At its latest developer conference, MongoDB has announced the general availability of Mongo Queryable Encryption. The company claims it is a first-of-its-kind technology that helps protect sensitive data when it is queried and in use on MongoDB.
According to Sahir Azam, Chief Product Officer at MongoDB, “Protecting data is critical for every organization, especially as the volume of data being generated grows and the sophistication of modern applications is only increasing. Organizations also face the challenge of meeting a growing number of data privacy and customer data protection requirements.
“Now, with MongoDB Queryable Encryption, customers can protect their data with state-of-the-art encryption and reduce operational risk—all while providing an easy-to-use capability developers can quickly build into applications to power experiences their end-users expect.”
What is this about?
Organisations have invested very large sums of money in encrypting their data. It’s encrypted at rest and when in transit. But, it is still vulnerable when in use, such as being queried, because to query data, most systems assume that it has to be in clear.
There are solutions to that, such as partial and fully homomorphic encryption, which have been around for years. The former allows for limited operations on data to be encrypted and then applied to the data without decrypting it. The latter, which underpins a growing body of privacy-enhancing technologies, encrypts complex searches and applies that to the data without decrypting it.
What MongoDB is looking to do is join that select band of vendors who do not decrypt data and therefore keep it encrypted through its lifecycle.
How does it work?
It is important to note that this is not a whole data solution, unlike some others on the market. That is important because it makes this more flexible and less resource intensive than some others. Nor, it seems, is MongoDB using a ladder encryption option such as that used by homomorphic encryption schemes.
The solution works by allowing organisations to tag fields with sensitive data that need to be protected. Typically these will be fields such as name, address, account number, account balance, and effectively anything that can be considered Personally Identifiable Information (PII). Organisations can choose to go further, but the flexibility here allows them to match what they protect to regulatory requirements.
When the user requests the data, it stays encrypted until it hits the application that they are using to view the data. That application will have access to the decryption key for the data and will only decrypt it for the application. The same is true in reverse. When the user creates the data in the app, if the data is going into an encrypted field, it will encrypt that data before sending it to the database.
Another key factor here is that everything is provided for the developer to use. There is no complex coding required; developers just simply use the encryption hooks required. It’s a simple and effective approach.
How secure is the cryptography?
As with all cryptographic solutions these days, there is always the question of, how secure is this? Rather than get into complex debates as to quantum-safe or what is required to crack the encryption, MongoDB has taken a different approach.
In the press release, the company states, “The MongoDB Cryptography Research Group developed the underlying encryption technology behind MongoDB Queryable Encryption and is open source. Organizations can freely examine the cryptographic techniques and code behind the technology to help meet security and compliance requirements.
“MongoDB Queryable Encryption can be used with AWS Key Management Service, Microsoft Azure Key Vault, Google Cloud Key Management Service, and other services compliant with the key management interoperability protocol (KMIP) to manage cryptographic keys. The general availability of MongoDB Queryable Encryption includes support for equality queries, with additional query types (e.g., range, prefix, suffix, and substring) generally available in upcoming releases.”
It is a welcome level of transparency around the work MongoDB has done. It is also good news for its customers as to the number of key management solutions it is supporting out of the box.
Enterprise Times: What does this mean?
Despite the billions spent on encrypting data, all too often, the weaknesses in how we use the data defeat the encryption. Over the last few years, attention has finally begun to be paid to the encryption lifecycle of data. It means that the gaps we know about are beginning to be addressed.
What is interesting here is that the solution is designed to be developer and user-friendly. By removing many of the coding hurdles for developers, MongoDB is making it easy for companies to improve data safety. Such a move is likely to be followed by its competitors in time, but for now, MongoDB has the high ground.
