AngelTrack's Security Features

AngelTrack's secure design looks like this:

[Figure: AngelTrack system geometry]

AngelTrack's security stands on eleven pillars, discussed in detail in the next sections:

  1. Secure datacenters
  2. Secure network traffic
  3. Foreign traffic blocked
  4. Modern software platforms always updated
  5. Secure code immune to SQL injection
  6. No outsourcing
  7. No remote control and no firewall openings
  8. Self-contained server
  9. Request-level logging of all activity
  10. Automatic daily backups
  11. Codebase open for review

Secure Datacenters

AngelTrack's four datacenters are operated by Rackspace, at the internet backbone hubs in:

Each datacenter implements strong physical access control, redundant power, and redundant internet connectivity.

Automatic daily backups are stored on a separate blade inside the secure datacenter. They are never transferred or stored anywhere else.


Secure Network Traffic

All traffic to and from your AngelTrack cloud server is HTTPS, encrypted with TLS version 1.2 using a 2048-bit RSA key. This satisfies NIST's FIPS 140-2 standard.

Insecure connections are not permitted. Your employees are free to connect from the office, from the field, and from home; their network traffic will be automatically secured.


Automatic Blocking of Foreign Internet Traffic

Your AngelTrack cloud server is configured to block all internet traffic originating from outside your continent. Because AngelTrack is for use only by your employees and your local customers, there is no legitimate reason why anyone on a distant continent should be accessing your cloud server.

The list of blocked IP address ranges is available for review:

Your location    Blocklist type    Download blocklist
North America    Blacklist         NA blocked IP address ranges
Australia        Whitelist         AU allowed IP address ranges

If you wish to access your cloud server from outside your continent, such as while traveling to Europe, Asia, Africa, South America, or Antarctica, an exception to the blocklist must be temporarily added to your cloud server. To accomplish this:

  1. Travel to your destination.
  2. Connect to the internet and visit http://WhatIsMyIPAddress.com….
  3. Note the IP address reported by the website.
  4. Contact AngelTrack support and give them the IP address, as well as your expected date of return.

Modern Software Components, Always Updated

An AngelTrack cloud server is built from three base components:

These three core components are modern products which receive ongoing support and security improvements from Microsoft. All cloud servers are configured to retrieve and install all recommended patches and updates from Microsoft, just as soon as they become available. Your AngelTrack cloud server therefore enjoys the maximum available protection from threats on the internet.


Secure Code Immune to SQL Injection Attacks

Probably the most common vulnerability in cloud software is SQL injection, in which a rogue employee intentionally enters a malicious piece of text designed to corrupt the application's database. For example, a rogue employee using a cloud application might type a piece of sneaky SQL code into an ordinary-looking datafield (such as "Customer's last name"), and when the contents of that datafield are sent to the database, the sneaky code is executed and does damage.

AngelTrack is immune to SQL injection attacks thanks to two strict rules in its code:

To learn more about SQL injection attacks and defense, start with this tutorial from Oracle.
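
The "Customer's last name" scenario described above, as an added example that is not AngelTrack's code and does not represent its two rules. It uses Python with an in-memory SQLite database; the table, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for an application database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, last_name TEXT, phone TEXT)")
    db.executemany("INSERT INTO customers (last_name, phone) VALUES (?, ?)",
                   [("Smith", "555-0100"), ("O'Brien", "555-0101"),
                    ("Nguyen", "555-0102")])
    return db

def update_phone_vulnerable(db, last_name, phone):
    """Deliberately vulnerable: the datafield is pasted into the SQL text."""
    sql = ("UPDATE customers SET phone = '%s' WHERE last_name = '%s'"
           % (phone, last_name))
    return db.execute(sql).rowcount

def update_phone_safe(db, last_name, phone):
    """Parameterized: the value travels as data and is never parsed as SQL."""
    cur = db.execute("UPDATE customers SET phone = ? WHERE last_name = ?",
                     (phone, last_name))
    return cur.rowcount

# Constructed "last name" that closes the quote and makes the WHERE clause true.
HOSTILE_LAST_NAME = "x' OR '1'='1"

def demo():
    """Return rows changed by: safe+hostile, safe+apostrophe, vulnerable+hostile."""
    db = make_db()
    safe_hostile = update_phone_safe(db, HOSTILE_LAST_NAME, "000")
    safe_obrien = update_phone_safe(db, "O'Brien", "555-0199")
    vuln_hostile = update_phone_vulnerable(db, HOSTILE_LAST_NAME, "000")
    return safe_hostile, safe_obrien, vuln_hostile

if __name__ == "__main__":
    print(demo())
```

With the parameterized form the hostile text matches no customer and a legitimate name containing an apostrophe works normally; with string concatenation the same text overwrites every row, and the legitimate apostrophe raises a syntax error.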



No Outsourcing

100% of AngelTrack LLC employees, past and present, are U.S. citizens living in America.


No Remote Control and No Firewall Openings

AngelTrack does not require you to run remote-control software; all you need is a web browser. Nor is it necessary to open any ports in your company firewalls for AngelTrack's traffic; all traffic passes over the standard HTTP port 80 and the standard HTTPS port 443.


Self-Contained Server

Your AngelTrack cloud server is entirely self-contained, and does not depend on any other computers or internet services. It depends only on its own internet connection, which is redundant and is maintained by Rackspace. Rackspace knows far more about running a datacenter than anyone at AngelTrack LLC, so we defer to their expertise.

Beware of competing products that claim to be in the cloud but have dependencies on computers residing in your own office or in the software provider's offices. Such arrangements introduce far too many failure points into the system.


Request-Level Logging of AngelTrack Activity

AngelTrack logs the activity of your employees, at the web request level.

These logs can be downloaded from the Support Home page, by anyone who is a member of the HR or Administrator roles.

Cloud server logs look like this. The following is a typical snippet, showing user jdoe opening the Shifts page and then beginning a new shift:

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-10-02 00:00:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-10-02 00:25:03
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-10-02 00:25:21 67.192.246.43 GET /Shifts.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/Dispatch.aspx 200 0 0 292
2016-10-02 00:25:21 67.192.246.43 GET /images/icons/Export.png - 443 - 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/Shifts.aspx 200 0 0 61
2016-10-02 00:25:21 67.192.246.43 GET /images/icons/Add.png - 443 - 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/Shifts.aspx 200 0 0 75
2016-10-02 00:25:23 67.192.246.43 GET /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/Shifts.aspx 200 0 0 461
2016-10-02 00:25:23 67.192.246.43 GET /scripts/FuelLevels.js - 443 - 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 92
2016-10-02 00:25:31 67.192.246.43 POST /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 172
2016-10-02 00:25:40 67.192.246.43 POST /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 198
2016-10-02 00:25:42 67.192.246.43 POST /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 145
2016-10-02 00:25:44 67.192.246.43 POST /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 160
2016-10-02 00:25:45 67.192.246.43 POST /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 209
2016-10-02 00:25:45 67.192.246.43 GET /Shifts.aspx ATSaveRefer=0 443 angeltrack\jdoe 60.159.247.137 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.116+Safari/537.36 https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 139
[...]

For instructions on how to interpret a webserver log, read the Data Leak Forensics Guide.
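
As an added example (not AngelTrack's code and not part of the original page), the Python sketch below parses the W3C extended format shown above by following each #Fields directive, then rebuilds a per-user timeline from cs-username. The sample rows are constructed from the snippet above with the User-Agent shortened to UA, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: rows shortened from the snippet above (User-Agent replaced
# by "UA"). The #Fields directive repeats and "[...]" stands in for a bad row.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
#Date: 2016-10-02 00:25:03
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-10-02 00:25:21 67.192.246.43 GET /Shifts.aspx - 443 angeltrack\jdoe 60.159.247.137 UA https://sandbox2.angeltracksoftware.com/Dispatch.aspx 200 0 0 292
2016-10-02 00:25:21 67.192.246.43 GET /images/icons/Add.png - 443 - 60.159.247.137 UA https://sandbox2.angeltracksoftware.com/Shifts.aspx 200 0 0 75
2016-10-02 00:25:23 67.192.246.43 GET /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 UA https://sandbox2.angeltracksoftware.com/Shifts.aspx 200 0 0 461
2016-10-02 00:25:31 67.192.246.43 POST /ShiftBegin.aspx - 443 angeltrack\jdoe 60.159.247.137 UA https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 172
2016-10-02 00:25:45 67.192.246.43 GET /Shifts.aspx ATSaveRefer=0 443 angeltrack\jdoe 60.159.247.137 UA https://sandbox2.angeltracksoftware.com/ShiftBegin.aspx 200 0 0 139
[...]
"""

def parse_w3c(text):
    """Yield one dict per request row, keyed by the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than misalign
        yield dict(zip(fields, values))

def user_timeline(records):
    """Group authenticated requests by user; "-" marks an empty cs-username."""
    timeline = defaultdict(list)
    for r in records:
        if r["cs-username"] == "-":
            continue  # anonymous fetches of images and scripts
        when = r["date"] + " " + r["time"]
        timeline[r["cs-username"]].append(
            (when, r["cs-method"], r["cs-uri-stem"], r["c-ip"]))
    return dict(timeline)

def client_ips(timeline):
    """Distinct source addresses per user, useful when reviewing an account."""
    return {u: sorted({ip for _, _, _, ip in ev}) for u, ev in timeline.items()}

if __name__ == "__main__":
    for user, events in user_timeline(parse_w3c(SAMPLE_LOG)).items():
        print(user, events)
```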

Logfile retention policy

Owing to their size, the raw logs of web requests are retained by your AngelTrack cloud server for 180 days, at which time they are automatically and permanently deleted.

Journal entries, by contrast, are retained forever -- provided you maintain an active AngelTrack license.


Automatic Daily Backups

All of your data is automatically backed up once per day, at 2:30 AM your local time, and stored off-server. If this backup process ever fails, AngelTrack Support staff are immediately notified and will act to correct the problem.

If everything that can go wrong does go wrong, and your AngelTrack cloud server must be rebuilt from scratch by AngelTrack Support, the daily backups are expected to minimize data loss to a maximum of 24 hours.


Codebase Open for Review

AngelTrack's entire codebase is open for review and audit to anyone appearing in person at the Houston, Texas development office during normal business hours. Upon request, a developer familiar with the code will act as a tour guide.

No code may be taken off-premises during the audit, or copied to a private computer or storage device. Any person who works directly or indirectly for a competing EMS software venture is forbidden from attending the audit.


