Services (3:44) with Kenneth Love
There are many services you can use to handle sensitive data for you.
Again, this list won't be exhaustive; new services and techniques come up every day. Here, though, are a few articles, services, and tools you can use to offset some of your own work:
One of the biggest challenges of data today is just how much of it is out there. Data breaches are unfortunately a given. Your data as a user or consumer is going to get out there. Your data as a business is highly sought after. We give out a lot of data: phone numbers, government ID numbers, dates of birth, not to mention payment info like credit card and bank account numbers. As a service provider, you can help to minimize the damage done by data breaches by just not collecting and storing data.

Let's start with the easiest part: don't collect data that you don't need. It's really tempting to ask users for anything you think you might ever need. For example, your service might in the future implement automatic phone calls for suspicious account behavior. That's a great feature. But you don't have it yet, and I certainly haven't opted into it yet, so don't ask me for my phone number. The less data you store, the less can be lost in a successful hacking attempt.

Okay, but that's obvious, right? What about things where you have to have the data? Like user accounts: you can't really get around storing passwords, right? Actually, you can. There are a few common modern ways of avoiding storing user passwords that could get leaked.

The first is social media accounts. Instead of requiring your users to create a new account on your service, and you having to store their password and other account details, you let them sign up with their Facebook, Twitter, GitHub, or whatever else account. You'll store a token that the service provides you instead of a password. You can usually request other information from the third-party service too, like email addresses and legal names. Sometimes you can even ask for that on demand. This technique is known as OAuth, and it's quickly becoming a common feature throughout the industry. Check the teacher's notes for links to Treehouse content on how to take advantage of OAuth for your own projects.

Another alternative is the OpenID technology. This bit of tech allows people to use their logins from other systems, much like with OAuth. OpenID relies, as you should have come to expect by now, on a shared secret between the requesting system (your site or service) and the authentication provider. It's not quite as popular as OAuth, but it's a secure, reliable system.

Isn't that data still vulnerable to a breach, though? I mean, if Facebook gets hacked, that data is still gonna be out there, right? Sure. But companies like Facebook have massive teams and massive bank accounts aimed squarely at preventing these breaches. While they won't always have more protection and security than you do, it's often a good assumption. There's a theory in the industry, too, that one of the reasons users stick with bad or repeated passwords is because we require them to create so many of them. It's possible that users will use better passwords if they have to have a few of them. Services like OAuth and OpenID might lead to this.

The next option is a newer type of service that's been appearing in the last few years. Much like using social media sites for login, services like Okta and Certify let you register and authenticate users without having to store their details on your own servers. Again, you're relying on a much more focused company for the security instead of having to divide up your own attention.

Lastly, what about payment details? I know in the early days of buying things on the Internet it wasn't uncommon to find a service provider or e-commerce shop that would store their customers' payment details in their own database. Often these were stored in plain, unencrypted text, too. The headaches caused by any breach in those databases! Luckily, now, services like Stripe, PayPal, and Authorize.net all exist and allow you to safely and securely charge people money for your products and services without having to store the payment details yourself. In fact, if you did want to store those major credit card details yourself, you must implement PCI DSS, or the Payment Card Industry Data Security Standard. PCI represents American Express, Discover, JCB, MasterCard, and Visa. There aren't many cards out there that aren't issued by one of those. Depending on the size of your operation, you may or may not have to have your compliance verified. I put some information in the teacher's notes about all of these services. Be sure to read through them if they apply to your projects, and look for places where you can avoid storing user data.

Now, let's take a look at a feature that's quickly becoming a requirement for messaging software: end-to-end encryption.
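The "store a token instead of a password" idea from the video, as an added example that is not part of the course or its teacher's notes. Both sides of an OAuth 2.0 authorization-code login are simulated in one process so it runs offline: a stand-in identity provider (playing the GitHub/Facebook role) and your service as the relying party. The provider name, client id, client secret, redirect URI, and the single user profile are all constructed values, not anything from a real provider. The points it makes concrete are the ones the video leaves implicit: the relying party's user table has no password column at all, the `state` nonce ties the callback to the browser session that started the login, and an authorization code is single-use.

```python
"""Simulated OAuth 2.0 authorization-code login: provider and relying party in one process.
Added illustration; all names, secrets and the user profile are constructed."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class IdentityProvider:
    """Stand-in for GitHub/Facebook/etc. The user's password lives only here; we never see it."""

    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret
        self.pending_codes = {}   # code -> (subject, redirect_uri); popped on first use
        self.access_tokens = {}   # access token -> subject
        self.profiles = {"user-42": {"email": "alice@example.test", "name": "Alice Example"}}

    def authorize(self, authorize_url, logged_in_subject):
        """User consents at the provider; it redirects back with a code and the echoed state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        if q.get("client_id") != self.client_id or q.get("response_type") != "code":
            raise PermissionError("unknown client or response_type")
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (logged_in_subject, q["redirect_uri"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange: code + client credentials -> bearer token. Code is single-use."""
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("bad client credentials")
        subject, uri = self.pending_codes.pop(code, (None, None))
        if subject is None or uri != redirect_uri:
            raise PermissionError("invalid, replayed, or mis-redirected code")
        tok = secrets.token_urlsafe(24)
        self.access_tokens[tok] = subject
        return {"access_token": tok, "token_type": "bearer"}

    def userinfo(self, access_token):
        subject = self.access_tokens[access_token]
        return {"sub": subject, **self.profiles[subject]}


class RelyingParty:
    """Your service. It stores the provider's subject id and token, never a password."""
    CLIENT_ID = "example-app"                               # assumed, issued by the provider
    CLIENT_SECRET = "client-secret-issued-by-provider"      # assumed; keep server-side only
    REDIRECT_URI = "https://app.example.test/oauth/callback"

    def __init__(self, provider):
        self.provider = provider
        self.pending_states = {}   # browser session id -> state nonce
        self.users = {}            # (provider, sub) -> minimal record; no password column

    def login_url(self, session_id):
        state = secrets.token_urlsafe(16)
        self.pending_states[session_id] = state
        return "https://idp.example.test/authorize?" + urlencode({
            "response_type": "code", "client_id": self.CLIENT_ID,
            "redirect_uri": self.REDIRECT_URI, "scope": "email", "state": state})

    def callback(self, session_id, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        expected = self.pending_states.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected, q.get("state", "")):
            raise PermissionError("state mismatch: rejecting callback (CSRF / login injection)")
        tok = self.provider.token(q["code"], self.CLIENT_ID, self.CLIENT_SECRET, self.REDIRECT_URI)
        info = self.provider.userinfo(tok["access_token"])
        key = ("idp.example.test", info["sub"])
        # Data minimisation: keep only what the service actually uses.
        self.users[key] = {"email": info["email"], "access_token": tok["access_token"]}
        return key


def run_login(tamper_state=False):
    """Drive one complete login; optionally corrupt the state on the way back."""
    provider = IdentityProvider(RelyingParty.CLIENT_ID, RelyingParty.CLIENT_SECRET)
    rp = RelyingParty(provider)
    session_id = "browser-session-1"
    redirect = provider.authorize(rp.login_url(session_id), logged_in_subject="user-42")
    if tamper_state:
        redirect = redirect.split("&state=")[0] + "&state=attacker-chosen"
    key = rp.callback(session_id, redirect)
    return {"rp": rp, "provider": provider, "key": key, "redirect": redirect}


def replay_is_rejected():
    """Exchanging the same authorization code twice must fail."""
    r = run_login()
    code = parse_qs(urlparse(r["redirect"]).query)["code"][0]
    try:
        r["provider"].token(code, RelyingParty.CLIENT_ID, RelyingParty.CLIENT_SECRET,
                            RelyingParty.REDIRECT_URI)
    except PermissionError:
        return True
    return False


def tampered_state_is_rejected():
    try:
        run_login(tamper_state=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    r = run_login()
    print("stored record:", r["key"], r["rp"].users[r["key"]])
    print("replay rejected:", replay_is_rejected(), "| tampered state rejected:", tampered_state_is_rejected())
```

The provider here is a toy; against a real one the `token` and `userinfo` calls are HTTPS requests, and the access token in the user table is itself a credential worth encrypting at rest. The shape of what you keep is the point: a provider name plus a stable subject id identifies the account, and nothing in your database can be cracked into a password.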