Securing user data -- best practices

For starters, yes I know security is hard and complicated to do right. But for rolling out an MVP of my website I’d like to at least get started on the right track. Here’s where I am right now:

  1. I’ll use an auth provider such as Clerk to handle all the complexity of user authentication and passwords, etc. So far so good.
  2. I’d like to keep a record of who my users are in case my external auth provider disappears. For example I’d at least like to store my users’ email addresses. Is there a standard way to do this – for example, after a user logs in, should I grab their email and store it in my own DB?
  3. For storing things like the user’s email address should I encrypt the data? If so, is there a standard plugin that will handle this and integrate with Prisma and whatever backend DB I choose?
  4. I’m thinking of integrating with Plaid to let users connect bank account info. I won’t be storing bank login credentials or account numbers, but (as with the email addresses) I’ll need to pull in key records such as account balances. As with email addresses, I’d like to be encrypting these values as well, and probably the same with users’ account nicknames etc.
  5. If I’m encrypting this kind of data can I make the encryption keys unique per user, or is it sufficient to have some sort of rotating global keys to encrypt the whole DB? I suppose this also depends on what encryption solutions are available with Prisma etc.

Any advice welcome! I know I also need to worry about various website attacks, but here I’m most interested in locking down the backend DB due to storing sensitive user data. Thanks!

1 Like

I just want to understand. It sounds like you have two types of data you’re concerned about how to store.

  1. Email addresses (in case you can’t use your current auth provider)
  2. Financial data

There are pros and cons to everything and I am by no means an expert here; that being said, my first thought was:

  • What does the GDPR say about storing email addresses?
  • Storing personal financial data, what does the internet say about this?
  • FTC’s Protecting Personal Information
    • Summary: This has 5 principles about how to handle the data. The LOCK IT section has a part about encrypting the data you need.

      Encrypt sensitive information that you send to third parties over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business.

Anything you make to store an encryption key would have to be treated like you would an env variable for your database: keep it really secure. If there isn’t a trend one way, you could avoid this by not storing their data in the database, just using the APIs and data in memory. If you aren’t storing the data, it’s less to worry about.

1 Like