Kenneth White
MongoDB Product Security
New encryption capabilities in MongoDB 4.2:
A deep dive into protecting sensitive workloads
@mongodb
Agenda
§ A brief history of database security
§ Trust models: server vs. client
§ Encrypting data-in-use
§ Hands on deep dive
§ Q&A
A brief history of database security
Evolution
§ access controls
§ passwords
§ plaintext > hashing > key derivation
§ bearer tokens
§ NTLM, Kerberos tickets, LDAP/S, SCRAM, web session
§ multi-factor auth
§ LCD fobs / SMS / 2FA apps / FIDO-U2F / WebAuthn / mobile enclaves
§ federated RBAC
§ network
§ (plaintext) native wire protocols
§ SSL encryption
§ TLS
§ TLS w/ PFS
§ storage
§ plaintext / raw filesystem
§ encrypted
§ volume-level / full disk encryption (FDE)
§ BitLocker, DMCrypt, FileVault, encrypted EBS
§ file-level encryption
§ whole database
§ per-database (WiredTiger ESE)
§ tablespace
§ database-level encryption
§ column / field
These are all important defenses, but…
What is the threat?
Against whom/what are we defending?
§ “hackers”?
§ criminal blackhats?
§ competitors?
§ activists?
§ unknown actors?
§ insiders?
§ admins?
The security model for many Prod databases
Source: Imgur (author unknown)
Let’s talk about breaches.
Every sector of the global economy has been impacted
§ enterprise
§ consumer tech
§ retail
§ government
§ healthcare
§ finance
…
Major shifts in regulatory & privacy climate
§ GDPR
§ HIPAA
§ PCI DSS
§ NIST/FISMA
§ Consumer protection
§ State & provincial
System architect & developer security challenges
Meeting legal/regulatory obligations
§ Controls
§ Audit/attestation
Defending real-world attacks
§ First Principles: C/I/A
§ Separation of duties
§ Access control
§ Identifying & protecting sensitive data
Trust models: server vs. client
What is the source of trust?
§ Traditionally, DB encryption has relied on server-side trust
§ This has implications, many not so obvious
§ With a few caveats, the database operator typically has
unrestricted technical access, including:
§ DBAs
§ system admins
§ hosting/infrastructure providers
§ In a server-side encryption model, a leak or breach can be
catastrophic
§ This potentially includes: logs, backups, temp files, process
memory…
§ They who hold the keys control the kingdom
This is particularly important in a cloud context, especially so when
running highly sensitive workloads.
A common pain for system architects
• Most notably in healthcare, finance, and consumer tech
• The benefits of managed, easily expanded compute & cloud
storage have often been considered out of reach because of data
confidentiality & privacy concerns.
The fundamental challenge is protecting the confidentiality of data
while it’s in use.
Encrypting Data-in-Use
Introducing MongoDB Client-Side Field-Level Encryption
§ encryption as a first-class citizen
§ modern, authenticated encryption algorithms
§ strong security guarantees
§ customer-managed keys
§ content is opaque to server & server operator
§ major investment
§ 2 years in the making
§ 16+ engineers spanning core server, query, security, drivers, cloud
§ targeting 12+ languages
§ all major hardware & operating system platforms
§ Linux, MacOS, Windows
MongoDB Client-Side Field-Level Encryption
Core design
§ Enabled in drivers
§ Drivers have expanded MQL awareness
§ Extends existing JSON Schema with new “encrypt” property
§ Adds JSON Schema validation to the client
§ Individual fields within collections can be marked as encrypted
§ Keys can be used on a per-field, per-document basis
Cryptography
§ multiple encryption options, including deterministic search
§ key services are natively integrated
§ modern authenticated encryption with AES-256 & SHA-2
§ AEAD_AES_CBC_HMAC_SHA512 (2015 IETF draft: McGrew, Foley, Paterson)
§ abuse-resistant derived deterministic IVs
§ native system crypto libraries used for core operations
§ raw key material never persisted to disk (in-memory only)
§ stored field keys protected by symmetric encryption
§ field wrapping keys secured in HSM-backed external KMS
§ key service master key rotation: scheduled or on-demand
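As an added illustration (not code from the talk or from MongoDB's drivers), the following Node.js sketch shows what the Cryptography slides describe: AES-256-CBC with an HMAC-SHA-512 tag in encrypt-then-MAC order, in a randomized mode and in a deterministic mode whose IV is derived from the plaintext. The 96-byte key split, the IV derivation, the associated-data string and all function names are assumptions made for the example, and the output is not MongoDB's BinData format.

```javascript
// Added illustration: AES-256-CBC + HMAC-SHA-512 (encrypt-then-MAC) in
// randomized and deterministic modes. Not MongoDB's wire format.
const crypto = require('crypto');

const IV_LEN = 16;
const TAG_LEN = 32; // HMAC-SHA-512 output truncated to 32 bytes

// Assumed key layout for this sketch: 32-byte MAC key, 32-byte AES key,
// 32-byte IV-derivation key (used only in deterministic mode).
function splitKey(fieldKey) {
  if (fieldKey.length !== 96) throw new Error('field key must be 96 bytes');
  return {
    macKey: fieldKey.subarray(0, 32),
    encKey: fieldKey.subarray(32, 64),
    ivKey: fieldKey.subarray(64, 96),
  };
}

// Bit length of the associated data as a 64-bit big-endian integer.
function aadLength(aad) {
  const al = Buffer.alloc(8);
  al.writeBigUInt64BE(BigInt(aad.length) * 8n);
  return al;
}

// Tag covers associated data, IV, ciphertext and the associated-data length.
function computeTag(macKey, aad, iv, ciphertext) {
  return crypto.createHmac('sha512', macKey)
    .update(aad).update(iv).update(ciphertext).update(aadLength(aad))
    .digest().subarray(0, TAG_LEN);
}

// Assumed derivation: IV is a keyed function of (aad, plaintext), so equal
// inputs under the same key always produce the same IV and ciphertext.
function deriveIv(ivKey, aad, pt) {
  return crypto.createHmac('sha512', ivKey)
    .update(aad).update(aadLength(aad)).update(pt)
    .digest().subarray(0, IV_LEN);
}

function encryptField(fieldKey, plaintext, aad, mode) {
  const { macKey, encKey, ivKey } = splitKey(fieldKey);
  const pt = Buffer.from(plaintext, 'utf8');
  const iv = mode === 'deterministic'
    ? deriveIv(ivKey, aad, pt)
    : crypto.randomBytes(IV_LEN); // randomized: fresh IV on every call
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(pt), cipher.final()]);
  return Buffer.concat([iv, ct, computeTag(macKey, aad, iv, ct)]);
}

function decryptField(fieldKey, blob, aad) {
  const { macKey, encKey } = splitKey(fieldKey);
  if (blob.length < IV_LEN + 16 + TAG_LEN) throw new Error('ciphertext too short');
  const iv = blob.subarray(0, IV_LEN);
  const ct = blob.subarray(IV_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  // Verify the tag before decrypting, so padding errors are never exposed.
  if (!crypto.timingSafeEqual(tag, computeTag(macKey, aad, iv, ct))) {
    throw new Error('authentication failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function demo() {
  const key = crypto.randomBytes(96);            // constructed field key
  const aad = Buffer.from('test.patients.ssn');  // constructed associated data
  const ssn = '901-01-0001';                     // sample value from the slides
  const d1 = encryptField(key, ssn, aad, 'deterministic');
  const d2 = encryptField(key, ssn, aad, 'deterministic');
  const r1 = encryptField(key, ssn, aad, 'randomized');
  const r2 = encryptField(key, ssn, aad, 'randomized');
  const tampered = Buffer.from(d1);
  tampered[20] ^= 0x01;                          // flip one ciphertext bit
  let tamperRejected = false;
  try { decryptField(key, tampered, aad); } catch (e) { tamperRejected = true; }
  return {
    deterministicEqual: d1.equals(d2),
    randomizedEqual: r1.equals(r2),
    roundTrip: decryptField(key, r1, aad),
    tamperRejected,
  };
}

console.log(demo());
```

Deterministic mode is what makes an equality query on an encrypted field possible, and for the same reason anyone who can read the stored ciphertexts can tell which documents share a value.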
Developer view
§ new JSON Schema attribute “encrypt”
§ schema validation extended to the client/application
§ key management services integrated into drivers
§ driver generates secure request for field keys
§ all encryption/decryption is done in the driver (on the client)
§ server only sees encrypted binary data (BinData subtype-6)
How does it work?
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive into Protecting Sensitive Workloads
Let’s look at some code
// JSON Schema for the test.patients collection; only "ssn" is marked encrypted.
// encryption_mode and key1 are variables (key1 is looked up from the key store below).
"test.patients" : {
    "bsonType" : "object",
    "properties" : {
        "medRecNum" : { "bsonType" : "int" },
        "firstName" : { "bsonType" : "string" },
        "lastName" : { "bsonType" : "string" },
        "ssn" : {
            "encrypt" : {
                "bsonType" : "string",
                "algorithm" : encryption_mode,
                "keyId" : [ key1 ]
            }
        },
        "mobile" : { "bsonType" : "string" },
        "email" : { "bsonType" : "string" },
    }
}
// collection that holds the stored (wrapped) field keys
var keystore = db.getCollection("__keystore")
var clientSideFLEOptions = {
    "kmsProviders" : {
        "aws" : {
            // KMS credentials come from the environment, not from the script
            "accessKeyId" : env.KMSKID,
            "secretAccessKey" : env.KMSKEY
        }
    },
    "schemas" : { patientSchema },
    "keyVaultCollection" : keystore
}
// open a connection with client-side field-level encryption enabled
encryptedSession = new Mongo("localhost", clientSideFLEOptions)
var encryptedDb = encryptedSession.getDB("test");
// create a field key under the AWS KMS key, with the alternate name "key1"
encryptedSession.getKeyStore().createKey(
    "aws", env.KMSARN, ["key1"]
)
var keys = encryptedSession.getKeyStore().getKeys()
var key1 = keys.getKeyByAltName("key1")
View to a client holding a valid key:
encryptedDb.patients.find( { "ssn": "901-01-0001" } )
{
"firstName" : "Pat",
"lastName" : "Lee",
"medRecNum" : 235498,
"ssn" : "901-01-0001",
"mobile" : "212-555-1234",
"email" : "lee@example.com"
}
View to a client lacking a valid key:
{
"firstName" : "Pat",
"lastName" : "Lee",
"medRecNum" : 235498,
"ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."),
"mobile" : "212-555-1234",
"email" : "lee@example.com"
}
View to legacy clients:
{
"firstName" : "Pat",
"lastName" : "Lee",
"medRecNum" : 235498,
"ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."),
"mobile" : "212-555-1234",
"email" : "lee@example.com"
}
View to database administrator:
{
"firstName" : "Pat",
"lastName" : "Lee",
"medRecNum" : 235498,
"ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."),
"mobile" : "212-555-1234",
"email" : "lee@example.com"
}
View to database, server memory, logs, backups:
Roadmap
§ Beta preview 4.2 rc1 in next two weeks – Java & shell first
§ Additional language beta previews in coming weeks
§ Server support in Atlas via rc0 preview
§ GA planned for late summer
§ Targeting all supported drivers on all supported platforms
§ 3rd party expert security audits & code reviews in progress
Recap
§ 4.2 introduces client-side field-level encryption
§ Designed for the most sensitive workloads
§ Enabled in drivers
§ Allows fields to be marked as encrypted, at the document-level
§ Multiple enforcement options (server-client, client-side, or both)
§ Backwards compatible with existing admin & cluster tools
Q&A
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB
 
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB
 
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB
 
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your MindsetMongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB .local San Francisco 2020: MongoDB Atlas JumpstartMongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB
 
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB
 
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB
 
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep DiveMongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB
 
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & GolangMongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB
 
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB
 
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB
 
MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...
MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...
MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...
MongoDB
 
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB SoCal 2020: Migrate Anything* to MongoDB AtlasMongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB
 
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB
 
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDBMongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB
 
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB
 
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series DataMongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB
 
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB
 
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB
 
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB
 
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your MindsetMongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB .local San Francisco 2020: MongoDB Atlas JumpstartMongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB
 
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB
 
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB
 
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep DiveMongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB
 
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & GolangMongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB
 
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB
 
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB
 
MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...
MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...
MongoDB .local Paris 2020: Tout savoir sur le moteur de recherche Full Text S...
MongoDB
 
Ad

Recently uploaded (20)

UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of ExchangesJignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah Innovator
 
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
SOFTTECHHUB
 
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Raffi Khatchadourian
 
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
CSUC - Consorci de Serveis Universitaris de Catalunya
 
UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Bepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firmBepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firm
Benard76
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Agentic Automation - Delhi UiPath Community Meetup
Agentic Automation - Delhi UiPath Community MeetupAgentic Automation - Delhi UiPath Community Meetup
Agentic Automation - Delhi UiPath Community Meetup
Manoj Batra (1600 + Connections)
 
Webinar - Top 5 Backup Mistakes MSPs and Businesses Make .pptx
Webinar - Top 5 Backup Mistakes MSPs and Businesses Make   .pptxWebinar - Top 5 Backup Mistakes MSPs and Businesses Make   .pptx
Webinar - Top 5 Backup Mistakes MSPs and Businesses Make .pptx
MSP360
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Mike Mingos
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...
Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...
Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...
Safe Software
 
UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of ExchangesJignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah - The Innovator and Czar of Exchanges
Jignesh Shah Innovator
 
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
SOFTTECHHUB
 
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Raffi Khatchadourian
 
UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Bepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firmBepents tech services - a premier cybersecurity consulting firm
Bepents tech services - a premier cybersecurity consulting firm
Benard76
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Webinar - Top 5 Backup Mistakes MSPs and Businesses Make .pptx
Webinar - Top 5 Backup Mistakes MSPs and Businesses Make   .pptxWebinar - Top 5 Backup Mistakes MSPs and Businesses Make   .pptx
Webinar - Top 5 Backup Mistakes MSPs and Businesses Make .pptx
MSP360
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Mike Mingos
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...
Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...
Integrating FME with Python: Tips, Demos, and Best Practices for Powerful Aut...
Safe Software
 

MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive into Protecting Sensitive Workloads

  • 1. Kenneth White MongoDB Product Security New encryption capabilities in MongoDB 4.2: A deep dive into protecting sensitive workloads @mongodb
  • 2. New encryption capabilities in MongoDB 4.2: A deep dive into protecting sensitive workloads
  • 3. New encryption capabilities in MongoDB 4.2: A deep dive into protecting sensitive workloads Agenda
  • 4. New encryption capabilities in MongoDB 4.2: A deep dive into protecting sensitive workloads Agenda § A brief history of database security § Trust models: server vs. client § Encrypting data-in-use § Hands on deep dive § Q&A
  • 5. A brief history of database security
  • 6. A brief history of database security Evolution
  • 7. A brief history of database security Evolution § access controls
  • 8. A brief history of database security Evolution § access controls § passwords § plaintext > hashing > key derivation § bearer tokens § NTLM, Kerberos tickets, LDAP/S, SCRAM, web session § multi-factor auth § LCD fobs / SMS / 2FA apps / FIDO-U2F / WebAuthn / mobile enclaves § federated RBAC
  • 9. A brief history of database security Evolution § network
  • 10. A brief history of database security Evolution § network § (plaintext) native wire protocols § SSL encryption § TLS § TLS w/ PFS
  • 11. A brief history of database security Evolution § storage
  • 12. A brief history of database security Evolution § storage § plaintext / raw filesystem § encrypted
  • 13. A brief history of database security Evolution § storage § volume-level / full disk encryption (FDE) § BitLocker, DMCrypt, FileVault, encrypted EBS § file-level encryption § whole database § per-database (WiredTiger ESE) § tablespace § database-level encryption § column / field
  • 14. A brief history of database security These are all important defenses, but…
  • 15. A brief history of database security What is the threat?
  • 16. A brief history of database security Against whom/what are we defending?
  • 17. A brief history of database security Against whom/what are we defending? § “hackers”?
  • 18. A brief history of database security Against whom/what are we defending? § “hackers”? § criminal blackhats? § competitors? § activists? § unknown actors?
  • 19. A brief history of database security Against whom/what are we defending? § “hackers”? § criminal blackhats? § competitors? § activists? § unknown actors? § insiders?
  • 20. A brief history of database security Against whom/what are we defending? § “hackers”? § criminal blackhats? § competitors? § activists? § unknown actors? § insiders? § admins?
  • 21. A brief history of database security Against whom/what are we defending?
  • 22. A brief history of database security What is the threat?
  • 25. The security model for many Prod databases Source: Imgur (author unknown)
  • 27. A brief history of database security
  • 28. A brief history of database security Let’s talk about breaches.
  • 29. A brief history of database security Every sector of the global economy has been impacted.
  • 30. A brief history of database security Every sector of the global economy has been impacted § enterprise § consumer tech § retail § government § healthcare § finance …
  • 31. A brief history of database security Major shifts in regulatory & privacy climate
  • 32. A brief history of database security Major shifts in regulatory & privacy climate § GDPR § HIPAA § PCI DSS § NIST/FISMA § Consumer protection § State & provincial
  • 33. A brief history of database security System architect & developer security challenges
  • 34. A brief history of database security System architect & developer security challenges Meeting legal/regulatory obligations § Controls § Audit/attestation
  • 35. A brief history of database security System architect & developer security challenges Meeting legal/regulatory obligations § Controls § Audit/attestation Defending real-world attacks § First Principles: C/I/A § Separation of duties § Access control § Identifying & protecting sensitive data
  • 38. Trust models: server vs. client
  • 39. Trust models: server vs. client What is the source of trust?
  • 40. Trust models: server vs. client What is the source of trust? § Traditionally, DB encryption has relied on server-side trust
  • 41. Trust models: server vs. client What is the source of trust? § Traditionally, DB encryption has relied on server-side trust § This has implications, many not so obvious
  • 42. Trust models: server vs. client What is the source of trust? § Traditionally, DB encryption has relied on server-side trust § This has implications, many not so obvious § With a few caveats, the database operator typically has unrestricted technical access, including: § DBAs § system admins § hosting/infrastructure providers
  • 43. Trust models: server vs. client What is the source of trust? § In a server-side encryption model, a leak or breach can be catastrophic
  • 44. Trust models: server vs. client What is the source of trust? § In a server-side encryption model, a leak or breach can be catastrophic § This potentially includes: logs, backups, temp files, process memory…
  • 45. Trust models: server vs. client What is the source of trust? § In a server-side encryption model, a leak or breach can be catastrophic § This potentially includes: logs, backups, temp files, process memory… § They who hold the keys control the kingdom
  • 46. Trust models: server vs. client This is particularly important in a cloud context, especially so when running highly sensitive workloads.
  • 47. Trust models: server vs. client A common pain for system architects
  • 48. Trust models: server vs. client A common pain for system architects • Most notably in healthcare, finance, and consumer tech • The benefits of managed, easily expanded compute & cloud storage have often been considered out of reach because of data confidentiality & privacy concerns.
  • 49. Trust models: server vs. client The fundamental challenge is protecting the confidentiality of data while it’s in use.
  • 53. Encrypting Data-in-Use Introducing MongoDB Client-Side Field-Level Encryption
  • 54. Encrypting Data-in-Use Introducing MongoDB Client-Side Field-Level Encryption § encryption as a first-class citizen § modern, authenticated encryption algorithms § strong security guarantees § customer-managed keys § content is opaque to server & server operator
  • 55. Encrypting Data-in-Use Introducing MongoDB Client-Side Field-Level Encryption § major investment § 2 years in the making § 16+ engineers spanning core server, query, security, drivers, cloud § targeting 12+ languages § all major hardware & operating system platforms § Linux, MacOS, Windows
  • 57. MongoDB Client-Side Field-Level Encryption Core design
  • 58. MongoDB Client-Side Field-Level Encryption Core design § Enabled in drivers § Drivers have expanded MQL awareness § Extends existing JSON Schema with new “encrypt” property § Adds JSON Schema validation to the client § Individual fields within collections can be marked as encrypted § Keys can be used on a per-field, per-document basis
  • 59. MongoDB Client-Side Field-Level Encryption Cryptography
  • 60. MongoDB Client-Side Field-Level Encryption Cryptography § multiple encryption options, including deterministic search § key services are natively integrated § modern authenticated encryption with AES-256 & SHA-2 § AEAD_AES_CBC_HMAC_SHA512 (2015 IETF draft: McGrew, Foley, Paterson) § abuse-resistant derived deterministic IVs § native system crypto libraries used for core operations
  • 61. MongoDB Client-Side Field-Level Encryption Cryptography § raw key material never persisted to disk (in-memory only) § stored field keys protected by symmetric encryption § field wrapping keys secured in HSM-backed external KMS § key service master key rotation: scheduled or on-demand
  • 62. MongoDB Client-Side Field-Level Encryption Developer view
  • 63. MongoDB Client-Side Field-Level Encryption Developer view
      § new JSON Schema attribute “encrypt”
      § schema validation extended to the client/application
      § key management services integrated into drivers
      § driver generates secure request for field keys
      § all encryption/decryption is done in the driver (on the client)
      § server only sees encrypted binary data (BinData subtype-6)
  • 64. MongoDB Client-Side Field-Level Encryption How does it work?
  • 67. MongoDB Client-Side Field-Level Encryption Let’s look at some code
  • 68.
      "test.patients" : {
        "bsonType" : "object",
        "properties" : {
          "medRecNum" : { "bsonType" : "int" },
          "firstName" : { "bsonType" : "string" },
          "lastName" : { "bsonType" : "string" },
          // "ssn" is the only field marked for client-side encryption
          "ssn" : {
            "encrypt" : {
              "bsonType" : "string",
              "algorithm" : encryption_mode,
              "keyId" : [ key1 ]
            }
          },
          "mobile" : { "bsonType" : "string" },
          "email" : { "bsonType" : "string" },
        }
      }
  • 71.
      var keystore = db.getCollection("__keystore")
      var clientSideFLEOptions = {
        // AWS KMS credentials are taken from env, not hard-coded
        "kmsProviders" : {
          "aws" : {
            "accessKeyId" : env.KMSKID,
            "secretAccessKey" : env.KMSKEY
          }
        },
        "schemas" : { patientSchema },
        "keyVaultCollection" : keystore
      }
      encryptedSession = new Mongo("localhost", clientSideFLEOptions)
  • 73.
      var encryptedDb = encryptedSession.getDB("test");
      // create a field key under the AWS KMS key env.KMSARN, with the alternate name "key1"
      encryptedSession.getKeyStore().createKey( "aws", env.KMSARN, ["key1"] )
      var keys = encryptedSession.getKeyStore().getKeys()
      var key1 = keys.getKeyByAltName("key1")
  • 74. View to a client holding a valid key:
  • 75. View to a client holding a valid key:
      encryptedDb.patients.find( { "ssn": "901-01-0001" } )
  • 76. View to a client holding a valid key:
      { "firstName" : "Pat", "lastName" : "Lee", "medRecNum" : 235498, "ssn" : "901-01-0001", "mobile" : "212-555-1234", "email" : "[email protected]" }
  • 77. View to a client lacking a valid key:
      { "firstName" : "Pat", "lastName" : "Lee", "medRecNum" : 235498, "ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."), "mobile" : "212-555-1234", "email" : "[email protected]" }
  • 78. View to legacy clients:
      { "firstName" : "Pat", "lastName" : "Lee", "medRecNum" : 235498, "ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."), "mobile" : "212-555-1234", "email" : "[email protected]" }
  • 79. View to database administrator:
      { "firstName" : "Pat", "lastName" : "Lee", "medRecNum" : 235498, "ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."), "mobile" : "212-555-1234", "email" : "[email protected]" }
  • 80. View to database, server memory, logs, backups:
      { "firstName" : "Pat", "lastName" : "Lee", "medRecNum" : 235498, "ssn" : BinData(6,"ASV2YBzOhUZZu643i7Y..."), "mobile" : "212-555-1234", "email" : "[email protected]" }
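Slides 77 to 80 show every party without a key seeing `ssn` as BinData subtype 6, so a plaintext value in that field means some client wrote without encryption. The audit below is an added example, not code from the talk or from MongoDB's tooling; it assumes documents exported as Extended JSON, and the function names and sample documents are constructed for illustration.

```javascript
// Added example: audit exported documents (Extended JSON) for schema-marked
// fields that are not stored as BinData subtype 6. Payload layout read here:
// [1-byte mode][16-byte key UUID][1-byte original BSON type][ciphertext].
const MODES = { 1: 'deterministic', 2: 'random' };

function inspectField(value) {
  const bin = value !== null && typeof value === 'object' ? value.$binary : undefined;
  if (!bin) return { encrypted: false, reason: 'plaintext ' + typeof value };
  if (parseInt(bin.subType, 16) !== 6) return { encrypted: false, reason: 'binary subtype ' + bin.subType };
  const raw = Buffer.from(bin.base64, 'base64');
  if (raw.length <= 18 || !MODES[raw[0]]) return { encrypted: false, reason: 'unexpected subtype-6 payload' };
  return { encrypted: true, mode: MODES[raw[0]], keyId: raw.subarray(1, 17).toString('hex'), bsonType: raw[17] };
}

// Returns one finding per document field that should be encrypted but is not.
function auditDocs(docs, encryptedFields) {
  const findings = [];
  docs.forEach((doc, i) => {
    for (const f of encryptedFields) {
      if (!(f in doc)) continue;
      const r = inspectField(doc[f]);
      if (!r.encrypted) findings.push({ doc: i, field: f, reason: r.reason });
    }
  });
  return findings;
}

// Constructed sample data: a well-formed payload (mode 1, dummy key id and ciphertext).
const payload = Buffer.concat([Buffer.from([1]), Buffer.alloc(16, 0xab), Buffer.from([2]), Buffer.alloc(64, 0xcd)]);
const SAMPLE_DOCS = [
  { firstName: 'Pat', ssn: { $binary: { base64: payload.toString('base64'), subType: '06' } } },
  { firstName: 'Sam', ssn: '901-01-0002' },                                   // written by an unencrypted client
  { firstName: 'Kim', ssn: { $binary: { base64: 'AAEC', subType: '00' } } },  // wrong binary subtype
];
console.log(auditDocs(SAMPLE_DOCS, ['ssn']));
```

The slides' truncated sample `ASV2YBzO...` begins with byte 0x01, which this layout reads as deterministic mode, consistent with the equality query on slide 75.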
  • 82. MongoDB Client-Side Field-Level Encryption Roadmap
  • 83. MongoDB Client-Side Field-Level Encryption Roadmap
      § Beta preview 4.2 rc1 in next two weeks – Java & shell first
      § Additional language beta previews in coming weeks
      § Server support in Atlas via rc0 preview
      § GA planned for late summer
      § Targeting all supported drivers on all supported platforms
      § 3rd party expert security audits & code reviews in progress
  • 85. MongoDB Client-Side Field-Level Encryption Recap
      § 4.2 introduces client-side field-level encryption
      § Designed for the most sensitive workloads
      § Enabled in drivers
      § Allows fields to be marked as encrypted, at the document-level
      § Multiple enforcement options (server-client, client-side, or both)
      § Backwards compatible with existing admin & cluster tools
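The construction named on slide 60 (AES-256-CBC with an HMAC-SHA-512 tag and derived deterministic IVs), written out with Node's built-in crypto as an added example; it is not code from the talk or from MongoDB's drivers. The three-key split, the `key1` associated data and the exact input to the IV derivation are assumptions made for illustration.

```javascript
// Added example: AES-256-CBC + HMAC-SHA-512 (32-byte tag), HMAC-derived IV; key split is assumed.
const { createHmac, createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } = require('crypto');

// AL: bit length of the associated data as a 64-bit big-endian integer.
function aadBits(aad) {
  const al = Buffer.alloc(8);
  al.writeBigUInt64BE(BigInt(aad.length) * 8n);
  return al;
}

// T = first 32 bytes of HMAC-SHA-512(macKey, A || S || AL), with S = IV || CT.
function macTag(macKey, aad, s) {
  return createHmac('sha512', macKey).update(aad).update(s).update(aadBits(aad)).digest().subarray(0, 32);
}

function encryptField(keys, aad, plaintext, deterministic) {
  const pt = Buffer.from(plaintext, 'utf8');
  // Deterministic mode: the IV is a keyed PRF of (aad, plaintext), so equal
  // values encrypt identically, which is what makes equality queries possible.
  const iv = deterministic
    ? createHmac('sha512', keys.iv).update(aad).update(aadBits(aad)).update(pt).digest().subarray(0, 16)
    : randomBytes(16);
  const c = createCipheriv('aes-256-cbc', keys.enc, iv);
  const s = Buffer.concat([iv, c.update(pt), c.final()]);
  return Buffer.concat([s, macTag(keys.mac, aad, s)]);
}

function decryptField(keys, aad, blob) {
  if (blob.length < 64) throw new Error('ciphertext too short'); // IV 16 + block 16 + tag 32
  const s = blob.subarray(0, blob.length - 32);
  const t = blob.subarray(blob.length - 32);
  // Check the tag before any CBC padding is processed.
  if (!timingSafeEqual(t, macTag(keys.mac, aad, s))) throw new Error('authentication failed');
  const d = createDecipheriv('aes-256-cbc', keys.enc, s.subarray(0, 16));
  return Buffer.concat([d.update(s.subarray(16)), d.final()]).toString('utf8');
}

// Constructed demo keys; the value is the sample SSN from slide 75.
function demo() {
  const keys = { enc: randomBytes(32), mac: randomBytes(32), iv: randomBytes(32) };
  const aad = Buffer.from('key1');
  const det = [1, 2].map(() => encryptField(keys, aad, '901-01-0001', true));
  const rnd = [1, 2].map(() => encryptField(keys, aad, '901-01-0001', false));
  const forged = Buffer.from(det[0]); forged[20] ^= 1; // flip one ciphertext bit
  let tamperRejected = false;
  try { decryptField(keys, aad, forged); } catch (e) { tamperRejected = true; }
  return { detEqual: det[0].equals(det[1]), rndEqual: rnd[0].equals(rnd[1]), roundTrip: decryptField(keys, aad, rnd[0]), tamperRejected };
}
console.log(demo());
```

Deterministic mode trades some confidentiality for searchability: anyone who can read the stored values can tell which documents share the same field value, even without a key.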