Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
There are many services you can use to handle sensitive data for you.
Again, this list won't be exhaustive; new services and techniques come up every day. Here, though, are a few articles, services, and tools you can use to offset some of your own work:
- OAuth in Plain English by Rob Sobers
- OpenID Connect, the newest version of OpenID which works on top of OAuth 2.0.
- Stripe
- Authorize.Net
- PayPal
- PCI DSS
- Okta
- Certify
One of the biggest challenges of data
today is just how much of it is out there.
0:00
Data breaches are unfortunately a given.
0:04
Your data as a user or
consumer is going to get out there.
0:06
Your data as a business
is highly sought after.
0:09
We give out a lot of data.
0:12
Phone numbers, government ID numbers,
dates of birth,
0:13
not to mention payment info like
credit card and bank account numbers.
0:16
As a service provider, you can help to
minimize the damage done by data breaches,
0:19
by just not collecting and storing data.
0:22
Let's start with the easiest part,
don't collect data that you don't need.
0:25
It's really tempting to ask users for
anything you think you might ever need.
0:28
For example,
your service might in the future,
0:32
implement automatic phone calls for
suspicious account behavior.
0:34
That's a great feature.
0:37
But you don't have it yet, and
I certainly haven't opted into it yet, so
0:38
don't ask me for my phone number.
0:41
The less data you store, the less can be
lost in a successful hacking attempt.
0:43
Okay, but that's obvious, right?
0:47
What about things you
have to have the data?
0:49
Like user accounts, you can't really
get around storing passwords, right?
0:51
Actually you can.
There are few common modern ways of
0:55
avoiding storing user passwords
that could get leaked.
0:56
The first is social media accounts.
0:59
Instead of requiring your users to
create a new account on your service and
1:02
you having to store their password and
other account details,
1:05
you let them sign up with their Facebook,
Twitter, GitHub or whatever else account.
1:08
You'll store a token that the service
provides you instead of a password.
1:12
You can usually request other information
from the third party service too
1:15
like email addresses and legal names.
1:18
Sometimes you can even ask for
that on demand.
1:20
This technique is known as OAuth,
1:23
and it's quickly becoming a common
feature throughout the industry.
1:24
Check the teacher's notes on for
1:27
links to treehouse content on how to take
advantage of OAuth for your own projects.
1:28
Another alternative is
the OpenID technology.
1:32
This bit of tech allows people to
use their logins from other systems,
1:35
much like with OAuth.
1:38
OpenID relies, as you should have come to
expect by now, on a shared secret between
1:40
the requesting system, your site or
service, and the authentication provider.
1:44
It's not quite as popular as OAuth,
but it's a secure, reliable system.
1:48
Isn't that data still
vulnerable to a breach though?
1:52
I mean if Facebook gets hacked that
data is still gonna be out there right?
1:54
Sure.
1:58
But companies like Facebook
have massive teams and
1:58
massive bank accounts aimed squarely
at preventing these breaches.
2:01
While they won't always have more
protection and security than you do,
2:04
it's often a good assumption.
2:06
There's a theory in the industry too.
2:08
That one of the reasons
users stick with bad or
2:09
repeated passwords is because we
require them to create so many of them.
2:11
It's possible that users will use
better passwords if they have to
2:15
have a few of them.
2:18
Services like OAuth and
OpenID might lead to this.
2:19
The next option is a newer type of service
that's been appearing the last few years.
2:23
Much like using social media sites for
login, services like Octa and
2:27
Certify let you register and
2:30
authenticate users without having to
store their details on your own servers.
2:31
Again, you're relying on a much
more focused company for
2:35
the security instead of having
to divide up your own attention.
2:38
Lastly, what about payment details?
2:41
I know in the early days of buying
things on the Internet it wasn't
2:43
uncommon to find a service provider or
e-commerce shop that would store their
2:46
customers payment details
in their own database.
2:49
Often these were stored in plain,
unencrypted text too.
2:51
The headaches caused by any
breach in those databases.
2:54
Luckily, now though, services like Stripe,
PayPal and Authorize.net all exist and
2:57
allow you to safely and securely charge
people money for your products and
3:01
services.
3:05
Without having to store
the the payment details yourself.
3:05
In fact, if you did want to store those
major credit card details yourself,
3:09
you must implement PCIDSS, or the Payment
Card Industry Data Security Standard.
3:12
PCI represents American Express,
Discover, JCB, MasterCard and Visa.
3:18
There aren't many cards out there
that aren't issued by one of those.
3:23
Depending on the size of your operation,
you may or
3:26
may not have to have
your compliance verified.
3:28
I put some information in the teacher's
notes about all of these services.
3:31
Be sure to read through them if
they apply to your projects.
3:33
And look for places where you
can avoid storing user data.
3:36
Now, let's take a look at a feature
that's quickly becoming a requirement for
3:38
messaging software, end-to-end encryption.
3:41
You need to sign up for Treehouse in order to download course files.
Sign up