How encryption could stop the exposure of personal data in the cloud – NewsDio

An encryption product could improve cloud security.


What do a chain of Peruvian cinemas and a paid service for US cannabis dispensaries have in common? Unsecured databases. In separate incidents this month, confidential data from Cineplanet customers in Peru and THSuite in the US was exposed on cloud servers without password protection. Identity theft experts say the global trend of exposures is as worrisome as hackers who steal data directly.

To alleviate the problem, database software makers have tried to make security easier for cloud database administrators. On Monday, Kenn White, security director of the database software maker MongoDB, will describe a new technique, called field-level encryption, to make data more secure in the cloud. The research will be presented at the Enigma Conference in San Francisco.

Field-level encryption works by encoding data before sending it to a database in the cloud and decrypting it when data is retrieved. The promise of the product is to protect the content of a database in the cloud, even if the bad guys access it. The feature has been available in the MongoDB open source product since December, as well as for the company's corporate product customers.

MongoDB's new feature comes as more and more companies move user data to servers in the cloud instead of running their own expensive data centers. In April, Gartner projected that cloud computing would be a $214 billion industry by the end of 2019. That was up more than 17% from 2018, when it was $182 billion.

Companies have rushed to the cloud without understanding all the security implications. Many companies have left countless databases exposed, revealing personal data that has included records from drug rehab centers. A database containing details about who lives in 80 million US homes was left unprotected in 2019, as was data on Facebook users and the anticipated salaries of job seekers.

The seemingly endless exposures, the result of a failure to protect a database with a password, have inspired an army of security researchers who look for exposed databases containing users' Social Security numbers, passwords, personal records and other details that should not be accessible to anyone with an internet connection.

Data in the cloud must be password protected by default, says Chris Vickery, a security researcher who looks for database exposures at UpGuard. Often, however, it is not.

"There are so many different platforms these days," Vickery said. "From one to another, you will have different levels of default security."

Sometimes, the person who sets up the database in the cloud inadvertently disables password protection, says White, the MongoDB executive.

MongoDB's field-level encryption could encourage some companies that currently do not use the cloud to consider it. Large companies are wary of putting financial or health information in the cloud because exposures of that information carry high penalties in the United States. In some cases, companies are not legally allowed to share data with cloud providers in the first place.

Field-level encryption could change that because companies would not be sharing the data. Instead, they would share a string of incomprehensible characters that can only be decrypted with an encryption key stored on corporate machines. MongoDB has already signed up Apervita, a medical and prescription data processor, to use the feature.

MongoDB dedicated 24 engineers to the project, which took two years. Its open source software is popular (it has been downloaded more than 80 million times) because it can be used to build virtual databases that run on many platforms, including Windows and Linux machines. It is compatible with processors in laptops and mobile phones, and is interoperable with more than a dozen programming languages.

The widespread use of MongoDB created a challenge for engineers, who had to create a function that would allow users to store and search encrypted data that works smoothly with all the hardware, operating systems and programming languages currently supported by MongoDB. White called it "a crazy amount of combinations."

Field-level encryption addresses a paradox. Database administrators want to store their data in an unreadable format, but they also want to be able to find specific information in the database with a simple search query. For example, someone might want to look up health care patients by their Social Security numbers, even if those numbers are stored as random characters.

To make this possible, field-level encryption allows database administrators to encrypt a search term on their machine and send it to the database as a query. The database matches the encrypted version of the search term against the record it is storing and then returns it.

This approach only works with specific types of data. Attackers could break encryption when a database stores information that only has a relatively small number of potential values, such as gender or status codes, by detecting repetitive patterns across the entire data set. Field-level encryption is also not useful for long text entries, such as notes in a patient's medical history, because it cannot search for individual words.
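The sketch below is an added example, not code from the article or from MongoDB. It illustrates both the client-side encrypted query and the small-value-set limitation described above, using a stand-in deterministic cipher built from HMAC-SHA-256 in the Python standard library (not MongoDB's algorithm or driver API); all function names and the sample records are hypothetical.

```python
import hashlib
import hmac
import os
from collections import Counter

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_field(key: bytes, value: str) -> bytes:
    """Deterministic: the IV is a MAC of the plaintext, so equal values encrypt identically."""
    pt = value.encode()
    iv = hmac.new(_subkey(key, b"mac"), pt, hashlib.sha256).digest()[:16]
    ks = _keystream(_subkey(key, b"enc"), iv, len(pt))
    return iv + bytes(a ^ b for a, b in zip(pt, ks))

def decrypt_field(key: bytes, blob: bytes) -> str:
    iv, ct = blob[:16], blob[16:]
    ks = _keystream(_subkey(key, b"enc"), iv, len(ct))
    pt = bytes(a ^ b for a, b in zip(ct, ks))
    expected = hmac.new(_subkey(key, b"mac"), pt, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected):  # the IV doubles as an integrity tag
        raise ValueError("ciphertext was modified or the key is wrong")
    return pt.decode()

CLIENT_KEY = os.urandom(32)  # stays on the client; the database never sees it

# Constructed sample records (id, SSN, gender); the SSNs are deliberately invalid.
PATIENTS = [(1, "000-00-0001", "F"), (2, "000-00-0002", "M"),
            (3, "000-00-0003", "M"), (4, "000-00-0004", "F"),
            (5, "000-00-0005", "M")]

def build_server_collection(key: bytes) -> list:
    return [{"_id": i, "ssn": encrypt_field(key, s), "gender": encrypt_field(key, g)}
            for i, s, g in PATIENTS]

def find_by_ssn(collection: list, key: bytes, ssn: str) -> list:
    token = encrypt_field(key, ssn)  # search term encrypted on the client
    return [d["_id"] for d in collection if d["ssn"] == token]  # server compares bytes only

def ciphertext_frequencies(collection: list, field: str) -> list:
    """Counts visible to anyone holding only the stored data, no key required."""
    return sorted(Counter(d[field] for d in collection).values(), reverse=True)
```

For the high-cardinality `ssn` field every ciphertext is unique, so the counts reveal nothing; for `gender` the counts reproduce the plaintext distribution, which is why such fields are poor candidates for searchable encryption.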

Even so, for data such as account numbers, passwords and government identification numbers, field-level encryption protects the data and maintains a usable database.

Most importantly, White said, it's easy to set up. Database administrators activate it with a single configuration change when they configure the database.

"That is really powerful," he said.
