SlideShare ist ein Scribd-Unternehmen logo

Percona Live 2021 - MongoDB Security Features

Als PPTX, PDF herunterladen
J
Jean Da Silva

When we speak about security, the actual reality is that companies need to comply with multiples frameworks and regulations, and assessing which rules apply to each organization is no easy feat. Over the talk, we will revisit the security feature we can implement in the #MongoDB environment. The aim is to provide further information on what you can use to help your company with future security implementations. The topics presented will be: * Authentication * Authorization * TLS/SSL * External Authentication * Auditing * Log Redaction * Encryption – Data at Rest and Client Field Encryption. Speaker: Jean da Silva – Percona

Technologie
1 von 57
MongoDB Security Features
Hello! I am Jean da Silva Support Engineer at Percona, student of Database Engineering and Big Data, likes to watch F1 in free time. You can find me at linkedin.com/in/jenunes 3
Agenda • Authorization and Authentication • External Authentication • TLS/SSL • Auditing • Log Redaction • Encryption – Data at Rest and Client Field Encryption 4
“ 5 Objective
6 [1] - The biggest and most impactful data breaches of 2016 [2] - The seven most colossal data breaches of 2017 [3] - Top 10 Biggest Data Breaches in 2018 [4] - The 5 biggest data hacks of 2019 [5] - The top 10 biggest data breaches of 2020 Top 5 only
7 # Where and how to store data. storage: dbPath: /var/lib/mongo journal: enabled: true # where to write logging data. systemLog: destination: file logAppend: true path: /var/log/mongo/mongod.log processManagement: fork: true pidFilePath: /var/run/mongod.pid # network interfaces net: port: 27017 bindIp: 127.0.0.1
“ 8 Authorization and Authentication TLS/SSL Encryption Auditing Log Redaction External Authenti cation
1. Authorization and Authentication
● Authentication is the process to verify the identity of a user. ● Authorization(A.k.a Access Control) determines the verified user's access to resources and operations. By default, Authorization is not enabled; we need to configure and create the root user as the first step for a secure environment. Enabling Authorization on a MongoDB deployment enforces authentication, requiring users to identify themselves. Some Definitions First:
11 > insert Who is Interested in the Default Configuration?
12 mongo> use admin mongo> db.createUser( { user: "myUserAdmin", pwd: passwordPrompt(), // or cleartext password roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ] } ) Enabling Authorization and Enforcing Authentication • Within an instance without authorization:
mongod --auth --port 27017 --dbpath /var/lib/mongodb 13 - If you start the mongod from the command line, add the --auth command line option: - If you start the mongod using a configuration file, add the security.authorization in configuration file setting: security: authorization: enabled Starting mongod with Access Control Enabled:
14 db: foo role:dbAdmin db:admin clusterMonitor db:mydb role:read
“ 15 How Does it Work for a ReplicaSet or Sharded Cluster?
Enforcing Access Control on a ReplicaSet or Sharded Cluster Requires: ● Security between connecting clients and the cluster using User Access Controls. ● Security between components of the cluster using Internal Authentication. 16
17 Internal/Membership Authentication Keyfile(SCRAM) or x.509 Keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments, x.509 certificates is recommended. Enforcing internal authentication also enforces user access control.
18 { "t":{ "$date":"2021-04-17T23:06:17.487+00:00" }, "s":"I", "c":"ACCESS", "id":20250, "ctx":"conn49", "msg":"Successful authentication", "attr":{ "mechanism":"SCRAM-SHA-256", "principalName":"__system", "authenticationDatabase":"local", "client":"127.0.0.1:34354" } }
2. External Authentication
● Normal Client Authentication – SCRAM(default) or x.509 ● Internal Member Authentication – Keyfile(SCRAM) or x.509 ● External Authentication – LDAP / ActiveDirectory or Kerberos Overview - Authentications
21 Overview - Benefits • Ability to maintain all users in one place • Automated policy enforcement • Password length, complexity • Password expiration • Account expiration • Failed attempts lockout
22 Enterprise Authentication - Percona Server for MongoDB Sandra Romanchenko - QA Engineer @Percona
“ Is the External Authentication an Enterprise feature? 23
Starting from release 4.2.6-6
3. TLS/SSL Transport Encryption
• TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB's network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client. Overview • TLS/SSL encryption only allows use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections MongoDB traffic is not encrypted until you create a set of TLS/SSL certificates and keys and apply them in the mongod and mongos configuration files of your entire cluster (or non-sharded replica set).
27 01:36:02.739623 IP 127.0.0.1.3017 > 127.0.0.1.42924: Flags [P.], seq 2605:3215, ack 763, win 1035, options [nop,nop,TS val 36825751 ecr 36825751], length 610 E....;@.@.^$................D.i;........... .1...1..b....3...............I....cursor......firstBatch.|....0.z...._id.`~/*j7W3.s.e.item.....canva s..qty.......Y@.tags......0.....cotton...size.'....h.......<@.w.......A@.uom.....cm....1.z...._id.`~ /.#A..0....item.....canvas..qty.......Y@.tags......0.....cotton...size.'....h.......<@.w.......A@.uo m.....cm....2.z...._id.`~0.#A..0....item.....canvas..qty.......Y@.tags......0.....cotton...size.'... .h.......<@.w.......A@.uom.....cm.....id..........ns.....percona.inventory...ok........?.$clusterTim e.X....clusterTime......0~`.signature.3....hash...........................keyId............operation Time......0~`..................... mongo> use foo switched to db foo mongo>db.inventory.insertOne( { item: "canvas", qty: 100, tags: ["cotton"], size: { h: 28, w: 35.5, uom: "cm" } } ) • Tcpdump on mongod port: Network Traffic Encryption - OFF
28 Certificate Management Important For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. Although you can use self-made certificates, it is not recommended in production deployments. • Using an external certificate authority or making a new root certificate just for these MongoDB clusters • If you are using it just for the internal system authentication between mongod and mongos nodes, or if you are enabling TLS for clients too
29 Value Description disabled The server does not use TLS. allowTLS Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS. preferTLS Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS. requireTLS The server uses and accepts only TLS encrypted connections. Network Traffic Encryption • net.ssl.mode
4. Auditing
The auditing allows administrators and users to track system activity for deployments with multiple users and applications. • Console • Syslog • JSON file • BSON file Overview The audit feature is available on • MongoDB Enterprise ✓ • Percona Server for MongoDB ✓
32 Audit Events: Once enabled, the auditing system can record the following operations: • Schema changes (DDL operations); • Topology changes on ReplicaSet and Sharded Cluster; • Authentication failures and successes; • Authorization changes, and failures; • CRUD operations (requires auditAuthorizationSuccess set to true). Important Enabling the auditAuthorizationSuccess parameter heavily impacts the performance compared to logging only authorization failures.
33 auditLog: destination: file format: JSON path: /var/log/mongo/audit.json Configuring Auditing • On configuration file: mongod --dbpath data/db --auditDestination file --auditFormat JSON -- auditPath /var/log/mongo/audit.json • On mongod for command line:
34 { "atype" : "authCheck", "ts" : { "$date" : "2021-04-20T05:00:04.477+00:00" }, "local" : { "ip" : "127.0.0.1", "port" : 37017 }, "remote" : { "ip" : "127.0.0.1", "port" : 39430 }, "users" : [], "roles" : [], "param" : { "command" : "insert", "ns" : "test.products", "args" : { "insert" : "products", "ordered" : false, "lsid" : { "id" : { "$binary" : "ZE6Bwd20S7iMEOXhT+vbzQ==", "$type" : "04" } }, "$db" : "test" } }, "result" : 0 } auditLog: destination: file format: JSON path: /var/log/mongo/audit.json filter: '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }' Configuring Auditing Filters • Audit log:
5. Log Redaction
• Redacts any message accompanying a given log event before logging. Overview The redact feature is available on • MongoDB Enterprise ✓ • Percona Server for MongoDB ✓ • Prevents the mongod or mongos from writing potentially sensitive data stored on the database to the diagnostic log. • Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs.
37 […] query","attr":{"type":"command","ns":"test.clients","appName":"MongoDB Shell","command":{"insert":"###","ordered":"###","lsid":{"id":"###"},"$db ´[…] Configuring Log Redaction Enable log redaction by adding the following to the configuration file: security: redactClientLogData: true db.adminCommand( { setParameter: 1, redactClientLogData : true }) To enable log redaction at runtime, use the setParameter command:
6. Encryption - Data at Rest and Client Field Encryption
• Available for the WiredTiger Storage Engine only. • All databases are encrypted when encryption is enabled, it includes admin database. • Support AES256-CBC(default) and AES256-GCM as cipher mode. • Encryption is not a part of replication; master keys and database keys are not replicated, and data is not natively encrypted over the wire. Overview – Data At Rest Encryption Tip Encryption at rest, when used in conjunction with transport encryption(TLS/SSL) and good security policies. It can help ensure compliance with security and privacy standards, including HIPAA, PCI-DSS, and FERPA.
41 Supported Key Management • Local key management using a keyfile: MongoDB Enterprise and Percona Server for MongoDB • Integration with an external key server – HashiCorp Vault: Percona Server for MongoDB • Integration with KMIP server for key management: MongoDB Enterprise
“ Do I need a separate master key for each member in a replica set or sharded cluster? 42
“ How would I recover the database if I lose its master key? 43
Overview – Client-Side Field Encryption • New in version 4.2. Applications can encrypt fields in documents prior to transmitting data over the wire to the server. • Only applications with access to the correct encryption keys can decrypt and read the protected data. • Deleting an encryption key renders all data encrypted using that key as permanently unreadable. X+4kl233rdd
45 MongoDB provides two methods of Field Encryption: • Automatic Client-Side Field Level Encryption • Explicit (Manual) Client-Side Field Level Encryption Feature details The automatic mode is available only on the Enterprise Edition and Atlas, while the manual method is supported on the Community Edition by the MongoDB drivers and mongo shell as well.
“ Does Percona Server for MongoDB support client-side encryption? 46
47 How to Manually Encrypt a Field 1. Create an encryption key: # openssl rand -hex 50 | head -c 96 | base64 | tr -d 'n' > client.key # chmod 600 client.key # chown mongod:mongod client.key • Amazon Web Services KMS • Azure Key Vault • Google Cloud Platform KMS • Locally Managed Key A local keyfile is quick, but lower security, thus not recommended in production environment as it is stored alongside the database. For production, please consider using the one of the following services: As Key Management Service (KMS), MongoDB supports:
48 2. Launch the mongo Shell: # mongo --shell --nodb --eval "var LOCAL_KEY = cat('client.key')" Percona Server for MongoDB shell version v4.4.3-5 type "help" for help mongo> LOCAL_KEY ODEyMTY2YmNmNDA4YWZlZWVhNTFmOTUyODk4YTJjODc1ODk0NTZiN2EzYWQwZDdjNmM4MDQ5ODUzYzRkMjlhN GZlM2UyZDVmMTNjZWQ1YjAyNjAwNzZmMmQ1ZjVkMzdi 3. Create the Encryption Configuration: mongo> var ClientSideFieldLevelEncryptionOptions = { "keyVaultNamespace" : "encryption.__dataKeys", "kmsProviders" : { "local" : { "key" : BinData(0, LOCAL_KEY) } }}
49 4. Connect with Encryption Support: mongo> csfleDatabaseConnection = Mongo("mongodb://dba:secret@localhost:27017/?authSource=admin", ClientSideFieldLevelEncryptionOptions) connection to localhost:27017 5. Create a Key Vault Object: mongo> keyVault = csfleDatabaseConnection.getKeyVault(); { "mongo" : connection to localhost:27017, "keyColl" : encryption.__dataKeys }
50 6. Create the data Encryption Key: mongo> keyVault.createKey( "local", /*Local-type key*/ "", /*Customer master key, used with external KMSes*/ [ "myFirstCSFLEDataKey" ] ) UUID("5bd46d64-3fe8-4e31-a800-219eaa1b6a85") 7. Insert the document encrypting the field manually: mongo> clientEncryption = csfleDatabaseConnection.getClientEncryption(); mongo> var csfleDB = csfleDatabaseConnection.getDB("percona"); mongo> csfleDB.getCollection("newcollection").insert({ "_id": 1, "medRecNum": 1, "firstName": "Jose", "lastName": "Pereira", "ssn": clientEncryption.encrypt(UUID("5bd46d64-3fe8-4e31-a800-219eaa1b6a85"), "123- 45-6789","AEAD_AES_256_CBC_HMAC_SHA_512-Random"), "comment": "Jose Pereira's SSN encrypted."}); WriteResult({ "nInserted" : 1 })
51 Perfect! At this point, the field has been encrypted manually. mongo> db.newcollection.find().pretty() { "_id" : 1, "medRecNum" : 1, "firstName" : "Jose", "lastName" : "Pereira", "ssn" : BinData(6,"AkcTD7WYfErwnoNer2ctYIsCVXS2nJYpSEgYFlp8ORmZ1i9PO/RGELdm+XxZyN6+ls+KLeDu1 LQFtIIJs1Bwy5AMnaA3Lf4qAfm0Nmov6Iwuqer67HV2nIQk6dIa98QFLXs="), "comment" : "Jose Pereira's SSN encrypted." } exit Important MongoDB client-side field level encryption only supports encrypting single fields in a document.
“ Can a root user be able to read the fields? 52
“ How does it work in a ReplicaSet or Sharded Cluster? 53
Summary 54
55 Authenticantion and Authorization
56 Thanks! Any questions?
57
References: 58 • Authentication/ Authorization https://docs.mongodb.com/manual/tutorial/enable-authentication/ https://docs.mongodb.com/manual/core/authentication/ https://www.percona.com/doc/percona-server-for- mongodb/LATEST/enable-auth.html https://www.percona.com/blog/2020/08/10/securing-mongodb-top- five-security-concerns/ • TLS/SSL https://docs.mongodb.com/manual/core/security-transport- encryption/ https://www.percona.com/blog/2019/07/30/network-transport- encryption-for-mongodb/ • External Authentication https://www.percona.com/doc/percona-server-for- mongodb/LATEST/authentication.html https://www.percona.com/resources/technical- presentations/enterprise-authentication-percona-server-mongodb- ldap-and-kerberos • Auditing https://www.percona.com/doc/percona-server-for- mongodb/LATEST/audit-logging.html#auditauthorizationsuccess https://docs.mongodb.com/manual/core/auditing/ https://www.percona.com/blog/2017/03/03/mongodb-audit-log-why- and-how/ • Log Redaction https://docs.mongodb.com/manual/administration/monitoring/ https://www.percona.com/doc/percona-server-for-mongodb/LATEST/log- redaction.html • Encryption - Data at Rest and Client Field Encryption. https://www.percona.com/blog/2020/09/14/q-a-on-webinar-percona-server- for-mongodb-data-at-rest-encryption/ • Webinars/Presentations https://www.percona.com/live/19/sessions/enhancing-the-default-mongodb- security • Data Breaches https://digitalguardian.com/blog/biggest-and-most-impactful-data-breaches- 2016 https://blog.malwarebytes.com/cybercrime/2017/12/the-seven-most- colossal-data-breaches-of-2017/ https://blog.avast.com/biggest-data-breaches https://exclusive.multibriefs.com/content/the-top-10-biggest-data-breaches- of-2020/science-technology https://www.cnbc.com/2019/12/17/the-5-biggest-data-hacks-of-2019.html

Empfohlen

MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...MongoDB
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
 
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...MongoDB
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Mydbops
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 

Empfohlen

MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...MongoDB
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
 
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...MongoDB
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Mydbops
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDBMongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDBMongoDB
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Leadex Systems
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)MongoDB
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBMongoDB
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Why advanced monitoring is key for healthy
Why advanced monitoring is key for healthyWhy advanced monitoring is key for healthy
Why advanced monitoring is key for healthyDenodo
 
Observability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorObservability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorWSO2
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
KACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewKACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewDell World
 
Why Browser Debugger is a Developer's Best Friend
Why Browser Debugger is a Developer's Best FriendWhy Browser Debugger is a Developer's Best Friend
Why Browser Debugger is a Developer's Best FriendOdoo
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Weitere ähnliche Inhalte

Ähnlich wie Percona Live 2021 - MongoDB Security Features

Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDBMongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDBMongoDB
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Leadex Systems
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)MongoDB
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBMongoDB
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Why advanced monitoring is key for healthy
Why advanced monitoring is key for healthyWhy advanced monitoring is key for healthy
Why advanced monitoring is key for healthyDenodo
 
Observability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorObservability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorWSO2
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
KACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewKACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewDell World
 
Why Browser Debugger is a Developer's Best Friend
Why Browser Debugger is a Developer's Best FriendWhy Browser Debugger is a Developer's Best Friend
Why Browser Debugger is a Developer's Best FriendOdoo
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB
 

Ähnlich wie Percona Live 2021 - MongoDB Security Features (20)

Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDBMongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
MongoDB .local Paris 2020: Les bonnes pratiques pour sécuriser MongoDB
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDB
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
Why advanced monitoring is key for healthy
Why advanced monitoring is key for healthyWhy advanced monitoring is key for healthy
Why advanced monitoring is key for healthy
 
Observability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise IntegratorObservability for Integration Using WSO2 Enterprise Integrator
Observability for Integration Using WSO2 Enterprise Integrator
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
KACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewKACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting Overview
 
Why Browser Debugger is a Developer's Best Friend
Why Browser Debugger is a Developer's Best FriendWhy Browser Debugger is a Developer's Best Friend
Why Browser Debugger is a Developer's Best Friend
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
 

Kürzlich hochgeladen

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Kürzlich hochgeladen (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Percona Live 2021 - MongoDB Security Features

  • 1.
  • 3. Hello! I am Jean da Silva Support Engineer at Percona, student of Database Engineering and Big Data, likes to watch F1 in free time. You can find me at linkedin.com/in/jenunes 3
  • 4. Agenda • Authorization and Authentication • External Authentication • TLS/SSL • Auditing • Log Redaction • Encryption – Data at Rest and Client Field Encryption 4
  • 6. 6 [1] - The biggest and most impactful data breaches of 2016 [2] - The seven most colossal data breaches of 2017 [3] - Top 10 Biggest Data Breaches in 2018 [4] - The 5 biggest data hacks of 2019 [5] - The top 10 biggest data breaches of 2020 Top 5 only
  • 7. 7 # Where and how to store data. storage: dbPath: /var/lib/mongo journal: enabled: true # where to write logging data. systemLog: destination: file logAppend: true path: /var/log/mongo/mongod.log processManagement: fork: true pidFilePath: /var/run/mongod.pid # network interfaces net: port: 27017 bindIp: 127.0.0.1
  • 10. ● Authentication is the process to verify the identity of a user. ● Authorization(A.k.a Access Control) determines the verified user's access to resources and operations. By default, Authorization is not enabled; we need to configure and create the root user as the first step for a secure environment. Enabling Authorization on a MongoDB deployment enforces authentication, requiring users to identify themselves. Some Definitions First:
  • 11. 11 > insert Who is Interested in the Default Configuration?
  • 12. 12 mongo> use admin mongo> db.createUser( { user: "myUserAdmin", pwd: passwordPrompt(), // or cleartext password roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ] } ) Enabling Authorization and Enforcing Authentication • Within an instance without authorization:
  • 13. mongod --auth --port 27017 --dbpath /var/lib/mongodb 13 - If you start the mongod from the command line, add the --auth command line option: - If you start the mongod using a configuration file, add the security.authorization in configuration file setting: security: authorization: enabled Starting mongod with Access Control Enabled:
  • 15. “ 15 How Does it Work for a ReplicaSet or Sharded Cluster?
  • 16. Enforcing Access Control on a ReplicaSet or Sharded Cluster Requires: ● Security between connecting clients and the cluster using User Access Controls. ● Security between components of the cluster using Internal Authentication. 16
  • 17. 17 Internal/Membership Authentication Keyfile(SCRAM) or x.509 Keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments, x.509 certificates is recommended. Enforcing internal authentication also enforces user access control.
  • 20. ● Normal Client Authentication – SCRAM(default) or x.509 ● Internal Member Authentication – Keyfile(SCRAM) or x.509 ● External Authentication – LDAP / ActiveDirectory or Kerberos Overview - Authentications
  • 21. 21 Overview - Benefits • Ability to maintain all users in one place • Automated policy enforcement • Password length, complexity • Password expiration • Account expiration • Failed attempts lockout
  • 22. 22 Enterprise Authentication - Percona Server for MongoDB Sandra Romanchenko - QA Engineer @Percona
  • 23. “ Is the External Authentication an Enterprise feature? 23
  • 26. • TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB's network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client. Overview • TLS/SSL encryption only allows use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections MongoDB traffic is not encrypted until you create a set of TLS/SSL certificates and keys and apply them in the mongod and mongos configuration files of your entire cluster (or non-sharded replica set).
  • 27. 27 01:36:02.739623 IP 127.0.0.1.3017 > 127.0.0.1.42924: Flags [P.], seq 2605:3215, ack 763, win 1035, options [nop,nop,TS val 36825751 ecr 36825751], length 610 E....;@.@.^$................D.i;........... .1...1..b....3...............I....cursor......firstBatch.|....0.z...._id.`~/*j7W3.s.e.item.....canva s..qty.......Y@.tags......0.....cotton...size.'....h.......<@.w.......A@.uom.....cm....1.z...._id.`~ /.#A..0....item.....canvas..qty.......Y@.tags......0.....cotton...size.'....h.......<@.w.......A@.uo m.....cm....2.z...._id.`~0.#A..0....item.....canvas..qty.......Y@.tags......0.....cotton...size.'... .h.......<@.w.......A@.uom.....cm.....id..........ns.....percona.inventory...ok........?.$clusterTim e.X....clusterTime......0~`.signature.3....hash...........................keyId............operation Time......0~`..................... mongo> use foo switched to db foo mongo>db.inventory.insertOne( { item: "canvas", qty: 100, tags: ["cotton"], size: { h: 28, w: 35.5, uom: "cm" } } ) • Tcpdump on mongod port: Network Traffic Encryption - OFF
  • 28. 28 Certificate Management Important For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. Although you can use self-made certificates, it is not recommended in production deployments. • Using an external certificate authority or making a new root certificate just for these MongoDB clusters • If you are using it just for the internal system authentication between mongod and mongos nodes, or if you are enabling TLS for clients too
  • 29. 29 Value Description disabled The server does not use TLS. allowTLS Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS. preferTLS Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS. requireTLS The server uses and accepts only TLS encrypted connections. Network Traffic Encryption • net.ssl.mode
  • 31. The auditing allows administrators and users to track system activity for deployments with multiple users and applications. • Console • Syslog • JSON file • BSON file Overview The audit feature is available on • MongoDB Enterprise ✓ • Percona Server for MongoDB ✓
  • 32. 32 Audit Events: Once enabled, the auditing system can record the following operations: • Schema changes (DDL operations); • Topology changes on ReplicaSet and Sharded Cluster; • Authentication failures and successes; • Authorization changes, and failures; • CRUD operations (requires auditAuthorizationSuccess set to true). Important Enabling the auditAuthorizationSuccess parameter heavily impacts the performance compared to logging only authorization failures.
  • 33. 33 auditLog: destination: file format: JSON path: /var/log/mongo/audit.json Configuring Auditing • On configuration file: mongod --dbpath data/db --auditDestination file --auditFormat JSON -- auditPath /var/log/mongo/audit.json • On mongod for command line:
  • 34. 34 { "atype" : "authCheck", "ts" : { "$date" : "2021-04-20T05:00:04.477+00:00" }, "local" : { "ip" : "127.0.0.1", "port" : 37017 }, "remote" : { "ip" : "127.0.0.1", "port" : 39430 }, "users" : [], "roles" : [], "param" : { "command" : "insert", "ns" : "test.products", "args" : { "insert" : "products", "ordered" : false, "lsid" : { "id" : { "$binary" : "ZE6Bwd20S7iMEOXhT+vbzQ==", "$type" : "04" } }, "$db" : "test" } }, "result" : 0 } auditLog: destination: file format: JSON path: /var/log/mongo/audit.json filter: '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }' Configuring Auditing Filters • Audit log:
  • 36. • Redacts any message accompanying a given log event before logging. Overview The redact feature is available on • MongoDB Enterprise ✓ • Percona Server for MongoDB ✓ • Prevents the mongod or mongos from writing potentially sensitive data stored on the database to the diagnostic log. • Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs.
  • 37. 37 […] query","attr":{"type":"command","ns":"test.clients","appName":"MongoDB Shell","command":{"insert":"###","ordered":"###","lsid":{"id":"###"},"$db ´[…] Configuring Log Redaction Enable log redaction by adding the following to the configuration file: security: redactClientLogData: true db.adminCommand( { setParameter: 1, redactClientLogData : true }) To enable log redaction at runtime, use the setParameter command:
  • 38. 6. Encryption - Data at Rest and Client Field Encryption
  • 39. • Available for the WiredTiger Storage Engine only. • All databases are encrypted when encryption is enabled, it includes admin database. • Support AES256-CBC(default) and AES256-GCM as cipher mode. • Encryption is not a part of replication; master keys and database keys are not replicated, and data is not natively encrypted over the wire. Overview – Data At Rest Encryption Tip Encryption at rest, when used in conjunction with transport encryption(TLS/SSL) and good security policies. It can help ensure compliance with security and privacy standards, including HIPAA, PCI-DSS, and FERPA.
  • 40. 41 Supported Key Management • Local key management using a keyfile: MongoDB Enterprise and Percona Server for MongoDB • Integration with an external key server – HashiCorp Vault: Percona Server for MongoDB • Integration with KMIP server for key management: MongoDB Enterprise
  • 41. “ Do I need a separate master key for each member in a replica set or sharded cluster? 42
  • 42. “ How would I recover the database if I lose its master key? 43
  • 43. Overview – Client-Side Field Encryption • New in version 4.2. Applications can encrypt fields in documents prior to transmitting data over the wire to the server. • Only applications with access to the correct encryption keys can decrypt and read the protected data. • Deleting an encryption key renders all data encrypted using that key as permanently unreadable. X+4kl233rdd
  • 44. 45 MongoDB provides two methods of Field Encryption: • Automatic Client-Side Field Level Encryption • Explicit (Manual) Client-Side Field Level Encryption Feature details The automatic mode is available only on the Enterprise Edition and Atlas, while the manual method is supported on the Community Edition by the MongoDB drivers and mongo shell as well.
  • 45. “ Does Percona Server for MongoDB support client-side encryption? 46
  • 46. 47 How to Manually Encrypt a Field 1. Create an encryption key: # openssl rand -hex 50 | head -c 96 | base64 | tr -d 'n' > client.key # chmod 600 client.key # chown mongod:mongod client.key • Amazon Web Services KMS • Azure Key Vault • Google Cloud Platform KMS • Locally Managed Key A local keyfile is quick, but lower security, thus not recommended in production environment as it is stored alongside the database. For production, please consider using the one of the following services: As Key Management Service (KMS), MongoDB supports:
  • 47. 48 2. Launch the mongo Shell: # mongo --shell --nodb --eval "var LOCAL_KEY = cat('client.key')" Percona Server for MongoDB shell version v4.4.3-5 type "help" for help mongo> LOCAL_KEY ODEyMTY2YmNmNDA4YWZlZWVhNTFmOTUyODk4YTJjODc1ODk0NTZiN2EzYWQwZDdjNmM4MDQ5ODUzYzRkMjlhN GZlM2UyZDVmMTNjZWQ1YjAyNjAwNzZmMmQ1ZjVkMzdi 3. Create the Encryption Configuration: mongo> var ClientSideFieldLevelEncryptionOptions = { "keyVaultNamespace" : "encryption.__dataKeys", "kmsProviders" : { "local" : { "key" : BinData(0, LOCAL_KEY) } }}
  • 48. 49 4. Connect with Encryption Support: mongo> csfleDatabaseConnection = Mongo("mongodb://dba:secret@localhost:27017/?authSource=admin", ClientSideFieldLevelEncryptionOptions) connection to localhost:27017 5. Create a Key Vault Object: mongo> keyVault = csfleDatabaseConnection.getKeyVault(); { "mongo" : connection to localhost:27017, "keyColl" : encryption.__dataKeys }
  • 49. 50 6. Create the data Encryption Key: mongo> keyVault.createKey( "local", /*Local-type key*/ "", /*Customer master key, used with external KMSes*/ [ "myFirstCSFLEDataKey" ] ) UUID("5bd46d64-3fe8-4e31-a800-219eaa1b6a85") 7. Insert the document encrypting the field manually: mongo> clientEncryption = csfleDatabaseConnection.getClientEncryption(); mongo> var csfleDB = csfleDatabaseConnection.getDB("percona"); mongo> csfleDB.getCollection("newcollection").insert({ "_id": 1, "medRecNum": 1, "firstName": "Jose", "lastName": "Pereira", "ssn": clientEncryption.encrypt(UUID("5bd46d64-3fe8-4e31-a800-219eaa1b6a85"), "123- 45-6789","AEAD_AES_256_CBC_HMAC_SHA_512-Random"), "comment": "Jose Pereira's SSN encrypted."}); WriteResult({ "nInserted" : 1 })
  • 50. 51 Perfect! At this point, the field has been encrypted manually. mongo> db.newcollection.find().pretty() { "_id" : 1, "medRecNum" : 1, "firstName" : "Jose", "lastName" : "Pereira", "ssn" : BinData(6,"AkcTD7WYfErwnoNer2ctYIsCVXS2nJYpSEgYFlp8ORmZ1i9PO/RGELdm+XxZyN6+ls+KLeDu1 LQFtIIJs1Bwy5AMnaA3Lf4qAfm0Nmov6Iwuqer67HV2nIQk6dIa98QFLXs="), "comment" : "Jose Pereira's SSN encrypted." } exit Important MongoDB client-side field level encryption only supports encrypting single fields in a document.
  • 51. “ Can a root user be able to read the fields? 52
  • 52. “ How does it work in a ReplicaSet or Sharded Cluster? 53
  • 56. 57
  • 57. References: 58 • Authentication/ Authorization https://docs.mongodb.com/manual/tutorial/enable-authentication/ https://docs.mongodb.com/manual/core/authentication/ https://www.percona.com/doc/percona-server-for- mongodb/LATEST/enable-auth.html https://www.percona.com/blog/2020/08/10/securing-mongodb-top- five-security-concerns/ • TLS/SSL https://docs.mongodb.com/manual/core/security-transport- encryption/ https://www.percona.com/blog/2019/07/30/network-transport- encryption-for-mongodb/ • External Authentication https://www.percona.com/doc/percona-server-for- mongodb/LATEST/authentication.html https://www.percona.com/resources/technical- presentations/enterprise-authentication-percona-server-mongodb- ldap-and-kerberos • Auditing https://www.percona.com/doc/percona-server-for- mongodb/LATEST/audit-logging.html#auditauthorizationsuccess https://docs.mongodb.com/manual/core/auditing/ https://www.percona.com/blog/2017/03/03/mongodb-audit-log-why- and-how/ • Log Redaction https://docs.mongodb.com/manual/administration/monitoring/ https://www.percona.com/doc/percona-server-for-mongodb/LATEST/log- redaction.html • Encryption - Data at Rest and Client Field Encryption. https://www.percona.com/blog/2020/09/14/q-a-on-webinar-percona-server- for-mongodb-data-at-rest-encryption/ • Webinars/Presentations https://www.percona.com/live/19/sessions/enhancing-the-default-mongodb- security • Data Breaches https://digitalguardian.com/blog/biggest-and-most-impactful-data-breaches- 2016 https://blog.malwarebytes.com/cybercrime/2017/12/the-seven-most- colossal-data-breaches-of-2017/ https://blog.avast.com/biggest-data-breaches https://exclusive.multibriefs.com/content/the-top-10-biggest-data-breaches- of-2020/science-technology https://www.cnbc.com/2019/12/17/the-5-biggest-data-hacks-of-2019.html