High profile security breaches have become embarrassingly common, but ultimately avoidable. Now more than ever, database security is a critical component of any production application. In this talk we'll learn to secure your deployment in accordance with best practices and compliance regulations. We'll explore the MongoDB Enterprise features which ensure HIPAA and PCI compliance, and protect you against attack, data exposure and a damaged reputation.
WARNING
Some features are only supported in MongoDB Enterprise Advanced versions!
Generally, the functionality shown is available in 2.6.x; any 3.0.x-specific features will be called out.
Authentication
Password-based challenge-response mechanism
- user/pwd defined against a DB
- different auth mechanisms (changed in 3.0)
- SCRAM-SHA-1, MONGODB-CR
- Kerberos, LDAP
X.509 certificates
- validate that members of replica sets and sharded clusters are who you think they are
- also used for SSL connections
Localhost Exception
The localhost exception allows you to enable authorization before creating the first user in the system. When active, the localhost exception allows connections from the localhost interface to create the first user on the admin database. The exception applies only when there are no users created in the MongoDB instance.
Changed in version 3.0: The localhost exception changed so that these connections only have access to create the first user on the admin database. In previous versions, connections that gained access using the localhost exception had unrestricted access to the MongoDB instance.
Authorization
Role Based Access Control
built-ins, and custom

var stockerRole = {
  "role" : "acme.store.stocker",
  "privileges" : [
    { "resource" : { "db" : "products", "collection" : "inventory" },
      "actions" : [ "find", "update" ] }
  ],
  "roles" : [ "acme.store.user" ]
};
use acme
db.createRole( stockerRole );
Encryption
At rest: recommend always encrypting data on the storage system. 3rd party tools (more docs online):
• Linux Unified Key Setup (LUKS)
• IBM Guardium Data Encryption
• Vormetric Data Security Platform
• BitLocker Drive Encryption (Windows)
Required for HIPAA/PCI-DSS
In flight: configure mongod and mongos for SSL
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
Demo
Building roles to support a healthcare application and HIPAA requirements.
In general, for full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo
Role | Create | Read | Update | Delete | Index (Maintenance)
Physician
Billing Associate
Patient System
Administrator
Hi – I’m me… JTM, etc.
Welcome to a super boring talk about security and stuff - well I hope not.
Everyone doing good – awesome, isn’t it great to be able to alter things, take a break from your real day-to-day job, and also connect with fellow geeks ;)
Having a chance to relax a bit and also really tap into some core technology stuff?
Cool, let’s get going --- um, well, oh shoot, I forgot, I needed to do something….bear with me, just a moment, please – thanks---
<switch to terminal, kick off network scan, make people watch a bit – make them wonder WTF? – (I hope this works)>
nmap -p 27017 -oG openMongodsNmap 192.168.1.0/24
grep '27017/open' openMongodsNmap | cut -d" " -f2 > openMongods
Scan for any open mongods in the conference!
This should take a couple of mins or so---
MongoDB is specifically designed for an awesome out-of-box developer experience. You can get your apps up and running very easily. But, this means that most (well like all) the security features are TURNED OFF by DEFAULT. Devs love this, OPS not so much.
So, this is an OPS track – but the title of this talk starts with “Architecting” and then has Applications? WTF???
I’m going to try and give a high-level overview of ops’ “nuts & bolts” stuff (you guys can all look this stuff up ----
Oh, good thing about working for an open source company --- I can google the real docs you can too!
Then cover some essential Best Practices, and wrap up with a demo showing how to really make some of this stuff work—
In particular, perhaps not so OPS-ey – yeah, you’re gonna have to “TALK” to your dev teams here!!! - show you how to create
Some application specific security stuff – WHICH YOU SHOULD DO!!!!!!
Auth – variety of supported mechanisms, integrates with LDAP, Kerberos, X.509 certs
Authorization – Role Based Access Control, out-of-box roles & privileges, ability to build custom roles- can define over whole instance, db or even collection level
Need to point out-
We love and embrace open source, and wouldn’t be where we are without it.
We also support many enterprises who require the highest level of security and confidence in their software providers –
So many advanced security features are only available in the “Enterprise Advanced” versions.
Auditing – logs system changes and modifications – this is not logging reads/writes from an application, but admin changes – use it to ensure and validate you are following best practices
Encryption – support for both “at rest” (integration with 3rd party – Vormetric/IBM/etc) and file system disk-level, also in flight with SSL
Users and their passwords are defined with a db name – you need to authenticate against the DB you are defined in!!
Take care with different shell/mongod versions and auth mechanisms
You can start a mongod without --auth and create an ‘admin’ user, then restart with --auth; or, there is the… localhost exception
From the docs – just want them to see and burn in this “LOCALHOST EXCEPTION” thing
So you’re building an e-commerce website – you need both front end and back end access to your data – what access would a particular person need who only manages inventory?
Roles are made up of a set of privileges; privileges are made up of a set of resources and actions – resources are things like DBs, collections, etc.
Actions are commands or functions the user can perform on the resource – find, update, etc.
Lots and lots of actions/privileges defined in the system –
Roles can inherit from other roles – you can build a complex hierarchy of roles.
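To make the role/privilege/resource model concrete, here is an added example (not code from the talk or from MongoDB itself) that models role documents in the same shape as the slide’s stockerRole and answers "may a user holding these roles run this action on this namespace?". The catalog is constructed: "acme.store.stocker" is the slide’s role; "acme.store.user" and "acme.store.manager" are assumptions made for the illustration. The empty-string wildcard for db/collection follows MongoDB’s resource-document rules.

```javascript
// Added example, not code from the talk: a small model of MongoDB-style
// Role Based Access Control. Roles carry privileges (resource + actions) and
// may inherit other roles; effective access is the union over the hierarchy.
// The catalog below is constructed: "acme.store.stocker" is the slide's role,
// "acme.store.user" and "acme.store.manager" are assumptions made for the demo.
const roleCatalog = {
  // Base role: read-only on every collection of the products DB
  // (an empty "collection" means "all non-system collections in that db")
  "acme.store.user": {
    role: "acme.store.user",
    privileges: [
      { resource: { db: "products", collection: "" }, actions: ["find"] },
    ],
    roles: [],
  },
  // The slide's stocker role: may also update inventory, inherits acme.store.user
  "acme.store.stocker": {
    role: "acme.store.stocker",
    privileges: [
      { resource: { db: "products", collection: "inventory" }, actions: ["find", "update"] },
    ],
    roles: ["acme.store.user"],
  },
  // A manager who inherits the stocker role and may additionally insert/remove
  // inventory and read orders; inherited roles may also be written as { role, db }
  "acme.store.manager": {
    role: "acme.store.manager",
    privileges: [
      { resource: { db: "products", collection: "inventory" }, actions: ["insert", "remove"] },
      { resource: { db: "orders", collection: "" }, actions: ["find"] },
    ],
    roles: [{ role: "acme.store.stocker", db: "acme" }],
  },
};

// Does a privilege's resource cover the given namespace? Mirrors MongoDB's
// rule that "" acts as a wildcard for db and/or collection. Cluster-scoped
// privileges ({ cluster: true }) never match a collection.
function resourceMatches(resource, db, collection) {
  if (resource.cluster) return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === collection;
  return dbOk && collOk;
}

// Flatten a role and everything it inherits into one privilege list.
// `seen` guards against cycles and diamond-shaped inheritance.
function resolvePrivileges(roleName, catalog, seen = new Set()) {
  if (seen.has(roleName)) return [];
  seen.add(roleName);
  const role = catalog[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  const inherited = (role.roles || []).flatMap((r) =>
    resolvePrivileges(typeof r === "string" ? r : r.role, catalog, seen)
  );
  return [...role.privileges, ...inherited];
}

// Sorted set of actions the given roles permit on db.collection
function effectiveActions(roleNames, catalog, db, collection) {
  const actions = new Set();
  for (const name of roleNames) {
    for (const priv of resolvePrivileges(name, catalog)) {
      if (resourceMatches(priv.resource, db, collection)) {
        priv.actions.forEach((a) => actions.add(a));
      }
    }
  }
  return [...actions].sort();
}

function isAuthorized(roleNames, catalog, db, collection, action) {
  return effectiveActions(roleNames, catalog, db, collection).includes(action);
}

// Least-privilege check a reviewer would run before shipping a role:
// which actions a role grants on a namespace are *not* on the allow-list?
function excessActions(roleNames, catalog, db, collection, allowed) {
  return effectiveActions(roleNames, catalog, db, collection).filter((a) => !allowed.includes(a));
}

// Walk-through for the stocker role
const checks = [
  ["products", "inventory", "update"],
  ["products", "inventory", "remove"],
  ["products", "catalog", "find"],
  ["orders", "history", "find"],
];
for (const [db, coll, action] of checks) {
  console.log(`stocker ${action} on ${db}.${coll}:`,
    isAuthorized(["acme.store.stocker"], roleCatalog, db, coll, action));
}
```

The excessActions helper is the part worth keeping around: given the list of actions a role is supposed to need on a collection, it reports everything the hierarchy actually grants beyond that, which is how inherited privileges that nobody intended get caught.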
System audits for schema changes (e.g. create/drop collection, add indexes), repl set/shard config changes, auth and authz, general db operations.
Supports filters – only audit the things you care about
Supports an API for custom audit messages – the “logApplicationMessage” db command
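The audit log is only useful if somebody reads it. As an added example (not code from the talk or from MongoDB), the block below takes audit events in the one-JSON-document-per-line form MongoDB Enterprise writes with auditLog.destination: file and auditLog.format: JSON, and pulls out what an operator checks for: repeated authentication failures per source, schema changes, account changes and denied operations. It also implements a tiny subset of the filter syntax (equality and $in, with dotted paths) so a proposed auditLog.filter can be tried against sample events before it goes into the config. The sample lines, hosts, users and namespaces are constructed; the result codes 0 (success), 13 (Unauthorized) and 18 (AuthenticationFailed) are MongoDB’s.

```javascript
// Added example, not code from the talk or from MongoDB: defender-side review of
// a MongoDB Enterprise audit log written as one JSON document per line
// (auditLog.destination: file, auditLog.format: JSON). The events below are
// constructed to follow that documented shape; hosts, users and namespaces are
// made up. Result codes: 0 = success, 13 = Unauthorized, 18 = AuthenticationFailed.
const SAMPLE_AUDIT_LINES = [
  '{"atype":"authenticate","ts":{"$date":"2015-06-01T09:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.77","port":51002},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-06-01T09:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.77","port":51003},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-06-01T09:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.77","port":51004},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2015-06-01T09:01:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":40211},"users":[],"roles":[],"param":{"user":"app","db":"acme","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"createCollection","ts":{"$date":"2015-06-01T09:01:05.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":40211},"users":[{"user":"app","db":"acme"}],"roles":[{"role":"readWrite","db":"acme"}],"param":{"ns":"acme.sessions"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2015-06-01T09:01:09.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":40211},"users":[{"user":"app","db":"acme"}],"roles":[{"role":"readWrite","db":"acme"}],"param":{"command":"drop","ns":"hospital.patients","args":{"drop":"patients"}},"result":13}',
  '{"atype":"createUser","ts":{"$date":"2015-06-01T09:02:00.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":52000},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"reporting","db":"acme","roles":[{"role":"read","db":"acme"}]},"result":0}',
  '{"atype":"dropCollection","ts":{"$date":"2015-06-01T09:02:30.000Z"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":52000},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"acme.scratch"},"result":0}',
  'this line is not JSON and stands in for a corrupted record',
];

// Event types the notes call out: schema changes and auth/authz (account) changes
const SCHEMA_CHANGE_TYPES = new Set(["createCollection", "dropCollection", "renameCollection", "createIndex", "dropIndex", "dropDatabase"]);
const ACCOUNT_CHANGE_TYPES = new Set(["createUser", "dropUser", "updateUser", "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole", "dropRole"]);

// Parse one JSON document per line; count rather than silently drop bad records
function parseAuditLines(lines) {
  const events = [];
  let unparseable = 0;
  for (const line of lines) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch (err) { unparseable += 1; }
  }
  return { events, unparseable };
}

// Resolve a dotted path such as "param.ns" against an event document
function getPath(doc, path) {
  return path.split(".").reduce((cur, key) => (cur == null ? undefined : cur[key]), doc);
}

// Subset of auditLog.filter semantics: field equality and { $in: [...] }
function matchesAuditFilter(event, filter) {
  return Object.entries(filter).every(([path, cond]) => {
    const value = getPath(event, path);
    if (cond !== null && typeof cond === "object" && Array.isArray(cond.$in)) return cond.$in.includes(value);
    return value === cond;
  });
}

// How many sample events a candidate filter would keep
function auditFilterHits(lines, filter) {
  return parseAuditLines(lines).events.filter((e) => matchesAuditFilter(e, filter)).length;
}

// "users" is empty for unauthenticated connections (e.g. the localhost exception)
function actor(event) {
  const u = (event.users || [])[0];
  return u ? `${u.user}@${u.db}` : "<no authenticated user>";
}

function summarizeAudit(lines, failureThreshold = 3) {
  const { events, unparseable } = parseAuditLines(lines);
  const authFailures = {};
  for (const e of events.filter((e) => e.atype === "authenticate" && e.result !== 0)) {
    const key = `${e.remote.ip} -> ${e.param.user}@${e.param.db}`;
    authFailures[key] = (authFailures[key] || 0) + 1;
  }
  const suspiciousSources = Object.keys(authFailures).filter((k) => authFailures[k] >= failureThreshold).sort();
  const describe = (e) => ({ atype: e.atype, ns: e.param.ns, by: actor(e), from: e.remote.ip });
  return {
    unparseable,
    authFailures,
    suspiciousSources,
    schemaChanges: events.filter((e) => SCHEMA_CHANGE_TYPES.has(e.atype)).map(describe),
    accountChanges: events.filter((e) => ACCOUNT_CHANGE_TYPES.has(e.atype))
      .map((e) => ({ atype: e.atype, target: `${e.param.user || e.param.roleName}@${e.param.db}`, by: actor(e) })),
    deniedOperations: events.filter((e) => e.atype === "authCheck" && e.result === 13)
      .map((e) => ({ command: e.param.command, ...describe(e) })),
  };
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_AUDIT_LINES), null, 2));
```

Note that authCheck events are only emitted when auditAuthorizationSuccess is enabled or the check fails, so the deniedOperations list is cheap to produce even on a busy deployment; the schema and account change lists are exactly what the filter in the config should be narrowed to if full auditing is too noisy.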
allowSSL, preferSSL, requireSSL – settings for sslMode – use these to gradually “step up” a replica set/cluster to use SSL
--noscripting – turns off server-side JavaScript; disables mapReduce, group, $where
NOT!! Covering all details in this talk – review official documentation!!
Doing things right does take time and effort – but do it from the start and build it into your culture and you will be fine