For those following me who run SaaS businesses. Do any of you encrypt your multi-tenant databases? And I don't mean at rest. I mean full-on in production mode? Can it even be done?
-
-
Replying to @reinink
When I ran SaaS companies one of them had HIPAA issues with respect to encryption, so we were compliant with that requirement, but broadly speaking I don't think there is any way to isolate Tenant A and Tenant B 100% of the time and that encryption would not be major part it.
1 reply 1 retweet 4 likes -
A less sexy but more useful bit of security advice is making sure you have patterns and practices which ensure you're always accessing data from only the logged-in user's account, and that cross-account queries look obviously dangerous and are the higher-toil path for engineers.
3 replies 0 retweets 3 likes
e.g. supposing Rails-land, straight-up disallow Model.where() and prefer either @account.models.where() and, if someone needs to use it for cross-action for admin pages or analytics, force them to say Model.unsafe_actions.where()... (which you can audit, grep for, discourage)
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.