Encryption for Enterprise Search
Introduction.
Data is one of the most valuable commodities of the 21st century which means there’s always someone looking to go to the ends of the earth to take what’s not theirs. Tackling these problems have been challenging to say the least.
The basics securing a system to protect data for the past few years have been:
- Using strong passwords along with Multi-Factor Authentication (MFA)
- Using HTTPS for all communications and
- User Management with strong ACLs.
Unfortunately, these measures have repeatedly fallen short in protecting the data from the attackers.
Some of the biggest data leaks of the past year have been around Elasticsearch which is the core component behind most of the enterprise search vendors out there. These data leaks have been a result of not securing Elasticsearch with passwords at all or having weak passwords or those passwords being leaked online. This has led to data of billions of people and their personal and security information being leaked online.
HTTPS alone is not enough because it only encrypts the data that is being transmitted, which means the downfall for enterprises is that if attackers find their way and gain access to the source, then all that data is now in the hands of the attackers.
When it comes to ACL, you can never be 100% safe enough especially in larger organizations. This still doesn’t protect the data in edge cases.
What are the solutions if even the tech titans are affected by this?
At SearchBlox, we’ve worked on Enterprise for over 18 years, and we take the security of our clients’ data very seriously. We provide different levels of ACLs enterprises can configure and can use LDAP/AD groups to provide granular access to your data. But we went further, creating a new model for security and encryption to ensure your data security is rock solid.
Encryption at Access, not just at Rest.
In our pursuit to provide the best data security for our customers, we are introducing data encryption at access. Encryption at rest means the data is encrypted when stored on disk, whereas encryption at access means the searchable data is stored encrypted in Elasticsearch and is decrypted on-the-fly at search time for authorized users only. Therefore, any data you deem sensitive can be encrypted using industry standard AES256 encryption and decryption is allowed only at access (i.e., via SearchBlox search). This ensures no data (especially the sensitive data) is viewed in its normal form, even by the database admins without the right access and encryption keys.
How does it work?
When you are indexing your data into SearchBlox, you get to choose the fields to encrypt. For example, you can choose fields that store PII like credit card numbers, addresses, SSNs etc — giving it the very best of data security. This means that in the event someone makes a search on Elasticsearch, they will get encrypted data making it useless for them. Best of all, you can search on all the data even though it is encrypted and stored. Additionally, you can periodically change the secret keys if you want the highest levels of security!
As for search, when a user makes a search query, SearchBlox receives the request, makes a search on the encrypted data and retrieves the encrypted data, decrypts it using the secret key and returns search results to the user only if the user has the right role access for viewing this sensitive data. This way, all your sensitive data stays safe and far away from the hands of those with malicious intent and your days of worrying about data leaks will be soon forgotten.
As for how to provide granular access to your data, we’ve written a detailed piece here: https://www.searchblox.com/blog/user-access-security-for-your-data
Encrypt your enterprise data for search access by default today using SearchBlox!
Give us a call at +1(866) 933–3626 or send us a message here.
