Data Privacy: Securing JSON

AnyWhichWay
7 min read · Feb 19, 2019

Although my full-time job these days is not data privacy, I am on my way to the annual Ponemon Fellows and Responsible Information Management conference next month and got to thinking about the state of data privacy and JSON document stores like MongoDB. Other than the JSON Web Encryption standard (JWE), remarkably little information of a generic nature is available, and most relates to specific data stores. For JWE, there are few end-to-end tutorials, it says nothing about how to pinpoint what to protect, and it can be rather complex. With respect to data stores, e.g., Redis, many do not have much in the way of security at all (albeit by design). Others, implemented as SaaS services, simply take an all-or-nothing approach to encrypting data. This article demonstrates via code a simple, flexible security approach that could be used with almost any JSON document store in the browser or on a server.

Future articles will cover creating a full-text searchable but encrypted index, sharding data for compliance and security, approaches to authorization, and records retention/deletion.

Case Description

Let’s assume that Joe is creating JavaScript objects on a client machine and wishes to transfer them to a server or another client machine while protecting different aspects of the objects in different ways and also allowing them to be indexed and searched. Below is part of one of Joe’s objects:

const joe = {
  messages: [
    {
      security: "confidential",
      summary: "confidential…
