Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Brainstorming for backing up/encrypting user data alongside clearing #2

Open
zachherbert opened this issue Dec 23, 2020 · 1 comment

Comments

@zachherbert
Copy link

Thank you @aantonop for putting this together; we think this plugin is a great idea and will significantly help Woocommerce stores implement good data retention practices.

We currently use WooCommerce's built-in features to clear our customer data 30 days after fulfilling the order. We have user accounts disabled, so we don't have to worry about retaining some data and clearing others.

We will be backing up the data to offline, encrypted storage before clearing. This is because we need to keep certain data for tax/accounting/customer service reasons.

Ideally, we'd like to brainstorm if it is possible to add the following features:

  1. Automatically download an encrypted backup of the customer data before clearing. This ensures that businesses can retain the data, but that it is not exposed online in the WooCommerce database.
  2. Encrypt the customer data within WooCommerce, requiring a password in order to view the data. Then, if an attacker accesses the WooCommerce admin portal or database, they still can't see the customer data.

These two options would likely not be used simultaneously, but could be very powerful. Option 2 would provide another layer of security. I'm not sure, however, that it would be feasible or practical– because you'd want to do things like email the customer, send their shipping info to a carrier, etc.

Maybe Option 2 could be an alternative to clearing the data completely. Instead of clearing it, the plugin could replace the sensitive data with an encrypted version requiring a password.

Let me know what you think of these ideas!

@ashfame
Copy link
Contributor

ashfame commented Dec 27, 2020

Hi @zachherbert One problem that I see with Option 1 is you would need to retain all backups ever taken to recover records and depending on how many records you need to check, you would need to restore multiple backups one by one or restore to multiple WordPress installs and consolidate data.

Option 2 sounds much better that you always keep data as is, but encrypt the data once the order reaches complete status. Must use asymmetrical encryption here, so that only public key can stay in the application. You wouldn't need any backup strategy for protecting PII anymore and you simply avoid having to keep all backups and restore multiples of them when the need to read data arises.

But based on your backup schedule, you will always backup some orders unencrypted (orders which haven't reached complete status). Not a big deal if you have a solid backup rotational process in place, which limits the exposure. Ideal would be to encrypt the order right away as it comes and decrypt it on the fulfilment process side when it ingests orders data.

Depending on where you want to decrypt the data, security mileage will vary. Client side decrypting in browser while browsing WordPress admin is not recommended as if private key for encryption once leaked, compromises everything. Done separately in a different install where WooCommerce data is mirrored (or the most recent backup restored), is much better. Offline computer even better. Air Gapped computer - almost the best. All about what security threats you wanna protect yourself against with.

Good idea nonetheless, all depending on what data one as a business needs to retain. Completely anonymising it is best.

If there is enough interest and the community can fund it, I can build this out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants