RagtagOpen / nomad

Apache License 2.0

Security questions #21

Open jillh510 opened 7 years ago

jillh510 commented 7 years ago

How will we secure users' email addresses and phone numbers (store them encrypted?)? How long do we keep information about each carpool? We need to publish who gets what information about the carpool, especially if we'll be sharing information about volunteers with campaign offices.

karpet commented 7 years ago

+1 to all these questions. Storage of PII is always a security concern.

karpet commented 7 years ago

Yes, for security and privacy we should encrypt all PII at rest in the database. That would include names, emails, phone numbers.

There are 2 main attack vectors for compromising PII: (1) obtaining a copy of the database file from disk snapshot (as from a backup .sql file), or (2) compromising direct database access, via the running application.

In case (1), we should mitigate against that by enabling on-disk encryption. E.g. https://blog.heroku.com/the_new_database_experience_with_heroku_postgres#continuous-protection-now-with-on-disk-encryption https://aws.amazon.com/about-aws/whats-new/2017/06/amazon-rds-enables-encryption-at-rest-for-additional-t2-instance-types/

In case (2), we should encrypt each column at rest. E.g. https://bunn.cc/2015/django-encryption-at-rest/ (NOTE I have not used this and cannot vouch for it but the idea is correct)

Encryption is hard to get right, and complex. At this late stage of development, I think case (1) is the biggest threat and the easiest to enable since it should require zero changes.
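The per-column encryption from case (2), as an added example (not the nomad project's code) on an in-memory SQLite table: PII columns are stored as Fernet tokens, a keyed hash gives a lookup index for email, and `dump_rows` shows what a copied backup or raw database access without the key yields. It assumes the `cryptography` package and that both keys would come from the application environment, which is also why an application-level compromise still exposes the plaintext.

```python
# Added example: column-level encryption of PII at rest. Assumes the
# `cryptography` package; keys are generated here but in production would
# come from the app environment (e.g. config vars), never from the database.
import hashlib
import hmac
import os
import sqlite3

from cryptography.fernet import Fernet

FIELD_KEY = Fernet.generate_key()  # Fernet = AES-128-CBC + HMAC-SHA256
INDEX_KEY = os.urandom(32)         # separate key for the blind index
_f = Fernet(FIELD_KEY)


def blind_index(value: str) -> str:
    """Keyed hash of the normalized value, so a row can be found by email
    without storing the plaintext or decrypting every row."""
    norm = value.strip().lower().encode()
    return hmac.new(INDEX_KEY, norm, hashlib.sha256).hexdigest()


def create_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE volunteer (id INTEGER PRIMARY KEY, "
               "name BLOB, email BLOB, email_idx TEXT, phone BLOB)")
    return db


def add_volunteer(db, name: str, email: str, phone: str) -> int:
    """Encrypt each PII column before it reaches the database."""
    cur = db.execute(
        "INSERT INTO volunteer (name, email, email_idx, phone) VALUES (?, ?, ?, ?)",
        (_f.encrypt(name.encode()), _f.encrypt(email.encode()),
         blind_index(email), _f.encrypt(phone.encode())))
    return cur.lastrowid


def find_by_email(db, email: str):
    """What the running application sees: it holds the key, so it decrypts."""
    row = db.execute("SELECT name, email, phone FROM volunteer WHERE email_idx = ?",
                     (blind_index(email),)).fetchone()
    if row is None:
        return None
    return {k: _f.decrypt(v).decode() for k, v in zip(("name", "email", "phone"), row)}


def dump_rows(db) -> list:
    """What a backup copy (case 1) or raw DB access without the key yields."""
    return db.execute("SELECT name, email, phone FROM volunteer").fetchall()
```

The index is deterministic per key, so an attacker with the dump can tell which rows share an email but not what the email is; rotating `FIELD_KEY` requires re-encrypting the columns.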

iandees commented 7 years ago

We're using Heroku right now. We have to pay (at minimum) $200/mo to get to a tier that supports at-rest encryption: https://www.heroku.com/pricing#heroku-postgres-premium.

karpet commented 7 years ago

@iandees understood. It might be cheaper to use RDS directly with the Heroku app (https://devcenter.heroku.com/articles/amazon-rds); that would require provisioning an RDS instance and managing it outside of Heroku. Given that Ragtag is dealing with PII on a regular basis, this seems like a good opportunity to establish and reinforce some best practices about infrastructure.

jmcarp commented 7 years ago

What scenarios does RDS with at-rest encryption protect against? If an attacker gets access to the application environment, emails are exposed. If an attacker gets access to RDS, emails are exposed. If an attacker gets access to the RDS server instance, we're protected. I'm guessing the first two scenarios (we leak Heroku/RDS credentials, have a SQL injection vulnerability, etc.) are much more likely than the third (AWS servers are compromised), so the value here might not be very high.

That said, if you all think the risk of an AWS compromise (or other factors) justifies moving the database to RDS, I'd be happy to help with that.

karpet commented 7 years ago

@jmcarp I agree with everything you said.

My point was that on-disk encryption was a good idea and required near-zero code changes. It's a configuration change at most.

iandees commented 7 years ago

I'm reticent to make our deployment system more complicated than it is right now. Part of the reason we're able to move so quickly and get this project so far in 2 weeks is that we are relying on the quick and easy deploy setup in Heroku. I don't have the time to set up something similar in AWS. And setting up an AWS account specifically for RDS only makes things more complicated and prone to failure.

I'm happy to work with someone if they're interested in getting this set up on a more-secure, faster, and cheaper setup in AWS or GCS or something, but the benefits have to outweigh the risks.