Securing Data in MongoDB with Gazzang and Chef
1. Securing Data in MongoDB with Gazzang and Chef
Robert Linden, Sr. Solutions Architect at Gazzang
November 7, 2012
2. What’s in your Cloud?
What data are you storing?
11/7/2012 Gazzang - All rights reserved 2012
3. What’s in your Cloud?
How are you protecting that data?
4. What’s in your Cloud?
How are you managing the keys?
5. Student Record Breaches
• Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files.
• This year alone…
  • 23,000 SSN’s breached at the University of North Florida
  • 16,000 SSN’s, birth dates and student ID’s breached from Eugene, Oregon school district
  • 650,000 records breached from University of Nebraska
  • 350,000 records from UNC Charlotte
  • and more….
6. Breaches Hit Every Industry
7. Data Security For MongoDB
Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB
• Pre-built integration requires no changes to your application or database
• Leverages automation tools for distributed deployment
• World-class support available through Gazzang, 10gen and Opscode
8. MongoDB Native Security
[Diagram: user authentication for admin users and regular users (user1, user2, user3); SSL encryption for client connections; SSL encryption for inter-server traffic between Primary and Secondary; data files on each node]
9. Education Use Case on MongoDB
[Diagram: two MongoDB nodes (Node 1, Node 2), each holding data files with plaintext records]
Teacher record: First Name Bob; Last Name Jones; Email bob@xx.edu; Phone 555-5555; SSN XXX-XX-XXXX; Address 804 Congress; City Austin; State TX
Student record: First Name Alice; Last Name Smith; Email alice@yy.edu; Grade 5th
10. Cloud Security Challenges
• Protect Sensitive Data in the Cloud
  – Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
  – Maintain control of your encryption keys and your proprietary data
• Ensure Big Data Security
  – Harden Big Data infrastructures that have relatively weak security and no encryption protection
  – Maintain Big Data performance and availability
• Enable Compliance
  – Encrypt data at rest and enforce tight access control policies
  – Protect your regulated data in the event of a breach
11. Gazzang zNcrypt™
zNcrypt sits between the file system and ANY database, application or service running on Linux to encrypt data before it writes to the disk.
• AES 256 encryption
• Process-based ACLs
• Maximum performance
• Transparent data encryption
• Enterprise scalability
• Packaged support for MongoDB
12. zNcrypt Architecture
• Key Management
– Off-site key storage
– In the cloud / on premises
– Hardened & highly available
• Access Control
– Process-based ACL rules
– Transparent data encryption
– Separate from users & groups
• Encryption
– Data at rest / AES-256
– File level encryption
– Excellent performance
13. ACL Rules and Encryption
• MongoDB ACL Rule
  “ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod”
  This says that mongod is a trusted application, using the category @mongodata, and has access to the KSS where the Master Encryption Key is stored.
• MongoDB data node directory encryption
  “ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/”
  This says that the /data/db directory is encrypted, along with any new file or data saved to it. Only the MongoDB process will be able to “see” the data, because the encryption is linked to the ACL with @mongodata.
14. Key Management
• zNcrypt KSS (Key Storage System)
– Hardened SaaS offering (or within enterprise / private cloud)
– Secure access from zNcrypt client, multiple layers of security
– SaaS KSS configured with high availability / failover
15. Ease of Deployment
• Install zNcrypt
  – Package managers (yum, apt-get), Chef, Puppet, JuJu, etc.
• Create master encryption key
  – Passphrase method (optional “split security”)
  – RSA Key file method
• Create ACLs
  – Simple command-lines (ALLOW/DENY style)
  – Virtually any application, process or script can be allowed: MongoDB, MySQL, Apache, Tomcat, backup software, document management, etc.
• Encrypt data
  – Simple command line calls, down to the file level
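To make the “ACL Rules and Encryption” slide and the “Create ACLs / Encrypt data” steps above concrete, here is an added example that is not Gazzang code: a toy Python model of how a process-based ACL bound to a category (@mongodata) decides who gets plaintext from an encrypted directory. The rule syntax and the two paths are taken from the slides; the evaluation order (default deny, explicit DENY overriding ALLOW, longest encrypted-directory prefix wins) is an assumption of this model, not a description of zNcrypt internals.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str      # ALLOW or DENY
    category: str    # e.g. @mongodata
    user: str        # "*" or a user name
    process: str     # absolute path of the trusted executable

def parse_rule(line):
    """Parse one ACL line, e.g. 'ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod'."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("ALLOW", "DENY") or not parts[1].startswith("@"):
        raise ValueError(f"malformed ACL rule: {line!r}")
    return Rule(*parts)

@dataclass
class EncryptedStore:
    """Toy model (assumption, not Gazzang's implementation): each encrypted directory carries a
    category; a process gets plaintext only if an ACL rule for that category names it."""
    rules: list = field(default_factory=list)
    encrypted: dict = field(default_factory=dict)   # directory -> category

    def add_rule(self, line):
        self.rules.append(parse_rule(line))
    def encrypt(self, category, directory):
        # models 'ezncrypt --encrypt @category /directory/'
        self.encrypted[directory.rstrip("/") + "/"] = category
    def category_for(self, path):
        # longest matching encrypted-directory prefix wins; None means an ordinary file
        hits = [d for d in self.encrypted if path.startswith(d)]
        return self.encrypted[max(hits, key=len)] if hits else None
    def can_read_plaintext(self, path, process, user):
        category = self.category_for(path)
        if category is None:
            return True        # not encrypted: only normal file permissions apply
        allowed = False        # default deny: no matching rule, no key, ciphertext only
        for r in self.rules:
            if r.category != category or r.process != process or r.user not in ("*", user):
                continue
            if r.action == "DENY":
                return False   # assumption: an explicit DENY overrides any ALLOW
            allowed = True
        return allowed

def slide_policy():
    # the two commands from the 'ACL Rules and Encryption' slide, applied to the model
    store = EncryptedStore()
    store.add_rule("ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod")
    store.encrypt("@mongodata", "/var/lib/mongodb/data/db/")
    return store
```

With this policy, mongod reads its data files in the clear while a root shell running cat on the same files is refused the key, which is the property the slide describes.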
16. Chef – Opscode Community
19. Install MongoDB and zNcrypt with #chef-client
20. Install MongoDB and zNcrypt with #chef-client
21. Install MongoDB and zNcrypt with #chef-client
22. Gazzang Overview
Gazzang provides big data security and diagnostics solutions that help enterprises protect sensitive information and maintain performance in cloud environments.
– Based in Austin, Texas
– Funded by Austin Ventures and Silver Creek Ventures
– 225+ customers
– SaaS, Healthcare, Financial Services, Government, Technology
23. Thank You
Q&A
24. Protect Your MongoDB Data
For more information
contact us: info@gazzang.com
Robert Linden
robert.linden@gazzang.com