Beyond data-at-rest: Advances in Native NoSQL Database Encryption

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 3:30 p.m. (45 minutes)

Highly sensitive databases require enhanced technical measures to protect the confidentiality of their workloads. Typical controls in the application toolkit for these scenarios include well-defined, mature authentication and authorization, plus strong network (data-in-transit) and storage (data-at-rest) encryption paired with modern key management practices. Some systems further offer database-specific encryption mechanisms that work at the physical datafile level (and even at the column- or row-level in a relational database) on top of any underlying OS full-disk or whole-volume encryption. Fundamentally, though, these are server-side encryption models: the threat addressed is physical media breach, backup leaks, or possibly certain classes of operating system attacks, and the assumption is that the database administrator, root user, and system-level processes running on the machine are fully trusted to access plaintext data and the associated keys. This session will take a deep dive into the threat models, designs and recent developments in client-side (data-in-use) encryption, including lessons learned from recent work bringing native client-side query integration into the most widely deployed open source NoSQL database in the world. We will discuss the security guarantees, confidentiality/performance trade-offs, and limitations among different types of authenticated encrypted search. Reference query design patterns will be presented, with example code demonstrating strong end-to-end encryption on public cloud or in on-premises datacenters.
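To make the threat-model distinction concrete, the following is an added example written for this page; it is not code from the talk and not MongoDB's own client-side field-level encryption (whose cipher suite, key wrapping and wire format differ). It assumes a client-held key pair (an AES-256-GCM field key and a separate HMAC key), two illustrative modes (randomized, with a fresh nonce per value, and deterministic, with a nonce derived as HMAC-SHA256 of the plaintext so equal values encrypt identically), and a toy `Server` struct standing in for the database. The server stores and compares opaque bytes only, so a DBA or root on the database host sees ciphertext; the deterministic mode is what makes an equality query answerable server-side, and the price is that the server learns which records share a value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// FieldKeys lives only in the application. The database server never holds it.
// (Illustrative construction; not MongoDB's CSFLE key or cipher layout.)
type FieldKeys struct {
	encKey   []byte // AES-256-GCM key for the field
	nonceKey []byte // HMAC key for synthetic nonces in deterministic mode
}

// NewFieldKeys draws fresh keys; a real deployment wraps these with a KMS.
func NewFieldKeys() (*FieldKeys, error) {
	k := &FieldKeys{encKey: make([]byte, 32), nonceKey: make([]byte, 32)}
	if _, err := rand.Read(k.encKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(k.nonceKey); err != nil {
		return nil, err
	}
	return k, nil
}

func (k *FieldKeys) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || GCM tag.
func (k *FieldKeys) seal(nonce, plaintext []byte) ([]byte, error) {
	g, err := k.aead()
	if err != nil {
		return nil, err
	}
	return g.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

// EncryptRandomized uses a fresh random nonce: strongest confidentiality, but the
// server cannot match two encryptions of the same value, so the field is not queryable.
func (k *FieldKeys) EncryptRandomized(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.seal(nonce, plaintext)
}

// EncryptDeterministic derives the nonce from HMAC(nonceKey, plaintext), so equal
// plaintexts give byte-identical ciphertexts and the server can answer equality
// queries on ciphertext alone, while learning which records share a value.
func (k *FieldKeys) EncryptDeterministic(plaintext []byte) ([]byte, error) {
	mac := hmac.New(sha256.New, k.nonceKey)
	mac.Write(plaintext)
	return k.seal(mac.Sum(nil)[:12], plaintext)
}

// Decrypt recovers plaintext from either mode and fails if the GCM tag does not verify.
func (k *FieldKeys) Decrypt(blob []byte) ([]byte, error) {
	g, err := k.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Server stands in for the database: it stores and compares opaque bytes and holds no key.
type Server struct{ docs map[string][]byte }

func NewServer() *Server { return &Server{docs: map[string][]byte{}} }

func (s *Server) Insert(id string, ct []byte) { s.docs[id] = ct }

// FindEqual answers an equality query by byte comparison; it only works for
// deterministically encrypted fields. Results are sorted for stable output.
func (s *Server) FindEqual(ct []byte) []string {
	var ids []string
	for id, stored := range s.docs {
		if bytes.Equal(stored, ct) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	keys, err := NewFieldKeys()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	// Constructed sample records; values are encrypted before they leave the client.
	for id, v := range map[string]string{"u1": "123-45-6789", "u2": "987-65-4321", "u3": "123-45-6789"} {
		ct, _ := keys.EncryptDeterministic([]byte(v))
		srv.Insert(id, ct)
	}
	q, _ := keys.EncryptDeterministic([]byte("123-45-6789"))
	fmt.Println("equality matches on ciphertext:", srv.FindEqual(q))
	r1, _ := keys.EncryptRandomized([]byte("123-45-6789"))
	r2, _ := keys.EncryptRandomized([]byte("123-45-6789"))
	fmt.Println("randomized ciphertexts equal:", bytes.Equal(r1, r2))
}
```

The design choice worth noticing is that the query itself is built on the client with the same deterministic encryption, so the server compares two ciphertexts it cannot open; the AEAD tag also means a modified stored value is rejected at decryption rather than silently returned.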

Presenters:

  • Kenneth White - MongoDB
    Kenneth White is a security engineer whose work focuses on networks and global systems. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews of TrueCrypt and OpenSSL. He currently leads applied encryption engineering in MongoDB's global product group. He has directed R&D and security operations in organizations ranging from startups to nonprofits to defense agencies to the Fortune 50. His work on applied signal analysis has been published in the Proceedings of the National Academy of Sciences. He created software powering the largest clinical trial and cardiac safety research networks in the world. His work on network security and forensics has been cited by the Wall Street Journal, Reuters, Wired, and the BBC.
