Security & Systems Policy
Learn about Galaxy's Security and Systems Policy.
Galaxy is committed to ensuring that the application code and data stored in the Meteor Galaxy platform is accessible only by authorized individuals. Security best practices are employed consistently and evolve to meet the needs of our customers.
When you sign up for a Galaxy Account, you agree to our standard SLA, found here. If you need a customized SLA for your account, please reach out to Galaxy Support.
Galaxy's physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Service (AWS) technology.
Galaxy consists of Platform services built and run on top of Amazon's Elastic Container Service and Amazon Web Services.
Galaxy utilizes Amazon EC2 virtual machine and Docker isolation mechanisms. Each application instance is run in its own Docker container on an Amazon EC2 virtual machine.
Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon's data center operations have been accredited under:
ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)
Galaxy itself has not pursued independent certifications.
System configuration and consistency are maintained through standard images, configuration management software, and the replacement of select systems with updated deployments.
Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced with up-to-date systems.
Customer application configuration secrets are stored in a Galaxy system database. This database is secured by standard system and authorization policies. Access to the database is restricted to authorized personnel only, for purposes of administration and support.
Customer application certificates and keys are stored in encrypted form in the Galaxy system database. These certificates are only decrypted on the Galaxy Proxy machines and are not exposed to application containers.
Access to private information is protected using Docker isolation in the application container.
Galaxy provides SSL encryption to protect data transmission over the wire from external entities to the Galaxy Proxy layer. Internally in Galaxy, Amazon EC2 virtual machine and Docker container network isolation is utilized to protect data transmission over the wire.
Galaxy does not maintain databases that are utilized for production application use. These databases are provisioned, configured, and maintained by the customer.
Galaxy free MongoDB databases are only available for hobby projects and open-source demos.
Galaxy captures and stores Application Logs in an off-site database. This database is secured by standard system and authorization policies. Access to the database is restricted to authorized personnel for administration and support only.
Galaxy employees do not access customer data or customer environments as part of day-to-day operations. When customers need support, authorized employees are able to view customer data when specifically requested.
All company employees are trained to understand that customer data privacy and confidentiality are paramount. Under no circumstances is customer data ever disclosed to a third party. Only a limited subset of employees have the ability to view customer environments and stored data.
Access is routinely evaluated to ensure those rights are retained only when necessary by job function. Galaxy maintains a policy and operational checklist for removing access for employees that are no longer associated with its operations.
Meteor Developer Accounts support Two-Factor Authentication, so we recommend that all members of your organization have it enabled.
You can check if all members of your organization have this enabled in your Members tab on your account page on Galaxy. You will see a lock icon on each member with Two-Factor Authentication enabled.
Each member can enable Two-Factor Authentication on cloud.meteor.com/security in the Security section.
It's important to save the backup codes in a safe place as well.
Our two-factor authentication works via email, so you will receive an email when you authenticate with your confirmation code.
If you authenticate with GitHub, the confirmation code will not be sent as you should have two-factor on GitHub as well. So our two-factor is not going to do anything in the GitHub authentication.
Starting from June 22, 2021, meteor.com is a domain with DNSSEC enabled. Check what DNSSEC is, and why it's important here.
Galaxy applied the following changes to its infrastructure:
Disable HTTP 1.0 protocol support
Galaxy Sticky cookie will have a secure flag for force-ssl enabled domains
HSTS will be sent for every force-ssl enabled domain
Removal of some supported ciphers. The updated list will only include the ciphers listed below:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
This can affect clients older than 5 years, like old browsers.
Galaxy's Security Practices
Galaxy is committed to ensuring that the application code and data stored in the Meteor Galaxy platform is accessible only by authorized individuals. Security best practices are employed consistently and evolve to meet the needs of our customers.
When you sign up for a Galaxy Account, you agree to our standard SLA, found here. If you need a customized SLA for your account, please reach out to Galaxy Support.
Platform Architecture
Galaxy's physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Service (AWS) technology.
Galaxy consists of Platform services built and run on top of Amazon's Elastic Container Service and Amazon Web Services.
Galaxy utilizes Amazon EC2 virtual machine and Docker isolation mechanisms. Each application instance is run in its own Docker container on an Amazon EC2 virtual machine.
Risk Assessment
Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon's data center operations have been accredited under:
ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)
Galaxy itself has not pursued independent certifications.
Policy around Software Security Updates
System configuration and consistency are maintained through standard images, configuration management software, and the replacement of select systems with updated deployments.
Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced with up-to-date systems.
Customer Data Security
Customer application configuration secrets are stored in a Galaxy system database. This database is secured by standard system and authorization policies. Access to the database is restricted to authorized personnel only, for purposes of administration and support.
Customer application certificates and keys are stored in encrypted form in the Galaxy system database. These certificates are only decrypted on the Galaxy Proxy machines and are not exposed to application containers.
Access to private information is protected using Docker isolation in the application container.
Application Data
Galaxy provides SSL encryption to protect data transmission over the wire from external entities to the Galaxy Proxy layer. Internally in Galaxy, Amazon EC2 virtual machine and Docker container network isolation is utilized to protect data transmission over the wire.
Galaxy does not maintain databases that are utilized for production application use. These databases are provisioned, configured, and maintained by the customer.
Galaxy free MongoDB databases are only available for hobby projects and open-source demos.
Application Logs
Galaxy captures and stores Application Logs in an off-site database. This database is secured by standard system and authorization policies. Access to the database is restricted to authorized personnel for administration and support only.
Operational Policies
Galaxy employees do not access customer data or customer environments as part of day-to-day operations. When customers need support, authorized employees are able to view customer data when specifically requested.
All company employees are trained to understand that customer data privacy and confidentiality are paramount. Under no circumstances is customer data ever disclosed to a third party. Only a limited subset of employees have the ability to view customer environments and stored data.
Access is routinely evaluated to ensure those rights are retained only when necessary by job function. Galaxy maintains a policy and operational checklist for removing access for employees that are no longer associated with its operations.
Two-Factor Authentication
Meteor Developer Accounts support Two-Factor Authentication, so we recommend that all members of your organization have it enabled.
You can check if all members of your organization have this enabled in your Members tab on your account page on Galaxy. You will see a lock icon on each member with Two-Factor Authentication enabled.
Each member can enable Two-Factor Authentication on cloud.meteor.com/security in the Security section.
It's important to save the backup codes in a safe place as well.
Our two-factor authentication works via email, so you will receive an email when you authenticate with your confirmation code.
If you authenticate with GitHub, the confirmation code will not be sent as you should have two-factor on GitHub as well. So our two-factor is not going to do anything in the GitHub authentication.
DNSSEC
Starting from June 22, 2021, meteor.com is a domain with DNSSEC enabled. Check what DNSSEC is, and why it's important here.
Changes
Sep 25th, 2021
Galaxy applied the following changes to its infrastructure:
Disable HTTP 1.0 protocol support
Galaxy Sticky cookie will have a secure flag for force-ssl enabled domains
HSTS will be sent for every force-ssl enabled domain
Removal of some supported ciphers. The updated list will only include the ciphers listed below:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
This can affect clients older than 5 years, like old browsers.
Updated on: 29/07/2024
Thank you!