Webinar: Securing your data - Mitigating the risks with MongoDB

Securing Your Deployment with MongoDB Enterprise. Mat Keep, Director, MongoDB Product Team, [email protected], @matkeep

Uploaded by mongodb, posted on 09-Feb-2017

Page 1: Webinar: Securing your data - Mitigating the risks with MongoDB

Securing Your Deployment with MongoDB Enterprise

Mat Keep, Director, MongoDB Product Team, [email protected], @matkeep

Page 2

Agenda

• Data Security Landscape
• Best Practices for Securing MongoDB
• Resources to Get Started

Page 3

The Art Of Securing A System

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.”

Sun Tzu, The Art of War, 500 BC

Page 4

The Most Recent Security Breaches

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 5

117k security attacks... per day

Source: PwC, Global State of Information Security

Page 6

Page 7

Security: Largest Skills Deficit

Page 8

Increased Attack Surface Area

• Data growth: 40 trillion GB (40 ZB) generated by 2020, 6 TB for every person on earth (IDC)
• Technology diversity: over 280 data stores available
• High-growth threats: nation states, organized crime. Less brute force, more phishing & malware

Page 9

Regulatory Compliance

• Compliance = People + Process + Product
• Multiple standards
  – PCI-DSS, HIPAA, NIST, FISMA, STIG, EU Data Protection Directive, APEC data protection standardization
• Common database requirements
  – Data access controls
  – Data permission
  – Data protection controls
  – Data audit

Page 10

Requirements Define Security Architecture

Page 11

Securing MongoDB

Page 12

Timeline

Plan and design security as early as possible.

Page 13

Designing the Infrastructure

Page 14

Access Control

Design
• Assess sensitivity of the data
• Determine which types of users exist in the system and what they need to do
• Match the users to MongoDB roles; create any customized roles

Test
• Enable MongoDB access control
• Create the desired users

Page 15

Authentication

• Confirming identity for everything accessing the database
• Create unique credentials for each entity
  – Clients & app servers, admins/devs, management tools, other cluster nodes
• Multiple options
  – Built-in authentication: challenge/response (SCRAM-SHA-1) or x.509 certificates
  – Integration with corporate authentication infrastructure

(Diagram: Application, Reporting and ETL clients, each connecting with its own credentials)

Page 16

MongoDB Enterprise Authentication

• Kerberos protocol: Linux and Windows, including AD
• LDAP: proxy authentication to an LDAP service
  – LDAP or Active Directory (Windows clients not supported)
  – Use VPN or SSL to encrypt user data between client and server

Page 17

Authorization

• Defines what an entity can do in the database
• Control which actions an entity can perform
• Grant access only to the specific data or commands needed

(Diagram: User Identity → Authorization → Resource; Commands and Responses)

Page 18

Authorization in MongoDB

Built-in roles
• read, readWrite, dbAdmin, clusterAdmin, root, etc.

User-defined roles
• Customized roles based on existing roles and privileges
• Delegate across teams

Page 19

Authorization: MongoDB Field Level Redaction

Field Level Access Control

Sample document:

{
  _id: 'xyz',
  field1: { level: [ "Confidential" ], data: 123 },
  field2: { level: [ "Top Secret" ], data: 456 },
  field3: { level: [ "Unclassified" ], data: 789 }
}

User clearances:
• User 1: Confidential, Secret
• User 2: Top Secret, Secret, Confidential
• User 3: Unclassified

• Enables a single document to store data with multiple security levels

Page 20

Redaction in Action

Same document and user clearances as on Page 19; fields tagged with a level the user does not hold are redacted from the result.

Page 21

Redaction in Action (animation step, same content as Page 20)

Page 22

Redaction in Action (animation step, same content as Page 20)
Page 23

Redaction Implementation
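An added example, not part of the deck, showing how the field-level redaction on the preceding slides is expressed with MongoDB's $redact aggregation stage, using the slide's document shape. The sample document, the clearance sets and the offline evaluator (redactLocally) are constructed here; redactPipeline builds the stage exactly as it would be sent to MongoDB.

```javascript
// Constructed sample document, shaped like the one on the slide: every tagged
// sub-document carries a `level` array naming the clearance(s) it requires.
const sampleDoc = {
  _id: "xyz",
  field1: { level: ["Confidential"], data: 123 },
  field2: { level: ["Top Secret"], data: 456 },
  field3: { level: ["Unclassified"], data: 789 },
};

// The $redact stage as it would run in MongoDB. A (sub)document is kept and its
// children examined ($$DESCEND) only when all of its `level` tags are held by the
// caller; otherwise the whole (sub)document is dropped ($$PRUNE). A document with
// no `level` field (such as the root) requires nothing.
function redactPipeline(userClearance) {
  return [{
    $redact: {
      $cond: {
        if: { $setIsSubset: [{ $ifNull: ["$level", []] }, userClearance] },
        then: "$$DESCEND",
        else: "$$PRUNE",
      },
    },
  }];
}

// Offline evaluator with the same rule: prune when any required tag is missing,
// otherwise copy the document and recurse into embedded documents (arrays and
// scalars are copied unchanged). Returns undefined for a pruned document.
function redactLocally(doc, userClearance) {
  const required = Array.isArray(doc.level) ? doc.level : [];
  if (!required.every((tag) => userClearance.includes(tag))) return undefined;
  const kept = {};
  for (const [key, value] of Object.entries(doc)) {
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const sub = redactLocally(value, userClearance);
      if (sub !== undefined) kept[key] = sub;
    } else {
      kept[key] = value;
    }
  }
  return kept;
}

// Constructed clearance sets: an analyst holding three levels (no Top Secret)
// and a reader holding only Unclassified.
const analystView = redactLocally(sampleDoc, ["Unclassified", "Confidential", "Secret"]);
const publicView = redactLocally(sampleDoc, ["Unclassified"]);
console.log(JSON.stringify(analystView), JSON.stringify(publicView));
```

Running the real pipeline is `db.docs.aggregate(redactPipeline(clearances))`; the offline evaluator only covers embedded documents, whereas $$DESCEND in MongoDB also evaluates documents nested inside arrays.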

Page 24

Auditing in MongoDB

• Audit log of all actions taken against the database
• DDL & DML
• Configurable filters (commands, IP, etc.) & role-based auditing
• Write log to multiple destinations in JSON or BSON

Page 25

Encryption

• Protecting data in-flight & at-rest
  – Connections to the database, and between nodes
  – Data stored on disk: protecting against attacks targeting the database, OS or physical storage
  – Mechanisms to sign & rotate keys, store off-server
  – FIPS-compliant cryptography

Page 26

In-Flight Encryption

• SSL/TLS on all connections & utilities
  – Mix with non-SSL on the same port
  – Combine with x.509 to authenticate connections
  – FIPS 140-2 mode (MongoDB Enterprise Advanced); requires the OpenSSL library

Page 27

At-Rest Encryption: Current Solutions

• Encrypt in the application layer
• Encrypt at the disk or file system level
  – Commercial solutions: Vormetric or IBM Guardium
  – OS-level solutions: LUKS or BitLocker
  – Adds complexity and cost to the deployment

Page 28

New: MongoDB Encrypted Storage Engine

• Integrated encryption natively within the database
• AES-256, FIPS compliant
• 1 master key per server, 1 key per database; rolling restarts for key rotation
• Compatible with a KMIP appliance, or use self-managed keyfiles
• Hardware acceleration with Intel AES-NI
• Requires WiredTiger; compatible with compression
• MongoDB Enterprise 3.2

(Diagram: KMIP appliance)

Page 29

MongoDB Ops Manager & Cloud Manager

• Operational automation
• Monitoring and alerting against 100+ metrics
• Alerts against internet-exposed instances (Cloud Manager)
• Advanced backup features: point-in-time backups of replica sets and cluster-wide snapshots of sharded clusters
• RESTful API to integrate with monitoring or orchestration tools you already use

Page 30

Environmental Control

• Network filters: router ACLs and firewall
• Bind IP addresses: limits network interfaces
• Run in VPN
• Dedicated OS user account: don't run as root
• File system permissions: protect data, configuration & keyfiles

Page 31

Putting it all Together

Page 32

Deployments

• Manage clinical trials for the pharma industry
• Ingesting billions of data points from patient wearables
• Qualcomm medical device platform, MongoDB & AWS
• HIPAA compliance + EU Data Protection
• MongoDB Enterprise Advanced
  – Encryption, Audit, Point-in-Time recovery

• Multi-tenant SaaS for customers to monitor security appliances
• AWS, MEAN stack
• Database per tenant
• MongoDB Enterprise Advanced
  – RBAC, Encryption, Audit, Cloud Manager

Page 33

MongoDB Enterprise-Grade Security

Business Need | Security Features
Authentication | SCRAM-SHA challenge/response; x.509 certificates; LDAP* & Kerberos*
Authorization | Built-in roles & RBAC; Field Level Redaction
Auditing | Audit Log* (DML & DDL)
Encryption | Network: SSL/TLS (with FIPS 140-2*); Disk: Encrypted Storage Engine* (MongoDB 3.2)

* Requires MongoDB Enterprise

Page 34

Resources to Get Started

• MongoDB Security Architecture Guide & Security Checklist
• Extensive tutorials in the documentation
• MongoDB Enterprise free for evaluation & development

Page 35

Page 36

For More Information

Resource | Location
MongoDB Downloads | mongodb.com/download
Free Online Training | education.mongodb.com
Webinars and Events | mongodb.com/events
White Papers | mongodb.com/white-papers
Case Studies | mongodb.com/customers
Presentations | mongodb.com/presentations
Documentation | docs.mongodb.org
Additional Info | [email protected]

Page 37

Inter-Node Cluster Membership

Server-server authentication
• Use a shared keyfile
• or x.509 certificates