Overview

Security and privacy are part of the core foundations of the TackleBox platform. TackleBox helps customers find better ways to leverage data, and as a result, the protection of data is paramount. That means security is incorporated into the development of every TackleBox feature. We hold TackleBox to the highest standards for privacy and security.

TackleBox employs a defense-in-depth strategy to protect data. This strategy makes use of multiple layers of security control to secure TackleBox data properly.

 

Physical Security

TackleBox is hosted in Microsoft Azure datacenters. Azure datacenters provide rigorous physical security controls. Azure is designed and managed to meet or exceed a broad set of international and industry-specific compliance standards, such as ISO 27001, FedRAMP, SOC 1, and SOC 2. 

Azure designs, builds, and operates data centers in a way that tightly controls physical access to the areas where TackleBox data is stored. Azure datacenters have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the data center floor.

 

Data Security

Protecting data is fundamental to TackleBox, and as a result, all available security controls are used to protect customer data.

Encryption

TackleBox encrypts all customer data to ensure it is protected within the platform. Encryption ensures that customer data remains private and cannot be tampered with. TackleBox’s encryption standard requires the following:

  • All data-at-rest is encrypted using AES 256-bit algorithms.
  • All data-at-rest is encrypted using NIST-approved encryption ciphers.
  • All data-in-motion is encrypted using TLS and strictly adheres to NIST TLS Guidelines.
  • Azure’s TDE service manages all encryption keys.

Procedures

TackleBox maintains many procedures to ensure the protection of data. At the core of TackleBox, all customer data is protected with row-level access control lists to ensure granular security. 

Separation of duty ensures that only the TackleBox DevOps team has access to production systems. 

The internal TackleBox team audits security protections and monitors for security incidents using machine-learning behavior analysis.

Application Security

The TackleBox Software Development Lifecycle (SDLC) fully incorporates industry-standard security best practices. TackleBox’s AppSec program includes the following:

  • Security training for TackleBox staff.
  • Application designs that are reviewed for security best practices. 
  • Secure coding policies and standards that are used throughout the development process. 
  • Source code scanning using static analysis security testing to identify security vulnerabilities during development. 
  • Dynamic application security testing is used to identify runtime security vulnerabilities. 
  • Web Application Firewalls are used in production to protect TackleBox from application-layer attacks.

Cloud Security

TackleBox is a native cloud application leveraging Microsoft’s Azure public cloud. Azure provides core security functionality for TackleBox. However, TackleBox performs cloud security posture monitoring to ensure all cloud components are correctly configured and free of vulnerabilities. 

Remediation of cloud vulnerabilities is treated with the highest priority by the TackleBox team.

User Authentication

TackleBox leverages federated authentication to allow users to access the application using their existing identity. The identity provider handles passwords and second-factor authentication. TackleBox trusts the identity provider and grants appropriate access.

Security Governance

TackleBox follows the NIST Cybersecurity Framework for security management. The NIST CSF is used as a basis for TackleBox’s standards and guidelines. The Azure CIS benchmark is also used as a benchmark for cloud security.