Hi!
I currently have a setup on AWS and all the deployment is handled with meteor-up from Arunoda.
I also like Galaxy as a provider, but there is one thing that keeps me from using Galaxy as my main provider: the settings.json contains a lot of API keys for services like Mandrill, and exposing my database credentials seems wrong (credit card info of users?).
Although the data is encrypted at the DB level, with the app at hand and the DB connections it is super easy to get the information (for the container/service provider).
We take all this care that people cannot “hack” the DB or use NoSQL injection, but services like Galaxy or Modulus or all the others save all those keys and secrets, which totally exposes everything.
I KNOW: Hosting everything myself is an option. But it's costly and time-intensive and might even be less secure because I'm not a database expert.
Has any of you guys thought of a model where the settings.json is encrypted or similar (vaultproject.io?)?
What's your general thought? Do you “trust” the teams behind hosting services?
What's the security promise of Galaxy, for example? Where do you personally draw the line?