posted by martyb on Friday April 03 2020, @12:07PM
from the putting-at-all-tqqq- dept.

MongoDB's Field-Level Encryption Protects Private Data—Even From DBAs:

In December 2019, popular document database MongoDB added a fairly radical new feature to the platform: field-level database encryption. At first glance, one might wonder whether this is a meaningful feature in a world that already has at-rest storage encryption and in-flight transport encryption—but after a little closer analysis, the answer is a resounding yes.

One of MongoDB's first customers to use the new technology is Apervita, a vendor that handles confidential data for well over 2,000 hospitals and nearly 2 million individual patients. Apervita worked side by side with MongoDB during development and refinement of the technology.

Since reaching general availability in December, the technology has also been adopted by several government agencies and Fortune 50 companies, including some of the largest pharmacies and insurance providers.

This is a good thing. Field Level Encryption (FLE) is a must for any DB these days.


  • (Score: 1, Interesting) by Anonymous Coward on Friday April 03 2020, @02:10PM (9 children)

    by Anonymous Coward on Friday April 03 2020, @02:10PM (#978697)

    If the goal is to protect the data from the prying eyes of admins, then I wonder how they are protecting the keys so that a determined admin cannot get access to the encryption keys?

    • (Score: 1, Informative) by Anonymous Coward on Friday April 03 2020, @02:25PM (7 children)

      by Anonymous Coward on Friday April 03 2020, @02:25PM (#978702)

      The threat model is specifically an admin with access to the mongodb server and that admin is prevented from getting the keys because the keys are never sent to the server. An admin with access to the app server can steal the keys.

      https://webassets.mongodb.com/_com_assets/cms/FLE_GA_v3-zcn705jddn.gif.gif [mongodb.com]

      • (Score: 2, Insightful) by All Your Lawn Are Belong To Us on Friday April 03 2020, @02:57PM (6 children)

        by All Your Lawn Are Belong To Us (6553) on Friday April 03 2020, @02:57PM (#978724) Journal

        e.g. an Edward Snowden. (Regardless of how one feels about what he did - and I tend to think he should be given a full pardon and he is nearly a hero - this is meant to mitigate that kind of compromise).

        --
        This sig for rent.
        • (Score: 4, Insightful) by DannyB on Friday April 03 2020, @03:49PM (3 children)

          by DannyB (5839) Subscriber Badge on Friday April 03 2020, @03:49PM (#978753) Journal

          I would only add that he should have a statue.

          Everything he said revealed that things were already much worse than the most paranoid among us believed (in 2013). And have only gotten worse since. Some reforms have actually come of Snowden's revelations. I think hero is deserved. If things don't get reined back in, and corruption ended, and the voting system protected from online voting, we may end up with only an illusion of democracy. Maybe we're already there? How exactly do you know when you've crossed the point of no return near a black hole? (prior to the event horizon)

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
          • (Score: 0) by Anonymous Coward on Friday April 03 2020, @09:57PM (2 children)

            by Anonymous Coward on Friday April 03 2020, @09:57PM (#978886)

            I don't think one should be lionized under an ends-justify-the-means argument. I would be more sympathetic to the argument (well, not the beatification stance taken here) if he curated and released information to support some argument, but a blind smash-and-grab of information, then giving the information to the Russians and Chinese, well that is pretty damn bad. He gave up a lot of information on things that weren't illegal too, so I hope that you are at least cognizant of the stance where some people don't feel compelled to bow down and kiss his ring. You laud him for all the good you say he did, but he did a hell of a lot of bad too.

            So, no, I won't go for statues. But they give statues to all sorts of people for all sorts of reasons which I don't agree with either and in the end only pigeons end up caring about.

            • (Score: 3, Insightful) by DannyB on Sunday April 05 2020, @12:20AM

              by DannyB (5839) Subscriber Badge on Sunday April 05 2020, @12:20AM (#979181) Journal

              Prior to Snowden we got to see how genuine whistleblowers were treated.

              I think Snowden took the only avenue available. He didn't remain anonymous. But he realized that going through channels was worse than pointless.

              --
              People today are educated enough to repeat what they are taught but not to question what they are taught.
            • (Score: 0) by Anonymous Coward on Monday April 06 2020, @06:02PM

              by Anonymous Coward on Monday April 06 2020, @06:02PM (#979717)

              So Snowden said and so nobody has offered hard evidence to disprove, Snowden gave the Russians and Chinese nothing. Everything he had was turned over to Glenn Greenwald, not "the Russians" or "the Chinese". (Unless you mean that the things that were publicized also became public knowledge to our adversaries, if they didn't know them already).

              And not all that which is legal is moral. Not all that is moral is legal. So giving away stuff that wasn't illegal but was utterly and unjustifiably immoral doesn't count in my book, either.

              Though I agree a statue is not necessary. It would be if he'd publicized it all, stayed, and was voluntarily in Supermax today. Basically what they're planning for Assange who did nothing but a journalist's job in actuality although talked different from that. Very, very few people can actually walk to a cross willingly, though.

              But oh well. We can't all agree on everything.

        • (Score: 0) by Anonymous Coward on Friday April 03 2020, @09:45PM (1 child)

          by Anonymous Coward on Friday April 03 2020, @09:45PM (#978881)

          Regardless of how one should feel, he should be hailed as a hero? Those two halves of the sentence do not agree with each other.

    • (Score: 2) by takyon on Friday April 03 2020, @02:29PM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Friday April 03 2020, @02:29PM (#978705) Journal

      It supports sharding.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 0) by Anonymous Coward on Friday April 03 2020, @03:04PM (2 children)

    by Anonymous Coward on Friday April 03 2020, @03:04PM (#978728)

    So basically this has nothing to do with the database really and is just a key management scheme bundled with the DBMS?
    What else does it offer? Encryption sw has been available, standardized, and used since forever.

    • (Score: 0) by Anonymous Coward on Friday April 03 2020, @03:26PM

      by Anonymous Coward on Friday April 03 2020, @03:26PM (#978740)

      So basically this has nothing to do with the database really and is just a key management scheme bundled with the DBMS?

      1. sales point
      2. profit

      no need for ??? Just need as a sales point.

    • (Score: 0) by Anonymous Coward on Friday April 03 2020, @05:50PM

      by Anonymous Coward on Friday April 03 2020, @05:50PM (#978812)

      Yes, it looks like it really does nothing that couldn't already be done either explicitly in the application code or with a third-party library/tool hiding some of the details; the "advance" of this is that it is built in and easily provides fine-grained encryption transparently in the client driver without special handling in the application code.

  • (Score: 0) by Anonymous Coward on Friday April 03 2020, @03:39PM (1 child)

    by Anonymous Coward on Friday April 03 2020, @03:39PM (#978747)

    There's nothing to stop the application from encrypting data before it writes it to the database. Probably so many people are doing it that MongoDB is just catching up with what their customers have been doing for years.

    People were encrypting data before writing it to database fields for decades. There are really good reasons, IMHO, to keep the encryption in the application instead of putting it in the database. Particularly if your DBA is an H1-B in Hyderabad.

    Like the previous commenter says, there's no point in encrypting data if all one needs to do is reference the boot time start script for the database, to see the password with which all the data is being encrypted.

    However, expect clueless management, steered by salespersons, to insist that all encryption be moved to the database, for ease of key management.

    Followed, some months or years later, by a major compromise that destroys the company.

    You read it here first.

    ~childo

    • (Score: 0) by Anonymous Coward on Friday April 03 2020, @10:10PM

      by Anonymous Coward on Friday April 03 2020, @10:10PM (#978889)

      Particularly if your DBA is an H1-B in Hyderabad.

      An H1-B visa is for folks *living* in the United States, not in foreign locations.

      Are you that ignorant, or are you just trying to push as many buttons (H1-B, immigration, foreign outsourcing) as possible?

      Either way, it's a dick move. Congratulations!

  • (Score: 2) by Bot on Friday April 03 2020, @05:21PM

    by Bot (3902) on Friday April 03 2020, @05:21PM (#978797) Journal

    Field level encryption is nothing new in app servers, enforcing it at db level could possibly, depending on the configuration, be faster. Problems come with indexes, searching is either badly affected or reveals data to the DBA. The DBA can also inject cleartext to possibly crack the encryption. It is especially good for archives though.

    --
    Account abandoned.
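
Added example, not part of the thread and not MongoDB's code: a stdlib-only Python sketch of the trade-off raised in the comments above, where the key stays with the application and a searchable (deterministic) field still shows the DBA which rows share a value. The cipher is a toy HMAC-based construction assumed for illustration, and `SAMPLE`, `server_view`, `find_equal` and `dba_histogram` are hypothetical names.

```python
import hashlib, hmac, os
from collections import Counter

KEY = os.urandom(32)  # assumption: lives only on the app server, never sent to the DB

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, iv, n):
    """HMAC-SHA256 in counter mode as a toy keystream (no integrity tag)."""
    blocks = (hmac.new(_sub(key, b"enc"), iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext, deterministic):
    # Deterministic mode derives the IV from the plaintext, so equal values
    # encrypt to equal bytes; random mode draws a fresh IV every time.
    iv = (hmac.new(_sub(key, b"iv"), plaintext, hashlib.sha256).digest()[:16]
          if deterministic else os.urandom(16))
    return iv + bytes(a ^ b for a, b in zip(plaintext, _stream(key, iv, len(plaintext))))

def decrypt(key, blob):
    iv, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, iv, len(body))))

def server_view(records, deterministic):
    """What the database and its admin hold: ciphertext only."""
    return [{"_id": i, "diagnosis": encrypt(KEY, r.encode(), deterministic)}
            for i, r in enumerate(records)]

def find_equal(collection, value):
    """Equality query: the client encrypts the term, the server compares bytes."""
    needle = encrypt(KEY, value.encode(), True)
    return [d["_id"] for d in collection if d["diagnosis"] == needle]

def dba_histogram(collection):
    """Value frequencies computable on the server without any key."""
    return sorted(Counter(d["diagnosis"] for d in collection).values(), reverse=True)

SAMPLE = ["flu", "flu", "flu", "hiv", "flu", "asthma", "asthma"]  # constructed data

if __name__ == "__main__":
    for mode in (True, False):
        coll = server_view(SAMPLE, mode)
        print("deterministic" if mode else "random", find_equal(coll, "flu"), dba_histogram(coll))
```

With deterministic encryption the equality query works and the keyless histogram exposes the value distribution; with random IVs the histogram is flat but the server can no longer match the search term. Ciphertext length still tracks plaintext length in both modes of this toy.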
  • (Score: 1, Insightful) by Anonymous Coward on Friday April 03 2020, @07:06PM (1 child)

    by Anonymous Coward on Friday April 03 2020, @07:06PM (#978835)

    I remember either here or the green site had a paper where they showed practical attacks against a theoretically perfect implementation of FLE. They said it was basically worthless.

    The assumptions they made on the database:
    1) It would be possible to search the DB for a range of values in a column rather than requiring equality queries only
    2) The database and its queries would be encrypted ('perfectly'), but the column headers would be readable (either encrypted or not)
    3) The DBA would be able to see requests come in (encrypted), and responses leave (also encrypted, but countable)

    I think they said that if you wanted the contents of a column to be known within 5%, you would only need 500 queries of random(ish) ranges before you had that degree of accuracy, this was independent of the size of the database, though it did assume that the attacker might have some idea of the applicable ranges (the attack only gave you information as a percent of the applicable range and the sign had to be inferred from the shape after the fact).

    Sadly, my google-fu seems to be coming up short.

    • (Score: 1, Informative) by Anonymous Coward on Saturday April 04 2020, @02:28AM

      by Anonymous Coward on Saturday April 04 2020, @02:28AM (#978946)

      Sadly, my google-fu seems to be coming up short.

      Fortunately I remember reading the same thing from a pointer on Bruce Schneier's blog: https://www.schneier.com/blog/archives/2019/03/data_leakage_fr.html [schneier.com]
      It was interesting to learn that any useful field-level encryption beyond simple key-value pairs was just a false sense of security.
