
I am creating accounting/invoicing software and my database is in PostgreSQL. Should I create a separate database for each user since the data is sensitive financial data? Or is having a user foreign key secure enough? If I am hosting the database on AWS I understand that I could have a few db servers across multiple availability zones and regions so that if one is compromised it wouldn’t affect everyone even if many users have info stored in a single database. Is this safe enough? Thanks!

2 Answers


  1. In general no. Encrypt the data so that if someone exfiltrates a dump they can’t actually use it without the decryption key. If you’re worried that someone with admin access can see the user’s information then you might want to consider a user-level encryption for all fields related to personally identifiable information.

  2. There are a few ways you could go about it but I wouldn’t create a new DB for every customer. It will be too expensive and a pain to maintain and evolve.

    To me, this sounds like you are creating a multi-tenant application.

    I’d personally use the row-level security feature in Postgres (see this article) or create a separate Schema for each Customer.

    You can add an extra layer of protection with encryption at rest. AWS supports it (link)

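The row-level security approach from the second answer, sketched for a shared `invoices` table. This is an added example, not part of either answer; the table, role, policy and `app.tenant_id` setting names are assumptions chosen for illustration.

```sql
-- Added example: table, role, policy and setting names are hypothetical.
CREATE TABLE tenants (
    id   bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    name text NOT NULL
);

CREATE TABLE invoices (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id    bigint NOT NULL REFERENCES tenants (id),
    amount_cents bigint NOT NULL CHECK (amount_cents >= 0),
    issued_on    date   NOT NULL DEFAULT current_date
);
CREATE INDEX invoices_tenant_idx ON invoices (tenant_id);

-- The application connects as a role that does not own the table and
-- cannot bypass RLS (superusers and BYPASSRLS roles skip all policies).
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read/updated/deleted; WITH CHECK rejects
-- rows written for another tenant. If app.tenant_id is unset or empty the
-- comparison yields NULL, so no rows match (fails closed).
CREATE POLICY tenant_isolation ON invoices
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint);

-- Per request, as app_user: bind the tenant for this transaction only.
-- The value must come from the server-side authenticated session and be
-- passed as a bound parameter, never taken from client-supplied input.
BEGIN;
SELECT set_config('app.tenant_id', '1', true);  -- true = transaction-local
SELECT id, amount_cents FROM invoices;          -- only tenant 1 rows are visible
INSERT INTO invoices (tenant_id, amount_cents)
VALUES (1, 12500);                              -- allowed
-- An INSERT with tenant_id = 2 here is rejected with
-- "new row violates row-level security policy".
COMMIT;
```

Because `app_user` can change `app.tenant_id` itself, the policy limits damage from missing `WHERE` clauses in application code but not from SQL injection that can run `set_config`; parameterized queries remain necessary.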