Shared Responsibility Model

AngelTrack is a SaaS product that follows a Shared Responsibility Model, in which the responsibilities for IT reliability and security are shared among AngelTrack, its datacenter provider (Rackspace), and the Customer.

This document summarizes the many details given in the AngelTrack Security Guide, so that all parties can know their responsibilities.

Responsibilities of AngelTrack LLC

Backups per our published backup schedule (in the aforementioned security guide)

Backup offsiting

All servers and firewalls deployed in high-availability (HA) configurations

Prompt patching of all servers, application stacks, and firewalls

Live monitoring and alerting of 35 different measures of application health

Live monitoring and alerting of aggregate (cluster-level) attacks such as denial of service, password-cracking, and exfiltrations

Outbound whitelist on firewalls

Virus-scan of all AngelTrack servers

Virus-scan of files uploaded by users (excluding simple images)

Server-side ransomware detection and recovery

Provision of user password security features, e.g. 2FA

Monitoring of CVEs affecting AngelTrack's tech stack

Permanent deletion of data at the end of its defined lifetime

Responsibilities of Rackspace Corporation

Physical access control of server and networking hardware

Networking redundancy and health monitoring

Hardware health monitoring, alerting, and prompt intervention

Power resilience and redundancy

DDoS defense

Responsibilities of the Customer

Outbound whitelist on customer premise firewalls

Endpoint security including anti-virus, whole-disk encryption, and the restriction of Administrator-level accounts

Prompt patching of all operating systems and installed applications (AngelTrack itself does not require patching, but web browsers do)

Power resilience, i.e. UPS devices, plus a standby generator for the dispatch office

Network redundancy, i.e. a secondary internet connection, even if it is only mobile tethering

Lockdown of all computers and mobile devices

Remote wipe of lost mobile devices

Physical security of company premises, especially the dispatch and billing offices

Paper document destruction

Endpoint ransomware protection, e.g. OneDrive

2FA on all SaaS accounts, especially Microsoft 365 including OneDrive, and any high-access accounts in AngelTrack

Proactive management of employees' AngelTrack accounts with a goal of minimum necessary access

Employee training for internet security and hygiene

Review and deployment of AngelTrack's advanced security features, including 2FA, Fort Knox mode, IP whitelist, and provisional access

HIPAA compliance

Employee training for HIPAA compliance

PCI compliance (if you process credit card payments over the telephone)

Employee training for PCI compliance (if applicable)

Export and archival of data before its defined lifetime is reached

Monitoring of exfiltration alerts sent by AngelTrack

Forensics of any exfiltration that targeted only that one AngelTrack customer, e.g. one carried out by a rogue employee