Security / settings.json & third parties (Galaxy, Modulus, etc.)

Hi!
I currently have a setup on AWS and all the deployment is handled with meteor-up from Arunoda.

I also like Galaxy as a provider, but there is one thing that keeps me from using Galaxy as my main provider: the settings.json contains a lot of API keys to services like Mandrill, and exposing my database credentials seems wrong (credit card info of users?).

Although the data is encrypted at the DB level, with the app at hand and the DB connections it is super easy to get the information (for the container/service provider).

We take all this care that people cannot “hack” the DB or use NoSQL injection, but services like Galaxy or Modulus or all the others save all those keys and secrets, which totally exposes everything.

I KNOW: Hosting everything myself is an option. But it's costly and time-intensive and also might be even less secure because I'm not a database expert.

Have any of you guys thought of a model where the settings.json is encrypted or similar (vaultproject.io?)?
What's your general thought? Do you “trust” the teams behind hosting services?
What's the security promise of Galaxy, for example? Where do you personally draw the line?

If your app can decrypt the settings, then can’t any hosting service do that as well, since it has access to the app code? I feel like you inherently need to trust the people hosting your app, whether that is DigitalOcean, AWS, Galaxy, Modulus, or whatever.

1 Like
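The point made in the reply above, as an added example that is not part of the original thread: a settings.json encrypted with AES-256-GCM protects copies of the file in a repository or backup, but whoever runs the container holds the same ciphertext and key as the app. It uses only Node's built-in `crypto` module; `sealSettings`, `openSettings`, `whoCanRead` and the `SETTINGS_KEY` variable are hypothetical names, and the settings are constructed sample data.

```javascript
// Added example: encrypted settings.json for a Node/Meteor-style server.
// sealSettings, openSettings and SETTINGS_KEY are hypothetical names.
const crypto = require('node:crypto');

// Developer machine: encrypt the settings object with AES-256-GCM.
function sealSettings(settings, key) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(settings), 'utf8'), c.final()]);
  return { iv: iv.toString('base64'), tag: c.getAuthTag().toString('base64'),
           ct: ct.toString('base64') };
}

// Server startup: decrypt; throws on a wrong key or a modified envelope.
function openSettings(env, key) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  d.setAuthTag(Buffer.from(env.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(env.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

const canRead = (env, key) => {
  try { openSettings(env, key); return true; } catch (e) { return false; }
};

// Constructed sample settings; the API key is a placeholder, not a real one.
const sample = { mandrill: { apiKey: 'EXAMPLE-NOT-A-REAL-KEY' }, public: { app: 'demo' } };
const key = crypto.randomBytes(32);         // delivered to the container as SETTINGS_KEY
const envelope = sealSettings(sample, key); // what is committed / uploaded

// Which party can recover the plaintext, given what it holds.
function whoCanRead() {
  const ct = Buffer.from(envelope.ct, 'base64');
  ct[0] ^= 1; // simulate one flipped bit in the stored ciphertext
  const containerEnv = { SETTINGS_KEY: key.toString('base64') }; // visible to the host
  const hostKey = Buffer.from(containerEnv.SETTINGS_KEY, 'base64');
  return {
    repoOrBackupOnly: canRead(envelope, crypto.randomBytes(32)), // ciphertext, no key
    appProcess: canRead(envelope, key),
    hostOperator: canRead(envelope, hostKey), // same inputs as the app
    tamperedFile: canRead({ ...envelope, ct: ct.toString('base64') }, key),
  };
}

console.log(whoCanRead());
```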

Sure, I mean it's fine, you always have to trust someone.
I was just wondering, in the age of data security this is for me often an overlooked factor. I know that AWS data centers are especially secure, with metal detectors and security protocols/levels and whatnot.

But for Galaxy hosting on AWS you have to trust their team and their security protocols, and this grows if you host your DB somewhere else. Also, env variables can leak if you are not careful.
For example, last year (I think) some Mandrill API keys got hacked, and right there is a honeypot for email phishing.

I just wanted to start a discussion.