Webinar: Best Practices for Securing and Protecting MongoDB Data

Transcript

  • 1. Agenda
      • Authentication
      • Authorization
      • Auditing
      • Encryption
      • IBM Guardium Integration
  • 2. Authentication
      • Basic challenge-response
          – Hashed password managed in MongoDB
      • Kerberos integration using SASL
          – Connects to an existing Kerberos infrastructure
          – Passwords managed in the existing system, not MongoDB
      • The two can be combined on the same server if desired
      • LDAP integration is likely to be added in 2.6
  • 3. Authorization
      • Roles are assigned in MongoDB
          – Currently no 3rd-party integration for authorization
      • Usernames live in MongoDB and have one or more roles assigned to them
      • Roles can be added together to build the permissioning a user needs
  • 4. Authorization: built-in roles
      • Individual DB
          – DB user access: read, readWrite
          – Database admin access: dbAdmin, userAdmin
      • Admin DB (cluster-wide)
          – Cluster administration: clusterAdmin
          – Database admin access: dbAdminAnyDatabase, userAdminAnyDatabase
          – DB user access: readAnyDatabase, readWriteAnyDatabase
  • 5. Authorization: role assignment example (one DBA for everything)
      • Database Administrator (DBA): administrator for all parts of the system. MongoDB roles: clusterAdmin, dbAdminAnyDatabase, userAdminAnyDatabase, readWriteAnyDatabase
      • Developer users: developers in dev and test environments. MongoDB role (in dev and test): readWriteAnyDatabase
      • Application users: username for the application itself across databases in all environments. MongoDB role: readWriteAnyDatabase
  • 6. Authorization: role assignment example (separate permissioning group)
      • Central Permissioning Group: only manages users and their permissions. MongoDB role: userAdminAnyDatabase
      • Database Administrator: manages the cluster, databases, collections, and indexes. MongoDB roles: clusterAdmin, dbAdminAnyDatabase
      • Developer users: developers in dev and test environments. MongoDB role (in dev and test): readWriteAnyDatabase
      • Application users: username for the application itself across databases in all environments. MongoDB role: readWriteAnyDatabase
  • 7. Authorization: role assignment example (scoped per application)
      • Central Permissioning Group: only manages users and their permissions. MongoDB role: userAdminAnyDatabase
      • Database Administrator: manages the architecture, databases, collections, and indexes for all DBs. MongoDB roles: clusterAdmin, dbAdminAnyDatabase
      • For each application:
          – Developer Users: developers in dev and test environments for this DB. MongoDB role (in dev and test): readWrite
          – Application Users: username for the application itself to use for the one DB. MongoDB role: readWrite
          – Application Admin: manages one DB only. MongoDB role: dbAdmin
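As an added example (not part of the webinar, and not MongoDB or IBM code), the following Python audits a set of user definitions against the per-application scheme of slides 6 and 7: user administration stays on a different account from data access, cluster-wide roles are confined to the designated DBA and permissioning-group accounts, and every other account is scoped to a single database. The user documents are constructed samples in the {role, db} shape of MongoDB's createUser command (2.6 and later, an assumption beyond the 2.4-era slides); the account names and the helper per_application_accounts are hypothetical.

```python
"""Audit MongoDB user definitions against a least-privilege role scheme.
Example code, not from the webinar or from MongoDB."""

# Constructed sample accounts in the {role, db} shape of MongoDB's createUser
# command (2.6 and later; an assumption, the webinar predates that release).
SAMPLE_USERS = [
    {"user": "permgroup", "db": "admin",
     "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]},
    {"user": "dba", "db": "admin",
     "roles": [{"role": "clusterAdmin", "db": "admin"},
               {"role": "dbAdminAnyDatabase", "db": "admin"}]},
    {"user": "payments_app", "db": "payments",
     "roles": [{"role": "readWrite", "db": "payments"}]},
    {"user": "payments_admin", "db": "payments",
     "roles": [{"role": "dbAdmin", "db": "payments"}]},
    # Two deliberate violations of the scheme:
    {"user": "dev_alice", "db": "admin",        # developer with cluster-wide write
     "roles": [{"role": "readWriteAnyDatabase", "db": "admin"}]},
    {"user": "billing_app", "db": "billing",    # app account that can also manage users
     "roles": [{"role": "readWrite", "db": "billing"},
               {"role": "userAdmin", "db": "billing"}]},
]

# Role families, from the built-in roles listed on slide 4
CLUSTER_WIDE_ROLES = {"clusterAdmin", "dbAdminAnyDatabase", "userAdminAnyDatabase",
                      "readAnyDatabase", "readWriteAnyDatabase"}
DATA_ROLES = {"read", "readWrite", "readAnyDatabase", "readWriteAnyDatabase"}
USER_MGMT_ROLES = {"userAdmin", "userAdminAnyDatabase"}


def per_application_accounts(app_db, pwd="<set at creation time>"):
    """createUser command documents for one application's scoped accounts (slide 7).
    The *_dev account is meant for dev and test environments only."""
    return [
        {"createUser": f"{app_db}_app", "pwd": pwd, "roles": [{"role": "readWrite", "db": app_db}]},
        {"createUser": f"{app_db}_dev", "pwd": pwd, "roles": [{"role": "readWrite", "db": app_db}]},
        {"createUser": f"{app_db}_admin", "pwd": pwd, "roles": [{"role": "dbAdmin", "db": app_db}]},
    ]


def audit_users(users, cluster_wide_accounts=("dba", "permgroup")):
    """Return (user, finding) pairs for accounts that break the scheme."""
    findings = []
    for u in users:
        name = u["user"]
        roles = {r["role"] for r in u["roles"]}
        dbs = {r["db"] for r in u["roles"]}
        # Separation of duties: managing users and reading data stay on different accounts
        if roles & USER_MGMT_ROLES and roles & DATA_ROLES:
            findings.append((name, "combines user administration with data access"))
        # *AnyDatabase / clusterAdmin only on the designated DBA and permissioning accounts
        extra = roles & CLUSTER_WIDE_ROLES
        if extra and name not in cluster_wide_accounts:
            findings.append((name, "holds cluster-wide role(s): " + ", ".join(sorted(extra))))
        # Every other account is scoped to a single database
        if name not in cluster_wide_accounts and len(dbs) > 1:
            findings.append((name, "roles span several databases: " + ", ".join(sorted(dbs))))
    return findings


if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS):
        print(f"{name}: {finding}")
```

Run against the sample set, the audit reports dev_alice (cluster-wide readWriteAnyDatabase outside the DBA account) and billing_app (readWrite combined with userAdmin); the four accounts that follow the slide's scheme pass. In practice the input would be the documents read back from the admin database's user store rather than the inline list.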
  • 8. Auditing
      • Currently only a small set of operations are logged
      • Logged in the main Mongo server log
      • In v2.6
          – Separate audit log
          – More operations will be logged (DB, collection, index changes, etc.)
  • 9. Encryption
      • Data in transit
          – SSL between all MongoDB components is in the Enterprise version
          – Or build in your own SSL library from the open source version
      • Data at rest
          – Left to the customer for their preferred file system encryption (e.g. IBM offers this)
  • 10. IBM Guardium Integration
      • Driven by a large mutual banking customer who wanted additional features
          – Integrating with their enterprise auditing platform (Guardium)
          – Policy-driven privileged user monitoring for ALL operations (including reads)
          – Plus many more features that Kathy will talk about now
  • 11. © 2013 IBM Corporation, Information Management
      Best Practices for Securing and Protecting MongoDB Data (Featuring IBM InfoSphere Guardium)
      Kathy Zeidenstein, IBM InfoSphere Guardium Evangelist
      Sundari Voruganti, QA Lead and solutions architect
      29 May 2013
  • 12. Data Governance and Security are changing rapidly
      • Drivers: Data Explosion; Everything is Everywhere; Attack Sophistication; Consumerization of IT
      • Moving from traditional perimeter-based security (Firewall, Antivirus, IPS) ... to a logical "perimeter" approach to security, focusing on the data and where it resides
      • Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
      • Focus needs to shift from the perimeter to the data that needs to be protected
  • 13. Address key data security concerns
      • The gap: minutes to compromise, months to discover and remediate
      • [Figure: "Time span of events by percent of breaches", from the Verizon 2012 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038; annotated "Patches, encryption" and "Monitoring"]
  • 14. Keeping up with ever-changing global and industry regulations
      • Canada: Personal Information Protection & Electronics Document Act
      • USA: Federal, Financial & Healthcare Industry Regulations & State Laws
      • Mexico: E-Commerce Law
      • Colombia: Political Constitution – Article 15
      • Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
      • Chile: Protection of Personal Data Act
      • Argentina: Habeas Data Act
      • South Africa: Promotion of Access to Information Act
      • United Kingdom: Data Protection Act
      • EU: Protection Directive
      • Switzerland: Federal Law on Data Protection
      • Germany: Federal Data Protection Act & State Laws
      • Poland: Polish Constitution
      • Israel: Protection of Privacy Law
      • Pakistan: Banking Companies Ordinance
      • Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
      • China: Commercial Banking Law
      • Korea: 3 Acts for Financial Data Privacy
      • Hong Kong: Privacy Ordinance
      • Taiwan: Computer-Processed Personal Data Protection Law
      • Japan: Guidelines for the Protection of Computer Processed Personal Data
      • India: SEC Board of India Act
      • Vietnam: Banking Law
      • Philippines: Secrecy of Bank Deposit Act
      • Australia: Federal Privacy Amendment Bill
      • Singapore: Monetary Authority of Singapore Act
      • Indonesia: Bank Secrecy Regulation 8
      • New Zealand: Privacy Act
  • 15. Helping Organizations Progress in Their Security Maturity (domains: People, Data, Applications, Infrastructure, Security Intelligence)
      • Optimized
          – People: Role based analytics; Identity governance; Privileged user controls
          – Data: Data flow analytics; Data governance
          – Applications: Secure app engineering processes; Fraud detection
          – Infrastructure: Advanced network monitoring; Forensics / data mining; Securing systems
          – Security Intelligence: Advanced threat detection; Network anomaly detection; Predictive risk management
      • Proficient
          – People: User provisioning; Access mgmt; Strong authentication
          – Data: Access monitoring; Data loss prevention
          – Applications: Application firewall; Source code scanning
          – Infrastructure: Virtualization security; Asset mgmt; Endpoint / network security management
          – Security Intelligence: Real-time event correlation; Network forensics
      • Basic
          – People: Centralized directory
          – Data: Encryption; Access control
          – Applications: Application scanning
          – Infrastructure: Perimeter security; Anti-virus
          – Security Intelligence: Log management; Compliance reporting
      • Placed in the Data domain: InfoSphere Guardium Data Encryption (Static Data, at rest) and InfoSphere Guardium Activity Monitoring (Dynamic Data, in motion); validated by 10gen
  • 16. Defense in depth using InfoSphere Guardium
      • Focused on the infrastructure: layers Applications, Databases, Servers, Network, Security, Mainframe, Network Infrastructure; concerns Availability, Performance, Security; owners IT, DBA, App Admin, Network Admin
      • It's all about the DATA: concerns Classification, Discovery, Privacy, Integrity, Compliance, Security; stakeholders IT, DBA, App, Network, Security, Compliance, CISO
      • Data types covered: Meta-Data (configuration), Dynamic Data (in motion), Static Data (at rest)
      • Guardium VA: Vulnerability Assessment, Configuration Audit System
      • Guardium DAM: Activity Monitoring, Blocking / Masking
      • Guardium Encryption: flexible and heterogeneous data encryption
  • 17. IBM InfoSphere Guardium Data Encryption: ensure compliance and protect enterprise data with encryption (Static Data, at rest)
      • Protect sensitive enterprise information and avoid data breaches
      • Minimize impact to production
      • Enforce separation of duties by keeping security and data administration separate
      • Meet government and industry regulations (e.g. PCI-DSS)
  • 18. InfoSphere Guardium Data Encryption Architecture (Static Data, at rest)
      • Stack: Users -> Application -> Mongod -> File System (FS Agent) -> OS -> SAN, NAS, DAS Storage
      • SSL/TLS link from the FS Agent (*communication is only required at system boot)
      • Policy is used to restrict access to sensitive data by user and process information provided by the OS
  • 19. InfoSphere Guardium Activity Monitoring and Vulnerability Assessment (Dynamic Data, in motion; Meta-Data, configuration)
      Continuously monitor access to sensitive data in SQL and NoSQL databases, data warehouses, Hadoop big data environments, and file shares to:
      1. Prevent data breaches: mitigate external and internal threats
      2. Ensure the integrity of sensitive data: prevent unauthorized changes to data, data infrastructure, configuration files and logs
      3. Reduce cost of compliance: automate and centralize controls; simplify audit review processes
  • 20. InfoSphere Guardium value proposition (cont.) (Dynamic Data, in motion; Meta-Data, configuration)
      4. Do it all in an efficient, scalable, and cost effective way
          – Increase operational efficiency: automate & centralize internal controls across heterogeneous & distributed environments; identify and help resolve performance issues & application errors
          – Highly-scalable platform, proven in the most demanding data center environments worldwide
          – No degradation of infrastructure or business processes: non-invasive architecture; no changes required to applications or databases
  • 21. What Are The Different Methods for Data Activity Monitoring?
      • Process logs
      • SPAN, Network Tap (appliance based)
      • Agent
      • Diagram: Application Server -> Database Server; traffic reaches the Guardium Collector via SPAN, Network TAP, or Agent (Dynamic Data, in motion)
  • 22. High level architecture of the InfoSphere Guardium solution for MongoDB
      • Diagram: Clients -> MongoDB Sharded Cluster (routing servers, mongos, and shards) with S-TAPs -> InfoSphere Guardium Collector -> monitoring reports, text search, data mart; real-time alerts can be integrated with SIEM systems
      • Lightweight agent sits on MongoDB routing servers (mongos) and shards (mongod)
      • Network traffic is copied and sent to a hardened appliance where parsing, analysis, and logging occur, minimizing overhead on the MongoDB cluster
      • Separation of duties is enforced – no direct access to audit data
  • 23. Technical details: InfoSphere Guardium
  • 24. One Recommended Configuration: S-TAP monitors access to shards
      • Diagram: DB users/admins, business apps and Mongo clients connect through mongos to Shard 1, Shard 2 and Shard 3 (each a primary mongod with secondaries) and the config servers; a privileged user's direct connection to a shard is marked X
      1. Use a firewall to prevent client access to shards
      2. Configure S-TAP on shards to monitor traffic that does not come through mongos
  • 25. Capture and Parsing Overview
      • A Mongo client issues:
        test.CreditCard.insert({"Name" : "Sundari", "profile" : [{"CCN" : "11999002"}, {"log" : ["new", "customer"]}],});
      • The S-TAP on mongos copies the traffic to the Guardium Collector, whose analysis engine parses the commands and then logs them
      • The read-only hardened repository (no direct access) stores: Sessions (Joe), Commands (INSERT), Objects (CreditCard), Columns/Fields (Name, profile.CCN, profile.log), SQL (message)
  • 26. Reports/Query Builder
      • Network packet: 1.1.1.1 23345 10.12.1.12 1433 test.CreditCard.insert ({ "Name" : "Sundari", …
      • Parsed, analyzed, logged in repository
      • Query builder for reports: drag and drop attributes (Sessions, Commands, Objects, Exceptions, Columns/Fields, SQL, Returned Data) from the read-only hardened repository, add fields and conditions, and produce an audit report
  • 27. Quick search: "Hey, did someone drop a collection??"
  • 28. Live Demo: InfoSphere Guardium
  • 29. Some typical monitoring use cases
      • Here's just an example of some of the policy rules you can create
      • See the developerWorks article for more details (June 2013)
  • 30. Examples – Alert when 5 or more failed logins in 3 minutes
  • 31. Examples – Alert on anomalous behavior (#finds)
      • Detect quickly when users are downloading more than allowed by policy
      • db.credit_card.find()
  • 32. Detects server-side JavaScript
      > db.customer.find( { $where: function() { return obj.credits == obj.debits; } } );
      • All of the following MongoDB operations permit you to run arbitrary JavaScript expressions directly on the server: $where, db.eval(), mapReduce, group
      • "You must exercise care in these cases to prevent users from submitting malicious JavaScript." (http://docs.mongodb.org/manual/faq/developers/#how-does-mongodb-address-sql-or-query-injection)
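As an added example (not from the webinar and not Guardium's code), the following Python runs the three policy rules of slides 30 to 32 over a constructed capture, using the same command parsing the collector performs on slide 25: a burst of 5 or more failed logins inside 3 minutes, a find() count on one collection above a policy limit, and commands that run JavaScript on the server ($where, db.eval(), mapReduce, group). The capture format (tab-separated time, client IP, user, status, command text), the AUTH_FAIL status value and every sample line are constructed for this example.

```python
"""Policy rules over captured MongoDB activity: failed-login bursts, excessive
finds, and server-side JavaScript. Example code, not Guardium's own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture, one event per line:
# "<ISO time>\t<client ip>\t<user>\t<status>\t<command text>". Not real traffic.
SAMPLE_CAPTURE = """\
2013-05-29T10:00:05\t10.0.0.7\tjoe\tAUTH_FAIL\tsaslStart
2013-05-29T10:00:20\t10.0.0.7\tjoe\tAUTH_FAIL\tsaslStart
2013-05-29T10:01:02\t10.0.0.7\tjoe\tAUTH_FAIL\tsaslStart
2013-05-29T10:01:40\t10.0.0.7\tjoe\tAUTH_FAIL\tsaslStart
2013-05-29T10:02:55\t10.0.0.7\tjoe\tAUTH_FAIL\tsaslStart
2013-05-29T10:05:00\t10.0.0.8\tann\tAUTH_FAIL\tsaslStart
2013-05-29T10:10:00\t10.0.0.8\tann\tOK\ttest.CreditCard.insert({"Name" : "Sundari", "profile" : [{"CCN" : "11999002"}]})
2013-05-29T10:11:00\t10.0.0.8\tann\tOK\ttest.credit_card.find()
2013-05-29T10:11:01\t10.0.0.8\tann\tOK\ttest.credit_card.find()
2013-05-29T10:11:02\t10.0.0.8\tann\tOK\ttest.credit_card.find()
2013-05-29T10:12:00\t10.0.0.9\tbob\tOK\ttest.customer.find({ $where: function() { return obj.credits == obj.debits; } })
2013-05-29T10:13:00\t10.0.0.9\tbob\tOK\ttest.orders.mapReduce(mapFn, reduceFn, { out: "totals" })
"""

NAMESPACE_RE = re.compile(r"^(\w+)\.(\w+)\.(\w+)\s*\(")
# Operations the slide lists as running arbitrary JavaScript on the server
SERVER_SIDE_JS_RE = re.compile(r"\$where|\beval\s*\(|\bmapReduce\s*\(|\bgroup\s*\(")


def parse_capture(text):
    """Turn the constructed capture format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status, command = line.split("\t", 4)
        events.append({"time": datetime.fromisoformat(ts), "ip": ip, "user": user,
                       "status": status, "command": command})
    return events


def parse_command(command):
    """Split 'db.collection.op(...)' into (db, collection, op); None for non-namespace commands."""
    m = NAMESPACE_RE.match(command)
    return m.groups() if m else None


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=3)):
    """Slide 30: users with `threshold` or more failed logins inside any sliding `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["status"] == "AUTH_FAIL":
            per_user[e["user"]].append(e["time"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):
            # the threshold-th failure counted from `start` lands inside the window
            if len(times) - i >= threshold and times[i + threshold - 1] - start <= window:
                alerts.append(user)
                break
    return alerts


def excessive_finds(events, max_finds=2):
    """Slide 31: (user, namespace, count) where find() calls on one collection exceed the policy limit."""
    counts = defaultdict(int)
    for e in events:
        parsed = parse_command(e["command"])
        if parsed and parsed[2] == "find":
            counts[(e["user"], parsed[0] + "." + parsed[1])] += 1
    return sorted((user, ns, n) for (user, ns), n in counts.items() if n > max_finds)


def server_side_js(events):
    """Slide 32: (user, command) for commands that execute JavaScript on the server."""
    return [(e["user"], e["command"]) for e in events if SERVER_SIDE_JS_RE.search(e["command"])]


EVENTS = parse_capture(SAMPLE_CAPTURE)

if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(EVENTS))
    print("excessive finds:", excessive_finds(EVENTS))
    print("server-side JavaScript:", server_side_js(EVENTS))
```

On the sample capture the rules fire for joe (five AUTH_FAIL events within 2 minutes 50 seconds), for ann (three find() calls on test.credit_card against a limit of two) and twice for bob ($where and mapReduce); ann's single failed login and her insert trigger nothing. The sliding window in failed_login_bursts matters: counting failures per fixed clock interval would miss a burst that straddles a boundary.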
  • 33. Real-time Data Activity Monitoring, built to scale
      • Integration with LDAP, IAM, SIEM, TSM, Remedy, …
      • DATA; InfoSphere BigInsights
  • 34. InfoSphere Guardium for MongoDB: helping you maintain a safe and secure environment
      • Dynamic Data (in motion)
          – Monitor all activity, log what you need
          – Real-time alerting to reduce time to discovery
          – Detect use of possibly unsafe coding practices (server-side JavaScript)
          – Detect dropped indexes or collections that can affect apps
          – Block users when required (Advanced)
          – Highly-scalable platform, proven in the most demanding data center environments worldwide
          – Validated by 10gen!
      • Static Data (at rest)
          – Protect data from misuse
          – Policy-based encryption
          – Separation of duties
          – Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes
  • 35. For more information
      • Join the InfoSphere Guardium community on developerWorks: bit.ly/guardwiki
      • Or click on Contact Us at Ibm.com/software/data/guardium/database-activity-monitor/
      • Send an email to Kathy at krzeide@us.ibm.com
      • Look for a detailed article on IBM developerWorks – Part 1 publishes on June 6th
  • 36. Thank you: Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję (Spanish, French, Italian, Brazilian Portuguese, German, Swedish, Polish; also Japanese, Russian, Arabic, Traditional Chinese, Simplified Chinese, Thai)