build a vault #3504
Comments
|
I think we should host our vault directly on AWS, since they clearly offer a PCI compliant environment, whereas Heroku doesn't advertise as much. |
|
I'm envisioning a very simple key/value store, an expansion of vault.py to put it on the network. I suppose the thing to do would be to use HTTP so we can post into it from javascript. We don't want to transmit sensitive data through the main web app at all. |
|
Let's do some poking around ... https://hashicorp.com/blog/vault.html What else? |
|
|
One key feature of our requirements here is that the web app only needs to write secrets, not read them. It's the payroll process that needs to read secrets, in order to originate ACH credits and populate invoices. My thought is that we should use public key cryptography, with the web app holding the public key (via Introducing a server component, whether Vault or something else (including something DIY), increases our surface area and level of complexity significantly moreso than integrating encryption-before-storage into our existing application architecture. What are the PCI implications of the latter? |
|
Another design requirement: I want separate access groups for the main web app and the PCI vault. I want to be able to grant access to Heroku (app + db) as we've been doing, which is carefully, to be sure ... but we need to be even more careful with access to vaulted data. |
|
Let's distinguish the three pieces of information we're intending to collect, their risk profile, and our immediate application requirements regarding each.
|
|
So the web app does need to read some secrets. |
|
Meaning it does come under the systems we need to consider in terms of PCI compliance. |
|
The requirement for invoices is that VAT be available to both supporters (buyers; #1199 (comment)) and teams (sellers; #1199 (comment)). |
|
Hashi Vault supports dynamic secrets. Could we use that to ensure that access to Heroku doesn't entail access to our vault? |
|
|
Like, when the app spins up, it asks our vault for credentials to our vault? |
|
Looks like that would take some work. |
|
I'm going through the Vault intro. |
|
Alright, I am introduced to Vault. It's a nice piece of software. We very well may be able to use it here. |
|
|
I've registered for an AWS account. |
|
Can we use the browser as the go-between to avoid leaking vault access to people with Heroku access? |
|
I don't see how to meet this requirement with Vault. :( |
|
Or at all, really. If the web app has to be able to write, then whoever has access to the web app could potentially write out their bank account details and collect all of payroll for a week. |
|
Okay, so let's take it that we don't have a separate access tier that is even tighter than access to our production hosting environment and database. Then we're back up against the fact that Heroku does not promise a PCI-compliant environment to nearly the extent that Amazon does. |
|
Gosh. Are we talking about migrating away from Heroku? 🐭
https://www.digitalocean.com/help/policy/ via https://www.digitalocean.com/community/questions/digital-ocean-pci-dss-server-compliance |
|
Amazon > DO > Heroku (PCI-wise) |
|
Okay! Reticketed as #3505. 🏊 |
|
POI:
https://github.com/zero-db/zerodb (h/t) |
|
I propose that we close this ticket. Why? Because we already have a vault. Meaning, we already have a database that contains sensitive information, which we take care to protect. Security means constant vigilance, there is no "done" state where we'll be perfectly ready to store national identity numbers and passport scans. Running HackerOne for a while, observing the security practices of other organizations, and watching NSA predators has me feeling hesitantly confident that we're not at the back of the pack when it comes to security. I think we should go for it. @rohitpaulk @clone1018 @aandis et. al? |
Now I'm saying that we treat our main app and database as our vault (rather than building a separate component), and we evolve towards something like DSS as we scale. |
|
Last call for objections to closing this ticket and declaring that we already have a vault ... |
|
We're a far cry from Uphold's definition of a vault. :-/ |
|
@mattbk at gratipay/inside.gratipay.com#532 (comment):
Unclear. Either everything (our current database is our vault) or just sensitive info such as national identity info (we have a second database). Though in the first case we would still differentiate sensitive info, and store it in the current database in encrypted form. Maybe the difference is semantic. Our vault has "layers" or something. |
|
Alright @rohitpaulk @aandis @mattbk @kaguillera: per gratipay/inside.gratipay.com#539 (comment), let's start with the five of us. Would you store your name, address, and national ID number in Gratipay today? Why not? What is the minimum we need to accomplish before you're comfortable doing so? |
Yes, I would |
|
Sure. |
|
👍 |
|
Awesome! Me, too. :-) I will check with @kaguillera when I see him next week ... |
|
|
Alright, talking w/ @kaguillera here IRL and he is good to go. 👍 (Though he also mentions that national ID numbers are not big in Trinidad and passport or driver's license would be more normal.) |
|
Alright, folks! Closing this one out. We have a vault. 😳 Future work to be organized on the Security Radar. |
We are going to start storing national identification numbers (#3289 (comment)) as well as bank account numbers (#3377 downstream of #3366). We need a vault separate from our main application and database that is more highly secure. We should use the PCI DSS 3.0 standard to self-assess the security of our application (gratipay/inside.gratipay.com#214). This ticket is about building a new vault component of our architecture.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: