Altium 365 Security Architecture
The Altium 365 cloud platform is built securely from the ground up. This page
provides details about our security architecture and the steps we take to secure your data.
It is not an exhaustive breakdown of our security architecture design but is intended to help you
understand what we are doing to keep your data safe. Some aspects of cybersecurity strategy,
security protocols, procedures, and implementation are intentionally not included here.
Security-Driven Development
Development of the Altium 365 platform, its features, and the functionality it delivers is carried out with user security in mind. We verify security whenever we add new features. This includes extensive security architecture reviews, dependency scanning, code reviews, and dynamic application security testing to ensure any security vulnerabilities are identified and avoided from the outset. We also use independent third-party testing to make sure there are no holes in Altium 365’s security.
Reliable Data Protection
The robust cybersecurity architecture of Amazon Web Services (AWS) provides a physical layer of security and reliability. Customer data is stored across multiple AWS resources. We use RDS as the relational database system. We store standard binary data in S3 and use FSx for binary storage where fast performance is required. We use dedicated Elasticsearch clusters for high-performance search.
We encrypt data-at-rest using AWS KMS keys. AWS KMS uses hardware security modules that have been validated under FIPS 140-2. The use of encryption keys is logged and sent to our SIEM to track who used the encryption keys and when.
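As an added illustration (not Altium's code or pipeline), the sketch below shows the kind of question key-usage logging lets a SIEM answer: which principal used which KMS key, when, and whether that use was expected. It assumes CloudTrail-format records; the ARNs, the allow-list and the sample events are constructed for the example.

```python
from collections import defaultdict

# KMS cryptographic operations of interest (management calls such as DescribeKey are skipped).
KMS_USE_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey", "ReEncrypt"}

# Constructed placeholder identifiers, not real resources.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP = "arn:aws:sts::111122223333:assumed-role/app-service/i-0example"
ADMIN = "arn:aws:iam::111122223333:user/example-admin"
ALLOWED = {KEY: {APP}}  # assumption: per-key allow-list maintained by the defender

def _ev(time, name, who, error=None, source="kms.amazonaws.com"):
    """Build one constructed CloudTrail-style record with only the fields used here."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": who},
           "resources": [{"ARN": KEY, "type": "AWS::KMS::Key"}]}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "Decrypt", APP),
    _ev("2024-01-01T10:05:00Z", "GenerateDataKey", ADMIN),
    _ev("2024-01-01T10:06:00Z", "Decrypt", ADMIN, error="AccessDenied"),
    _ev("2024-01-01T10:07:00Z", "DescribeKey", ADMIN),
    _ev("2024-01-01T10:08:00Z", "GetObject", APP, source="s3.amazonaws.com"),
]

def key_usage(events):
    """Return {key_arn: [(eventTime, principal, eventName, errorCode)]} for KMS crypto calls."""
    usage = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") not in KMS_USE_EVENTS:
            continue
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[res["ARN"]].append((ev["eventTime"], who, ev["eventName"], ev.get("errorCode")))
    return dict(usage)

def findings(events, allowed):
    """Flag denied attempts and successful use by principals outside the key's allow-list."""
    out = []
    for key, uses in key_usage(events).items():
        for when, who, action, err in sorted(uses, key=lambda u: u[0]):
            if err:
                out.append((when, who, key, f"{action} failed: {err}"))
            elif who not in allowed.get(key, set()):
                out.append((when, who, key, f"{action} by unexpected principal"))
    return out
```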
A dedicated group within Altium controls access to Altium 365 infrastructure that stores customer data. Accessing customer data is possible only with the customer’s explicit permission and generally only for troubleshooting purposes.
Secure Communication
We only permit communication between Altium 365 clients (such as a web browser, Altium Designer, or a mobile application) and the Altium 365 cloud platform through secure, trusted connections using the HTTPS protocol, a standard approach to secure World Wide Web communications, over standard ports.
Authentication and Identity Management
Altium 365 requires users to authenticate before they can make requests to services that handle sensitive customer data. The system controls authentication through an identity service that requires a username and password and creates time-limited sessions as part of the authentication process. Sensitive login information such as passwords is encrypted during transmission and at rest.
In addition to native authentication, Altium 365 supports Single Sign-On using the SAML 2.0 protocol. This allows customers to enhance identity management with modern identity providers (IdPs) (OneLogin, Okta, Microsoft Azure AD, Google Identity, etc.). Besides authentication, extended support for the SCIM protocol enables centralized user and group provisioning and de-provisioning. Depending on the IdP, you can opt for enhanced protection with multi-factor authentication (MFA).
Distribution and Control
All regions are protected from the wider internet by being hidden behind a web application firewall (WAF) and an application load balancer (ALB), a standard AWS off-the-shelf resource component. This serves two primary purposes: first, to spread incoming “client” (web browser or Altium Designer) requests evenly across the collection of Elastic Compute Cloud (EC2) instances; second, to act as a firewall between the wider internet and what is effectively a tightly controlled internal network. Requests to service endpoints must come through the load balancer. Connectivity for tasks such as server administration is restricted to internal staff and resources on the internal Altium Corporate network.
EC2 Virtual Servers
The Altium 365 cloud platform is hosted on the Amazon Web Services (AWS) infrastructure. It leverages redundant compute resources with multi-availability zone storage services spread across four independent regions. Each region consists of a collection of virtual servers, Elastic Compute Cloud (EC2) instances, which host the Altium 365 application services. These servers do not store customer-specific data. They store only application code and the associated metadata required to perform some actions on customer data (such as creating a new project or component).
Multi-Tenancy Architecture
Altium 365 implements a multi-tenancy architecture that operates at the database level. That is, each individual “tenant” (currently synonymous with the concept of a “workspace”) has its own standalone, isolated schema. This helps to ensure customer data isolation.
Vulnerability Scanning
All instances related to Altium 365 must pass a vulnerability scan before going into production. Any vulnerabilities found during this process are tracked for remediation and fixed at the root cause.
Third-party Testing
We periodically engage with external third parties to help with penetration testing and ensure our security architecture design meets evolving threats. Most recently, penetration testing was carried out by Nettitude, a CREST-accredited company. The development team reviews all feedback from penetration testing and updates application services and infrastructure as required.
The latest penetration test report can be shared upon request, with a mutual NDA in place.