Table of Contents

+
Example H2
+
Example H3
+
Example H4
+
Example H5
+
Example H6

Introduction

Alta Labs’ cloud-based management platform is included with the purchase of Alta Labs products at no additional cost. It powers thousands of devices from small home and office configurations to large-scale enterprise installs. Our customers deserve peace of mind regarding the security of their networks and the policies and infrastructure in place to ensure that security carries into managing network policy.

Alta Labs does not route any customer network traffic processed by Alta Labs Wireless Access Points, Network Switches, Routers, Gateways, etc. through its cloud infrastructure. Only customer network configuration information is stored in our cloud management platform. Configuration information is not stored in our cloud for the Control hardware or self-hosted software. Alta Labs devices do not need consistent access to our management platform to operate properly. They only require access when a site administrator or user wants to change network policy, view the network status, or run utilization reports.

Alta Labs does not store any configuration data in the cloud for the self-hosted version of Control.

Our security efforts are led by our top-level team of Alta Labs employees, including our CEO Chase Harrison, CTO Jeff Hansen, and Principal Architect Chris Buechler.

Infrastructure Security

The Alta Labs Control management platform can be accessed via our cloud portal at manage.alta.inc, via our Control network controller hardware solution, or our downloadable self-hosted local controller software.

Icon Topic
Cloud Icon Topics that only apply to our Cloud Portal will have a Cloud icon
Control Icon Topics that only apply to our local controller will have a Control icon
Audited/Check Icon Topics that an independent security contractor periodically audits have the Audited/Check icon

Cloud Portal Providers   

Icon

The Alta Labs cloud management platform is deployed with AWS (Amazon Web Services) to provide our customers with highly secure, scalable, redundant, and globally accessible network configuration. Cloud Services are implemented following the: AWS Shared Responsibility Model

Network Architecture

Icon

Alta Labs Cloud Portal is contained within AWS Virtual Private Clouds (VPCs), restricting public access to critical internal services. Services are implemented using AWS Best Practices and distributed across multiple availability zones for redundancy.

All user traffic handled by Alta Labs access points and switches is bridged within the Local Area Network that it originated from. In the case of a user-configured IP tunnel, user traffic is only routed to/from the user’s configured tunnels. 

Icon

Alta Labs does not monitor user traffic.

Icon

All user traffic handled by an Alta Labs Router is routed within the user’s connected networks and is not monitored by Alta Labs.

Network Security

Icon

The Alta Labs management platform is designed to restrict all management traffic (including portal authentication/management and network configuration) to a minimum TLS 1.2 protocol level with high-grade asymmetric and symmetric encryption, always using a publicly verifiable SSL certificate. Self-signed certificates are not used or supported under normal circumstances.

Production Environment Access

Icon

Within Alta Labs, access to production environment configuration and deployment is reserved on a need-to-know basis. Those with access require significant tenure within the company and must pass background checks.

Databases

Icon

All data within Alta Labs management platform databases is encrypted at rest. See the Encryption data section.

Amazon RDS (Amazon Relational Database Service) is deployed to automate tasks such as provisioning, configuring, backing up, and patching. Data is protected with encryption whether at rest or in transit. Databases are encrypted using keys managed through AWS Key Management Service (AWS KMS). Alta Labs is utilizing this architecture as it is well known and has a track record of reliability and security. 

Data Backup

Data is stored, encrypted at rest, and protected in an ISO-27001-compliant data center. Data is partitioned in the database in such a way that one customer cannot access another customer's data without an explicit invite. The invite has to come from the customer who runs the site. Logs are also encrypted at rest and deleted after 90 days.

Encryption

  1. Data in transit
    • Everything in the cloud
      1. Site Authentication
      2. Network Configuration
    • Type
      1. Minimum TLS 1.2 or higher, based on negotiation (can be audited)
      2. Data in transit encryption is military-grade
  2. Data at rest
    • Everything in the cloud
      1. Databases
      2. Backups
    • Type
      1. Maintained by AWS, an encrypted file system that encrypts all of your data and metadata at rest using an industry-standard AES-256 encryption algorithm. This file system is designed to automatically deal with encryption and decryption transparently.  (As described in the Database section above, Amazon RDS is utilized and databases are encrypted using keys managed through AWS Key Management Service (AWS KMS). Alta Labs does not have the encryption keys. 
      2. Data at rest encryption is HIPAA-compliant 
  3. What's not encrypted
    • Configs stored locally on APs and switches

Tenant Separation

Amazon Cognito ensures customer identity and access management with flexible sign-up and sign-in. Scalable to millions of users and hundreds of transactions per second, Amazon Cognito is used in conjunction with SRP (Secure Remote Password) for authentication. 

MFA (Multi-Factor Authentication) can also be employed for an extra layer of protection. App-based authentication using an Authenticator App can be set up or SMS-based authentication with verification done via text/SMS.

There is logical separation based on authentication tokens. The Alta Labs environment is a multi-tenant environment with logical separation between users. Customer data is segregated at the application level using unique IDs combined from several parameters.    

 

The Alta Labs management platform is designed to restrict all management traffic (including portal authentication/management and network configuration) to a minimum TLS 1.2 protocol level with high-grade asymmetric and symmetric encryption, always using a publicly verifiable SSL certificate. Self-signed certificates are not used or supported under normal circumstances.

SLA (Service Level Agreement)

Icon

99.99% Uptime for our cloud-based management platform. The platform is monitored 24 hours a day, 7 days a week. Engineers are notified immediately upon any service interruption.

Security Features and Functionality

How Alta Labs Requires Users to Log In to Platform

Alta Labs requires all users to log in to the management platform. Simply sign in with an email address and password or use a Google or Apple SSO. App-based or SMS-based multi-factor authentication can be enabled for additional security. SSH is available for local device control, but is protected via SSH key authentication. SSH password authentication is not supported for increased security.

Permissions Within a Site

Notifications

  1. Disconnections: Network device notifications
  2. Access Requests: Network access requests

Permissions

  1. Administrator: Allows modification of most site settings.
  2. All Password Access: Allows read/write access to all passwords as an administrator. Allows read access to all WiFi passwords as a non-administrator.
  3. Unlocked Password Access: Allows read/write access to unlocked WiFi passwords, even as a non-administrator.

API

  1. Shared with trusted partners
  2. All requests are protected using signed, timestamped JWT tokens

Application Security

Discrete services

Discrete services.
Cloud services are compartmentalized into discreet, purpose-built systems. Each system is only authorized to perform the task for which it was built, and logs are monitored to ensure that focus is maintained.

Privilege separation: Unprivileged user

Privilege separation: Unprivileged users.
To prevent unauthorized privilege escalation, controller, database, and other services operate using non-administrator accounts.

Operational Security

  1. Customer Data: Alta Labs does not have access to customer data. Alta Labs team members can only see and make changes to a site if a customer invites them to do so via Settings > Users > Invite a user.
  • The Alta Labs team (technical support, sales, training, etc.) can only access sites they have been invited to by the site administrator. This is a global and company-wide policy. Employees cannot browse or access a list of global sites.
  • When invited by a site administrator and given administrator access, Alta Labs team members have the same access as the original site administrator.
  • Alta Labs as a company does not maintain or control any sites that we have not been explicitly invited to unless asked to do so by the site administrator. However, Alta Labs does work to maintain the physical, virtual, and network infrastructure that houses the controller and the sites that leverage that technology. This includes assuring security standards and protocols are being met and exceeded, along with the target uptime service level agreement.
  • Alta Labs team members can only see a list of users who have created accounts within the Alta Labs forum. The Alta Labs team cannot see a list of users you have invited to a particular site unless you have invited a member of our team to help manage that site as a fellow administrator.
  1. Data Retention: AP's, switches, and routers store configuration data, as well as historical traffic and connected client statistics.
  2. Facility Access: Alta Labs facilities are located in Hurricane, Utah, and are only accessible by employees who are active and in good standing.
  3. Cloud Security: AWS Cloud Security is known for having the most secure global cloud infrastructure. Millions of customers, including the most security-sensitive organizations like government, healthcare, and financial services utilize AWS Security

Truster Partners

Alta Labs sources only from top-tier, well-established suppliers for our chipsets and other components. We work exclusively with companies such as Qualcomm, Samsung and Texas Instruments, whose products meet the highest standards for security and performance. This allows us to deliver products that are both reliable and secure for our users.

Compliance, Privacy, and Certifications

  • Proactive Assurance: Alta Labs may from time to time participate in bug bounty programs such as those posted on the HackerOne website
  • ISO Compliance: ISO 9001 (Quality), ISO 22301 (Security and Resilience), ISO 27001 (Security Management), ISO 27017 (Cloud Controls), ISO 27701 (Privacy Information Management), ISO 27018 (Personal Data)
  • SOC Compliance: AICPA SOC 1, SOC 2, SOC 3 (Audit controls, security, availability, and confidentiality)
  • PCI (Payment Card Industry) Compliance: PCI DSS (Payment Card Industry Data Security Standards) is a set of security standards defined by the major credit card companies. Alta Labs products in no way jeopardize PCI DSS compliance and our cloud-based management platform back end, AWS, is certified as a Level 1 Service Provider, the highest level available. For more details, see Amazon PCI DSS
  • HIPAA (Health Insurance Portability and Accountability Act): Designed to protect patient confidentiality, this US federal law defines national standards and security guidelines. Alta Labs' cloud-based management platform is based on AWS. Since there is no HIPAA certification for a cloud service provider such as AWS, to meet the HIPAA requirements applicable to our operating model, AWS aligns its HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns with the HIPAA Security Rule. For more information on AWS HIPAA compliance, click here.
  • GDPR (General Data Protection Regulation): Regulation defined by the European Union to protect customer data and privacy. Security and compliance with the GDPR is a shared responsibility between AWS (Amazon Web Services) and Alta Labs. AWS operates, manages, and controls the components from the operating system and virtualization layer down to the physical security of the facilities in which AWS operates.  
  • CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act): The CRPA builds on and updates the CCPA protection of consumers and their rights. Alta Labs does not route any customer network traffic processed by Alta Labs Wireless Access Points, Network Switches, Routers, Gateways, etc. through its cloud infrastructure. Only customer network configuration information is stored in our cloud management platform.  
  • APA (Australia Privacy Act) and APP (Australian Privacy Principles): The Australia Privacy Act is the primary law regulating privacy rights and handling of personal information by government agencies and private organizations in Australia. The APA established 13 APPs (Australian Privacy Principles). Alta Labs is committed to complying with the requirements of the APA and APP.
  • Alta Labs Privacy Policy: The Alta Labs Privacy Policy can be found on our website by clicking here
  • Data Release to Government Authorities: Alta Labs does not provide government authorities with unwarranted access to any customer data. For any requests to disclose customer data from any government entity (US or across the world), our legal and privacy teams will review the request to ensure validity. Any potential disclosures warranted by potential illegal activity would be limited to data strictly necessary by law.

If you have any questions or concerns about your information, privacy, or any of the details discussed here, please feel free to contact us: 

Email us at privacy@alta.inc

You can also reach us via mail at:

Alta Labs

192 N Old Hwy 91 Unit 1

Hurricane, UT 84737

Or contact us directly by phone at: 

+1 435-773-4702.