How life insurance companies in Taiwan comply with compliance management through MongoDB 4.2
Author: Seth Chuang
As an engineer manager at ThinkPower, I assist Taiwanese customers in installing and maintaining MongoDB. One of the customers is one of the largest insurance companies in Taiwan, using MongoDB to store nearly 100 TB of insurance images.
Recently, due to the assessment of security consultants, it is recommended that this system needs to comply with the PCI-DSS specification to avoid internal employees having the right to see high sensitivity data.
Although the Taiwan government does not strictly require companies to meet PCI-DSS, they still oblige insurance companies to evaluate how to encrypt these images.
One of the new features of MongoDB 4.2 is the framework for providing user-level field-level encryption, which prevents the MongoDB server from obtaining encrypted key information. All encryption and decryption are done by the client's driver.
Besides, if you delete the key in the key management system, all data encrypted with that key will not be resolvable.
The following figure illustrates the relationship between the driver and each cryptographic component:
MongoDB 4.2 automatic field encryption is available in the following driver versions:
Python Python (PyMongo) 3.9.0
Although personal information field encryption is complicated and time-consuming, it is our responsibility to improve the security of customer data.