Securing user data -- best practices

For starters, yes I know security is hard and complicated to do right. But for rolling out an MVP of my website I’d like to at least get started on the right track. Here’s where I am right now:

  1. I’ll use an auth provider such as Clerk to handle all the complexity of user authentication and passwords, etc. So far so good.
  2. I’d like to keep a record of who my users are in case my external auth provider disappears. For example I’d at least like to store my users’ email addresses. Is there a standard way to do this – for example, after a user logs in, should I grab their email and store it in my own DB?
  3. For storing things like the user’s email address should I encrypt the data? If so, is there a standard plugin that will handle this and integrate with Prisma and whatever backend DB I choose?
  4. I’m thinking of integrating with Plaid to let users connect bank account info. I won’t be storing bank login credentials or account numbers, but (as with the email addresses) I’ll need to pull in key records such as account balances. As with email addresses, I’d like to be encrypting these values as well, and probably the same with user’s account nicknames etc.
  5. If I’m encrypting this kind of data can I make the encryption keys unique per user, or is it sufficient to have some sort of rotating global keys to encrypt the whole DB? I suppose this also depends on what encryption solutions are available with Prisma etc.

Any advice welcome! I know I also need to worry about various website attacks, but here I’m most interested in locking down the backend DB due to storing sensitive user data. Thanks!

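An illustration of points 3 and 5 above, added here as an example and not part of the original post or of any Prisma, Clerk or Plaid API: field-level AES-256-GCM encryption using Node's built-in `crypto` module, with a per-user key derived from a versioned global master key so that rotation and per-user isolation can coexist. The function names, the stored-value format and the master key bytes are assumptions constructed for the example; real master keys would come from a KMS or secret manager.

```javascript
const { hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Constructed master keys, indexed by version (assumption: loaded from a
// KMS/secret manager in practice, never stored in code or in the same DB).
const MASTER_KEYS = { 1: Buffer.alloc(32, 0x11), 2: Buffer.alloc(32, 0x22) };
const CURRENT_VERSION = 2;
const b64 = (buf) => buf.toString("base64url");

// Derive a 32-byte key unique to one user from a versioned master key.
function userKey(version, userId) {
  const master = MASTER_KEYS[version];
  if (!master) throw new Error(`unknown key version ${version}`);
  return Buffer.from(hkdfSync("sha256", master, Buffer.alloc(0), `field-enc:${userId}`, 32));
}

// Encrypt one field value. Stored form: v<version>.<iv>.<tag>.<ciphertext>.
// User id and field name are bound as AAD, so a ciphertext copied to
// another row or column fails authentication instead of decrypting.
function encryptField(userId, field, plaintext, version = CURRENT_VERSION) {
  const iv = randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = createCipheriv("aes-256-gcm", userKey(version, userId), iv);
  cipher.setAAD(Buffer.from(`${userId}|${field}`));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return `v${version}.${b64(iv)}.${b64(cipher.getAuthTag())}.${b64(ct)}`;
}

// Decrypt a stored value; throws if the key, user, field or data is wrong.
function decryptField(userId, field, stored) {
  const [v, iv, tag, ct] = stored.split(".");
  const key = userKey(Number(v.slice(1)), userId);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64url"));
  decipher.setAAD(Buffer.from(`${userId}|${field}`));
  decipher.setAuthTag(Buffer.from(tag, "base64url"));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64url")), decipher.final()]);
  return pt.toString("utf8");
}

// Rotation: re-encrypt a value only if it was written under an older version.
function rotateField(userId, field, stored) {
  if (stored.startsWith(`v${CURRENT_VERSION}.`)) return stored;
  return encryptField(userId, field, decryptField(userId, field, stored));
}
```

Because each encryption uses a fresh random IV, the same email encrypts to a different value every time, so an encrypted column cannot be matched with an equality query.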