Developer data platform MongoDB has announced the general availability of queryable encryption, an end-to-end data encryption technology for securing sensitive application workflows. It is designed to reduce the risk of data exposure for organizations and helps businesses protect sensitive information when it is queried/in-use on MongoDB.
MongoDB’s queryable encryption can be used with AWS Key Management Service, Microsoft Azure Key Vault, Google Cloud Key Management Service, and other services compliant with the key management interoperability protocol (KMIP) to manage cryptographic keys, the company said.
General availability includes support for equality queries, with additional query types (e.g., range, prefix, suffix, and substring) available in upcoming releases, the firm added. MongoDB first introduced a preview version of queryable encryption at MongoDB World last year.
Queryable encryption provides the capability to reduce the attack surface for confidential data in several use cases. Data remains encrypted at insert, storage, and query, with both queries and their responses encrypted over the wire and randomized for resistance to frequency analysis. However, there is a cost to space and time requirements for queries involving encrypted fields.
Users select fields to encrypt based on data sensitivity
With the general availability of queryable encryption, customers can secure sensitive workloads for use cases in highly regulated or data-sensitive industries such as financial services, health care, government, and critical infrastructure by encrypting data while it is being processed and in use, MongoDB said in a press release. Users can select the fields in MongoDB databases that contain sensitive data that need to be encrypted.
For example, an authorized application end-user at a financial services company may need to query records using a customer’s savings account number. When configured with MongoDB queryable encryption, the content of the query and the data in the savings account field will remain encrypted when traveling over the network, while it is stored in the database, and while the query processes the data to retrieve relevant information, according to the firm.
After data is retrieved, it becomes visible only to an authorized application end user with a customer-controlled decryption key to help prevent inadvertent data exposure or exfiltration by malicious actors, it added.
Queryable encryption requires no cryptography expertise
“Data protection is critical for all types of organizations. Not only is the volume of data we generate rapidly proliferating but so are the regulations and requirements businesses must abide by,” said Kenn White, security principle at MongoDB.
MongoDB queryable encryption will significantly reduce the risk of data exposure for organizations and help improve security postures, meeting the most stringent compliance requirements, White said. “It will also support developer productivity for highly sensitive application workflows, as no cryptography expertise is required.”
The underlying encryption technology was developed by the MongoDB Cryptography Research Group. Organizations can freely examine the cryptographic techniques and code it uses.
Technology is “gold standard” but data management fundamentals must be addressed first
Anything that reduces vectors of attack upon sensitive data whilst enabling it to be safely utilized is to be applauded, said Paul Watts, distinguished analyst at the Information Security Forum. “Time will tell whether real-world use cases throw up constraints that limit queryable encryption’s efficacy or scalability, or whether the additional storage overheads associated with it limit the application of the technology for some.”
A lot of organizations are still struggling with “step one” of data management, Watts said, battling to answer questions such as: What data have we got? How sensitive is it? Who has access to it? And how can we balance data security with data exploitability? “The technology is gold standard, and only useful if you have addressed the fundamental basics of information governance and data protection first.”
