DEV Community: Ovianta

Enhancing Data Security with MongoDB: A Dive into Cryptography and CSFLE at Ovianta

Rubén Martín Pozo — Mon, 02 Dec 2024 10:20:00 +0000

In the digital age, safeguarding sensitive information is not optional. It's essential. At Ovianta, a SaaS solution empowering doctors with streamlined workflows and intelligent insights, protecting patient data is a top priority. MongoDB's cryptographic tools, particularly Client-Side Field Level Encryption (CSFLE), offer powerful methods to secure data in-use.

In this article, we'll explore MongoDB's CSFLE and share how Ovianta leverages encryption to meet stringent data protection requirements while working within the constraints of serverless environments like Vercel.

What is Client-Side Field Level Encryption?

MongoDB's CSFLE encrypts specific fields on the client side, ensuring sensitive data remains inaccessible to unauthorized parties, even if the database itself is compromised. The approach aligns with compliance standards like GDPR and HIPAA, making it an excellent choice for industries handling sensitive information, such as healthcare.

CSFLE Highlights:

Data confidentiality: Data is encrypted before it leaves the client.
Field-level granularity: Only sensitive fields are encrypted, leaving the rest of the database searchable.
Compliance-friendly: Helps meet data protection regulations.

Automatic vs. Manual Encryption

MongoDB supports two CSFLE modes: Automatic Encryption and Manual Encryption.

Automatic Encryption:
- Simplifies implementation by using MongoDB drivers to handle encryption.
- Requires the installation of an extra library.
- Not compatible with all hosting environments, including serverless platforms like Vercel.
Manual Encryption:
- Offers fine-grained control by letting developers manage encryption and decryption explicitly.
- Does not rely on additional libraries, making it suitable for environments with strict resource constraints, including serverless platforms like Vercel.

At Ovianta, we chose manual encryption because automatic encryption's library is incompatible with Vercel's serverless architecture. This decision ensures we maintain robust security without compromising the performance or scalability of our platform.

Manual Encryption: How Ovianta Secures Data

At Ovianta, we handle sensitive patient information, such as medical histories and consultation records. Using manual encryption allows us to encrypt this data securely before storing it in MongoDB. Here's how we do it:

Key Management:
- We generate and manage Data Encryption Keys (DEKs) using a secure Key Management System (KMS).
- Our KMS integrates seamlessly with MongoDB, providing a secure mechanism for key storage.
Encryption and Decryption:
- Data is encrypted using the MongoDB Client Encryption Library before it is sent to the database.
- Authorized services decrypt data when needed, ensuring only specific application workflows can access sensitive information.

import { ClientEncryption } = from 'mongodb-client-encryption');

// Initialize encryption settings
const clientEncryption = new ClientEncryption(client, {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProviders: {
    aws: {
      accessKeyId: '<AWS_ACCESS_KEY_ID>',
      secretAccessKey: '<AWS_SECRET_ACCESS_KEY>',
    },
  },
});

// Encrypt sensitive patient data
const encryptedValue = await clientEncryption.encrypt('patientSensitiveData', {
  keyId: 'keyId',
  algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
});

// Store encrypted data in MongoDB
await collection.insertOne({ sensitiveField: encryptedValue });

It's also possible to decrypt using the MongoClient directly without needing to activate full automatic encryption by using the property bypassAutoEncryption


const secureClient = new MongoClient(uri, {
    autoEncryption: {
      keyVaultNamespace,
      kmsProviders,
      bypassAutoEncryption: true
    },
  });

const result = await collection.find().toArray();

Why Ovianta Chose Manual Encryption

Manual encryption provides us with:

Flexibility: By managing encryption directly in our code, we avoid dependencies on libraries incompatible with serverless environments.
Granular control: We can tailor encryption to specific fields and workflows, ensuring efficiency and compliance. Although it is possible to achieve this behavior using schemas, that will force us to work on automatic mode that is not working in serverless environments such as Vercel.
Portability: Since no special libraries are required, our encryption setup can be easily replicated across various environments.

How CSFLE Benefits Ovianta's Users

For our customers—doctors and healthcare providers—CSFLE means:

• Enhanced Privacy: Patient data is encrypted before leaving the client, ensuring it remains confidential even in the unlikely event of a breach.
• Regulatory Compliance: By implementing advanced cryptographic measures, Ovianta adheres to stringent healthcare data protection standards, building trust with users.

Conclusion

At Ovianta, securing patient data is central to our mission of empowering healthcare providers with seamless, AI-driven workflows. MongoDB's CSFLE, particularly through manual encryption, allows us to achieve high levels of security while maintaining the flexibility needed for our serverless architecture.

Whether you're building a healthcare app or managing sensitive user data, MongoDB's encryption options offer a reliable path to compliance and trust. For environments like ours, where automatic encryption isn't an option, manual encryption ensures robust security without compromise.

References:

• MongoDB Documentation: Automatic Encryption
• MongoDB Documentation: Manual Encryption

At Ovianta, we're building a next-generation product for doctors to streamline software for their consultations using NextJS. Follow us on this journey to know more about how we're building.

Why the JavaScript ecosystem is so vibrant (and a bit chaotic) for a backend dev

Rubén Martín Pozo — Wed, 30 Oct 2024 11:00:00 +0000

Why the JavaScript Ecosystem is So Vibrant (and a Bit Chaotic) for a Backend Dev

As a backend developer with a background in Java and Spring Boot, stepping into the world of JavaScript felt like entering a parallel universe. JavaScript's ecosystem is dynamic, brimming with creativity, and driven by innovation. In contrast to Java, which is structured and stable, JavaScript thrives in a state of constant flux, fueled by new ideas and ever-evolving tools. For a backend developer used to a world of well-defined patterns and practices, the JavaScript world can feel like a bit of a wild ride, but that's what makes it so exciting.

1. JavaScript: A Breath of Fresh Air for Backend Developers

Coming from a Java and Spring Boot background, JavaScript was a bit of a shock to the system. Java offers reliability and structure. There's a defined way to approach most problems and a certain consistency in how frameworks evolve over time. JavaScript, on the other hand, feels like an open playground. In JavaScript, there are often multiple ways to approach a problem, and sometimes, no clear “right” way at all.

Contrast with Java: Where Java feels familiar and consistent, JavaScript’s freedom opens up possibilities to experiment with new patterns and creative approaches.
Adaptability: JavaScript gives developers the flexibility to break free from traditional constraints, offering a range of tools and techniques that keep things fresh and exciting.

JavaScript's flexibility isn’t just about syntax. It’s a mindset shift. The language encourages innovation and quick pivots, often leading developers to discover more efficient solutions than they might have imagined in a more rigid backend environment. This freedom allows for a sense of creativity that can be incredibly rewarding.

2. The Pros of a Fast-Moving Ecosystem

One of the most fascinating aspects of JavaScript is the sheer speed at which it evolves. The ecosystem is a hub of innovation, with a steady stream of new libraries, frameworks, and tools being released and adopted by the community. JavaScript is in a constant state of reinvention, pushing the envelope to make development faster, easier, and more efficient. In contrast with Java, where everything needs to go through a heavier and more complex process to be adopted by users.

For a backend developer, this fast-moving ecosystem is a breath of fresh air. It means there's always something new to learn, whether it's a framework like React, Vue, or a server-side solution like Node.js. The community is constantly experimenting and finding better ways to solve common problems, pushing developers to stay up-to-date with the latest advancements.

3. The Cons: Chaotic, Unstable, and Ever-Changing

However, the pace of JavaScript's evolution also has its downsides. While Java's stability allows developers to build on a reliable foundation, JavaScript’s constant change can make it feel unstable. Frameworks and libraries rise and fall in popularity, sometimes within just a few months, making it challenging to commit to a particular stack or tool for long-term projects.

Coming from a much more stable environment, it's difficult to understand what library or solution you should use to solve a particular problem, and that might increase your anxiety while trying out different approaches.

Constantly Changing Tools: The fast pace of updates and new releases can make JavaScript feel like a moving target. Just when you've mastered one library or framework, a new version or a whole new approach might come along.
Steep Learning Curve for New Tools: With so many options and regular updates, developers are always learning, which can be exhilarating but also overwhelming.
Project Abandonment: It’s not uncommon for tools or libraries to lose community support or be quickly abandoned, which can be risky for production projects that need long-term reliability.
Documentation: Frequently, the documentation is not as deep as I'm used to seeing in Java. That means more exploration and testing until you fully understand how the framework works.

JavaScript’s experimental nature means that while the ecosystem is highly innovative, it can also be unpredictable. Developers may invest time learning a specific tool only to find that it’s no longer relevant or actively supported. It’s a landscape where you need to stay flexible and be prepared to switch gears when necessary.

4. Why Embrace JavaScript’s Vibrancy?

Despite its challenges, JavaScript’s vibrant ecosystem has a lot to offer backend developers. It’s an environment that encourages a different kind of problem-solving, one that’s creative, flexible, and always evolving. Working in JavaScript has made me a more versatile developer. And also, the journey is a lot of fun!

Broader Career Opportunities: JavaScript's popularity across both frontend and backend roles (thanks to frameworks like Node.js) creates career flexibility.
Fresh Perspective on Development: The experience of working in JavaScript provides new insights that can enhance backend development, encouraging a more agile, creative approach.

In the end, the JavaScript ecosystem is a thrilling place to be. It’s unpredictable and sometimes chaotic, but for those who are willing to embrace the changes, it’s also incredibly rewarding. For a backend developer stepping into JavaScript, it’s a journey that promises to challenge, inspire, and expand your horizons—if you’re up for the ride.

Note: Everything said here applies to TypeScript, too. In fact, it’s even wilder and more fun if you choose to go down the TypeScript path.

At Ovianta, we're building a next-generation product for doctors to streamline software for their consultations using NextJS. Follow us on this journey to know more about how we're building.