MongoDB unveils data encryption tech for developers to boosting data privacy and compliance

MongoDB today announced at its developer conference MongoDB.local Chicago the general availability of Queryable Encryption, which it says is a first-of-its-kind technology that helps organizations protect sensitive data when it is queried and in-use on MongoDB. 

As data volumes skyrocket, so do the intricacies of modern applications. Coupled with growing regulatory demands, companies face a challenging task of managing sensitive information. Enter MongoDB Queryable Encryption: a tool that not only bolsters data protection, but also ensures a seamless developer experience, according to the company — no Ph.D. in cryptography needed.

“Protecting data is critical for every organization, especially as the volume of data being generated grows and the sophistication of modern applications is only increasing,” said MongoDB Chief Product Officer Sahir Azam. “Organizations also face the challenge of meeting a growing number of data privacy and customer data protection requirements. Now, with MongoDB Queryable Encryption, customers can protect their data with state-of-the-art encryption and reduce operational risk — all while providing an easy-to-use capability developers can quickly build into applications to power experiences their end-users expect.”

Historically, encryption has been the cornerstone of data protection. Whether it’s in-transit across networks, at-rest in storage or in-use during processing, data encryption ensures sensitive information remains in the right hands. The roadblocks? Processing and analyzing encrypted data, which requires decryption.

The big takeaway from MongoDB’s Queryable Encryption is in its ability to keep data encrypted across its entire lifecycle — even during query processing. Picture this: A financial analyst needs to pull up a customer’s savings account details. With Queryable Encryption in play, the entire process, from querying to retrieval, keeps the data encrypted.

Only with a customer-controlled decryption key can the information be viewed, substantially mitigating the risk of unwanted exposure. The Holy Grail in encryption has been smart, high performance, secure access and retrieval of data unhackable. Now, says MongoDB, it’s here with Queryable Encryption. 

The encryption technology has its roots in the MongoDB Cryptography Research Group and, notably, is open source. This move allows developers and businesses worldwide to dive deep into the cryptographic methods and code that power this state-of-the-art technology — further enhancing trust and compliance.

Moreover, MongoDB’s encryption is designed to integrate with key management services across major cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud, offering businesses flexibility in managing cryptographic keys.

MongoDB’s innovation hasn’t gone unnoticed. Renault Group, a big name in the auto industry, stands out as an enthusiastic early adopter. “MongoDB’s Queryable Encryption is pivotal for their data protection and compliance,” noted Xin Wang, a solutions architect at Renault. “As they look toward the future, we’re eager on delving deeper into this technology, especially as it pertains to performance optimization.”

For developers, grappling with data protection protocols can be a maze of complexities. MongoDB hopes to change that with its newly launched MongoDB Queryable Encryption.

Azam emphasizes the tool’s easy integration into application development, potentially reducing the steep learning curve often associated with encryption.

At the heart of application development lies the crucial aspect of data management and searching data securely or encrypted. Traditional encryption processes, while effective, often introduce added layers of complexity during the data querying phase. MongoDB’s offering, on the other hand, promises consistent encryption, even during querying. This could prove a game-changer for sensitive workloads.

For a developer, this means less juggling. Imagine building a banking application: With Queryable Encryption, both the data retrieval and processing steps are encrypted, reducing the steps and potential pitfalls for developers. The promise? More secure applications, built more efficiently.

The open-source nature of MongoDB’s encryption, birthed from its Cryptography Research Group, means a developer can dive deep into it, understand, tweak and even contribute to it. It’s an avenue for collective growth, though MongoDB will need to ensure the platform remains secure amid this transparency.

Additionally, its compatibility with major services such as AWS, Azure and Google Cloud suggests an ease of integration, making a developer’s life potentially less fragmented.

While larger industry names like Renault Group have shown interest, it’s the developer community that will be the litmus test. 

MongoDB’s Queryable Encryption appears poised to offer developers a more streamlined approach to data security. Though it’s early days, the signs point to a potentially indispensable tool in a developer’s workflows. As with all tech, its true value will be determined by how well developers can integrate it into their daily grind.

Kenn White, a security principal at MongoDB, talked about the story behind the technology’s development that really captured attention. MongoDB’s journey from concept to reality, and the obstacles faced along the way, shed light on the immense complexities of modern encryption.

According to White, MongoDB faced a myriad of challenges in the creation of their new encryption technology. Encryption is intricate, where the smallest leaks or vulnerabilities can have huge ramifications. Issues such as buffer overflows had to be navigated meticulously because they might let attackers undermine security. MongoDB says it worked with crypto pros and experts to lock down all aspects of hacking encryption.  

The company took an external collaborative approach, partnering with Brown University’s Encrypted Systems Lab. The project gained valuable insights from academia. But theoretical knowledge wasn’t enough.

MongoDB recognized the gap between academia and real-world application and acquired the encryption team and encrypted search was on the road to real-world scenarios like server-side cache, coherency and state. Although MongoDB wouldn’t reveal the exact acquisition date, the strategic investment symbolizes their significant foray into advanced security for MongoDB and its high end customers and now for developers.

Ensuring performance isn’t compromised is vital. While the initial tests for IoT streaming and heavy inserts revealed performance concerns, MongoDB dedicated five months to enhancing this. Performance is incredible and only getting better, says White.  “In real-time, the delay amounted to just milliseconds — a benchmark many developers will appreciate, especially for sensitive operations like credit card transactions,” he said.

White identifies the win for developers. “Recognizing that developers aren’t cryptography experts, their goal is to simplify the process — from auto-generating keys to ensuring compatibility with cloud providers’ transition to ‘bearer tokens,'” he said.

The release of Queryable Encryption isn’t just about adding a feature. It’s a step toward MongoDB’s vision of broader, distributed security across cloud platforms, countering both external and internal threats. As the digital landscape transforms, MongoDB seems poised to make encryption not just more robust but more user-friendly for developers everywhere.

If developers can get encryption that’s easy to use, that should make programming secure apps easier.

“TheCUBE is an important partner to the industry. You guys really are a part of their events and they really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU

MongoDB Atlas completes IRAP Security Assessment for use with Australian Government Systems and Data

COMPANY NEWS: MongoDB Atlas can now be used by Australian government agencies to securely build modern applications in the cloud, quickly and at scale.

MongoDB, Inc. announced the completion of an Information Security Registered Assessor Program (IRAP) exam that allows federal government agencies across Australia to use MongoDB’s developer data platform MongoDB Atlas to quickly and easily build, manage, and deploy modern applications. Carried out by security firm CyberCX, the IRAP exam evaluated MongoDB Atlas’s platform for data workloads up to “PROTECTED” level across all three major cloud providers— AWS, Microsoft Azure, and Google Cloud Platform. Completion of this exam provides Australian government customers with the required assurance that MongoDB Atlas has the appropriate security controls in place for the processing, storing and transmission of information classified up to and including the “‘PROTECTED” level. 

Australian government agencies are under growing pressure to accelerate digital transformation efforts and increase time to market for new digital government services to Improve citizen experiences while ensuring data is safe and secure. Many Australian government agencies currently use MongoDB on premises but want to take advantage of a fully managed experience in the cloud. With the completion of the IRAP exam, government agencies in Australia will now be able to use MongoDB Atlas’s multi-cloud infrastructure and take advantage of embedded encryption capabilities, text-based and generative-AI-based search, and stream processing for high-volume and high-velocity data of virtually any type to quickly build modern applications for desktop and mobile with less complexity.

MongoDB Atlas is the only platform today offering true multi-cloud capabilities, meaning that data can be stored and synchronised on multiple cloud providers at the same time, rather than on one single cloud provider, to ensure high levels of resilience for critical government services. MongoDB’s multi-region capability allows organisations to use multiple cloud regions within the same defined geographic area, which makes applications more resilient and makes data sovereignty easier. 

Finally, embedded security features built-in within MongoDB Atlas provide government agencies with the utmost data protection and data privacy levels. In particular, Queryable Encryption introduces an industry-first fast, searchable encryption scheme developed by the pioneers in encrypted search. The new feature means organisations can search and return encrypted data that becomes visible to application end-users only when decrypted with customer-controlled cryptographic keys—but remains encrypted in use throughout the query process, in transit over networks, and at rest in storage.

More than one thousand public sector customers globally rely on MongoDB to run mission-critical workloads every day and use MongoDB Atlas to transform the way they serve citizens all around the world.

For example, as the COVID-19 crisis increased demand for digital services from millions of citizens and thousands of businesses overnight, the UK’s largest government department, the Department for Work and Pensions (DWP), has used MongoDB Atlas flexible document model and scale to offer its development team a new and more productive way to build applications, handle highly diverse data types and manage data efficiently at scale.

Government continues to be a growing focus for MongoDB, with the Australian IRAP exam following the launch last month of the MongoDB Atlas for Public Sector initiative to help government agencies and public sector organisations address unique digital transformation and cloud adoption challenges to accelerate time-to-mission.

“Government agencies are expected to offer citizens flawless and secure digital services, as well as easier ways to engage with government entities,” said Simon Eid, Senior Vice President, APAC at MongoDB. “Internally, teams are pressured to make data-driven decisions that are accurate and timely while improving efficiency without jeopardising security. Legacy database models have become a real hindrance, and government agencies are looking at new ways to build and deliver the government services of tomorrow. Now, with the completion of the IRAP exam, government agencies in Australia can empower their development teams to build new classes of applications that reimagine citizen experiences using MongoDB Atlas. They think this will actively contribute to Australia’s reaching its goal of being the most cyber-secure nation in the world by 2030.”

Lee Hickin, ANZ Chief Technology Officer, Microsoft, said: "We are pleased to see MongoDB Atlas successfully complete the IRAP exam, enabling Australian government agencies to securely build modern applications in the cloud. This will take the partnership between Microsoft and MongoDB to a new level, creating more opportunities for their joint customers, and providing government customers with a robust and reliable platform to accelerate digital transformation efforts, enhance citizen experiences, and ensure data safety and security. "

MongoDB Atlas is the leading multi-cloud developer data platform that accelerates and simplifies building with data. MongoDB Atlas provides an integrated set of data and application services in a unified environment to enable developer teams to quickly build with the capabilities, performance, and scale modern applications require.

Headquartered in New York, MongoDB’s mission is to empower innovators to create, transform, and disrupt industries by unleashing the power of software and data. Built by developers, for developers, their developer data platform is a database with an integrated set of related services that allow development teams to address the growing requirements for today’s wide variety of modern applications, all in a unified and consistent user experience. MongoDB has tens of thousands of customers in over 100 countries. The MongoDB database platform has been downloaded hundreds of millions of times since 2007, and there have been millions of builders trained through MongoDB University courses. To learn more, visit mongodb.com.