Altium 365 GovCloud Offers Increased Security

Estimated reading time: 7 minutes

Altium recently launched Altium 365 GovCloud, a dedicated platform accessible only to—and managed solely by—U.S. persons. The company says that GovCloud can help customers to be in compliance with ITAR, EAR, and other requirements.  

I spoke with Bruno Blasigh, Director of Cloud Security for Altium 365, about the new platform, how it functions, and how GovCloud can help to keep foreign entities from accessing your data. 

Andy Shaughnessy: Bruno, how are you doing? Give us a little background about yourself. 

Bruno Blasigh: I'm the director of cloud security for Altium 365. Ultimately Altium 365 is an electronics product design platform, allowing people to bring together all the aspects of PCB design, as well as helping organizations to build better products faster. 

Shaughnessy: Altium recently launched Altium 365 GovCloud. Tell us about this and how it's different from the standard platform. 

Blasigh: Sure. GovCloud allows us to be more specialized with secure workloads, allowing us to work together with companies that deal with what we call CUI, which is controlled unclassified information, as well as ITAR and other requirements. So, Altium 365 GovCloud offers more compliance measures and certifications tailored to meet these government requirements. 

That's where this secure workload started coming in with the cloud service providers, which many SaaS companies like Altium are utilizing to meet those infrastructure requirements. This allows us to build a more secure platform locking down systems to meet those requirements. I think one of the biggest struggles with the cloud in general is its openness and aspects with open sources, right? So Altium 365 GovCloud gives us a better measure to let us know that the underlying infrastructure, which is critical for storing the data and all the other information, does meet those high standards. 

Shaughnessy: Was this something that your customers asked you for? 

Blasigh: Yes, our GovCloud started underneath the ITAR banner, and we restricted this specifically to not sharing information outside of the United States. We're controlling all of that data within the platform. But then, from there, it slowly progressed due to many requests for CUI security in the cloud. We are a very customer-focused company, and that's what we tried to accomplish here. 

Shaughnessy: Could you walk us through how GovCloud works? 

Blasigh: Sure. For customers that currently use the standard Altium 365, we have a very similar environment inside GovCloud. We separate the access to those environments, meaning we have different access controls in place for what you call the commercial side vs. the GovCloud side. 

For example, one of the requirements for ITAR is that only US persons shall have access to that information, so we segregate that. Our access controls allow us to do single-sign-on (SSO) multi-factor authentication separated from our commercial Altium 365. We use the web application firewall, or WAF, which enables us to lock all of that down. Anyone trying to come in from France, China, Italy, or anywhere else worldwide will not have access. Those are the controls for the inbound access. For the outbound access, we use the network firewall in order to allow the customers to put in IP addresses that they want the traffic to leave from. 

GovCloud uses whitelists, and customers can have those whitelists updated with IPs. Plus, only a limited number of our US-only DevOps team have access to it. We put a lot of controls in place in order to meet these requirements. The workspace admin would be monitoring and maintaining the workspace themselves from the customer perspective, allowing who they want in. They are responsible for managing the people they give access to; It is up to the customer to ensure that the people they give access to in their workspaces are meeting their compliance requirements. We're there to make sure to protect the environment itself. It’s up to the customer to manage the data they want to put in, who they give access to, the level of access, and how they utilize that environment. 

Shaughnessy: I understand this is all set up through Amazon Web Services, correct?  

Blasigh: Yes, you are correct. Altium 365 GovCloud is situated within the AWS GovCloud region in the United States, ensuring compliance and implementing various controls for all aspects of the infrastructure. We have actually completed our SOC 2, Type 2 compliance. Now, we're working towards our CMMC certification, and there are three compliance levels: Level 1, 2, and 3. We are focused on achieving Levels 1 and 2. We are working towards those certifications. We will have the CMMC Level 1 self-certification by the end of this quarter. Then we're going to start immediately working on our Level 2 certification, which is also a self-assessment.  

Shaughnessy: It sounds like this would dovetail with the NIST 800 requirements. 

Blasigh: That's great that you brought up NIST-800. You know, there are a few different ones, like NIST 800-53 Rev. 5. But the one we're focused on is actually NIST 800-171. At one point, DoD tried CMMC version 1.0, which was five levels and very difficult for anyone to achieve. So then they moved down to a three-level model. DoD is doing what they can to support the contractors that they've hired, as well as making sure that they're meeting these requirements.  

I think that with these last couple of breaches over the last year or two, DoD is basically saying, “OK, we need to make sure that everyone's supply chain is actually secure. And so we're going to tell them they have X amount of time to get compliance done.” And so, we hear them, and we want to support our customers. 

Shaughnessy: One of the points you all made in the release was GovCloud’s scalability. Tell us about that. 

Blasigh: Sure. This scalability allows the company to grow and increase the amount of data they can store and meet user requirements. So as they need to collaborate, they’ll say, “Oh, wow, I can just log in here, go into this workspace that I've been invited to, and I can support the development process immediately instead of waiting for it to be downloaded or put on some sort of a shared drive or someone's local machine. You can just move over and fix it and move it back and forth.  

Shaughnessy: So, there really isn’t a “sweet spot” as far as the company's size using GovCloud? 

Blasigh: No, Whether you're a small or very big shop, we can speed up your time to market or time to completion of your project. 

Shaughnessy: So, what is the migration process like for somebody who already has Altium 365? How big a process is that? 

Blasigh: That will depend on the data and the amount of data. If you’re moving over to GovCloud, you’ll work with our CSM teams to create the workspace and get the data moved over. And again, the complexity is dependent upon what you already have in place, what you're working with, and if you’re working with SVN within your company already. It’s very dependent on that information. 

Shaughnessy: Can someone turn the security off inside GovCloud?   

Blasigh: No, if you’re in GovCloud and you don't really want that restriction, you can't just turn it off. It’s integrated into the product. That's one of the things that's going to be a balancing act. These restrictions have been put in place to make sure that the information doesn't get leaked accidentally.

And even if a company doesn't have government workloads, they still may not want their IP to get released outside of the United States. 

Shaughnessy: Right. So, what’s next? Where do you all see GovCloud moving in the next few years? 

Blasigh: Yes, we’re always working to improve the platform, whether it's efficiency or functionality. Can we provide more functionality without risking or reducing the security posture? We’re fortunate to have some great visionaries here at Altium. We have a great team to take those visions from pen and paper to concept and production. And we're always looking at all of the avenues. “Okay, what does this do? Does this open up anything? Does this increase the risk for our customers in any asset?” There’s a constant collaboration between the developers between the security teams. 

Shaughnessy: Is there anything else you want to mention that we haven't discussed? 

Blasigh: I think we’ve covered everything.  

Shaughnessy: Thanks for speaking with me, Bruno.   

Blasigh: Thank you, Andy. 

For additional content from Altium, be sure to download The Printed Circuit Designer’s Guide to… Design for Manufacturing by David Marrakchi. You can also view other titles in our full I-007eBooks library.