Introduction
Amino Orchestrate is a cloud-based device management platform that enables remote provisioning, monitoring, and maintenance of deployed devices. This document outlines security measures, best practices, and compliance guidelines to protect user data and ensure secure operations.
In this article
Summary
Data Diagram
Amino has created a data flow diagram that illustrates how information moves through Orchestrate and specifies where sensitive data is stored.
Compliance and Notifications
GDPR, CCPA, and PCI
Amino confirms it is compliant with GDPR and meets requirements for CCPA and PCI.
Downtime Notifications
Customers receive notice of any planned downtime at least two weeks in advance.
Data Handling and Security
Data Processing
Orchestrate manages Amino H200 devices, handling settings and performance data. It does not process or store Personally Identifiable Information (PII).
Identification
Devices are identified by serial numbers and MAC addresses. All data transfers use mTLS and HTTPS.
Data Entry
The Orchestrate API, secured by mTLS, and the web UI both allow data entry. The web UI supports password authentication or Single Sign-On (SSO). Amino’s Terms and Conditions prohibit entering PII in free text fields. Data in transit is always secured via HTTPS.
Access Controls
Single Sign-On (SSO)
Orchestrate supports SAML 2.0-based SSO with providers such as Microsoft ADFS, Microsoft Azure, Okta, and Cisco Duo Security. SSO is included under the Orchestrate Premium tier at no extra cost.
Password Requirements
Passwords must include uppercase and lowercase letters, plus at least one digit or non-alphabetic character.
Principle of Least Privilege
Amino enforces least privilege and separation of duties. High-privilege or administrator accounts exist where necessary.
Role-Based Access Control (RBAC)
Orchestrate uses RBAC with roles such as system administrator, administrator, technical user, and regular user. These roles manage system features including device management, troubleshooting, and analytics. Permissions are assigned to each role, and administrators can manage them through the web UI.
Data Security
Encryption
Data in transit is protected using HTTPS/TLS. Data at rest is protected using AES-256.
Network Transfer
Sensitive data moving within the Amino network is encrypted. Access to Orchestrate requires allowing specific IPs and ports, ensuring only trusted sources can connect.
Data Integrity
PII is not stored in Orchestrate, though administrators may need access for support or troubleshooting.
Data Loss Prevention
Data is replicated, and daily backups are maintained for seven days.
Device Decommissioning
Devices are securely wiped following NIST 800-88 guidelines. Deleted data is permanently removed unless it resides in backup snapshots.
Third-Party Hosting
Amino uses AWS and Google Cloud for hosting.
Backups
Full backups are performed daily and secured in the AWS EU region.
Availability
High availability is ensured through multiple deployment instances, monitoring, and automatic failover.
Infrastructure
Multi-Tenant Environment
Orchestrate uses a multi-tenant architecture with logical separation of customer data. Data is tagged with unique identifiers and filtered at the application layer to prevent unauthorized access.
Data Storage Location
Data is stored in the AWS EMEA region.
Secure Configuration
Cloud security settings are reviewed regularly, and monthly security scans are conducted. Amino maintains an inventory of software and applies patches as needed.
Network Security Controls
A Web Application Firewall (WAF) performs rate limiting and other protective functions.
Logging and Monitoring
Audit Logs
User activity audit logs are accessible to administrators via the UI. System logs are restricted to Amino support and engineering teams.
IT Staff Activity
When Amino staff access customer accounts, those activities are logged. Customers can view these logs via the UI.
Log Storage
Logs are stored in the AWS EMEA region and protected using RBAC and file permissions.
Incident Response
Security Team
Amino has a dedicated Security Committee comprising IT and executive members.
Security Breaches
Orchestrate has not experienced any known security breaches.
Monitoring
Amino regularly reviews access logs and database activities, and performs periodic vulnerability scans.
Incident Response Plan
If an incident occurs, Amino follows a documented plan covering containment, investigation, notification, remediation, and post-incident reviews.
Vulnerability Scans
Automated scans are conducted monthly.
Patch Management
Vulnerability patching timeframes vary depending on severity and nature of the issue.