Onshape’s cloud technology partner, Amazon Web Services, has security standards tough enough to meet the needs of the CIA.
What does that mean? AWS goes to great lengths to protect your intellectual property. Data centers are housed in nondescript facilities with physical access strictly controlled at both the perimeter and building ingress points by armed guards utilizing video surveillance, intrusion detection systems, and other electronic means. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors and all visitors and contractors are required to present ID and are continually escorted by authorized staff.
You can dive further into the details of AWS cloud security here, but the takeaway is that their multiple layers of safeguards are far more than any one company could implement (or afford) on its own.
What you may not know is that in addition to the built-in security and peace-of-mind that Amazon Web Services provides, Onshape delivers its own extensive protections. This includes multiple security measures on the client side that companies can use to protect access to data – and also in the backend systems to prevent security breaches and data loss.
Unfortunately, risks from external attacks (phishing scams, malware, ransomware) are on the rise for all businesses. To counter these always-evolving security threats, Onshape employs a dedicated security team whose sole job is to protect your data. Furthermore, Onshape’s agile development process and unique database architecture enables emerging security vulnerabilities to be addressed within hours instead of waiting months or years for software updates (as one would with other professional CAD vendors).
For starters, here are 7 ways Onshape proactively helps you better protect your intellectual property. While no one precaution will deter hackers hellbent on breaking into your system, Onshape’s multi-faceted approach on top of AWS security is likely a sharp improvement over what you’re doing now to keep your designs confidential.
ONSHAPE’S ADDITIONAL SECURITY MEASURES
1. Password Protected Access
Before anybody can access your data, they must have valid login credentials: an email and a password. All passwords are subject to minimum complexity requirements and cannot be any of the 5 most recently used passwords. In addition, 5 invalid login attempts will block access to that account for 30 seconds. This prevents "brute force" password attacks, where hackers systematically try all possible passwords and passphrases until the correct one is found.
When Onshape is set up as a Company with multiple users, adding and removing team members is simple. When a new employee or contractor starts, they can be up and running in Onshape in minutes. All that is required is for your system administrator to add the new team member’s email address to the list of users. An invitation to join Onshape is sent to the new user, and all they need to do is create a password for their new account. Compare that to a file-based, desktop-installed CAD system, where the process can take days or even weeks. Typically, you would have to:
- Get a purchase order and send that to your Value Added Reseller
- Wait until they process your order and request a license code from the vendor
- Source new hardware powerful enough to run 3D CAD
- Build the new hardware with virus protection and other security measures
- Download, install, and set up the CAD system and PDM software
- Ship the hardware to its intended user
When an employee leaves, a contractor’s term expires or a team member moves on to another project, revoking their access to your CAD data is just as simple. Go to the list of users and click the “x” next to their name. That’s it, you’re done! Their login credentials have been revoked. You can change the system password for desktop-installed CAD systems, but you have no idea if users made any copies of your data before they left.
Onshape never stores customer passwords in the clear. Onshape uses strong, one-way, cryptographic hash functions so that even if the internal password storage is compromised, the original passwords cannot be recovered.
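The account policy described in this section (salted one-way hashing, no reuse of the 5 most recent passwords, a 30-second block after 5 invalid attempts) as an added illustration; this is not Onshape's code, and the choice of scrypt and the minimum length are assumptions, since the page names neither.

```python
import hashlib, hmac, os, time
from typing import Optional, Tuple

MAX_FAILURES = 5     # invalid attempts before the account is blocked (from the page)
BLOCK_SECONDS = 30   # length of the block (from the page)
HISTORY_SIZE = 5     # most recent passwords that may not be reused (from the page)
MIN_LENGTH = 8       # assumed complexity rule; the page does not state the real one

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash: the stored digest cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

class Account:
    def __init__(self, password: str):
        self.history = []          # (salt, digest) pairs, newest last
        self.failures = 0
        self.blocked_until = 0.0
        assert self.set_password(password)

    def set_password(self, password: str) -> bool:
        if len(password) < MIN_LENGTH:
            return False
        # Reject any of the HISTORY_SIZE most recent passwords (constant-time compare).
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                return False
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_SIZE:]
        return True

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'invalid' or 'blocked'; `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.blocked_until:
            return "blocked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.blocked_until = now + BLOCK_SECONDS
            return "blocked"
        return "invalid"
```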
2. Two-Factor Authentication (2FA)
In addition to password protection, each user can enable an extra layer of security on their account called 2-factor authentication (2FA). This is a safeguard that can be used in case your login password has been compromised (which could be as simple as somebody looking over your shoulder as you log in). When 2FA is enabled, each user must enter a 6-digit code generated from a smartphone app like Google Authenticator. This code changes every 30 seconds, so even if an attacker obtained your password and your 2FA code, they would only have 30 seconds to use it. You can configure your account to not ask for your 2FA code on a trusted computer for 30 days. This strikes a nice balance between security and convenience. If you were to lose your phone, you can use the recovery codes that were generated at the time of setup (that you should keep in a safe place) or contact Onshape Support.
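The 6-digit, 30-second code described above is the RFC 6238 TOTP scheme that apps like Google Authenticator implement; the following is an added example of the server side of that check, not Onshape's code. It assumes HMAC-SHA1 (the authenticator default) and adds a replay guard so that a code observed over your shoulder cannot be reused even inside its 30-second step.

```python
import base64, hashlib, hmac, struct

STEP_SECONDS = 30   # the code rotates every 30 seconds (from the page)
DIGITS = 6          # 6-digit code (from the page)

def totp(secret_b32: str, at: float, step_offset: int = 0) -> str:
    """RFC 6238 TOTP for Unix time `at`, shifted by `step_offset` steps."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(at) // STEP_SECONDS + step_offset
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)

class TotpVerifier:
    """Accepts the current step plus `drift_steps` neighbours for clock skew,
    and never accepts a step at or below one already used for a login."""
    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self.secret_b32 = secret_b32
        self.drift_steps = drift_steps
        self.last_counter = -1

    def verify(self, code: str, at: float) -> bool:
        base = int(at) // STEP_SECONDS
        for off in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + off
            if counter <= self.last_counter:
                continue                                       # replay guard
            if hmac.compare_digest(totp(self.secret_b32, at, off), code):
                self.last_counter = counter
                return True
        return False
```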
3. Database Backup Procedures
Onshape's databases are replicated across multiple, geographically separated data centers. Your data is replicated in a matter of milliseconds as you work. In addition, all of Onshape’s databases are backed up every 3 hours. Data is restored from these backups and subjected to integrity tests on all Documents at least every 3 weeks.
4. Dedicated Servers
All the hundreds of servers that comprise the Onshape service only do one job – run Onshape. Only software that is needed to provide the Onshape service is installed on these virtual servers and it is all done by automation. These servers are replaced regularly, sometimes within hours, to ensure all the Onshape services are running the same versions of each software component. More servers are automatically added when demand for the Onshape service is high.
5. Communications Security
Your design data never leaves Onshape’s secure data center. Your browser or mobile client only receives tessellated (and encrypted) visual approximations of your design, so no usable information is ever physically stored on your computer. Additionally, Onshape accounts can be configured so that the user has no ability to translate or export CAD data.
Onshape requires HTTPS for all services, including the public website and Onshape Forums. The details of this implementation (certificates, certificate authorities and supported ciphers) are regularly audited. Automated tools test Onshape’s live servers for susceptibility to new and existing SSL/TLS vulnerabilities. HSTS is used to ensure browsers interact with Onshape only over HTTPS.
Onshape protects all design data using strong cryptographic cipher suites and encrypted storage with AES-256. All data is encrypted when stored (at rest) and during communication between Onshape’s servers and your client computer or device (in transit). Communication between internal compute servers and internal databases holding your design data uses SSL/TLS.
7. Third-Party Security Testing
Onshape’s servers are continuously penetration tested by a third-party service that employs a global team of professional security researchers. These researchers are paid to find and report security vulnerabilities. This security testing is ongoing and continually validates the stream of Onshape’s service updates against existing and newly discovered threats. Onshape logs all server activity and audits all user and administrator access. Every transaction is recorded for later analysis and threat detection. All security issues are investigated and resolved rapidly.
This list of security protocols is just the tip of the iceberg. Even if a hacker were to successfully compromise your data on Onshape’s servers, they would never be able to use it. Why? Because that data is encrypted and formatted so that only a full instance of the Onshape production software (which comprises multiple systems and services spread across multiple servers) can be used to make sense of it.
In order for those hackers to be able to use your data, they would not only have to make a copy of all these software components from all the different servers (including locating these servers and bypassing the security that protects them), but also be able to recreate the exact configuration of each of those servers and connect them in the exact same way as the production version of Onshape.
While nothing is technically impossible, it is entirely improbable. Your data is in the safest place with Onshape.