The interactive presentation will use a metaphor, comparing security features to magical creatures, in that they both must be treated right. This game-based learning session will help audiences to understand the security features MongoDB has to offer and how to use them correctly.
6. The monster pack
Authentication
SCRAM
x.509 (Certificate based)
LDAPS (LDAP over TLS)
KERBEROS
Authorization
RBAC (Role Based Access Control)
LDAPS (LDAP over TLS)
Encryption
At rest (Storage level encryption)
In transit (TLS)
Restricted Access
IP Whitelists
Auditing
8. SCRAM
Challenge-response mechanism for authenticating users with passwords: the client
proves it knows the password without ever sending it, and the server keeps only a
salted, iterated hash and keys derived from it, never the password itself
MongoDB offers SCRAM-SHA-1 and SCRAM-SHA-256 (the default since 4.0); a user is
identified by user name plus authentication database (the database the user was
created in, usually admin), so the same name in two databases is two different users
Habitat: DB (user documents in admin.system.users)
9. x.509
The client authenticates to the server with a certificate instead of a
username/password; the certificate's subject (its distinguished name) is the user name
The server needs the CA certificate (net.tls.CAFile) to verify that a client
certificate was issued by a trusted CA; the client should likewise verify the
server's certificate so the check runs in both directions
x.509 is the standard defining the format of public key certificates
Habitat: the $external authentication database (the user is created there with
the certificate subject as its name) and the cert store
10. LDAPS
LDAPS is LDAP over TLS; the directory server stores users and groups, and
MongoDB Enterprise can map a user's group memberships to MongoDB roles
It uses a hierarchical structure (a tree of distinguished names)
Centralized repository for controlling access to resources; for MongoDB those
are the collections, databases, cluster, users etc.
Can be used as an authentication mechanism (mongod binds to the directory with
the user's password, which is why the client-to-mongod and mongod-to-LDAP
links must both be TLS) and/or as an authorization source
Habitat: LDAPS server, MongoDB configuration (security.ldap)
11. KERBEROS
Network authentication protocol (MongoDB Enterprise uses it through the GSSAPI mechanism)
Uses tickets to authenticate users
Avoids storing passwords on the MongoDB host or sending them over the network
Involves a trusted third party, the Key Distribution Center (KDC)
Built on symmetric-key cryptography
Habitat: KERBEROS setup (KDC, a keytab for the mongodb service principal, MongoDB
configuration); users are created in the $external database under their principal name
13. RBAC (Role Based Access Control)
Authorization mechanism (switched on with security.authorization: enabled;
without it there is no access control at all)
Within an organization, roles are created for various job functions
A role is a set of privileges, each granting certain actions on a certain resource
(a collection, a database, or the cluster); users are granted roles, and roles can
inherit other roles
Habitat: DB (built-in roles plus user-defined roles stored in the admin database)
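To make the role, privilege and resource model concrete, here is an added example (not code from the deck or from MongoDB itself) that models MongoDB's privilege evaluation in JavaScript: constructed role and user documents in the shape db.createRole() and db.createUser() accept (hrReader, partyPhotoEditor, clusterWatcher, roz and mike are invented names), and an isAuthorized() check that follows the documented matching rules for {db, collection} and {cluster: true} resources, including role inheritance.

```javascript
// Mini model of MongoDB's RBAC privilege evaluation: a role holds privileges
// (actions on a resource) and may inherit other roles; a user holds roles.
// Added example, not MongoDB's implementation. Resource matching follows the
// documented rules: db "" means every database, collection "" means every
// collection (the system-collection exceptions are ignored here).

// Constructed role documents, keyed as "<db>.<role>", in db.createRole() shape.
const roles = {
  "admin.hrReader": {
    privileges: [{ resource: { db: "hr", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  "admin.partyPhotoEditor": {
    privileges: [
      { resource: { db: "hr", collection: "partyPhotos" }, actions: ["insert", "update", "remove"] },
    ],
    roles: [{ role: "hrReader", db: "admin" }], // inherits read access to all of hr
  },
  "admin.clusterWatcher": {
    privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
    roles: [],
  },
};

// Constructed user documents, keyed as "<authdb>.<user>", in db.createUser() shape
// (credentials omitted; authorization only looks at the roles).
const users = {
  "admin.roz": {
    roles: [{ role: "partyPhotoEditor", db: "admin" }, { role: "clusterWatcher", db: "admin" }],
  },
  "admin.mike": { roles: [{ role: "hrReader", db: "admin" }] },
};

// Does a granted resource cover the resource the operation touches?
function resourceMatches(granted, wanted) {
  if (granted.cluster) return wanted.cluster === true;
  if (wanted.cluster) return false;
  const dbOk = granted.db === "" || granted.db === wanted.db;
  const collOk = granted.collection === "" || granted.collection === wanted.collection;
  return dbOk && collOk;
}

// Flatten a user's roles, following inheritance, into one privilege list.
function effectivePrivileges(userId) {
  const seen = new Set();
  const privileges = [];
  const walk = (ref) => {
    const key = `${ref.db}.${ref.role}`;
    if (seen.has(key)) return; // a role graph with a cycle must not loop forever
    seen.add(key);
    const role = roles[key];
    if (!role) return; // unknown role contributes nothing
    privileges.push(...role.privileges);
    role.roles.forEach(walk);
  };
  (users[userId] || { roles: [] }).roles.forEach(walk);
  return privileges;
}

// The check mongod performs per operation: is there any privilege whose
// action list contains the action and whose resource covers the target?
function isAuthorized(userId, action, resource) {
  return effectivePrivileges(userId).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, resource)
  );
}
```

Reading the checks in the test is the point of the example: roz can read any hr collection only because partyPhotoEditor inherits hrReader, can write exactly one collection, and can run serverStatus because that is a cluster-level action that no {db, collection} privilege could ever grant.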
14. LDAPS
As an authorization source: MongoDB Enterprise queries the directory for the
authenticated user's group memberships (security.ldap.authz.queryTemplate) and
treats each group's distinguished name as the name of a MongoDB role
Those roles must exist in the admin database, named exactly after the group DN,
and carry the privileges that group should have; nothing is granted for groups
without a matching role
Typically combined with LDAP or Kerberos authentication (users in the $external database)
Habitat: LDAPS server, MongoDB configuration
16. Encryption at rest (Storage level encryption)
Protects the data files by encrypting them with AES256-CBC (the default; AES256-GCM
is also available on Linux); this is the WiredTiger encrypted storage engine in
MongoDB Enterprise
Stores only ciphertext on disk; the per-database keys are themselves encrypted with
a master key kept either in a local key file (weakest option, the key sits next to
the data) or in an external KMIP key manager
Does not cover what leaves the storage engine: mongodump output and log lines are
plaintext and need their own protection
Habitat: Storage
17. Encryption in transit (TLS)
Communication security over a computer network: confidentiality, integrity and
authentication of the server (and, with client certificates, of the client)
The handshake uses public key cryptography (certificates) to authenticate the peer
and agree a session key; the bulk traffic is then encrypted with symmetric cryptography
A fresh shared secret (session key) is derived for each connection
Habitat: Network, cert store (net.tls.certificateKeyFile, net.tls.CAFile)
19. IP Whitelists
An IP whitelist (allow list) is a list of trusted IP addresses or CIDR ranges from
which clients may reach the database; connections from anywhere else are dropped
In MongoDB Atlas this is the project's IP Access List; on a self-managed deployment
it is net.bindIp (which interfaces mongod listens on) plus a host or network firewall
A network restriction complements authentication, it does not replace it
Habitat: Configuration
21. Auditing
Auditing allows administrators to track and log user activity on a MongoDB server
(MongoDB Enterprise and Atlas)
Output can be a file (JSON or BSON), the console, or syslog (auditLog.destination)
Once enabled, can record:
-Schema (DDL) operations
-Replica set and sharded cluster operations
-Authentication and authorization (by default only failed authorization checks;
set auditAuthorizationSuccess to include successful ones)
-CRUD operations (only with auditAuthorizationSuccess, at a performance cost)
An auditLog.filter expression limits which events are written
Habitat: Console or syslog or JSON/BSON file
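An audit log is only useful if someone reads it, so here is an added example (not from the deck) of the triage a practitioner would run over the JSON file: it counts failed authentications per source IP, lists user and role changes, and surfaces failed authorization checks. The audit records are constructed to match the documented message shape (atype, ts, local, remote, users, roles, param, result); they were not captured from a real server, and the IPs, names and timestamps are invented.

```javascript
// Triage of MongoDB JSON audit log records. Added example, not from the deck;
// the records below are constructed in the documented audit message shape,
// not captured from a server. Result codes: 0 = ok, 18 = AuthenticationFailed,
// 13 = Unauthorized.
const auditLines = [
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:01Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":51000},"users":[],"roles":[],"param":{"user":"roz","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:02Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":51001},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:03Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":51002},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:01:00Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.7","port":40100},"users":[],"roles":[],"param":{"user":"mike","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:01:05Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.7","port":40101},"users":[{"user":"mike","db":"admin"}],"roles":[{"role":"hrReader","db":"admin"}],"param":{"user":"mike","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2024-05-01T10:01:09Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"198.51.100.7","port":40101},"users":[{"user":"mike","db":"admin"}],"roles":[{"role":"hrReader","db":"admin"}],"param":{"command":"insert","ns":"hr.partyPhotos","args":{"insert":"partyPhotos"}},"result":13}',
  '{"atype":"createUser","ts":{"$date":"2024-05-01T10:05:00Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.8","port":52000},"users":[{"user":"roz","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"sulley","db":"admin","roles":[{"role":"readWrite","db":"hr"}]},"result":0}',
];

// Event types that change who can do what; each one deserves a human look.
const PRIVILEGE_EVENTS = new Set([
  "createUser", "dropUser", "dropAllUsersFromDatabase", "updateUser",
  "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole",
  "dropRole", "grantRolesToRole", "grantPrivilegesToRole",
]);

// The `users` array holds the session's authenticated users (empty before login).
const actor = (e) => e.users.map((u) => `${u.user}@${u.db}`).join(",") || "<unauthenticated>";

function triageAudit(lines, bruteForceThreshold = 3) {
  const failedAuthByIp = {};
  const privilegeChanges = [];
  const unauthorized = [];
  for (const line of lines) {
    const e = JSON.parse(line);
    if (e.atype === "authenticate" && e.result !== 0) {
      failedAuthByIp[e.remote.ip] = (failedAuthByIp[e.remote.ip] || 0) + 1;
    } else if (PRIVILEGE_EVENTS.has(e.atype)) {
      privilegeChanges.push({
        ts: e.ts.$date,
        atype: e.atype,
        by: actor(e),
        target: `${e.param.user || e.param.role}@${e.param.db}`,
      });
    } else if (e.atype === "authCheck" && e.result === 13) {
      unauthorized.push({ ts: e.ts.$date, by: actor(e), command: e.param.command, ns: e.param.ns });
    }
  }
  // Several failed logins with different user names from one IP in a short
  // window is the classic credential-guessing pattern.
  const bruteForceSuspects = Object.entries(failedAuthByIp)
    .filter(([, n]) => n >= bruteForceThreshold)
    .map(([ip]) => ip);
  return { failedAuthByIp, bruteForceSuspects, privilegeChanges, unauthorized };
}
```

On a real deployment the same logic runs over `auditLog.path` (one JSON document per line) or the syslog stream; the threshold and the time window it is applied to are tuning choices, not fixed values.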
26. Note: All the cases described are based on real events that took place in the city of
Monstropolis...
27. Scenario 1 - Roz (security chief)
Roz is the chief security officer at “Monsters Inc.” The organization stores personal
information about every single monster within the company. This information is highly
sensitive and has to be protected from any unrestricted access.
For example, there are pictures of all monsters going wild at the last corporate party.
The company's SysAdmin decided to move from paper files to MongoDB and store all the personal
information and compromising photos in the database.
It is highly important that the data stays protected and secured. Roz has unlimited
resources for this job. What kind of security setup would you advise in this case?
29. Recommended setup
- KERBEROS + LDAP for authentication and authorization (Kerberos proves who the monster
  is, LDAP group membership decides which roles it gets)
- Encryption at rest to protect data, with the master key held in a KMIP key manager
  rather than in a key file next to the data
- TLS for encrypted traffic (requireTLS, server and clients verifying each other's certificates)
- Optional: Auditing
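What this setup looks like when written down: the mongod.conf below is an added example, not a file from the deck or from MongoDB's documentation, and ties together the features from the encryption, TLS, IP whitelist and auditing slides in one place. Host names, file paths and the LDAP query template are placeholders for Monsters Inc.; Kerberos/GSSAPI, LDAP authorization, encryption at rest and auditing all require MongoDB Enterprise.

```yaml
# Added example mongod.conf for the Roz scenario. Host names and paths are
# placeholders; Enterprise-only features are marked. Comments show the weak
# setting each line replaces.
net:
  bindIp: 127.0.0.1,10.0.0.5          # weak: 0.0.0.0 listens on every interface
  port: 27017
  tls:
    mode: requireTLS                   # weak: disabled / allowTLS / preferTLS accept plaintext
    certificateKeyFile: /etc/mongod/tls/server.pem
    CAFile: /etc/mongod/tls/ca.pem     # needed to verify client and KMIP certificates

security:
  authorization: enabled               # weak: absent, which means no access control at all
  enableEncryption: true               # Enterprise: WiredTiger encrypted storage engine
  encryptionCipherMode: AES256-CBC     # AES256-GCM is also available on Linux
  kmip:                                # weak alternative: encryptionKeyFile on local disk
    serverName: kmip.monstersinc.example
    port: 5696
    clientCertificateFile: /etc/mongod/tls/kmip-client.pem
    serverCAFile: /etc/mongod/tls/kmip-ca.pem
  sasl:                                # Kerberos service principal mongodb/<hostName>
    hostName: mongo1.monstersinc.example
    serviceName: mongodb
  ldap:                                # Enterprise: group membership -> MongoDB roles
    servers: ldap.monstersinc.example
    transportSecurity: tls             # weak: none sends bind credentials in clear
    authz:
      queryTemplate: "{USER}?memberOf?base"

setParameter:
  authenticationMechanisms: GSSAPI,SCRAM-SHA-256   # Kerberos for people, SCRAM for break-glass admin

auditLog:                              # Enterprise
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "createRole", "grantRolesToUser", "authCheck" ] } }'
```

Two things the file cannot express on its own: the Kerberos keytab for the service principal is supplied to mongod through the environment (KRB5_KTNAME), and LDAP authorization only works once roles named after the group DNs returned by the query have been created in the admin database with the intended privileges; a group with no matching role grants nothing.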
30. Scenario 2 - Mike and Sully
After Mike and Sully figured out that much more energy can be drained from
children's laughter, they started a blog, writing up all the pranks and jokes that make kids
laugh.
The blog's data is stored in MongoDB Atlas. It does not hold sensitive
information, since the blog is already public.
Mike and Sully don't have more money to spend, so they can't afford any
additional service or a system administrator.
What kind of security setup would you advise for Mike and Sully?
33. Scenario 3 - Randall & Henry Waternoose III
After Randall was kicked out of “Monsters Inc.”, he and Henry decided they'll
follow all of Sully and Mike's moves to plan a revenge.
They decided to use MongoDB to store all the data they can find. No one else has physical
access to the database and the setup is not connected to the network.
Randall only adds more documents.
Henry has more DB knowledge, so he does all the administrative work.
What kind of security setup would you advise Randall and Henry?