Being a security professional in 2022 was no walk in the park. In a year that saw thousands of data breaches, even the most seasoned security professionals had their hands full. In our latest episode of the MongoDB Podcast, MongoDB Chief Information Security Officer, Lena Smart, joined tech legend and MongoDB co-founder, Dwight Merriman, to discuss the changing IT security landscape and the trends that will shape best practices for the future.
As a technology entrepreneur who has been involved in a half-dozen startups, Merriman developed a sense for trends in technology that intersect with user needs. In 1995, the internet was one of those trends. Others that followed include LANs, smartphones, and AI. But what's different about security, Merriman says, is that it acts as more of an anti-trend, meaning that it's a problem that only seems to be getting harder to solve.
"Information security has always been an issue," Merriman says. "But every year it gets harder. Pre-internet it was a bit easier, when you're not plugged into the entire planet. Today, the inherent complexity of modern software means there are more attack vectors."
As the IT complexity anti-trend coincides with an increase in the sophistication of hackers, the job of security professionals only gets harder. "You've got everything from the kid in their basement hacking around to more sophisticated attacks like organized crime and nation-state actors," Merriman says. "How do you defend against that as a company when you have orders of magnitude less resources? As a CISO, security person, or developer, it's just getting harder every day."
Merriman predicts that it's going to get harder every year for the next 10 years, and the stakes are only going to get higher. "You cannot be too paranoid," he says. "We still need to get work done. So I'm a big proponent of, you know, you can't create too much friction."
Controlling what you can control
Ensuring security while reducing friction is one of the core principles of data governance, which includes the processes required to establish proper handling of an organization's data. Whether you're using third-party services, integrating with the software supply chain to build new applications or services, or working across internal departments, the best approach from a security perspective is to start with as little trust as possible.
"Zero Trust is a big term these days," Merriman says. "Part of your supply chain is your internal supply chain. In large companies like a Fortune 500 company, where it's so big, you might as well be separate companies. So, whatever you think about when you think about security and supply chain, do that internally too. Think of each department as a supply chain if it is a supplier for you."
The concept of the Zero Trust model is based around three principles:
Never trust, always verify — This ensures that anyone who accesses company data is verified at the onset of access to network resources.
Provide the least amount of privilege possible — Being judicious with who can access what data is essential to keep data protected. By limiting employee and external access to only data needed to perform a specific task, you reduce the likelihood of a breach.
Apply network segmentation — By dividing data into isolated segments (for example, across separate MongoDB clusters), you isolate and protect each segment, rather than keeping everything in one place where a single breach puts all data at risk.
“Identity is your new security perimeter. You can never be too paranoid or too vigilant when it comes to determining who can access your business’s data,” says Merriman.
Breaking new ground in security
The security imperative is what drove MongoDB to partner with pioneers in the academic community to develop a groundbreaking new form of security, queryable encryption. Working with Brown University cryptographer Seny Kamara and long-time collaborator Tarik Moataz, the team developed the world's first truly searchable encrypted database. It enables organizations to encrypt sensitive data from the client side, store it as fully randomized encrypted data on the database server side, and run expressive queries on the encrypted data. Queryable encryption extends the idea of Zero Trust by adding an extra layer of security for data while it's in use by anyone tasked with handling it.
Designed by our Advanced Cryptography Research Group with 20 years of experience designing peer-reviewed, state-of-the-art encrypted search algorithms, Queryable Encryption is available in Preview now.
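To make the idea in the preceding section concrete, here is an added illustration that is not part of the original post and is not MongoDB's Queryable Encryption algorithm or the Kamara/Moataz construction: a minimal client/server sketch in which the client encrypts each field with fresh randomness, attaches a keyed equality token for the one field it wants to query, and the server matches on tokens while holding no keys and no plaintext. The `Client`, `Server` and `demo` names, the sample records, and the stdlib-only hash-based cipher (standing in for a real AEAD such as AES-GCM) are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# --- Toy authenticated cipher (assumption: stdlib-only stand-in for AES-GCM) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based counter-mode keystream; only for this illustration."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def randomized_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh nonce per call, so equal plaintexts give different ciphertexts."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def randomized_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject tampered ciphertext."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def equality_token(index_key: bytes, value: bytes) -> bytes:
    """Deterministic keyed token: equal values map to equal tokens so the
    server can match on them without learning the value itself."""
    return hmac.new(index_key, value, hashlib.sha256).digest()


class Client:
    """Holds the keys; the server never sees them."""

    def __init__(self) -> None:
        self.data_key = os.urandom(32)   # encrypts field contents
        self.index_key = os.urandom(32)  # derives search tokens

    def encrypt_document(self, doc: dict) -> dict:
        ssn, name = doc["ssn"].encode(), doc["name"].encode()
        return {
            "ssn_ct": randomized_encrypt(self.data_key, ssn),
            "ssn_tok": equality_token(self.index_key, ssn),      # queryable field
            "name_ct": randomized_encrypt(self.data_key, name),  # not queryable
        }

    def query_token(self, ssn: str) -> bytes:
        return equality_token(self.index_key, ssn.encode())

    def decrypt_document(self, enc: dict) -> dict:
        return {
            "ssn": randomized_decrypt(self.data_key, enc["ssn_ct"]).decode(),
            "name": randomized_decrypt(self.data_key, enc["name_ct"]).decode(),
        }


class Server:
    """Stores only ciphertexts and tokens; matches tokens, never plaintext."""

    def __init__(self) -> None:
        self.store: list[dict] = []

    def insert(self, enc: dict) -> None:
        self.store.append(enc)

    def find_by_token(self, token: bytes) -> list[dict]:
        return [d for d in self.store if hmac.compare_digest(d["ssn_tok"], token)]


def demo() -> dict:
    """Constructed sample data: three records, two sharing an SSN."""
    client, server = Client(), Server()
    for ssn, name in [("123-45-6789", "alice"), ("987-65-4321", "bob"),
                      ("123-45-6789", "carol")]:
        server.insert(client.encrypt_document({"ssn": ssn, "name": name}))
    hits = server.find_by_token(client.query_token("123-45-6789"))
    names = sorted(client.decrypt_document(h)["name"] for h in hits)
    return {
        "matches": len(hits),
        "names": names,
        "ciphertexts_differ": hits[0]["ssn_ct"] != hits[1]["ssn_ct"],
        "tokens_equal": hits[0]["ssn_tok"] == hits[1]["ssn_tok"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the paragraph above describes: the stored ciphertexts for the same SSN differ (randomized encryption), yet the server still returns both matching records from the token alone. The sketch also shows what a practitioner should ask of any encrypted-search design: the deterministic tokens let the server see which stored records share a value, so index metadata must be treated as sensitive, and the leakage profile of the real scheme, not just the ciphertext format, is what determines how much an attacker with database access can infer.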
Listen to the full conversation with MongoDB Chief Information Security Officer Lena Smart and tech legend and MongoDB co-founder Dwight Merriman.
If your organization needs a way to construct database architectures that are not only scalable, but also secure, consider using MongoDB Atlas to build the next big thing.