Securing Your Deployment with MongoDB Enterprise
Mat Keep, Director, MongoDB Product
[email protected], @matkeep
Agenda
• Data Security Landscape
• Best Practices for Securing MongoDB
• Resources to Get Started
Takeaway
• Attacks are happening more frequently. Breaches are getting larger
• Governments are responding with new regulations
• MongoDB feature set and best practices strengthen your defenses
The Art Of Securing A System
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War, 500 BC
117k security attacks... per day
PWC: Global State of Information Security
Security: Largest Skills Deficit
• Data growth: 40 trillion GBs (40 ZBs) generated by 2020. 6 TB for every person on earth (IDC)
• Technology diversity: Over 280 data stores available.
• High growth threats: nation states, organized crime. Less brute force, more phishing & malware
Increased Attack Surface Area
Regulatory Compliance
• Compliance = People + Process + Product
• Multiple standards
  – PCI-DSS, HIPAA, NIST, FISMA, STIG, EU Data Protection Directive, APEC data protection standardization
• Common database requirements
  – Data access controls
  – Data permission
  – Data protection controls
  – Data audit
Requirements Define Security Architecture
Securing MongoDB
Timeline
Plan and design security as early as possible.
Designing the Infrastructure
Access Control
Design
• Assess sensitivity of the data
• Determine which types of users exist in the system & what they need to do
• Match the users to MongoDB roles. Create any customized roles.
Test
• Enable MongoDB access control
• Create the desired users.
Authentication
• Confirming identity for everything accessing the database
• Create unique credentials for each entity
• Multiple options
  – Built-in authentication: challenge/response (SCRAM-SHA-1)
  – x.509 certificates
  – Integration with corporate authentication infrastructure
[Diagram: Application, Reporting and ETL entities each authenticating to MongoDB]
MongoDB Enterprise Authentication
• Kerberos protocol: Linux and Windows, including AD
• LDAP: proxy authentication to an LDAP service
  – LDAP or Active Directory (Windows clients not supported)
  – Use VPN or SSL to encrypt user data between client and server
Authorization
• Defines what an entity can do in the database
• Control which actions an entity can perform
• Grant access only to the specific data or commands needed
[Diagram: a user identity sends commands to a resource and receives responses]
Authorization in MongoDB
Built-in roles
• read, readWrite, dbAdmin, clusterAdmin, root, etc.
User defined roles
• Customized roles based on existing roles and privileges
• Delegate across teams
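The slide says a custom role is built from existing roles and privileges and should grant only what is needed. The JavaScript below is an added example, not code from the slides or from MongoDB: it models how a role's effective privileges are resolved (its own privileges plus those inherited from the roles it lists) and audits a hypothetical custom role against the actions an application actually needs, so that over-broad grants are visible before the role is created with db.createRole(). The role catalog, the "wearableWriter" role and the list of needs are constructed for the example; the built-in "read" role is reduced to a single action for brevity.

```javascript
// Added example, not from the slides: a local model of how MongoDB resolves a
// user-defined role's privileges (its own privileges plus those inherited from
// the roles it lists), used to check a custom role for least privilege before
// it is created with db.createRole(). Role documents use the same shape that
// db.createRole() accepts. The catalog is constructed for this example, and
// the built-in "read" role is trimmed to a single action for brevity.

const ROLE_CATALOG = {
  // Built-in read role on the "clinical" database (actions reduced; the real
  // role grants more read-type actions).
  "read@clinical": {
    role: "read", db: "clinical",
    privileges: [{ resource: { db: "clinical", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  // Hypothetical custom role: writes wearable readings and inherits read.
  "wearableWriter@clinical": {
    role: "wearableWriter", db: "clinical",
    privileges: [{ resource: { db: "clinical", collection: "readings" }, actions: ["insert", "update"] }],
    roles: [{ role: "read", db: "clinical" }],
  },
};

// An empty db or collection in a resource document acts as a wildcard. (Real
// MongoDB additionally excludes system collections from the wildcard; that
// detail is omitted here.)
function resourceMatches(resource, db, collection) {
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === collection;
  return dbOk && collOk;
}

// Flatten a role and everything it inherits into one list of privileges.
function resolvePrivileges(roleName, db, seen = new Set()) {
  const key = `${roleName}@${db}`;
  if (seen.has(key)) return [];            // guard against cyclic role graphs
  seen.add(key);
  const role = ROLE_CATALOG[key];
  if (!role) throw new Error(`unknown role ${key}`);
  const inherited = role.roles.flatMap(r => resolvePrivileges(r.role, r.db, seen));
  return role.privileges.concat(inherited);
}

// Would a holder of this role be allowed to perform `action` on db.collection?
function isAuthorized(roleName, roleDb, db, collection, action) {
  return resolvePrivileges(roleName, roleDb).some(
    p => p.actions.includes(action) && resourceMatches(p.resource, db, collection));
}

// Compare what the role grants against what the application needs. Each need
// is { db, collection, action }. A grant matching a need on exactly the same
// resource is "exact"; one that covers a need on a wider resource is
// "overbroad"; one that no need asks for is "unneeded".
function auditRole(roleName, roleDb, needs) {
  const report = { exact: [], overbroad: [], unneeded: [] };
  for (const p of resolvePrivileges(roleName, roleDb)) {
    for (const action of p.actions) {
      const grant = { resource: p.resource, action };
      const covered = needs.filter(
        n => n.action === action && resourceMatches(p.resource, n.db, n.collection));
      if (covered.length === 0) report.unneeded.push(grant);
      else if (covered.some(n => p.resource.db === n.db && p.resource.collection === n.collection)) report.exact.push(grant);
      else report.overbroad.push(grant);
    }
  }
  return report;
}

// What the hypothetical wearable ingestion service actually does (constructed).
const INGEST_NEEDS = [
  { db: "clinical", collection: "readings", action: "insert" },
  { db: "clinical", collection: "readings", action: "find" },
];

console.log(JSON.stringify(auditRole("wearableWriter", "clinical", INGEST_NEEDS), null, 1));
```

For the constructed role the report flags "update" as unneeded and the inherited "find" on every collection as overbroad; the fix is to drop the inherited role and grant "find" on clinical.readings directly, which is exactly the slide's "grant access only to the specific data or commands needed".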
Authorization: MongoDB Field Level Redaction
Field Level Access Control
• Enables a single document to store data with multiple security levels
Example document:
{ _id: 'xyz', field1: { level: [ "Confidential" ], data: 123 }, field2: { level: [ "Top Secret" ], data: 456 }, field3: { level: [ "Unclassified" ], data: 789 } }
User clearances:
• User 1: Confidential, Secret
• User 2: Top Secret, Secret, Confidential
• User 3: Unclassified
Redaction in Action
(The document and user clearances from the previous slide, with the fields each user cannot see marked "Redacted".)
Redaction: Implementation
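The slides do not show the implementation itself, so the JavaScript below is an added example (not from the slides or from MongoDB's documentation) of field level redaction done with the $redact aggregation stage. redactStage() builds the stage you would pass to db.collection.aggregate() on the server; redact() is a small local re-implementation of the same walk so the behaviour can be checked without a running server. Two assumptions are mine, not the slides': a field is visible when the user holds at least one of the levels in its "level" array, and an embedded document with no "level" field is descended into. Clearances are taken literally from the slide, with no hierarchy between them.

```javascript
// Added example, not from the slides: field level redaction with MongoDB's
// $redact stage, plus a local re-implementation of the same decision walk.
// Assumptions (not stated on the slides): a field is visible if the user
// holds at least one of the levels in its "level" array; a document with no
// "level" field is descended into; clearances carry no hierarchy.

// The document from the slide.
const DOC = {
  _id: "xyz",
  field1: { level: ["Confidential"], data: 123 },
  field2: { level: ["Top Secret"], data: 456 },
  field3: { level: ["Unclassified"], data: 789 },
};

// The users from the slide. Clearances come from the session, never from the
// document being queried.
const USERS = {
  user1: ["Confidential", "Secret"],
  user2: ["Top Secret", "Secret", "Confidential"],
  user3: ["Unclassified"],
};

// Server-side form. $redact re-evaluates the expression at every embedded
// document level: $$DESCEND keeps the current level and recurses, $$PRUNE
// drops it. A missing "level" is replaced by the user's own clearances so the
// root (which carries no level) is descended whenever the user has any
// clearance at all. "level" must be an array wherever it is present.
function redactStage(clearances) {
  return {
    $redact: {
      $cond: {
        if: { $gt: [ { $size: { $setIntersection: [ { $ifNull: ["$level", clearances] }, clearances ] } }, 0 ] },
        then: "$$DESCEND",
        else: "$$PRUNE",
      },
    },
  };
}

// Local equivalent of the walk above. Returns undefined for a pruned subtree.
function redact(value, clearances) {
  if (Array.isArray(value)) {
    return value.map(v => redact(v, clearances)).filter(v => v !== undefined);
  }
  if (value === null || typeof value !== "object") return value;   // scalar: keep
  const levels = Array.isArray(value.level) ? value.level : clearances;
  if (!levels.some(l => clearances.includes(l))) return undefined; // $$PRUNE
  const out = {};                                                   // $$DESCEND
  for (const [key, child] of Object.entries(value)) {
    const kept = redact(child, clearances);
    if (kept !== undefined) out[key] = kept;
  }
  return out;
}

// Top-level fields a user with these clearances would get back.
function visibleFields(doc, clearances) {
  const result = redact(doc, clearances);
  return result === undefined ? [] : Object.keys(result);
}

for (const [name, clearances] of Object.entries(USERS)) {
  console.log(name, visibleFields(DOC, clearances));
  console.log(JSON.stringify(redactStage(clearances)));
}
```

Because $redact runs inside the server, the pruned fields never leave the database, unlike a filter applied in application code after the full document has been fetched. The "level" array is ordinary data, so write access to it has to be restricted with the same roles discussed earlier; otherwise a writer could relabel a field to a level they hold.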
Auditing in MongoDB
• Audit log of all actions taken against the database
• Configurable filters (commands, IP, etc.) & role-based auditing
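An audit log is only useful if something reads it. The JavaScript below is an added example, not from the slides: it parses MongoDB audit events in the JSON file format (one event per line) and runs two detections a defender would want, repeated failed authentications from one remote address and any change to users or roles. The six log lines are constructed for this example; their layout follows the documented audit message fields (atype, ts, local, remote, users, roles, param, result), where result 0 is success and 18 is AuthenticationFailed.

```javascript
// Added example, not from the slides: parse MongoDB audit log lines (JSON
// format, one event per line) and run two detections over them. The events
// below are constructed for this example; field names follow the audit
// message layout (atype, ts, local, remote, users, roles, param, result).
// result 0 is success, 18 is AuthenticationFailed.

const AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2015-11-05T10:00:01Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51000},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-11-05T10:00:02Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51001},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-11-05T10:00:03Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51002},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-11-05T10:00:04Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51003},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-11-05T10:05:00Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":52000},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"grantRolesToUser","ts":{"$date":"2015-11-05T10:05:30Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":52000},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"etl","db":"clinical","roles":[{"role":"readWrite","db":"clinical"}]},"result":0}',
].join("\n");

const AUTHENTICATION_FAILED = 18;

// One JSON document per line; blank lines are skipped.
function parseAuditLog(text) {
  return text.split("\n").filter(l => l.trim() !== "").map(l => JSON.parse(l));
}

// Count failed authentications per remote address.
function failedAuthByRemote(events) {
  const counts = {};
  for (const e of events) {
    if (e.atype !== "authenticate" || e.result !== AUTHENTICATION_FAILED) continue;
    const ip = e.remote ? e.remote.ip : "unknown";
    counts[ip] = (counts[ip] || 0) + 1;
  }
  return counts;
}

// Remote addresses with at least `threshold` failures, sorted for stable output.
function repeatedFailures(events, threshold) {
  const counts = failedAuthByRemote(events);
  return Object.keys(counts).filter(ip => counts[ip] >= threshold).sort();
}

// Event types that change who can do what, or remove data wholesale.
const SENSITIVE_ATYPES = new Set([
  "createUser", "dropUser", "grantRolesToUser", "revokeRolesFromUser",
  "createRole", "updateRole", "dropRole", "dropDatabase", "shutdown",
]);

// Who changed what, from where. `users` is the authenticated actor; `param`
// describes the object acted on (for user changes it carries user and db).
function privilegeChanges(events) {
  return events.filter(e => SENSITIVE_ATYPES.has(e.atype)).map(e => ({
    atype: e.atype,
    actor: e.users.map(u => `${u.user}@${u.db}`).join(",") || "unauthenticated",
    from: e.remote ? e.remote.ip : "unknown",
    target: e.param && e.param.user ? `${e.param.user}@${e.param.db}` : JSON.stringify(e.param),
  }));
}

const events = parseAuditLog(AUDIT_LOG);
console.log("failed auth by remote:", failedAuthByRemote(events));
console.log("repeated failures (>=3):", repeatedFailures(events, 3));
console.log("privilege changes:", privilegeChanges(events));
```

The list in SENSITIVE_ATYPES is also the kind of selection that goes into the server's audit filter (auditLog.filter in the configuration file, the "configurable filters" the slide refers to) when the full log is too noisy to ship to a SIEM; the authentication failures are usually worth keeping unfiltered.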
Encryption
• Protecting data in-flight & at-rest
  – Connections to database, and between nodes
  – Data stored on disk
  – Mechanisms to sign & rotate keys, store off-server
In-Flight Encryption
• SSL/TLS on all connections & utilities
  – Combine with x.509 to authenticate connections
  – FIPS 140-2 mode (MongoDB Enterprise Advanced). Requires OpenSSL library
At-Rest Encryption: Current Solutions
1. Encrypt in the application layer
2. Encrypt at the disk or file system level
   – Can add complexity and cost to the deployment
New: MongoDB Encrypted Storage Engine
• Integrated encryption natively within the database
• AES 256 + FIPS compliant
• 1 master key per server, 1 key per database
• KMIP or keyfiles
• MongoDB Enterprise 3.2
[Diagram: KMIP appliance]
MongoDB Ops Manager & Cloud Manager
• Operational automation
• Monitoring and alerting against 100+ metrics
• Advanced point-in-time backups
• Functions exposed with a RESTful API
Environmental Control
• Network filters: Router ACLs and Firewall
• Bind IP Addresses: limits network interfaces
• Run in VPN
• Dedicated OS user account: don't run as root
• File system permissions: protect data, configuration & keyfiles
Putting it all Together
Deployments
• Manage data from patient wearables for clinical
  – Qualcomm medical device platform, MongoDB & AWS
  – HIPAA compliance + EU Data Protection
  – MongoDB Enterprise Advanced: Encryption, Audit, Point-in-Time recovery
• Multi-tenant SaaS for customers to monitor security appliances
  – AWS, MEAN stack
  – MongoDB Enterprise Advanced: RBAC, Encryption, Audit, Cloud Manager
MongoDB Enterprise-Grade Security
Business Need      Security Features
Authentication     SCRAM-SHA challenge/response; x.509 certificates; LDAP* & Kerberos*
Authorization      Built-in roles & RBAC; field level redaction
Auditing           Audit log* (DML & DDL)
Encryption         Network: SSL/TLS (with FIPS 140-2*); Disk: Encrypted Storage Engine* (MongoDB 3.2)
*Requires MongoDB Enterprise
Resources to Get Started
• MongoDB Security Architecture Guide & Security Checklist
• Extensive tutorials in the documentation
• MongoDB Enterprise free for evaluation & development
For More Information
Resource              Location
MongoDB Downloads     mongodb.com/download
Free Online Training  education.mongodb.com
Webinars and Events   mongodb.com/events
White Papers          mongodb.com/white-papers
Case Studies          mongodb.com/customers
Presentations         mongodb.com/presentations
Documentation         docs.mongodb.org
Additional Info       [email protected]
Inter-Node Cluster Membership
Server-server authentication
• Use shared keyfile
• or x.509 certificates
The Most Recent Security Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/