It's a Dangerous World
Die SlideShare-Präsentation wird heruntergeladen.
×
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (20)
Andere mochten auch (20)
Ähnlich wie Webinar: Architecting Secure and Compliant Applications with MongoDB (20)
Weitere von MongoDB (20)
Aktuellste (20)
Webinar: Architecting Secure and Compliant Applications with MongoDB
- 1. Architecting Secure and Compliant Applications with MongoDB shawn.mccarthy@mongodb.com @sbmccarth Solutions Architect – MongoDB Inc.
- 2. 3 Major Security Alert
- 3. 4 Concepts developer friendly production ready
- 4. 5 ✓ Concepts ✓ Best Practices ✓ Demo Agenda
- 5. 6 Authentication Authorization Validating a user is who they say they are Only letting a user do certain things Concepts
- 6. 7 Auditing Encryption Tracking system activity Encoding data so that only those with the key can read it Concepts
- 7. 8 WARNING Some features only supported in MongoDB Enterprise Advanced versions! Generally, functionality available in 2.6.x Will call out any specific 3.x features
- 8. 9 password-based challenge-response mechanism - user/pwd – defined against a DB - Different auth mechanisms (changed in 3.0) - SCRAM-SHA-1, MONGO-CR - Kerberos, LDAP* x.509 certificates - validate members of replica set’s and sharded cluster’s are who you think they are - also used in SSL connections Authentication
- 9. How do you make MongoDB authorize users? $ mongod --dbpath ./db --auth
- 10. 11 Enables authorization before creating the first user on the system. When auth is enabled, the localhost exception allows connection from the local interface to create the first user on the admin database. This only applies when no users exist on the system Changed in version 3.x These connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to all MongoDB Localhost Exception
- 11. 12 Role Based Access Control built-in and custom roles var stockerRole = { “role” : “acme.store.stocker”, “privileges” : [ { “resource” : { “db” : “products”, “collection” : “inventory” }, “actions” : [ “find”, “update” ] } ], “roles” : [ “acme.store.user” ] } use acme db.createRole( stockerRole ); Authorization
- 12. 13 Can audit on your mongod and mongos Send events to console, syslog, JSON or BSON file $ mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json [ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json { "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 } { "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 } { "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 } Auditing*
- 13. 14 Encryption At Rest ✓ Encrypted Storage Engine* ✓ Whole Disk Encryption (through third party) Required for HIPAA/PCI-DSS Configure mongod and mongos for SSL $ mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem Encryption In Transit ✓ Support for SSL/TSL for all communication Required for HIPAA/PCI-DSS Encryption
- 14. 15 http://docs.mongodb.org/manual/administration/security-checklist/ Security Checklist ✓ Require Authentication ✓ Configure Roles ✓ Use SSL ✓ Configure firewall – limit network exposure ✓ Turn on auditing ✓ Encrypt data on disk ✓ Run mongod with dedicated user account ✓ Set secure options ✧ --noscripting ✧ Disable REST/HTTP Best Practices
- 15. 16 Building roles to support healthcare application and HIPAA requirements. In general for full details on HIPAA and PCI-DSS standards compliance see: http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf Demo
- 16. 17 Role Create Read Update Delete Index (Maintenance) Physician Billing Associate Patient System Administrator Demo
- 17. 18 MongoGeneral Application ✓ createFirstUser.js ✓ createRoles.js ✓ createUsers.js Demo
- 18. Questions?
- 19. THANKS! shawn.mccarthy@mongodb.com @sbmccarth Solutions Architect – MongoDB Inc.
