Secure key stores at Altoo

How does Altoo protect confidential customer data?

by Altoo | 16/09/2022 11:09:29

At Altoo, we help wealthy private individuals to keep track of and control their assets. With a larger amount of wealth comes complexity: our customers have multiple e-banking relationships. They have investments in real estate, private equity, and collectables. Dealing with so many service providers is not easy, and it is even more difficult to keep an overview and gain transparency over all assets.

The Altoo Wealth Platform is a ‘Software-as-a-Service’ that provides simplicity and control for such diverse assets by connecting wealth, people and processes in a very intuitive and simple way. In addition, it allows individuals and their families to consolidate, interact and communicate with their wealth data securely. With a strong focus on security, Altoo’s technology is developed and hosted in Switzerland.

Protecting stored confidential customer data
Altoo has a particular responsibility, as our customers trust us with all of their private wealth data. Therefore, providing very high information security is a key strategic priority of the Altoo Wealth Platform. We continuously invest in improving our platform’s security to ensure the confidentiality, integrity and availability of our customers’ data. In this blog, we focus specifically on the encryption of confidential data.

Encryption of stored confidential customer data
From a security perspective, we want confidential data to be encrypted to protect it from physical and cyber threats. There are several approaches to do so:

  • file system encryption,
  • database encryption,
  • application-level encryption.

Let us follow some of our thoughts when designing our encryption approach.

Data protection laws require us to support customer requests to delete their data. As we want data to be replicated multiple times across our private cloud to guarantee availability and uptime on any server’s failure, such a data deletion would need to find and delete every copy of that data. Instead, we use a cryptographic trick: we delete only the keys that are needed to access that data. This makes all copies, wherever they are stored, inaccessible at the same time.

Protecting data from malicious activities is another goal. This goal cannot be achieved using file system or database encryption: both are transparent to anyone with operating-system or database access, so operational staff cannot be prevented from reading that data.

Our architecture, applying Event Sourcing (see the White Paper about the Altoo Wealth Platform architecture), allows us to encrypt within the storage access layer. From an operations perspective, this is considered application-level encryption, whereas application developers perceive it as a storage layer feature similar to database-level encryption, which is transparent to them. It allows us to use a different key for each data entity and prevents access to stored confidential data at the system level.
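The two design points above, one key per data entity inside the storage access layer and deletion by removing the key rather than hunting down replicas, as an added example that is not Altoo’s code. The `KeyStore` type is a stand-in for the HSM-backed key store: the application only names keys by entity ID and calls Encrypt/Decrypt services, it never sees key bytes, and a deleted key leaves every replica of that entity’s ciphertext unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore stands in for the HSM-backed store: callers name keys by entity ID
// and use the Encrypt/Decrypt services; raw key material never leaves it.
type KeyStore map[string]cipher.AEAD
// CreateKey generates one fresh AES-256-GCM key per data entity.
func (ks KeyStore) CreateKey(entity string) error {
	k := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return err
	}
	ks[entity], err = cipher.NewGCM(block)
	return err
}

// DeleteKey is the crypto-shredding step: every replica of that entity's ciphertext is unreadable at once.
func (ks KeyStore) DeleteKey(entity string) { delete(ks, entity) }

// Encrypt returns nonce||ciphertext; the entity ID is bound as AAD so a record cannot be re-filed under another entity's key.
func (ks KeyStore) Encrypt(entity string, plaintext []byte) ([]byte, error) {
	g, ok := ks[entity]
	if !ok {
		return nil, errors.New("no key for entity " + entity)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(entity)), nil
}

// Decrypt fails for every replica once the entity's key has been deleted.
func (ks KeyStore) Decrypt(entity string, blob []byte) ([]byte, error) {
	g, ok := ks[entity]
	if !ok || len(blob) < g.NonceSize() {
		return nil, errors.New("undecryptable record for entity " + entity)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(entity))
}
```

In a real deployment the map would be replaced by calls to the HSM’s API (for a JVM, through a JCA provider), which keeps the same property: the application holds only key identifiers.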

Protecting stored data
Stored data faces multiple threats. It needs physical protection to prevent it from being carried away with the hardware it is stored on, and it needs cyber protection to control electronic access. For both, we use the principle of onion-like layers of protection. Starting from the outside, the most important layers are:

Our requirements for a secure key store
As encrypted data is only as secure as the key used for encryption, we have carefully chosen this core piece of security: a physical and digital vault to guard the keys to access our customers’ confidential data.

When choosing a key store we were looking for the following features:

Store keys safely and securely – the core functionality of any key store
A place to store our thousands of keys safely.

Encryption services
To not compromise any encryption keys, the keys are not allowed to leave the key store. So, we need encryption and decryption services that we can use from our application. As our business logic runs in a Java Virtual Machine (JVM), we require a JCA (Java Cryptography Architecture) integration.

Physical and cyber protection
A physical, tamper-proof appliance that resists mechanical manipulation aimed at gaining physical access to the keys. Such appliances are called Hardware Security Modules (HSMs).

All encryption services must provide access control using credentials to protect access from cyberspace.

Tenant support
For our white-labelling offer, we wanted support for separated key spaces, so that different tenants’ data is separated through the full stack, down to the key space.

Cluster support for failover and load balancing
With our highly dynamic data and keys, we need a “live backup” of all keys currently in use. For this, we want multiple synchronised key stores containing all keys at any time. By distributing the cluster members to different locations, we also get higher availability in any case of physical disturbance.

Key management
With that many keys, we also need key creation services, which must assure every key’s quality. Also, key deletion across the whole cluster is a daily operation and therefore a required service.

No auxiliary systems
Having auxiliary systems is always an extra operational effort and an additional security risk. Therefore, we require the key stores to be “self-contained” and to provide all the features, including cluster synchronisation.

After careful evaluations, we decided on the PRIMUS X HSM from Securosys. It is a tamper-proof physical appliance that fulfils Altoo’s requirements. Two Security Officer users are needed to configure the device. They are authenticated by personalised key cards, which enables us to enforce the four-eyes principle for any device manipulation. The Primus HSM is built for multi-tenancy, which maps nicely to our requirements and allows us to separate tenants’ keys. Multiple PRIMUS X HSMs can be clustered without the need for additional auxiliary systems, and they are available in different performance classes to handle the encryption load.

“Securosys network-attached Hardware Security Modules (HSMs) were developed for the Swiss financial sector. They have been designed and manufactured in Switzerland to meet the highest safety standards including physical security. The hardware is enclosed in shielded, tamper-evident and resistant cases with a tamper-proof key store. Our solutions are 100% trustworthy and can be audited by our customers. The modern architecture and components enable high performance and flexibility in terms of the number of partitions and users.

The Primus Hardware Security Module (HSM) performs a range of operations. It generates encryption keys, stores these keys, and manages the distribution of these keys. Besides key management, it can also perform authentication and encryption tasks. Multiple Primus HSMs can be grouped together as a cluster for redundancy and load balancing. Each Primus can also be partitioned for multiple users or applications.”
