I'd like to keep the real names, emails, and any other personally identifiable information out of my primary application database, and in another database/encrypted file. And I'm curious whether there's a best-practices solution for this or if I'm totally overlooking something.
Some thoughts I had were the following:
I'm wondering if this is the right approach, and if so, where the keys are stored and authenticated, etc.
It's an interesting question, I think, but it needs some more context. That is, you need to be clear about who you are wishing to anonymise them against. That is, who is the threat here? Do you want the information hidden from only the public? Clearly, that's trivial: just don't show it (don't link it). Do you want the information hidden from someone who gains access to your database? How hidden? How will they get access to your db? Can they, if they gain access to the not-anonymous one, get access to the other? OpenID may also be of interest to you (externalise the authentication; you just do role management).
I'd suggest you sit down and plan that out a bit.
You don't want to introduce complexity (multiple dbs, linking, etc.) if they're all just on the same server anyway, and hence accessible to any successful attacker.
I'd think the number 1 solution to keeping things anonymous is to never actually collect any information yourself. It's more of a model thing (i.e. the details of your app matter).