Why Queryable Encryption Matters to Developers and IT Decision Makers

Cynthia Braund and Pramod Borkar

Illustration depicting queryable encryption.

Enterprises face new challenges in protecting data as modern applications constantly change requirements. There are new technologies, advances in cryptography, regulatory constraints, and architectural complexities. The threat landscape and attack techniques are also changing, making it harder for developers to be experts in data protection.

Client-side field level encryption, sometimes referred to as end-to-end encryption, provides another layer of security that enables enterprises to protect sensitive data. Although client-side encryption fulfills many modern requirements, architects and developers face challenges in implementing these solutions to protect their data efficiently, for several reasons:

  • Multiple cryptographic tools to choose from — Identifying the relevant libraries, selecting the appropriate encryption algorithms, configuring the selected algorithms, and correctly setting up the API for interaction are some of the challenges around tools.

  • Encryption key management challenges — how and where to store the encryption keys, how to manage access, and how to manage key lifecycle such as rotation and revocation.

  • Customize application(s) — Developers might have to write custom code to encrypt, decrypt, and query the data, requiring widespread application changes.

With Queryable Encryption now generally available, MongoDB helps customers protect data throughout its data lifecycle — data is encrypted at the client side and remains encrypted in transit, at rest, and in use while in memory, in logs, and in backups. Also, MongoDB is the only database provider that allows customers to run rich queries on encrypted data, just like they can on unencrypted data. This is a huge advantage for customers, as they can query and secure the data confidently.

Why does Queryable Encryption matter to IT decision-makers and developers? Here are a few reasons:

  • Security teams within enterprises deal with protecting their customers’ sensitive data — financial records, personal data, medical records, and transaction data. Queryable Encryption provides a high level of security — by encrypting sensitive fields from the client side, the data remains encrypted while in transit, at rest, and in use and is only ever decrypted back at the client.

  • With Queryable Encryption, customers can run expressive queries on encrypted data using an industry-first fast, encrypted search algorithm. This allows the server to process and retrieve matching documents without the server understanding the data or why the document should be returned.

  • Queryable Encryption was designed by the pioneers of encrypted search with decades of research and experience in cryptography and uses NIST-standard cryptographic primitives such as AES-256, SHA2, and HMACs.

  • Queryable Encryption allows a faster and easier development cycle — developers can easily encrypt sensitive data without making changes to their application code by using language-specific drivers provided by MongoDB. There is no crypto experience required and it’s intuitive and easy for developers to set up and use.

  • Developers need not be cryptography experts to encrypt, format, and transmit the data. They don't have to figure out how to use the right algorithms or encryption options to implement a secure encryption solution. MongoDB has built a comprehensive encryption solution including key management.

  • Queryable Encryption helps enterprises meet strict data privacy requirements such as HIPAA, GDPR, CCPA, PCI, and more using strong data protection techniques.

  • It offers customer-managed and controlled keys. The MongoDB driver handles all cryptographic operations and communication with the customer-provisioned key provider. Queryable Encryption supports AWS KMS, Google Cloud KMS, Azure Key Vault, and KMIP-compliant key providers. MongoDB also provides APIs for key rotation and key migration that customers can leverage to make key management seamless.

Chart indicating why Queryable Encryption matters to Developers, Security Teams, and ITDMs:

  • High level of security (end-to-end encryption throughout the data lifecycle): matters to all three groups.

  • Ability to run expressive queries on encrypted data **: matters to all three groups.

  • Helps meet strict data privacy requirements: matters to all three groups.

  • Ability to control and limit access to confidential and regulated data: matters to all three groups.

  • Reduce operational risk (customers can keep their data on any of the cloud providers and be assured that their data is protected): matters to security teams and ITDMs.

  • Fast state-of-the-art encrypted search algorithm: matters to all three groups.

  • No cryptographic experience needed: matters to all three groups.

  • Multi-cloud support to store data (with MongoDB Atlas): matters to all three groups.

  • Robust key management: matters to all three groups.

  • No costly application code changes *: matters to developers and ITDMs.

  • Language-specific drivers: matter to developers.

** Equality query type is supported in 7.0 GA
* With automatic encryption enabled

For more information on Queryable Encryption, refer to the following resources: