Alumio Technical Security

Alumio’s security approach ensures that your data remains safe and is never shown to unauthorized parties. The Alumio integration platform as a service integrates data between all your software (cloud platforms, software-as-a-service applications, on-premise systems, as well as EDI connections).


Alumio’s Network & Infrastructure Security

Alumio’s iPaaS solution supports all your system integration processes – between cloud platforms, software-as-a-service applications, and on-premise systems. Alumio is a private cloud integration platform, which means that our standard editions are operating in a cloud environment which can be hosted in your local region within Google Cloud Platform.

Alumio’s integration platform as a service (iPaaS) runs on Google Cloud infrastructure, which delivers hosting in several regions including yours. See the Google white paper to learn more about Google's security, or read more about Google's compliance certifications.

Alumio integrates with the Elastic ELK stack, which contains Elasticsearch, Logstash and Kibana. Elastic has high standards regarding security & compliance to make sure the highest possible standards are attained. Review Elastic's security principles and security & compliance standards.

Responsibilities:

Google Cloud is responsible for:

  • Infrastructure
  • Server

Alumio is responsible for:

  • Application
  • Monitoring
  • Configuration management
  • Support

Elastic is responsible for:

  • Logging via Elastic ELK stack (Elasticsearch, Logstash, Kibana)

An overview of the certifications of Alumio’s (private) hosted solution:

  • ISO 27001 | 27017 | 27018
  • SOC 1 | 2 | 3
  • MTCS (Singapore) Tier 3
  • BSI C5 Basic
  • CSA Star
  • OSPAR
  • PCI
  • HIPAA
  • Spain Esquema Nacional de Seguridad (ENS)


During deployment, the data center verifies and authenticates all of its contents before activation. Alumio’s features and platform never send data to third-party connected software unless explicitly configured by the user.

Alumio’s Security Management System (ISMS)
As we use Google Cloud hosting services, we can rely on Google’s Cloud security measures to handle ISMS, as you can read on Google.

There are various policies in place to guarantee the above. The following policies are described in detail in our internal company Wiki, to which everyone, depending on their function and/or role, must adhere:


● Acceptable Use Policy

● Access Control Policy

● Bring Your Own Device (BYOD) Policy

● Business Continuity Strategy

● Chief Security Officer

● Confidentiality Statement

● Incident Management Procedure

● Information Classification Policy

● Information Security Policy

● Inventory of Assets

● ISMS Scope Document

● List of Authorized Persons

● List of Legal, Regulatory, Contractual and Other Requirements

● Mobile Device and Teleworking Policy

● Operating Procedures for Information and Communication Technology

● Password Policy

● Policy on the Use of Cryptographic Controls

● Procedures for Working in Secure Areas

● Risk Assessment and Risk Treatment Methodology

● Risk Assessment and Risk Treatment Report

● Secure Development Policy

● Security Management Team

● Specification of Information System Requirements

● Statement of Acceptance of ISMS documents

● Statement of Applicability

● Supplier Security Policy

● Training and Awareness Plan

Application & Platform Layer


The Framework

Alumio’s iPaaS is built using best-of-breed technology frameworks and secure software development practices. All fixes, new features and enhancements are released only after several rigorous tests and a strict testing and review process. Our testing program consists of automated code-quality testing as well as manual testing, in which every line of code is checked and tested by 2 senior developers.

Development


Security by Design

Alumio’s engineers develop the core application based on the concept of ‘Security-by-Design’, where we specified and trained our engineers:


ISO or information security accreditations for development

Alumio is part of the Youwe group, which is ISO 27001 certified. Regarding hosting, we rely on the ISO certifications of Google Cloud services, which can be read here: Google.

Access to the iPaaS

The Alumio access explained:

All Alumio employees are required to pass a background check. In addition to this, employees in engineering, services, support, and operations (basically anyone with access to anything deemed security sensitive) are required to use a multifactor authentication enabled, to store and generate all credentials used to perform job functions.

Engineering employees with access to production systems are also required to undergo varying levels of security training at least annually. All of our employees are always only granted access to the minimal number of applications or systems needed to perform their job function.


Data Storage & Data Handling


GDPR and other privacy legislation

Please consult the following pages:

Data security standards

All communication from Alumio to the Google Cloud data center uses a minimum of SSL 256-bit encryption and occurs via HTTPS, port 443. Alumio ensures via its data mappings and transformer features, that privacy-sensitive data has to be transferred without encryption.

Default settings:


Data storage and processing

Alumio’s iPaaS has three ways of storing data:

In some cases the iPaaS stores or processes sensitive personal data as mentioned in the DPA or GDPR. The types of data which are processed or stored are noted in the data routes. A report is available or can be created before starting the mapping process.


Automated Communication of data

Alumio automatically transmits the following information to the Google cloud data center:

Online Status:

Tracking Information:

Integration Process Updates:

Emailings:


User-Initiated Communications of data

If requested by an authorized user, the iPaaS communicates the following to the Alumio data center:

Logging & Monitoring information
Information about the execution of an integration process, including total execution time, logging for each step of the process and execution-failure error messages.

Logs related to API data or tasks (Alumio calls messages sent via routes "tasks") are retained for 2 weeks. Server-related logs are retained for 1 month. Both are configurable as needed.

Exporting logs:
Alumio offers the ability to export server logs. Any authorized user is able to provide task-related logs.

We back up the following off-site:

Error Details
A detailed error message explaining what error caused the failed execution of an integration process.

Connector Browsing
When building processes for specific connectors, database schema information can be transmitted to define field mapping rules. No actual data is transmitted.


On-Premise Data Communication Security

No inbound firewall ports need to be open for the Alumio iPaaS to communicate with the data center. The Alumio integration interface always initiates the connection; the Google Cloud Platform data center never pushes data automatically to the Alumio integration platform (or private hosted solution). When an Alumio feature initiates a connection, it uses an SSL handshake to authenticate the data center before transmitting data. Alumio uses the digital certificate automatically created during registration and authentication.

