Mongodb's plan to limit breaches: "Field Level Encryption"

Many large-scale data-breaches involve attackers gaining access to administrators' database logins; from there, they can clone the whole database and plunder it at will; but leading nosql database vendor Mongodb proposes to add another layer of security it's calling 'Field Level Encryption' which encrypts the data in database fields with its own key -- possibly a different key for every user or every field. That means that attackers will have to compromise a lot of cryptographic keys as well as breaking into a server.

Depending on how it is configured, Field Level Encryption also severely limits the ability of vendors to spy on their customers. The downside is that it adds complexity -- key management -- to the design of clients and possibly user key-management. The Field Level Encryption tool is free/open source software, and open to auditing and improvement by all comers. Both Adobe and Google -- as well as other giant tech companies -- rely on Mongodb for some database technology and could use Field Level Encryption to add another layer of security to their data-handling practices.

However, relational SQL databases would struggle to implement comparable measures, so Field Level Encryption will be limited to nosql applications.

For regular users, not much will be visibly different. If their credentials are stolen and they aren't using multi-factor authentication, an attacker will still be able to access everything the victim could. But the new feature is meant to eliminate single points of failure. With Field Level encryption in place, a hacker who steals an administrative username and password, or finds a software vulnerability that gives them system access, still won't be able to use these holes to access readable data.

The focus, Ottenheimer says, was on trying to offer that security in a form customers would actually adopt—a classic cybersecurity problem. 'We really focused on making this easy for developers to put into their path to release,' he says. 'We want them to be able to release new products and code as quickly as possible.'

A Plan to Stop Breaches With Dead Simple Database Encryption [Lily Hay Newman/Wired]

(Image: Iain Watson, CC-BY)