space - Network</a>).
Cyber Space

Network

The network is certainly a core component in providing our online service. It links the public internet in a secure way with our internal application services. Our office also makes heavy use of its permanent, encrypted link to our data center.<br/> In between, multiple security components ensure proper guarding of all network traffic.<br/> A special focus is <i>"Data-in-Motion"</i>: depending on the sensitivity of the data transported, we ensure appropriate protection of that traffic.

Cascaded Firewalls

Well known and certainly important security devices in any network are firewalls. We protect our core infrastructure, cluster and network separations using firewalls of different brands. With them embracing our DMZ, where dedicated application-level security proxies handle all incoming traffic, we ensure basic network-level protection of our customer data and our online services.<br/> Furthermore, we use switch-supported VLANs to securely separate different network segments. At our office, too, we allow only specific network communications.

Cluster Separation

Nowadays, with CPU security vulnerabilities of the Meltdown and Spectre kind, hardware sharing needs to be considered a risk. So <a target="_blank" href='https://altoo.io'>Altoo</a> runs its services on separated hardware clusters, split up by their main security classification; our private cloud actually consists of 4 separated hardware clusters.<br/> This also reduces operational risks, as unwanted communication and interaction is prevented at the hardware and network level.

Subnet Separation

Even within the same cluster we enforce subnet-separated services using VLANs. This prevents illegitimate traffic that would help intruders to spread and exfiltrate. Traffic between separated subnets is controlled by firewalls.

Encrypted Communication

<a target="_blank" href='https://altoo.io'>Altoo</a> web and mobile clients use encryption for communicating with our online services.
So do we for all other sensitive traffic. For encryption we use the latest algorithms, and we frequently review and check our configurations to keep them up to date.

Jump Hosts

A common concept to avoid traffic and data leaving the data center at all is to use jump hosts as virtual desktops inside the data center for accessing sensitive data and infrastructure management. Accessing that remote desktop with a different network protocol (e.g. RDP) and then working "on-site" is what we use for our Curators, who work with sensitive customer data, and for our technical operations, who manage critical infrastructure. Additionally, it is quite trivial to control remote access to these jump hosts at the network level. We use this to restrict, for example, access to the virtual Curator desktops to very few workplaces within our office.
Persistence

Persisted data - often referred to as <i>"Data-at-Rest"</i> - needs special attention to guarantee confidentiality. Stored data also needs physical protection. We encrypt persisted sensitive data. But encryption on its own is not all that needs to be done for reasonable protection: the keys used must be protected accordingly, and we use specialized Hardware Security Modules (HSMs) to keep them safe.

Event Sourcing

"Event Sourcing" is a concept of storing data. Instead of storing the current state, as we would in a relational database, we store a journal of events - a numbered list of signed and dated entries - that modified our data. So the current state of any data entity is the accumulation of that data entity's events. This implicitly provides a verifiable technical history of that entity and allows regenerating any past state.<br/> By encrypting the payload of each journal entry - an Event - we protect all sensitive business data stored in our IT infrastructure. This includes the backups the encrypted data is copied to!

HSM

Encryption is only as secure as the handling of the keys used. We keep them in a cluster of specialized hardware, the Hardware Security Modules (HSMs). The keys never leave that tamper-proof hardware, so it is the very same HSMs that encrypt and decrypt the data upon read and write operations.<br/> HSMs are designed to make stealing keys hard. By using separate keys for each data entity, we can even guarantee to "delete" data in all backups by "forgetting" the key used to read that specific data entity. This helps us to comply with modern data protection laws (e.g. the EU's GDPR).<br/> To guarantee the availability of our data, we need to guarantee the availability of our keys, which we do by keeping them redundantly on each HSM cluster member, one of which is located in a different fire zone in our backup space.

Distributed Data

The availability of our customers' data is very important to us. Therefore we already keep that data redundantly in our operational environment, so that the loss of some hardware does not impact the availability of that data or our services.
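The journal-plus-per-entity-key design described under Event Sourcing and HSM, as an added example that is not Altoo's code: an in-memory key store stands in for the HSM cluster (an assumption of this example; a real HSM never exposes key bytes and would also sign the entries), each event carries an AES-256-GCM encrypted payload, the current or any past state is rebuilt by folding events, and forgetting one entity's key makes every copy of its events, backups included, unreadable while other entities stay intact. Entity IDs and field names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

var ErrKeyForgotten = errors.New("key forgotten: data is unrecoverable")

// KeyStore stands in for the HSM cluster (an assumption of this example): one
// AES-256-GCM key per data entity, exposing only seal, open and forget.
type KeyStore struct {
	keys map[string]cipher.AEAD // entity ID -> cipher under that entity's key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]cipher.AEAD{}} }

// Seal encrypts under the entity's key (generated on first use); the entity ID
// is bound in as associated data so a ciphertext cannot be replayed elsewhere.
func (ks *KeyStore) Seal(entity string, plaintext []byte) ([]byte, error) {
	gcm, ok := ks.keys[entity]
	if !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		if gcm, err = cipher.NewGCM(block); err != nil {
			return nil, err
		}
		ks.keys[entity] = gcm
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(entity)), nil // nonce || ciphertext || tag
}

// Open decrypts and fails closed when the entity's key no longer exists.
func (ks *KeyStore) Open(entity string, sealed []byte) ([]byte, error) {
	gcm, ok := ks.keys[entity]
	if !ok {
		return nil, ErrKeyForgotten
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], []byte(entity))
	}
	return nil, errors.New("sealed payload too short")
}

// Forget shreds the key: every copy of the entity's events, backups included, becomes unreadable.
func (ks *KeyStore) Forget(entity string) { delete(ks.keys, entity) }

// Event is one numbered journal entry; the payload is encrypted (dates and signatures are left out).
type Event struct {
	Seq    int
	Entity string
	Sealed []byte
}

type Journal struct {
	ks     *KeyStore
	events []Event // append-only; a backup is simply a copy of this slice
}

func (j *Journal) Append(entity, field, value string) error {
	sealed, err := j.ks.Seal(entity, []byte(field+"="+value))
	if err != nil {
		return err
	}
	j.events = append(j.events, Event{Seq: len(j.events) + 1, Entity: entity, Sealed: sealed})
	return nil
}

// StateAt folds the entity's events with Seq <= upTo (0 means all) into its
// state: this is how event sourcing regenerates the current or any past state.
func (j *Journal) StateAt(entity string, upTo int) (map[string]string, error) {
	state := map[string]string{}
	for _, e := range j.events {
		if e.Entity != entity || (upTo > 0 && e.Seq > upTo) {
			continue
		}
		plain, err := j.ks.Open(entity, e.Sealed)
		if err != nil {
			return nil, fmt.Errorf("event %d: %w", e.Seq, err)
		}
		field, value, _ := strings.Cut(string(plain), "=")
		state[field] = value
	}
	return state, nil
}
```

Calling StateAt with a sequence number below the latest gives the historical view the text describes. Because the entity ID is passed to GCM as associated data, a sealed payload copied under another entity, or modified in a backup, fails to open instead of yielding wrong data.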
Authentication

An important piece in security is to know with certainty who it is that wants to get access. Our own implementation of an <i><a target="_blank" href="https://en.wikipedia.org/wiki/OpenID_Connect">OpenID Connect</a> Identity Provider</i> does so using multiple authentication factors. Trustworthy authentication has become harder in the past few years, with cyber criminals trying to trick everybody with highly sophisticated phishing attacks.

OpenID Connect

In front of our application services a cluster of security gateways ensures proper encryption and authentication. We separated authentication from the application services into a specialized component. We use <i><a target="_blank" href="https://en.wikipedia.org/wiki/OpenID_Connect">OpenID Connect</a></i> as the standard communication protocol between our own authentication service - an implementation of an <i>OpenID Connect Identity Provider</i> - and our security gateways acting as <i>OpenID Connect Clients</i>.

Separated Authentication Logic

The separation of application and authentication code helps us to maintain these components independently. Additionally, we can always profit from further tools around the OpenID Connect standard.<br/> This separation and the use of standards also leave us the freedom to decide at any time to delegate authentication to another trusted provider (e.g. in some countries a citizen identity provider is offered or planned by the government).<br/> The separation also allows us to adapt how we authenticate our users depending on conditions. Future security requirements might make authentication depend on the hardware used by the customer.

3 Factors

<a target="_blank" href='https://altoo.io'>Altoo</a>'s own OpenID Connect Identity Provider currently uses 3 factors - a client certificate, a 2<sup>nd</sup> factor device and a password - to verify a person's identity. With the current cyber security situation we want to follow the highest standards to protect our customers' data.<br/> We allow pairing multiple devices as 2<sup>nd</sup> factor. And we also have fallback factors in case they are needed.
Authorization

After authentication, it is the mission of authorization to decide whether to allow or deny an interaction with our services and data. Our security logic, separated and independent from the business logic, is expressed by means of rules. With this uncommon - maybe even unique - approach we reduce the error rate and make the security logic transparent for security reviews.

Rule Based

Our authorization logic is expressed by means of rules. Rules are much more natural when discussing authorization.<br/> Additionally, we evaluate rules using a "Veto" principle: at least one rule must allow something, and none must deny it. As a consequence, the default is to deny access. And very simple "Veto" rules (e.g. no wealth data access for system administrators) - hard to get wrong - can prevent errors in more complex rules and easily express general authorization rules.

Authorization Graph

To help evaluate our fine-grained access rights we use a structural graph representing the ownership of our data entities and their other relationships. A graph database with just a few security-relevant properties on the nodes representing data entities, and even fewer security properties on the edges representing their relationships, provides the required information for such authorization decisions. Specialized rules use GraphQL to evaluate appropriate ownership and similar access rights.
Conceptual Support of Security

It is hard to improve security on existing software. It can only be wrapped with additional layers that try to provide increased security.<br/> Our software and system architecture planned the integration and support of security from the very beginning. This conceptual support of security allows us to implement highly sophisticated, powerful and fine-grained authorization logic.<br/> This makes our system and software architecture an important and fundamental piece of our security concepts as well. Architecture and security go hand in hand at <a target="_blank" href='https://altoo.io'>Altoo</a>.

Micro Services

Our architecture is based on Micro Services, so we break the whole business logic up into small services, which are easier to maintain and, if needed, to replace. Each Micro Service is responsible for its own data and the security of that data. The authorization rule set for such a service is easy to review due to the Micro Service's relatively small API(s).

Message Based

The Micro Services composing our services communicate only via messages. The web and mobile clients also communicate by means of such messages. This goes hand in hand with authorization, which can easily sit on top of the message bus and evaluate the authorization rules for each message sent around. A message that is not allowed by authorization is logged and never delivered. As data is part of such messages, this also allows for data-based authorization rules (e.g. checking a data entity's relationship with the requesting user using our <a href="#Cyber_Space-Authorization">Authorization Graph</a>).

Separated Business Logic

Compared to scattered if-user-has-right statements, rules are a lot less error-prone to write and easier to review and maintain consistently. And this is only possible when authorization logic is separated from business logic. Rules require a different execution environment: a rule engine. An additional conceptual advantage is that many rule engine instances can balance the load of authorization evaluations. Within our architecture, which is based on Micro Services that balance their load between several instances, that is a perfect conceptual fit where architecture and security go hand in hand.
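A rule engine applying the veto principle from Rule Based, consulting an ownership graph as in Authorization Graph, and placed in front of message delivery as in Message Based, as an added example; it is not Altoo's rule engine or graph database. The graph here is an in-memory edge list rather than a graph database queried with GraphQL, and the rule names, roles, relationship labels and entity IDs are constructed for the example. The sysadmin veto is the one the text names.

```go
package main

import "fmt"

// Message is what travels over the bus: the subject authenticated by the
// gateway, the requested action and the data entity it refers to.
type Message struct{ Subject, Action, Entity string }

// Graph is an in-memory stand-in for the authorization graph (an assumption of
// this example); every security-relevant fact is a labelled edge between nodes.
type Graph struct{ edges map[string][]edge }
type edge struct{ label, to string }

func (g *Graph) Relate(from, label, to string) {
	g.edges[from] = append(g.edges[from], edge{label, to})
}

// Reaches reports whether `to` is reachable from `from` following only edges
// with one of the given labels, e.g. client -owns-> portfolio -contains-> account.
func (g *Graph) Reaches(from, to string, labels ...string) bool {
	return g.reach(from, to, labels, map[string]bool{})
}

func (g *Graph) reach(cur, to string, labels []string, seen map[string]bool) bool {
	if cur == to {
		return true
	}
	seen[cur] = true
	for _, e := range g.edges[cur] {
		for _, l := range labels {
			if l == e.label && !seen[e.to] && g.reach(e.to, to, labels, seen) {
				return true
			}
		}
	}
	return false
}

// Rule votes only when Cond holds: a veto rule then denies, any other rule allows.
type Rule struct {
	Name string
	Veto bool
	Cond func(m Message, g *Graph) bool
}

// Authorize applies the veto principle: a veto rejects the message outright,
// otherwise at least one allowing rule must have fired; no vote means deny.
func Authorize(rules []Rule, m Message, g *Graph) (bool, []string) {
	allowed := false
	var fired []string
	for _, r := range rules {
		if !r.Cond(m, g) {
			continue
		}
		fired = append(fired, r.Name)
		if r.Veto {
			return false, fired
		}
		allowed = true
	}
	return allowed, fired
}

// Rules constructed for this example; the sysadmin veto is the one from the text.
var Rules = []Rule{
	{"no-wealth-data-for-sysadmins", true, func(m Message, g *Graph) bool {
		return g.Reaches(m.Subject, "sysadmin", "has-role") && g.Reaches(m.Entity, "wealth-data", "is-a")
	}},
	{"owner-may-read-and-update", false, func(m Message, g *Graph) bool {
		return g.Reaches(m.Subject, m.Entity, "owns", "contains")
	}},
	{"curator-may-read", false, func(m Message, g *Graph) bool {
		return m.Action == "read" && g.Reaches(m.Subject, "curator", "has-role")
	}},
}

// Send sits on the bus in front of the handler: an unauthorized message becomes a log line and is never delivered.
func Send(g *Graph, m Message, deliver func(Message)) (bool, string) {
	if ok, fired := Authorize(Rules, m, g); !ok {
		return false, fmt.Sprintf("denied %s %s %s (rules fired: %v)", m.Subject, m.Action, m.Entity, fired)
	}
	deliver(m)
	return true, ""
}

// SampleGraph is constructed data: client-A owns portfolio-1, which contains
// account-1 (both wealth data); user-C is a curator; user-S is a sysadmin who also holds the curator role.
func SampleGraph() *Graph {
	g := &Graph{edges: map[string][]edge{}}
	for _, r := range [][3]string{
		{"client-A", "owns", "portfolio-1"}, {"portfolio-1", "contains", "account-1"},
		{"portfolio-1", "is-a", "wealth-data"}, {"account-1", "is-a", "wealth-data"},
		{"user-C", "has-role", "curator"}, {"user-S", "has-role", "sysadmin"},
		{"user-S", "has-role", "curator"},
	} {
		g.Relate(r[0], r[1], r[2])
	}
	return g
}
```

With SampleGraph, a read of portfolio-1 by user-S is denied although the curator rule would allow it, because the veto rule fires; user-C reading account-1 is allowed; anyone for whom no rule fires is denied by default. The list of fired rule names is what ends up in the log line, which is what makes a denial reviewable.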
Business Processes

IT Operations

It is the duty of IT and business operations to keep up the high level of security we have, every day. To ensure this we follow a few fundamental principles: <i>"Need-to-Know"</i> and <i>"Separation of Power"</i>. Operations is also responsible for defining and implementing all the security measures within its domains.

Backup

In addition to our redundant data stores in the operational environment, we have a cascaded backup strategy, which also spans our backup rack space in a different fire zone. The backups, taken at intervals of a few hours, are redundantly mirrored through these cascaded backup stores. Sophisticated backup strategies define the number and selection of backups kept.

Monitoring

Operating a private cloud with hundreds, even thousands, of virtual instances requires a special focus on monitoring these systems and the resources required to operate them. Collecting real-time data, statistics and logs in a centralized monitoring system allows us to notice many problems at a very early stage. Most problems can therefore be solved without interruption of our service or any inconvenience for our customers.<br/> For urgent cases the monitoring system alerts technical operations about detected problems, so that we can react fast.

"Patch Day"

For security it is also important to keep hardware, software and library dependencies up to date. We call that process "Patch Day": it makes us go through all systems frequently and check for required updates. Occasional security warnings from providers might require updates of specific components in between.

Automated Scans

For sensitive components we run automated scans that consume public threat and security warning databases, to alert us additionally about urgent security patches.

Security Software

All of our client and server devices have standard security software installed, which is updated frequently - mostly automatically - and protects the specific device against being used as an entry point.
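The matching step of such an automated scan, as an added example that is not Altoo's tooling: a component inventory, as collected on "Patch Day", is matched against a feed of advisories, each giving the first fixed version and a severity score, and the resulting alerts are ordered most urgent first. Component names, advisory IDs and scores are constructed placeholders, not real software or real CVEs, and the version comparison assumes dotted numeric version strings.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Component is one entry of the system inventory collected on "Patch Day".
type Component struct {
	Name, Version string
}

// Advisory is one record from a public vulnerability feed, reduced to what the
// match needs: the affected component, the first fixed version and a severity.
type Advisory struct {
	ID        string
	Component string
	FixedIn   string  // versions below this are affected
	Severity  float64 // CVSS-like score, higher is more urgent
}

// Alert pairs a vulnerable inventory entry with the advisory that applies to it.
type Alert struct {
	Advisory  Advisory
	Component Component
}

// compareVersions orders dotted numeric versions ("1.2.10" > "1.2.9"); a missing
// trailing part counts as zero, as does a part that is not a number.
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Scan matches the inventory against the advisory feed and returns the alerts
// ordered by severity, most urgent first, so that patching can be prioritised.
func Scan(inventory []Component, feed []Advisory) []Alert {
	var alerts []Alert
	for _, c := range inventory {
		for _, a := range feed {
			if a.Component == c.Name && compareVersions(c.Version, a.FixedIn) < 0 {
				alerts = append(alerts, Alert{a, c})
			}
		}
	}
	sort.SliceStable(alerts, func(i, j int) bool {
		return alerts[i].Advisory.Severity > alerts[j].Advisory.Severity
	})
	return alerts
}

// Constructed sample data: neither the component names nor the advisory IDs
// refer to real software or real CVEs.
var SampleInventory = []Component{
	{"example-db", "4.2.9"},
	{"example-proxy", "1.18.0"},
	{"example-tls-lib", "3.0.12"},
}

var SampleFeed = []Advisory{
	{"ADV-0001", "example-db", "4.2.10", 9.8},
	{"ADV-0002", "example-proxy", "1.17.3", 7.5}, // already fixed in 1.18.0
	{"ADV-0003", "example-tls-lib", "3.1.0", 5.3},
	{"ADV-0004", "example-tls-lib", "3.0.13", 8.1},
}

func main() {
	for _, al := range Scan(SampleInventory, SampleFeed) {
		fmt.Printf("%-9s severity %.1f  %s %s -> upgrade to %s\n", al.Advisory.ID,
			al.Advisory.Severity, al.Component.Name, al.Component.Version, al.Advisory.FixedIn)
	}
}
```

Running it on the sample data reports ADV-0001, ADV-0004 and ADV-0003 in that order and nothing for example-proxy, whose installed version is already past the fix; a lexical string comparison would have got the 4.2.9 versus 4.2.10 case wrong, which is why the numeric comparison is worth the extra lines.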
Software Development

Our development process also contributes to our high level of security with code reviews, automated tests and much more. It must keep our code base maintainable, keep our releases of good quality to foster the highest availability, produce resilient code and share the know-how about our code base.

Code Repository

Our source code is kept in a code repository. Each commit is linked to either a feature or a bug in our issue tracking system, so each line of code can be traced back to the original intent it was written for.<br/> Additionally, our code repository supports separate branches for bug fixes, features and even individual tasks contributing to a feature, all of which are tracked in our issue tracking system.

Code Reviews

Each commit to our code repository is reviewed by another developer - the 4-eye principle. This helps us to ensure the quality of our code and to spread the know-how across the whole developer team. As such, this is also relevant to security, which is considered in these reviews as well.

Automated Tests

Thousands of automated tests at all levels - from small unit tests to full system tests - allow us to ensure the quality that contributes to the high level of availability despite very frequent releases to production - currently bi-weekly. These tests cover a large part of the business and security logic, and prove the correctness and stability of the covered code.

Build Server

We operate our own build server to control the whole automated development process, usually referred to as Continuous Integration (CI). It is its duty to build and deploy our software and to run the automated tests upon each code check-in. It produces, in a reproducible way, the software artifacts that are then deployed to various staging environments for automated tests, for use by developers, and to reflect the latest state for product owners.

Test Environments

We concurrently operate various test environments where different versions undergo automated or manual tests, product owners verify new features, or developers analyse performance, stability or bugs. Another such environment is our public DEMO environment, where interested prospects can explore our online product.<br/> Each environment has its own configuration, which is also kept in our source code repository and deployed automatically by corresponding automated processes. These configurations follow the same development process as our business logic code - also referred to as DevOps.

Artifact Repository

The result of each automated build is a set of software artifacts that are automatically versioned and stored in an artifact repository. These artifacts are then deployed to the various environments, which guarantees that what we test is also what potentially ends up in the production environment. There is no later manipulation of these software artifacts, which is an important aspect for security, quality and stability.
Release Management

Before bringing an artifact to production, our Release Management process requires a business sign-off <i>and</i> a technical sign-off. Our weekly meeting between customer service representatives, product owners and technical operations decides whether a release candidate goes to production.

Business Sign-off

In addition to all the automated quality checks, release candidates undergo a specific <i>User Acceptance Test</i>, for which we have a dedicated environment (UAT). Product owners and business representatives test each release candidate with a special focus on new features.<br/> Continuously extended manual test scenarios help to efficiently cover a large part of our functionality within such test runs.<br/> For a satisfactory release candidate a business sign-off is issued, signalling green light to bring that version to production.

Technical Sign-off

We also test each release candidate from a technical perspective. Each candidate is deployed to a specialized <i>Integration Test</i> environment (INT), where we focus on the technical integration with specific hardware (e.g. our <a href="#Cyber_Space-Persistence">HSMs</a>) and the interfaces to 3<sup>rd</sup> party services.<br/> A technical sign-off is required for each release candidate to make it to production.
Information Security

Our Information Security Management process keeps track of all measures contributing to security. Frequent reviews and updates allow us to keep the overview of all security measures within the company across all business processes. The mission of information security, together with the definition of what to protect at what level, is the main benchmark against which all security-related decisions are measured.

Infrastructure Model

Within an Information Security Management System (ISMS) we model our physical and technical infrastructure. The model also links the individual components and indicates how they are involved in and support our business processes.<br/> By assigning each business process the levels of protection it needs, judged by the confidentiality, availability and integrity of the data concerned by that process, we can derive the level of protection needed for each component involved.

Threat Analysis

With the model providing us an overview across our company's infrastructure, we analyse the threats to each part of it. Each threat is judged by its severity and its impact on our data and processes. For all threats we have defined appropriate measures to fulfil our security mission.

Measure Tracking

With all measures against the identified threats defined, we track their state of implementation within the ISMS. Frequent updates and reviews may initiate new measures or adapt existing ones to new circumstances. The priority and urgency of each measure are major criteria when planning their implementation.

Penetration Tests

One source of detecting and identifying threats that we have automated is our frequent penetration test. Our penetration test servers consume public databases of <a target="_blank" href="https://de.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">Common Vulnerabilities and Exposures (CVEs)</a>. By frequently running vulnerability scanners that do <i>black and grey box testing</i> for each release and each infrastructure component, we get reports that verify all of our infrastructure and software against known vulnerabilities.

Pseudonyms

As even the names of our customers are sensitive, we only use pseudonyms when talking about them. Making this a habit, most employees do not even know the real names. And as a habit is hard to change, the risk of a name slipping out at lunch in public or on some other occasion is reduced even further. It also prevents customer names from appearing in other systems (e.g. our bug tracking system) that are less secure than our service platform.<br/> This little example of applying "Need-to-Know" and making security a habit shows how strongly very small measures contribute to security.

IS Policy

An internal policy, the "Information Security Guideline", raises the awareness of security among all employees and instructs them about everyday behaviour habits that raise security.
Human Resources

To provide a high level of security we also depend on our staff. It is for that reason that we choose carefully when hiring new colleagues.

Swiss based Staff

With our Swiss-based staff we profit from the political stability we have in Switzerland.

Verified Employees

We also have the possibility to check the background of our employees regularly by obtaining excerpts from their criminal record and from the debt collection register. For data protection, a trustee carries out such checks.

Security@Altoo

by Stefan Thiel, CTO@Altoo, fall 2019

In order to protect our customers' data, we at Altoo invest a lot. Security must be considered from a holistic point of view: any attacker will slip in at the weakest point of the defence. This presentation offers you the possibility to explore some of the measures we take to make our platform a very secure one. We organise the security measures that ensure confidentiality, integrity and availability by spaces: Physical Space, Cyber Space and Business Processes.

With this presentation we want to offer you the possibility to explore some of our security measures - many conventional ones, but also a few unconventional ones.