SlideShare a Scribd company logo

SSecuring Your MongoDB Deployment

Download as PPTX, PDF
MongoDB, profile picture
MongoDB

The document outlines strategies for securing a MongoDB deployment, emphasizing access control, data protection, and auditing. Key components include enabling authentication, configuring roles, encrypting data in transit and at rest, and utilizing audit logs to track security events. It also provides essential tips for designing and implementing a secure MongoDB environment.

Technology
1 of 29
Downloaded 37 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Securing Your MongoDB Deployment Andreas Nilsson Lead Security Engineer, MongoDB
The Art of Securing a System “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu, The Art of War 500 BC
Securing the Application: Agenda Securing a Database Access Control Data Protection Auditing
How can we make data accessible securely?
Timeline Plan and design security as early as possible. Design Implement Test Deploy YES! NO!
Designing the Infrastructure
Access Control Configure Authentication and Authorization. Design Implement Test Deploy
MongoDB configuration Authentication -Who are you in MongoDB? • Application user, administrator, backup job, monitoring agent. Authorization -What can you do in MongoDB? • CRUD operations, configure the database, manage sharding, user management.
Enable Authentication Built-in authentication methods • Password challenge response • x.509 certificates Or integrate with existing authentication infrastructure
Enable Access Control Design • Determine which types of users exist in the system. • Match the users to MongoDB roles. Create any customized roles. Deployment • Start/restart MongoDB with access control enabled. • Create the desired users.
Role Based Access Control Builtin roles • read, readWrite, dbAdmin, clusterAdmin, root, etc.. User defined roles • Customized roles based on existing roles and privileges.
Internal Authentication Server-server authentication use shared keyfile or x.509.
Sharding, upgrading and other fancy topics Users in a sharded system • live on the config servers, not the query routers (mongos) • local shard (replica set) users can still exist Users in 2.4 • located in different DBs and in a different format than: Users in >= 2.6 • all reside in the admin DB and hence are always replicated.
Field Level Redaction - $redact $redact • New aggregation framework operator • Conditionally filter user documents Use cases • Implement user-based document level, content filtering. • Create egress filter, redacting sensitive information.
Access Control - Field Level Redaction Note: Need to understand the application better
Data Protection Encrypting data in transit (SSL) and data at rest. Design Implement Test Deploy
Data Protection End to End
Transport Encryption with SSL • Possible to protect client-server, server-server communications with SSL. • Support for commercially and internally issued x.509 certificates • Possible to run the server in FIPS 140-2 mode. • Support for mixed SSL and non-SSL clusters. • Self-signed certificates provides no trust! • Omitting to provide a CA file to MongoDB disables validation!
Data Protection - Transport Encryption Encrypt communications (SSL) Authenticate connections (x.509)
Data Protection - Encryption at rest Alternatives • Encrypt data client side • Use partner or independent solution for file and OS level encryption
Security Auditing
The Audit Log • Security events can be written to either the console, the syslog or a file (JSON/BSON) • By default, all security events are written to audit log when enabled. • Events include Authentication failures and some commands. • Access control is not required for auditing. • They are separate components.
Audit Log Properties • Can filter based off of different criteria – Action Type, TimeFrame, IP Address/Port, Users • Events Have Total Order Per Connection • Audit Guarantees (AKA Writes/config) – Audit event written to disk BEFORE writing to the journal – A write will not complete before it has been audited
Some final tips…
Some tips along the way… 1. Do not directly expose database servers to the Internet 2. Design and configure access control 3. Enable SSL 4. Provide SSL CA files to the client and server as trust base 5. Disable any unnecessary interfaces 6. Lock down database files and minimize account privileges
What did we talk about? Securing a Database Access Control Data Protection Auditing
The Art of Securing a System “All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” Sun Tzu, The Art of War 500 BC
Next steps • MongoDB Security Manual - http://docs.mongodb.org/manual/core/security-introduction/ • MongoDB Security Whitepaper - http://info.mongodb.com/rs/mongodb/images/MongoDB_Security_Archi tecture_WP.pdf
Thank You Andreas Nilsson Lead Security Engineer, MongoDB

More Related Content

PDF
Microsoft Azure Security Infographic
Microsoft Azure
 
PDF
Creating a Single View Part 3: Securing Your Deployment
MongoDB
 
PPTX
Webinar: Creating a Single View: Securing Your Deployment
MongoDB
 
ODP
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Bijay Senihang
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
PPTX
Tdswe 1810 learn how to create a secure and modern windows device
Per Larsen
 
PPTX
Server 2008 Project
wsolomoniv
 
PDF
Hacker techniques for bypassing existing antivirus solutions & how to build a...
BeyondTrust
 
Microsoft Azure Security Infographic
Microsoft Azure
 
Creating a Single View Part 3: Securing Your Deployment
MongoDB
 
Webinar: Creating a Single View: Securing Your Deployment
MongoDB
 
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Bijay Senihang
 
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
Tdswe 1810 learn how to create a secure and modern windows device
Per Larsen
 
Server 2008 Project
wsolomoniv
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
BeyondTrust
 

What's hot (18)

PDF
Azure Penetration Testing
Cheah Eng Soon
 
PDF
20 common security vulnerabilities and misconfiguration in Azure
Cheah Eng Soon
 
PPTX
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
PDF
Implementing ossec
Jeronimo Zucco
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PPTX
Introduction to WSO2 Microservices Framework for Java - MSF4J - WSO2Con Asia ...
Afkham Azeez
 
PDF
CNIT 128 3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PPTX
Oracle plsql code refactoring - from anonymous block to stored procedure
Carlos Oliveira
 
PPTX
WSO2ConUS 2015 - Introduction to WSO2 Microservices Server (MSS)
Afkham Azeez
 
PPT
Network Implementation and Support Lesson 14 Security Features - Eric Vande...
Eric Vanderburg
 
PDF
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
PDF
CNIT 123 Ch 8: OS Vulnerabilities
Sam Bowne
 
PDF
The Dark Side of PowerShell by George Dobrea
EC-Council
 
PPTX
Kåre Rude Andersen - Create a scombot – automate and monitor azure
Nordic Infrastructure Conference
 
PDF
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
Vincent Giersch
 
PDF
Sami laiho - What's new in windows 8.1
Nordic Infrastructure Conference
 
PDF
Fuzzing and You: Automating Whitebox Testing
NetSPI
 
PDF
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Azure Penetration Testing
Cheah Eng Soon
 
20 common security vulnerabilities and misconfiguration in Azure
Cheah Eng Soon
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
Implementing ossec
Jeronimo Zucco
 
Ch 6: Attacking Authentication
Sam Bowne
 
Introduction to WSO2 Microservices Framework for Java - MSF4J - WSO2Con Asia ...
Afkham Azeez
 
CNIT 128 3. Attacking iOS Applications (Part 2)
Sam Bowne
 
Oracle plsql code refactoring - from anonymous block to stored procedure
Carlos Oliveira
 
WSO2ConUS 2015 - Introduction to WSO2 Microservices Server (MSS)
Afkham Azeez
 
Network Implementation and Support Lesson 14 Security Features - Eric Vande...
Eric Vanderburg
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
CNIT 123 Ch 8: OS Vulnerabilities
Sam Bowne
 
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Kåre Rude Andersen - Create a scombot – automate and monitor azure
Nordic Infrastructure Conference
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
Vincent Giersch
 
Sami laiho - What's new in windows 8.1
Nordic Infrastructure Conference
 
Fuzzing and You: Automating Whitebox Testing
NetSPI
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Ad

Viewers also liked (14)

PPTX
Ops Jumpstart: MongoDB Administration 101
MongoDB
 
PPTX
Indexing In MongoDB
Kishor Parkhe
 
PPTX
Replication and Replica Sets
MongoDB
 
PDF
Mongo db security guide
Deysi Gmarra
 
PPTX
MongoDB 2.4 Security Features
MongoDB
 
PPTX
Securing Your MongoDB Deployment
MongoDB
 
PPTX
MongoDB in a Mainframe World
MongoDB
 
PPTX
Securing Your MongoDB Implementation
MongoDB
 
PPT
Mongo Performance Optimization Using Indexing
Chinmay Naik
 
PDF
Phplx mongodb
JoaquimSerafim
 
PPTX
Webinar: Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
PPTX
Webinar: MongoDB 2.6 New Security Features
MongoDB
 
PPTX
Webinar: Performance Tuning + Optimization
MongoDB
 
PDF
MongoDB Administration 101
MongoDB
 
Ops Jumpstart: MongoDB Administration 101
MongoDB
 
Indexing In MongoDB
Kishor Parkhe
 
Replication and Replica Sets
MongoDB
 
Mongo db security guide
Deysi Gmarra
 
MongoDB 2.4 Security Features
MongoDB
 
Securing Your MongoDB Deployment
MongoDB
 
MongoDB in a Mainframe World
MongoDB
 
Securing Your MongoDB Implementation
MongoDB
 
Mongo Performance Optimization Using Indexing
Chinmay Naik
 
Phplx mongodb
JoaquimSerafim
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
Webinar: MongoDB 2.6 New Security Features
MongoDB
 
Webinar: Performance Tuning + Optimization
MongoDB
 
MongoDB Administration 101
MongoDB
 
Ad

Similar to SSecuring Your MongoDB Deployment (20)

PPTX
Securing Your MongoDB Deployment
MongoDB
 
PPTX
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
PPTX
Securing Your Deployment with MongoDB Enterprise
MongoDB
 
PPTX
MongoDB Days UK: Securing Your Deployment with MongoDB Enterprise
MongoDB
 
PDF
Achieving compliance With MongoDB Security
Mydbops
 
PPTX
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
PPTX
Securing Your MongoDB Deployment
MongoDB
 
PPTX
Percona Live 2021 - MongoDB Security Features
Jean Da Silva
 
PPTX
Security Features in MongoDB 2.4
MongoDB
 
PPTX
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB
 
PPTX
It's a Dangerous World
MongoDB
 
PPTX
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
MongoDB
 
PDF
Mongo db 2.6_security_architecture
Mat Keep
 
PDF
MongoDB World 2019: MongoDB Atlas Security 101 for Developers
MongoDB
 
PPTX
Beyond the Basics 4 MongoDB Security and Authentication
MongoDB
 
PPTX
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB
 
PPTX
Beyond the Basics 4: How to secure your MongoDB database
MongoDB
 
PPTX
Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
PDF
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB
 
PDF
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB
 
Securing Your MongoDB Deployment
MongoDB
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
Securing Your Deployment with MongoDB Enterprise
MongoDB
 
MongoDB Days UK: Securing Your Deployment with MongoDB Enterprise
MongoDB
 
Achieving compliance With MongoDB Security
Mydbops
 
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
Securing Your MongoDB Deployment
MongoDB
 
Percona Live 2021 - MongoDB Security Features
Jean Da Silva
 
Security Features in MongoDB 2.4
MongoDB
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB
 
It's a Dangerous World
MongoDB
 
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
MongoDB
 
Mongo db 2.6_security_architecture
Mat Keep
 
MongoDB World 2019: MongoDB Atlas Security 101 for Developers
MongoDB
 
Beyond the Basics 4 MongoDB Security and Authentication
MongoDB
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB
 
Beyond the Basics 4: How to secure your MongoDB database
MongoDB
 
Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB
 
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB
 

More from MongoDB (20)

PDF
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB
 
PDF
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
PDF
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB
 
PDF
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB
 
PDF
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB
 
PDF
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB
 
PDF
MongoDB SoCal 2020: MongoDB Atlas Jump Start
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
PDF
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB
 
PDF
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB
 
PDF
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB
 
PDF
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB
 
PDF
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB
 
PDF
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB
 
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB
 
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB
 
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB
 
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB
 
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB
 
MongoDB SoCal 2020: MongoDB Atlas Jump Start
MongoDB
 
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB
 
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB
 
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB
 
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB
 
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB
 
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB
 
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB
 
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB
 
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB
 
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A Presentation on Artificial Intelligence
memembruh336
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Cloud computing and distributed systems.
kkkkkhan
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Approach and Philosophy of On baking technology
30anthuong17
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KodekX | Application Modernization Development
KodekX
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 

SSecuring Your MongoDB Deployment

  • 1. Securing Your MongoDB Deployment Andreas Nilsson Lead Security Engineer, MongoDB
  • 2. The Art of Securing a System “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu, The Art of War 500 BC
  • 3. Securing the Application: Agenda Securing a Database Access Control Data Protection Auditing
  • 4. How can we make data accessible securely?
  • 5. Timeline Plan and design security as early as possible. Design Implement Test Deploy YES! NO!
  • 7. Access Control Configure Authentication and Authorization. Design Implement Test Deploy
  • 8. MongoDB configuration Authentication -Who are you in MongoDB? • Application user, administrator, backup job, monitoring agent. Authorization -What can you do in MongoDB? • CRUD operations, configure the database, manage sharding, user management.
  • 9. Enable Authentication Built-in authentication methods • Password challenge response • x.509 certificates Or integrate with existing authentication infrastructure
  • 10. Enable Access Control Design • Determine which types of users exist in the system. • Match the users to MongoDB roles. Create any customized roles. Deployment • Start/restart MongoDB with access control enabled. • Create the desired users.
  • 11. Role Based Access Control Builtin roles • read, readWrite, dbAdmin, clusterAdmin, root, etc.. User defined roles • Customized roles based on existing roles and privileges.
  • 12. Internal Authentication Server-server authentication use shared keyfile or x.509.
  • 13. Sharding, upgrading and other fancy topics Users in a sharded system • live on the config servers, not the query routers (mongos) • local shard (replica set) users can still exist Users in 2.4 • located in different DBs and in a different format than: Users in >= 2.6 • all reside in the admin DB and hence are always replicated.
  • 14. Field Level Redaction - $redact $redact • New aggregation framework operator • Conditionally filter user documents Use cases • Implement user-based document level, content filtering. • Create egress filter, redacting sensitive information.
  • 15. Access Control - Field Level Redaction Note: Need to understand the application better
  • 16. Data Protection Encrypting data in transit (SSL) and data at rest. Design Implement Test Deploy
  • 18. Transport Encryption with SSL • Possible to protect client-server, server-server communications with SSL. • Support for commercially and internally issued x.509 certificates • Possible to run the server in FIPS 140-2 mode. • Support for mixed SSL and non-SSL clusters. • Self-signed certificates provides no trust! • Omitting to provide a CA file to MongoDB disables validation!
  • 19. Data Protection - Transport Encryption Encrypt communications (SSL) Authenticate connections (x.509)
  • 20. Data Protection - Encryption at rest Alternatives • Encrypt data client side • Use partner or independent solution for file and OS level encryption
  • 22. The Audit Log • Security events can be written to either the console, the syslog or a file (JSON/BSON) • By default, all security events are written to audit log when enabled. • Events include Authentication failures and some commands. • Access control is not required for auditing. • They are separate components.
  • 23. Audit Log Properties • Can filter based off of different criteria – Action Type, TimeFrame, IP Address/Port, Users • Events Have Total Order Per Connection • Audit Guarantees (AKA Writes/config) – Audit event written to disk BEFORE writing to the journal – A write will not complete before it has been audited
  • 25. Some tips along the way… 1. Do not directly expose database servers to the Internet 2. Design and configure access control 3. Enable SSL 4. Provide SSL CA files to the client and server as trust base 5. Disable any unnecessary interfaces 6. Lock down database files and minimize account privileges
  • 26. What did we talk about? Securing a Database Access Control Data Protection Auditing
  • 27. The Art of Securing a System “All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” Sun Tzu, The Art of War 500 BC
  • 28. Next steps • MongoDB Security Manual - http://docs.mongodb.org/manual/core/security-introduction/ • MongoDB Security Whitepaper - http://info.mongodb.com/rs/mongodb/images/MongoDB_Security_Archi tecture_WP.pdf
  • 29. Thank You Andreas Nilsson Lead Security Engineer, MongoDB

Editor's Notes

  • #3: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #4: Common process, tooling and management across the data lifecycle from ingestion to presentation Ensuring data provenance Supporting repeatable transformation processes Enabling reliable access for real-time query and reporting
  • #5: Common process, tooling and management across the data lifecycle from ingestion to presentation Ensuring data provenance Supporting repeatable transformation processes Enabling reliable access for real-time query and reporting
  • #6: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #8: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #9: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #10: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #11: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #12: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #13: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #14: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #15: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #16: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #17: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #19: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #20: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #21: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #22: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #26: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #27: Common process, tooling and management across the data lifecycle from ingestion to presentation Ensuring data provenance Supporting repeatable transformation processes Enabling reliable access for real-time query and reporting
  • #28: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
  • #29: Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?