DOCSP-31167: Amend admonitions about using security mechanisms together (#3523)

* DOCSP-31167: Amend admonitions about using security mechanisms together

* fix text

* edits

* PRR fixes

* PRR fixes

Author: Chris Cho

source/core/csfle/features.txt

@@ -73,7 +73,7 @@ MongoDB and explains their use cases and limitations:
 Role-Based Access Control
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Role-Based Access Control is a security mechanism that 
+Role-Based Access Control is a security mechanism that
 allows administrators to grant and restrict collection-level permissions
 for users. With the appropriate role definition and assignment, this
 solution prevents accidental disclosure of data and access.
@@ -129,9 +129,11 @@ and the potential security vulnerabilities that they address:
 
 .. important:: Use the Mechanisms Together
 
-   To secure a production deployment, you can use multiple security
-   mechanisms discussed in this guide together. However, you cannot use
-   both {+csfle-abbrev+} and {+qe+} to encrypt data in the same collection.
+   To secure a production deployment, use Role-Based Access
+   Control, Encryption at Rest, Transport Encryption, and optionally, the
+   In-Use Encryption security mechanisms together. Please note that you cannot
+   use both {+csfle-abbrev+} and {+qe+} to encrypt different fields in the same
+   collection.
 
    To learn more about {+qe+}, see :ref:`{+qe+} Features <qe-features>`.
 
@@ -188,7 +190,7 @@ Solution
 ~~~~~~~~
 
 MedcoMD uses the following security mechanisms to satisfy their use cases
-and protect against the disclosure of sensitive medical data: 
+and protect against the disclosure of sensitive medical data:
 
 - :ref:`Transport Encryption (TLS/SSL) <csfle-features-transport-encryption>`
   to secure data as it travels over the network.

source/core/queryable-encryption/features.txt

@@ -15,7 +15,7 @@ Features
 Overview
 --------
 
-On this page, you can learn about the security benefits of {+qe+}, 
+On this page, you can learn about the security benefits of {+qe+},
 how it works, and how it compares to other security mechanisms supported
 by MongoDB. You can also view a fictional scenario that demonstrates the
 value of {+qe+} in securing your data.
@@ -30,53 +30,53 @@ encrypt data before transporting it over the network using fully
 randomized encryption, while maintaining queryability.
 Sensitive data is transparently encrypted and decrypted by the client
 and only communicated to and from the server in encrypted form.
-The security guarantees for sensitive fields containing both low 
+The security guarantees for sensitive fields containing both low
 cardinality (low-frequency) data and high cardinality data are identical
 
 Unlike :ref:`Client-Side Field Level Encryption <manual-csfle-feature>`
 that can use :ref:`Deterministic Encryption <csfle-deterministic-encryption>`,
-{+qe+} uses fast, searchable encryption schemes based on `Structured Encryption <https://dl.acm.org/doi/abs/10.1007/978-3-030-77883-5_13>`__. 
+{+qe+} uses fast, searchable encryption schemes based on `Structured Encryption <https://dl.acm.org/doi/abs/10.1007/978-3-030-77883-5_13>`__.
 These schemes produce different encrypted output values even when given
 the same cleartext input.
 
 How {+qe+} Works
 ------------------------------
 
-The diagram below shows the process and architecture of how {+qe+} is 
+The diagram below shows the process and architecture of how {+qe+} is
 used in a customer environment.
 
 .. image:: /images/QE-how-it-works.png
     :alt: How Queryable Encryption works
 
-In this diagram, the user is able to query on fully randomly encrypted 
+In this diagram, the user is able to query on fully randomly encrypted
 data such as SSN number.
 
 The process and mechanisms that make this possible within {+qe+} are as follows:
 
-1. When the application submits the query, MongoDB drivers first analyze 
+1. When the application submits the query, MongoDB drivers first analyze
    the query.
 
-2. The driver recognizes the query is against an encrypted field and 
-   requests the encryption keys from the customer-provisioned key 
+2. The driver recognizes the query is against an encrypted field and
+   requests the encryption keys from the customer-provisioned key
    provider such as:
 
-   - AWS Key Management Service (AWS KMS) 
+   - AWS Key Management Service (AWS KMS)
    - Google Cloud KMS
    - Azure Key Vault
    - Any {+kmip-kms+}
 
-3. The driver submits the query to the MongoDB server with the encrypted 
+3. The driver submits the query to the MongoDB server with the encrypted
    fields rendered as ciphertext.
 
-4. Queryable Encryption implements a fast, searchable scheme that allows 
-   the server to process queries on fully encrypted data, without knowing 
-   anything about the data. The data and the query itself remain encrypted 
+4. Queryable Encryption implements a fast, searchable scheme that allows
+   the server to process queries on fully encrypted data, without knowing
+   anything about the data. The data and the query itself remain encrypted
    at all times on the server.
 
-5. The MongoDB server returns the encrypted results of the query to the 
+5. The MongoDB server returns the encrypted results of the query to the
    driver.
 
-6. The query results are decrypted with the keys held by the driver and 
+6. The query results are decrypted with the keys held by the driver and
    returned to the client and shown as plaintext.
 
 {+qe+} functions with the help of the following data structures. It is critical
@@ -186,17 +186,19 @@ To learn more, see
 Comparison of Features
 ----------------------
 
-The following diagram describes security features MongoDB supports and 
+The following diagram describes security features MongoDB supports and
 the potential security vulnerabilities that they address:
 
 .. image:: /images/QE_Security_Feature_Chart.png
    :alt: Diagram that describes MongoDB security features and the potential vulnerabilities that they address
 
 .. important:: Use the Mechanisms Together
 
-   To secure a production deployment, you can use multiple security
-   mechanisms discussed in this guide together. However, you cannot use
-   both {+csfle-abbrev+} and {+qe+} to encrypt data in the same collection.
+   To secure a production deployment, use Role-Based Access
+   Control, Encryption at Rest, Transport Encryption, and optionally, the
+   In-Use Encryption security mechanisms together. Please note that you cannot
+   use both {+csfle+} and {+qe+} to encrypt different fields in the same
+   collection.
 
    To learn more about {+csfle+}, see :ref:`{+csfle+} Features <csfle-features>`.