Securing Your Deployment with MongoDB Enterprise Mat Keep Director, MongoDB Product Team [email protected] @matkeep


Page 1: Securing Your Deployment with MongoDB Enterprise

Securing Your Deployment with MongoDB Enterprise

Mat Keep
Director, MongoDB Product Team
[email protected]
@matkeep

Page 2: Securing Your Deployment with MongoDB Enterprise

Agenda

• Data Security Landscape
• Best Practices for Securing MongoDB
• Resources to Get Started

Page 3: Securing Your Deployment with MongoDB Enterprise

Takeaway

• Attacks are happening more frequently. Breaches are getting larger
• Governments are responding with new regulations
• MongoDB feature set and best practices strengthen your defenses

Page 4: Securing Your Deployment with MongoDB Enterprise

The Art Of Securing A System

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.”

Sun Tzu, The Art of War 500 BC

Page 5: Securing Your Deployment with MongoDB Enterprise

117k Security Attacks... PER DAY

PWC: Global State of Information Security

Page 6: Securing Your Deployment with MongoDB Enterprise
Page 7: Securing Your Deployment with MongoDB Enterprise

Security: Largest Skills Deficit

Page 8: Securing Your Deployment with MongoDB Enterprise

Increased Attack Surface Area

• Data growth: 40 trillion GBs (40 ZBs) generated by 2020. 6TB for every person on earth (IDC)
• Technology diversity: Over 280 data stores available.
• High growth threats: nation states, organized crime. Less brute force, more phishing & malware

Page 9: Securing Your Deployment with MongoDB Enterprise

Regulatory Compliance

• Compliance = People + Process + Product
• Multiple standards
  – PCI-DSS, HIPAA, NIST, FISMA, STIG, EU Data Protection Directive, APEC data protection standardization
• Common database requirements
  – Data access controls
  – Data permission
  – Data protection controls
  – Data audit

Page 10: Securing Your Deployment with MongoDB Enterprise

Requirements Define Security Architecture

Page 11: Securing Your Deployment with MongoDB Enterprise

Securing MongoDB

Page 12: Securing Your Deployment with MongoDB Enterprise

Timeline

Plan and design security as early as possible.

Page 13: Securing Your Deployment with MongoDB Enterprise

Designing the Infrastructure

Page 14: Securing Your Deployment with MongoDB Enterprise

Access Control

Design
• Assess sensitivity of the data
• Determine which types of users exist in the system & what they need to do
• Match the users to MongoDB roles. Create any customized roles.

Test
• Enable MongoDB access control
• Create the desired users.

Page 15: Securing Your Deployment with MongoDB Enterprise

Authentication

• Confirming identity for everything accessing the database
• Create unique credentials for each entity
• Multiple options
  – Built-in authentication: challenge/response (SCRAM-SHA-1)
  – x.509 certificates
  – Integration with corporate authentication infrastructure

(Diagram: Application, Reporting and ETL clients, each connecting to the database with its own credentials.)

Page 16: Securing Your Deployment with MongoDB Enterprise

MongoDB Enterprise Authentication

• Kerberos protocol: Linux and Windows, including AD
• LDAP: proxy authentication to an LDAP service
  – LDAP or Active Directory (Windows clients not supported)
  – Use VPN or SSL to encrypt user data between client and server

Page 17: Securing Your Deployment with MongoDB Enterprise

Authorization

• Defines what an entity can do in the database
• Control which actions an entity can perform
• Grant access only to the specific data or commands needed

(Diagram: a user identity issues commands against a resource; authorization sits between them, gating the commands and their responses.)

Page 18: Securing Your Deployment with MongoDB Enterprise

Authorization in MongoDB

Built-in roles
• read, readWrite, dbAdmin, clusterAdmin, root, etc.

User-defined roles
• Customized roles based on existing roles and privileges
• Delegate across teams

Page 19: Securing Your Deployment with MongoDB Enterprise

Authorization: MongoDB Field Level Redaction

• Enables a single document to store data with multiple security levels

Example document (Field Level Access Control):

  {
    _id: 'xyz',
    field1: { level: [ "Confidential" ], data: 123 },
    field2: { level: [ "Top Secret" ], data: 456 },
    field3: { level: [ "Unclassified" ], data: 789 }
  }

User clearances:

• User 1: Confidential, Secret
• User 2: Top Secret, Secret, Confidential
• User 3: Unclassified

Page 20: Securing Your Deployment with MongoDB Enterprise

Redaction in Action

(Animation of the Page 19 example: the same document and the same three users' clearances, with a Redacted marker on the fields the viewing user is not cleared for.)

Page 21: Securing Your Deployment with MongoDB Enterprise

Redaction in Action

(Further frame of the same animation: same document and user clearances as Page 19.)

Page 22: Securing Your Deployment with MongoDB Enterprise

Redaction in Action

(Further frame of the same animation: same document and user clearances as Page 19, with a Redacted marker on the fields the viewing user is not cleared for.)

Page 23: Securing Your Deployment with MongoDB Enterprise

Redaction Implementation
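As an added example (not the slides' own code), the $redact aggregation stage that enforces the Page 19 clearances, plus a small offline model of how the server applies it so the block runs without a mongod. The collection name docs and the user keys user1..user3 are assumed names; the document and clearances are the ones on the slide.

```javascript
// Document from Page 19 of the slides, as a plain JS value.
const SLIDE_DOC = {
  _id: "xyz",
  field1: { level: ["Confidential"], data: 123 },
  field2: { level: ["Top Secret"], data: 456 },
  field3: { level: ["Unclassified"], data: 789 },
};
// Clearances per user, transcribed from the slide (the user keys are assumed names).
const CLEARANCES = {
  user1: ["Confidential", "Secret"],
  user2: ["Top Secret", "Secret", "Confidential"],
  user3: ["Unclassified"],
};
// The pipeline as it would be passed to db.docs.aggregate(...) in the mongo shell.
// A (sub)document with no `level` field is treated as unrestricted: $ifNull substitutes
// the user's own clearance list, so the top-level document (which has no `level`) is
// always entered and only the tagged sub-documents are filtered.
function redactPipeline(userLevels) {
  return [{
    $redact: {
      $cond: {
        if: { $gt: [{ $size: { $setIntersection: [{ $ifNull: ["$level", userLevels] }, userLevels] } }, 0] },
        then: "$$DESCEND", // keep this level; the condition is re-evaluated for each embedded document
        else: "$$PRUNE",   // drop this (sub)document entirely
      },
    },
  }];
}
// Offline model of how the server applies that pipeline, so the example runs without
// a mongod: evaluate the condition at the top level and at every embedded document,
// returning undefined wherever the server would $$PRUNE.
function applyRedact(value, userLevels) {
  if (Array.isArray(value)) {
    return value.map((v) => applyRedact(v, userLevels)).filter((v) => v !== undefined);
  }
  if (value === null || typeof value !== "object") return value; // scalars pass through
  const levels = Array.isArray(value.level) ? value.level : userLevels;
  if (!levels.some((l) => userLevels.includes(l))) return undefined; // $$PRUNE
  const out = {};                                                     // $$DESCEND
  for (const [k, v] of Object.entries(value)) {
    const r = applyRedact(v, userLevels);
    if (r !== undefined) out[k] = r;
  }
  return out;
}
// The view each user gets; viewFor("user3") keeps only field3.
function viewFor(user) {
  return applyRedact(SLIDE_DOC, CLEARANCES[user]);
}
```

Against a live server the same pipeline is run as db.docs.aggregate(redactPipeline(CLEARANCES.user1)); the user's clearance list should come from the authenticated session, never from client input.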

Page 24: Securing Your Deployment with MongoDB Enterprise

Auditing in MongoDB

• Audit log of all actions taken against the database
• Configurable filters (commands, IP, etc) & role-based auditing
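An added example (not from the slides) of what the audit log buys a defender once it is switched on: a few constructed records in the documented JSON shape, parsed and triaged for repeated failed logins and refused commands. It assumes auditing was enabled with a filter that passes authenticate and authCheck events; the hosts, users and namespaces are constructed.

```javascript
// Constructed sample of MongoDB Enterprise audit records (JSON, one per line), following
// the documented record shape: atype, ts, local, remote, users, roles, param, result.
// Result codes: 0 = success, 18 = AuthenticationFailed, 13 = Unauthorized.
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2015-12-01T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":51000},"users":[],"roles":[],"param":{"user":"etl","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-12-01T10:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":51001},"users":[],"roles":[],"param":{"user":"etl","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-12-01T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":51002},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-12-01T10:00:10.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.20","port":40000},"users":[{"user":"reporting","db":"admin"}],"roles":[{"role":"read","db":"sales"}],"param":{"user":"reporting","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2015-12-01T10:00:11.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.20","port":40000},"users":[{"user":"reporting","db":"admin"}],"roles":[{"role":"read","db":"sales"}],"param":{"command":"find","ns":"hr.salaries","args":{"find":"salaries"}},"result":13}',
].join("\n");

// One record per line; blank lines are skipped.
function parseAuditLog(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => JSON.parse(l));
}

// Counts failed authentications per source IP and collects commands the server refused
// (authCheck with result 13): a read-only role touching a namespace it has no grant on
// is exactly what least-privilege roles are meant to surface.
function triage(records, threshold = 3) {
  const failedLogins = {};
  const unauthorized = [];
  for (const r of records) {
    if (r.atype === "authenticate" && r.result !== 0) {
      failedLogins[r.remote.ip] = (failedLogins[r.remote.ip] || 0) + 1;
    } else if (r.atype === "authCheck" && r.result === 13) {
      const who = r.users.length ? `${r.users[0].user}@${r.users[0].db}` : "(unauthenticated)";
      unauthorized.push({ who, command: r.param.command, ns: r.param.ns, ip: r.remote.ip });
    }
  }
  const suspectIps = Object.keys(failedLogins).filter((ip) => failedLogins[ip] >= threshold);
  return { failedLogins, suspectIps, unauthorized };
}

// Runs the triage over the constructed sample.
function triageSample() {
  return triage(parseAuditLog(SAMPLE_AUDIT_LOG));
}
```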

Page 25: Securing Your Deployment with MongoDB Enterprise

Encryption

• Protecting data in-flight & at-rest
  – Connections to database, and between nodes
  – Data stored on disk
  – Mechanisms to sign & rotate keys, store off-server

Page 26: Securing Your Deployment with MongoDB Enterprise

In-Flight Encryption

• SSL/TLS on all connections & utilities
  – Combine with x.509 to authenticate connections
  – FIPS 140-2 mode (MongoDB Enterprise Advanced). Requires OpenSSL library

Page 27: Securing Your Deployment with MongoDB Enterprise

At-Rest Encryption: Current Solutions

1. Encrypt in the application layer
2. Encrypt at the disk or file system level
   – Can add complexity and cost to the deployment

Page 28: Securing Your Deployment with MongoDB Enterprise

New: MongoDB Encrypted Storage Engine

• Integrated encryption natively within the database
• AES 256 + FIPS compliant
• 1 master key per server, 1 key per database
• KMIP or keyfiles
• MongoDB Enterprise 3.2

(Diagram: KMIP appliance alongside the MongoDB server.)

Page 29: Securing Your Deployment with MongoDB Enterprise

MongoDB Ops Manager & Cloud Manager

Operational automation

Monitoring and alerting against 100+ metrics

Advanced point-in-time backups

Functions exposed with a RESTful API

Page 30: Securing Your Deployment with MongoDB Enterprise

Environmental Control

• Network filters: Router ACLs and Firewall
• Bind IP Addresses: limits network interfaces
• Run in VPN
• Dedicated OS user account: don't run as root
• File system permissions: protect data, configuration & keyfiles

Page 31: Securing Your Deployment with MongoDB Enterprise

Putting it all Together

Page 32: Securing Your Deployment with MongoDB Enterprise

Deployments

• Manage data from patient wearables for clinical
• Qualcomm medical device platform, MongoDB & AWS
• HIPAA compliance + EU Data Protection
• MongoDB Enterprise Advanced
  – Encryption, Audit, Point-in-Time recovery

• Multi-tenant SaaS for customers to monitor security appliances
• AWS, MEAN stack
• MongoDB Enterprise Advanced
  – RBAC, Encryption, Audit, Cloud Manager

Page 33: Securing Your Deployment with MongoDB Enterprise

MongoDB Enterprise-Grade Security

Business Need    Security Features
Authentication   SCRAM-SHA-1 challenge/response; x.509 certificates; LDAP* & Kerberos*
Authorization    Built-in roles & RBAC; Field Level Redaction
Auditing         Audit log* (DML & DDL)
Encryption       Network: SSL/TLS (with FIPS 140-2*); Disk: Encrypted Storage Engine* (MongoDB 3.2)

*Requires MongoDB Enterprise

Page 34: Securing Your Deployment with MongoDB Enterprise

Resources to Get Started

• MongoDB Security Architecture Guide & Security Checklist
• Extensive tutorials in the documentation
• MongoDB Enterprise free for evaluation & development

Page 35: Securing Your Deployment with MongoDB Enterprise
Page 36: Securing Your Deployment with MongoDB Enterprise

For More Information

Resource              Location
MongoDB Downloads     mongodb.com/download
Free Online Training  education.mongodb.com
Webinars and Events   mongodb.com/events
White Papers          mongodb.com/white-papers
Case Studies          mongodb.com/customers
Presentations         mongodb.com/presentations
Documentation         docs.mongodb.org
Additional Info       [email protected]

Page 37: Securing Your Deployment with MongoDB Enterprise

Inter-Node Cluster Membership

Server-server authentication
• use shared keyfile
• or x.509 certificates

Page 38: Securing Your Deployment with MongoDB Enterprise

The Most Recent Security Breaches

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/