Security Engineered for Modern Infrastructure
Our Core Security Pillars
Zero Trust Architecture
Altostrat champions the Zero Trust 'never trust, always verify' model, core to our ZTNA offering. We enforce this universally: access to any resource, including SDX controllers or internal apps, requires strict identity proofing, device health checks, and dynamic, context-based authorization, minimizing the attack surface and lateral movement.
End-to-End Encryption
We enforce robust encryption across the board. All data uses TLS 1.3+ in transit and AES-256 at rest, covering control plane traffic, APIs, and customer data within our multi-tenant SaaS platforms. Secure key management systems (KMS) underpin this protection, ensuring confidentiality and integrity.
Secure Multi-Tenancy
Tenant isolation is paramount in our SaaS offerings. We utilize strict logical separation, cryptographic controls, and network policies to guarantee data segregation. These application-level safeguards prevent data leakage or unauthorized access between different tenants, ensuring privacy and security.
Robust API Security
Our APIs, both internal and external, are rigorously secured. We employ strong authentication (OAuth 2.0/OIDC), fine-grained authorization, thorough input validation, protective rate limiting, and continuous monitoring. This multi-layered approach actively prevents API abuse and sensitive data exposure.
Secure SDLC & DevSecOps
Security is embedded throughout our development lifecycle via DevSecOps practices. This includes threat modeling, integrated SAST/DAST/IAST security scanning, software composition analysis (SBOM), mandatory peer code reviews, and automated security validation within our CI/CD pipelines to build secure code.
Proactive Incident Response
We leverage AI-driven anomaly detection, powered by AWS SageMaker, for continuous monitoring and rapid threat identification. When potential incidents are detected, our structured response plan (Detect, Contain, Eradicate, Recover, Learn) is initiated, ensuring swift and effective action with clear communication protocols.
Data Protection & Privacy
Data Encryption (At Rest & In Transit)
Comprehensive encryption using AES-256 for data at rest (databases, storage volumes, backups) and TLS 1.3+ for data in transit, including internal microservice communication (mTLS) and external API calls.
Data Minimization & Retention
We collect only necessary data and provide configurable retention policies aligned with business needs and regulatory requirements (e.g., GDPR, CCPA). Data is securely purged upon policy expiration or customer request.
Disaster Recovery & Business Continuity
Regular, automated backups with point-in-time recovery capabilities are stored securely in geographically distinct regions. Our DR plan is tested routinely to ensure resilience and meet defined RPO/RTO objectives.
Privacy by Design
Privacy considerations are embedded into our product design and development processes. We adhere to strict data privacy principles and provide transparency regarding data usage and user controls.
Security Practices Deep Dive
Infrastructure & Network Security
- Cloud-Native Security: Leveraging AWS/GCP security services (WAF, Security Groups, DDoS Protection, CloudTrail/GuardDuty).
- SDX & ZTNA Infrastructure Security: Hardened controller/gateway instances, secure control/data plane communication (e.g., DTLS, IPsec), edge device integrity checks, and robust isolation mechanisms.
- Network Automation Platform Security: Secure execution environments, role-based access to automation tasks, and audit trails for all automated changes.
- Secure Network Design: Redundant firewalls, intrusion detection/prevention systems (IDPS), network segmentation within our own infrastructure.
- Vulnerability Management: Continuous scanning, risk-based prioritization, and timely patching across all systems, including SDX and ZTNA components.
- Secure Configuration: Infrastructure-as-Code (IaC) with security validation and regular audits to maintain secure baselines.
Application & API Security
- OWASP Top 10 Mitigation: Proactive measures against common web application vulnerabilities in our management interfaces and APIs.
- API Gateway Security: Centralized policy enforcement (AuthN/AuthZ), rate limiting, and threat protection for APIs controlling network automation, SDX policies, and ZTNA access.
- Container Security: Image scanning, runtime protection, secure registry management, least-privilege container execution for all application components.
- Secure Coding Practices: Rigorous input validation and output encoding to prevent injection (e.g., SQLi) and XSS flaws.
- Supply Chain Security: Software Composition Analysis (SCA) and SBOM maintenance to manage dependency vulnerabilities.
Identity & Access Management (IAM)
- Centralized Identity Provider (IdP): Leveraging Okta for unified Single Sign-On (SSO), MFA enforcement, and robust identity lifecycle management across all applications, including Google Workspace.
- Multi-Factor Authentication (MFA): Enforced for all user accounts, internal systems, and privileged access via Okta.
- Least Privilege Principle: Granular, role-based access controls (RBAC) applied consistently across Altostrat platforms and internal tools.
- Regular Access Reviews: Periodic reviews and recertification of user permissions managed via Okta workflows.
- Privileged Access Management (PAM): Secure processes and tools for managing and monitoring administrative credentials and sessions.
Operations & Monitoring
- Comprehensive Logging: Centralized logging across infrastructure, applications, and network devices for audit and analysis.
- Threat Detection: Utilizing AI (AWS SageMaker) for anomaly detection alongside traditional security event correlation (SIEM principles).
- Security Orchestration, Automation & Response (SOAR): Automating incident response workflows where applicable for efficiency.
- Threat Intelligence Integration: Leveraging external feeds to enhance detection capabilities and contextualize alerts.
- Incident Response Team: Dedicated personnel responsible for investigating alerts and managing security incidents effectively.
Compliance & Governance
- Alignment with SOC 2 Principles: Designing and operating controls based on SOC 2 trust services criteria (Security, Availability, etc.) as we progress towards formal attestation.
- Preparing for ISO 27001: Implementing an Information Security Management System (ISMS) aligned with ISO 27001 standards in preparation for future certification.
- NIST Framework Alignment: Adherence to the NIST Cybersecurity Framework (CSF) for managing cybersecurity risk effectively.
- GDPR/CCPA Compliance: Meeting stringent data protection and privacy requirements for applicable user data.
- Regular Third-Party Audits & Penetration Tests: Independent validation of our security posture and controls by external experts.
Personnel & Vendor Security
- Employee Background Checks & Security Training: Ensuring a trustworthy and security-aware workforce through vetting and education.
- Secure Collaboration: Enforcing security policies within Google Workspace (e.g., data sharing controls, endpoint verification) managed via Okta integration.
- Secure Onboarding/Offboarding: Rigorous processes for granting and revoking access to systems and data, including SaaS apps like Google Workspace.
- Confidentiality Agreements (NDAs): Legal agreements protecting sensitive company and customer information.
- Vendor Risk Management: Thorough security assessments and contractual requirements enforced for all third-party suppliers and partners.
Security FAQs
Responsible Disclosure
Security is a collaborative effort. We appreciate the work of security researchers and provide clear guidelines for reporting potential vulnerabilities in our systems. Please review our full policy for details on scope, reporting procedures, and safe harbor provisions.
Direct reports can be sent to: security@altostrat.io.