Understanding security management
A useful analogy for security management is a multi-layered approach, from the exposed outer skin to the most protected inner core. Security management means identifying the various potential threats and defining and implementing appropriate overarching protection and detection measures.
In part one of our series on IT security at Altoo, we discuss some of the physical and organisational aspects of our security concept. In part two, we will focus on the cyber side.
Physical aspects of Altoo’s security concept
The physical layer is the most visible aspect of security. It includes an outer and an inner layer.
The outer layer
When launching Altoo, we first had to decide in which country the data should be stored. Being Swiss ourselves, Switzerland seemed to be a natural choice for Altoo, but there was much more to it than just our own “Swissness”.
Switzerland’s combination of neutrality, a stable political environment, low corruption, and well-developed IT infrastructure makes it a top country for building and maintaining data storage facilities for sensitive content.
The next step was to decide in which data centre facility to store our data. Working with very sensitive data, we chose a data security level comparable with that of Swiss banks; the technical term is security “tier level 4” out of 4, the highest data centre security classification.
“Tier level 4” comprises a bundle of protection and availability measures, such as single-person access mantraps (manlocks) with strong authentication including biometrics, air conditioning, fire-extinguishing systems in separated fire zones, and redundant uninterruptible power supplies. With all these measures, tier level 4 is defined as fault tolerant, with 99.995% availability. Access controls and protocols are also enforced for individual rooms within the data centre.
In the case of a disaster (e.g. fire), the best protection against data loss is physically separated redundancy. Our hardware and the data stored on it are distributed over separated fire zones within the data centre.
Beyond security considerations, the energy efficiency (PUE) of the data centre was also crucial for us.
The inner layer
After looking at the outer, physical skins of Altoo’s security, we move on to the inner zones, which become important when an attacker overcomes the outer security measures by brute force or trickery and gets access to our hardware.
First of all, the stored data is encrypted, so simply stealing a disk will not expose sensitive data to an attacker.
Encrypted data, however, is only as safe as its keys. We store data as events: every change is recorded as an event (the technical concept applied is called “Event Sourcing”), and the business data content of each event is encrypted individually.
All these keys are stored redundantly in tamper-proof physical key storage units, so-called Hardware Security Modules (HSMs). “Tamper-proof” means that any physical manipulation deletes the keys contained in the module. The keys never leave the appliance, which protects them from being stolen together with the encrypted data.
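As an added illustration (example code, not Altoo’s own), the Go sketch below models an event log in which each event’s business payload is encrypted individually through a key handle, with the key material held inside a stand-in for the HSM. The names hsm, event, appendEvent and readEvent are assumptions for this example, and binding each ciphertext to its sequence number and event type via AES-GCM additional data goes one step beyond what the text describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// hsm stands in for a Hardware Security Module (assumed name): callers hold only a key ID; key material stays inside.
type hsm struct{ keys map[string]cipher.AEAD }
func newHSM() *hsm { return &hsm{keys: map[string]cipher.AEAD{}} }
// generateKey creates a 256-bit AES-GCM key inside the "HSM" under id; the caller never sees the raw bytes.
func (h *hsm) generateKey(id string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	h.keys[id], err = cipher.NewGCM(block)
	return err
}
// event is one immutable log entry: metadata in the clear, payload encrypted individually as nonce || ciphertext || tag.
type event struct{ Seq uint64; Kind, KeyID string; Payload []byte }
// aad binds a ciphertext to its sequence number and event type, so a stored event cannot be moved or relabelled unnoticed.
func aad(e event) []byte { return []byte(fmt.Sprintf("%d:%s", e.Seq, e.Kind)) }
// appendEvent encrypts data inside the HSM and returns the log extended by the new event.
func appendEvent(h *hsm, log []event, kind, keyID string, data []byte) ([]event, error) {
	aead, ok := h.keys[keyID]
	if !ok {
		return log, fmt.Errorf("unknown key %q", keyID)
	}
	e := event{Seq: uint64(len(log)) + 1, Kind: kind, KeyID: keyID}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return log, err
	}
	e.Payload = aead.Seal(nonce, nonce, data, aad(e))
	return append(log, e), nil
}
// readEvent decrypts one event; a modified byte, a wrong key or changed metadata fails GCM authentication.
func readEvent(h *hsm, e event) ([]byte, error) {
	aead, ok := h.keys[e.KeyID]
	if !ok || len(e.Payload) < aead.NonceSize() {
		return nil, fmt.Errorf("event %d: unknown key or truncated payload", e.Seq)
	}
	n := aead.NonceSize()
	return aead.Open(nil, e.Payload[:n], e.Payload[n:], aad(e))
}
```

A real HSM would perform Seal and Open inside the appliance over a vendor interface (e.g. PKCS#11); here the private map only illustrates that callers work with key IDs rather than key bytes.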
To summarise the physical aspects: Altoo keeps the crucial security keys in physically separated and redundant vaults, the HSMs, each in a closed rack, distributed across different closed rooms with individual access control, within a highly protected building (a data centre with security tier level 4) in a stable country with low corruption and crime rates, in order to physically secure all client data.
Our office in Zug is protected, too: an alarm system, access control and random security guard patrols ensure appropriate protection of our premises.
The physical protection of our data is the foundation of our security concept, but it has little value unless it is accompanied by organisational measures to regularly control, verify, and update the physical measures taken.
Organisational aspects of Altoo’s security concept
The most critical resources in our security concept are the people involved in establishing and maintaining all the bits and pieces of our security infrastructure.
All critical operations, including all security-related tasks on our infrastructure and on our platform, are carried out in-house by our own trusted Swiss-based employees. Consequently, our hiring process is designed not only to check technical skills but also to thoroughly assess each candidate’s character and background.
We make sure that every colleague has our trust and embraces our culture of security awareness. For instance, it is vital for us to work together in our office rather than relying on remote collaboration, as this lets us know each other better and fosters trust.
Further, a central piece of our organisational security is the strict application of the need-to-know principle. Developers and even IT operations do not have general and direct access to client data. Client names are generally anonymised through the use of aliases and only visible where necessary (e.g. front support).
Referring to clients by their aliases is not meant disrespectfully; it is a protective measure, since the habit drastically reduces the risk of accidentally letting a client name slip, for example during lunch breaks.
Process design at Altoo is centred around security and quality. Examples of IT development and operations processes we implemented to further improve security standards include:
- Client onboarding: We apply a technically enforced 4-eye principle to minimise errors and to ensure that access rights are set correctly.
- Monitoring and alerting: All our infrastructure is constantly monitored for suspicious indicators, which trigger alerts and are analysed. We continuously inspect the system’s health while also caring for availability and stability. Despite being a young company, we already provide excellent uptime, with only a few announced, planned downtimes.
- IT development: Having security in our DNA, we apply many security-relevant concepts during the development process:
  - A feature and bug tracking system linked to the source code allows every code change to be traced back to the original requirement or bug.
  - A source repository keeps the whole change history and attributes every change to its originator.
  - All checked-in code changes undergo a 4-eye review.
  - Automatic builds generate reproducible artefacts that are tagged in the source repository automatically, making the chain of origin transparent.
  - These automated build processes also execute our many automated tests to ensure steady, high quality. Additional manual tests, which also cover the visual side, further increase quality.
  - The artefacts produced by these automated builds are stored, versioned, in an artefact repository, guaranteeing that the very same version is deployed to the multiple test stages and finally to production.
- “Patch day”: IT operations regularly check for security issues in the products we use and apply updates, so that we are always at the most current state of protection possible.