Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

Thursday, September 12 • 3:30pm - 4:15pm
Beyond data-at-rest: Advances in Native NoSQL Database Encryption

Highly sensitive databases require enhanced technical measures to protect the confidentiality of their workloads. Typical controls in our application toolkit for these scenarios include implementing well-defined, mature authentication & authorization, and strong network (data-in-transit) & storage (data-at-rest) encryption paired with modern key management practices. Some systems further offer database-specific encryption mechanisms which work at the physical datafile level (and even the column- or row-level in a relational database) on top of any underlying OS full-disk or whole-volume encryption. But fundamentally, these are server-side encryption models where the threat is physical media breach, backup leaks, or possibly protection from certain classes of operating system attacks; the assumption is that the database administrator, root user, or system-level processes running on the machine are fully entrusted to access plaintext data and their associated keys.

This session will take a deep dive into the threat models, designs and recent developments in client-side (data-in-use) encryption, including lessons learned from recent work bringing native client-side query integration into the most widely deployed open source NoSQL database in the world. We will discuss the security guarantees, confidentiality/performance trade-offs, and limitations among different types of authenticated encrypted search. Reference query design patterns will be presented, with example code demonstrating strong end-to-end encryption on public cloud or in on-premise datacenters.

Speakers
Kenneth White

Product Security, MongoDB
Kenneth White is a security engineer whose work focuses on networks and global systems. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews on TrueCrypt and OpenSSL. He currently leads applied encryption engineering in MongoDB's global product...


Thursday September 12, 2019 3:30pm - 4:15pm EDT
Lincoln 5