SlideShare a Scribd company logo

Enhancing the default MongoDB Security

Igor Donchovski
Igor Donchovski

1. The document discusses enhancing default MongoDB security by implementing access control, authentication, network hardening, encryption, and auditing. 2. It describes enabling authentication and authorization to control access, limiting network exposure through firewalls and VPNs, and using TLS/SSL encryption to protect data in transit. 3. Storage engine encryption and auditing are also covered to protect data at rest and track system activity.

Engineering
1 of 45
Download to read offline
May-30-2019 Enhancing the Default MongoDB Security
{"name": "Igor Donchovski", "live_in": "Skopje", "email": "donchovski@pythian.com", "current_role": "Lead database consultant", "education": [{"type": "College", "name": "FEIT", "graduated": "2008", "university": "UKIM"}, {"type": "Master", "name": "FINKI", "graduated": "2013", "university": "UKIM"}], "work": [{"role": "Web developer", "start": "2007", "end": "2012", "company": "Gord Systems"}, {"role": "DBA", "start": "2012", "end": "2014", "company": "NOVP"}, {"role": "Database consultant", "start": "2014", "end": "2016", "company": "Pythian"}, {"role": "Lead database consultant", "start": "2016", "company": "Pythian"}], "certificates": [{"name": "C100DBA", "year": "2016", "description": "MongoDB certified DBA"}], "social": [{"network": "LinkedIn", "url": "https://mk.linkedin.com/in/igorle"}, {"network": "Twitter", "url": "https://twitter.com/igorle"}], "interests": ["Hiking", "Biking", "Traveling"], "hobbies": ["Painting", "Photography", "Cooking"], "proud_of": ["Volunteering", "Helping the Community"]} About Me © 2019 Pythian. Confidential
Overview • Default security • Access control • Authentication and Authorization • Network hardening • Encryption in Transit • Encryption at REST • Auditing • QA © 2019 Pythian. Confidential
Security Incidents ● Data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so ● Industry analysts predict cybercrime will cost the global economy $6 trillion annually by 2021 © 2019 Pythian. Confidential
© 2019 Pythian. Confidential Defaults
• sudo yum install -y mongodb-org • sudo apt-get install -y mongodb-org • sudo zypper -n install mongodb-org sudo service mongod start • sudo tar -zxvf mongodb-linux-*-4.0.9.tgz sudo mongod --dbpath /data/db --logpath /log/mongod.log • mongo (shell to interact with the database) > use test > db.foo.find() Default Security © 2019 Pythian. Confidential
• before MongoDB 3.6 net.bindIP: 0.0.0.0 (if MongoDB installed from binaries) net.bindIP: 127.0.0.1 (if MongoDB installed from package after 2.6) Default Security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. { "_id" : ... }
• after MongoDB 3.6 net.bindIP: 127.0.0.1 Default security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. Error: couldn't connect to server
• Users allowed to ssh to DB server net.bindIP: 127.0.0.1 Default Security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. { "_id" : ... } 1. db.foo.findOne() 2. Error: couldn't connect to server
• Application and Database don’t usually run on same host • DBA need to change bindIP net.bindIP: 0.0.0.0 Default Security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. { "_id" : ... }
© 2019 Pythian. Confidential Access Control
• security:authorization: enabled use admin db.createUser( { user: "UserAdmin", pwd: "123456", roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ] } ) Access Control © 2019 Pythian. Confidential 2. Who are you? 1. db.foo.findOne()
mongo --port 27017 -u "UserAdmin" --authenticationDatabase "admin" -p db.createUser( { user: "tester", pwd: "qwerty", roles: [ { role: "readWrite", db: "test" }, { role: "read", db: "reporting" } ] } ) Access Control © 2019 Pythian. Confidential 2. true 1. db.auth()
• SCRAM (default) • x.509 Certificate Authentication • LDAP • Kerberos Authentication © 2019 Pythian. Confidential 2. true 1. db.auth()
• Keyfile --keyFile • x.509 --clusterAuthMode --sslClusterFile • Enabling internal authentication also enables client authorization. Internal Authentication © 2019 Pythian. Confidential
createUser Drop Drop Drop findAndModify dropUser isMaster createUser Insert Find Authorization © 2019 Pythian. Confidential Update Delete Drop
Drop createUser createUser isMaster Insert Find createUser Find Authorization © 2019 Pythian. Confidential Delete Drop DropUpdate Reporting Application DBA
Authorization ● Role Based Access Control ○ Role - grants privileges to perform the specified actions on resource ○ Resource - database, collection, set of collections, or the cluster ○ Privilege - consists of a specified resource and the actions permitted on the resource ○ Action specifies the operation allowed on the resource ● Built-In roles and User-Defined roles ● Limit data access with custom views © 2019 Pythian. Confidential
• Database servers exposed to the internet • No Firewall, VPN or VPC Network Hardening © 2019 Pythian. Confidential
• No need for DB server to be exposed to the internet • Add Firewall rules, VPN or VPC Network Hardening © 2019 Pythian. Confidential VPC
Access Control Summary © 2019 Pythian. Confidential VPC VPNApplication 2. true 1. db.auth()
© 2019 Pythian. Confidential Encryption
● Attacker can access data by monitoring traffic between the application and the database or by reading files directly Why Encryption? Attacker © 2019 Pythian. Confidential 2. true 1. db.auth() Attacker
● Protect Personally Identifiable Information (PII) ○ PCI DSS for managing cardholder information ○ HIPAA standards for managing healthcare information ○ GDPR for the protection of EU citizen data privacy (May 2018) ○ FISMA to ensure the security of data in the federal government ○ FERPA to protect the privacy of student education records ○ The Asia Pacific Cross-border Privacy Enforcement Arrangement (CPEA) ○ Others Why Encryption? © 2019 Pythian. Confidential
Encryption with MongoDB ● Transport encryption ○ MongoDB network traffic is only readable by the intended client ● Encryption at REST ○ Application Level Encryption and Storage Encryption ○ Native encryption option for the WiredTiger storage engine* * Available in MongoDB Enterprise only © 2019 Pythian. Confidential
© 2019 Pythian. Confidential Transport Encryption
Transport Encryption ● TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB’s network traffic ● Certificate Authorities - valid certificates generated and signed by a single certificate authority ○ PEMKeyfile with the name of the .pem file that contains the signed TLS/SSL certificate and key ○ CAFile with the name of the .pem file that contains the root certificate chain from the Certificate Authority © 2019 Pythian. Confidential
Transport Encryption Configuration notes: Deploying a 3 node replica set MongoDB config file # /etc/mongod.conf systemLog: .................. path: /mongodb/logs/mongod.log storage: dbPath: /mongodb/data .................. net: port: 27017 ssl: mode: <disabled|allowSSL|preferSSL|requireSSL> PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/ca.pem .................. replication: replSetName: production © 2019 Pythian. Confidential
Transport Encryption net.ssl.mode Value Description disabled The server does not use TLS/SSL allowSSL Connections between servers do not use TLS/SSL For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL preferSSL Connections between servers use TLS/SSL For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL requireSSL The server uses and accepts only TLS/SSL encrypted connections © 2019 Pythian. Confidential
Transport Encryption 1. Install MongoDB on each node* 2. Start each server with config file options for net.ssl.mode <allowSSL|preferSSL|requireSSL> 3. Initiate the replica set on the Primary node 4. Add the rest of the nodes by using FQDN * confirm your MongoDB legacy supports TLS/SSL Heartbeat © 2019 Pythian. Confidential
Transport Encryption Upgrade running Replica to Use TLS/SSL • Restart the processes with ssl.Mode allowSSL net: ssl: mode: allowSSL • Switch the clients to use TLS/SSL © 2019 Pythian. Confidential
Transport Encryption Upgrade running Replica to Use TLS/SSL • Restart the processes with ssl.Mode allowSSL net: ssl: mode: allowSSL • Switch the clients to use TLS/SSL • Upgrade to preferSSL by issuing the command on each node db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } ) © 2019 Pythian. Confidential
Transport Encryption Upgrade running Replica to Use TLS/SSL • Restart the processes with ssl.Mode allowSSL net: ssl: mode: allowSSL • Switch the clients to use TLS/SSL • Upgrade to preferSSL by issuing the command on each node db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } ) • Upgrade to requireSSL by issuing the command on each node db.adminCommand( { setParameter: 1, sslMode: "requireSSL" } ) • Update the config file to persist the settings net: ssl: mode: requireSSL © 2019 Pythian. Confidential
© 2019 Pythian. Confidential Encryption at REST
Application Level Encryption ● Encryption on a per-field or per-document basis within the application layer ● Custom encryption and decryption routines to encrypt ○ Document ○ Field level data © 2019 Pythian. Confidential
Storage Engine Encryption • Native encryption option for the WiredTiger storage engine only • AES256-CBC (or 256-bit Advanced Encryption Standard in Cipher Block Chaining mode) via OpenSSL • AES-256 uses a symmetric key; i.e. the same key to encrypt and decrypt text © 2019 Pythian. Confidential
Encryption at REST ● Use of local key management via a keyfile ○ Create the base64 encoded keyfile with the 16 or 32 character string openssl rand -base64 32 > mongodb-keyfile ○ Assign permissions 600 chmod 600 mongodb-keyfile ○ Start mongod with the encryption options /usr/bin/mongod --enableEncryption --encryptionKeyFile mongodb-keyfile # /etc/mongod.conf security: enableEncryption: true encryptionKeyFile: /etc/mongodb_keyfile © 2019 Pythian. Confidential
Encryption at REST ● Integration with a third party key management appliance via the Key Management Interoperability Protocol (KMIP) ○ Key manager must support the KMIP communication protocol ○ Must have a valid certificate issued by the key management appliance /usr/bin/mongod --enableEncryption --kmipServerName <KMIP Server HostName> --kmipPort <KMIP server port> --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem © 2019 Pythian. Confidential
Encryption with KMIP • Generating a master key • Generating keys for each database • Encrypting data with the database keys • Encrypting the database keys with the master key • Master key and database keys are not replicated © 2019 Pythian. Confidential
Disk Level Encryption • Amazon EBS encryption • Azure disk encryption • Google Compute Engine encrypts all data at rest (by default) • Linux hard disk encryption with LUKS • BitLocker encryption for Windows server © 2019 Pythian. Confidential
Auditing Track System Activity ● schema (DDL) ● replica set and sharded cluster ● authentication and authorization ● CRUD operations auditLog: destination: <syslog>, <console>, <file> format: <JSON>, <BSON> path: data/db/auditLog.<json>,<bson> filter: '{ atype: { $in: ["dropCollection"]}}' * Available in MongoDB Enterprise only © 2019 Pythian. Confidential > bsondump auditLog.bson {"atype":"authenticate","ts":{"$date":"2019-02-14T14:11:29.97 5+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"i p":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{" user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result" :18} {"atype":"authCheck","ts":{"$date":"2019-02-14T14:15:49.161+0 100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip": "127.0.0.1","port":42636},"users":[{"user":"test","db":"admin "}],"roles":[{"role":"read","db":"admin"}],"param":{"command" :"insert","ns":"test.orders","args":{"insert":"orders","docum ents":[{"_id":{"$oid":"58a3030507bd5e3486b1220d"},"id":1.0,"i tem":"paper clips"}],"ordered":true}},"result":13}
Security Features Comparison © 2018 Pythian. Confidential MongoDB Community MongoDB Enterprise Percona server for MongoDB LDAP Authentication LDAP Authorization Kerberos Storage engine encryption Auditing Log redaction
Summary • Security incidents and data breaches grow exponentially over the last 5 years • Enable access control by turning on authentication • Limit resources access by authorization and roles • Harden your database by limiting network exposure • Protect data in transit by using encryption with TLS/SSL • Protect data at rest by using encrypted storage engine • Track System activity with Auditing • Keep your database version up to date © 2019 Pythian. Confidential
Questions? © 2019 Pythian. Confidential
We’re Hiring! https://www.pythian.com/careers/ © 2019 Pythian. Confidential

Recommended

How to scale MongoDB
How to scale MongoDBHow to scale MongoDB
How to scale MongoDBIgor Donchovski
 
MongoDB HA - what can go wrong
MongoDB HA - what can go wrongMongoDB HA - what can go wrong
MongoDB HA - what can go wrongIgor Donchovski
 
Maintenance for MongoDB Replica Sets
Maintenance for MongoDB Replica SetsMaintenance for MongoDB Replica Sets
Maintenance for MongoDB Replica SetsIgor Donchovski
 
Exploring the replication and sharding in MongoDB
Exploring the replication and sharding in MongoDBExploring the replication and sharding in MongoDB
Exploring the replication and sharding in MongoDBIgor Donchovski
 
Working with MongoDB as MySQL DBA
Working with MongoDB as MySQL DBAWorking with MongoDB as MySQL DBA
Working with MongoDB as MySQL DBAIgor Donchovski
 
Exploring the replication in MongoDB
Exploring the replication in MongoDBExploring the replication in MongoDB
Exploring the replication in MongoDBIgor Donchovski
 
How To Connect Spark To Your Own Datasource
How To Connect Spark To Your Own DatasourceHow To Connect Spark To Your Own Datasource
How To Connect Spark To Your Own DatasourceMongoDB
 
Back to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingBack to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingMongoDB
 

Recommended

How to scale MongoDB
How to scale MongoDBHow to scale MongoDB
How to scale MongoDBIgor Donchovski
 
MongoDB HA - what can go wrong
MongoDB HA - what can go wrongMongoDB HA - what can go wrong
MongoDB HA - what can go wrongIgor Donchovski
 
Maintenance for MongoDB Replica Sets
Maintenance for MongoDB Replica SetsMaintenance for MongoDB Replica Sets
Maintenance for MongoDB Replica SetsIgor Donchovski
 
Exploring the replication and sharding in MongoDB
Exploring the replication and sharding in MongoDBExploring the replication and sharding in MongoDB
Exploring the replication and sharding in MongoDBIgor Donchovski
 
Working with MongoDB as MySQL DBA
Working with MongoDB as MySQL DBAWorking with MongoDB as MySQL DBA
Working with MongoDB as MySQL DBAIgor Donchovski
 
Exploring the replication in MongoDB
Exploring the replication in MongoDBExploring the replication in MongoDB
Exploring the replication in MongoDBIgor Donchovski
 
How To Connect Spark To Your Own Datasource
How To Connect Spark To Your Own DatasourceHow To Connect Spark To Your Own Datasource
How To Connect Spark To Your Own DatasourceMongoDB
 
Back to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingBack to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingMongoDB
 
MongoDB and Spark
MongoDB and SparkMongoDB and Spark
MongoDB and SparkNorberto Leite
 
MongodB Internals
MongodB InternalsMongodB Internals
MongodB InternalsNorberto Leite
 
Webinar: Schema Patterns and Your Storage Engine
Webinar: Schema Patterns and Your Storage EngineWebinar: Schema Patterns and Your Storage Engine
Webinar: Schema Patterns and Your Storage EngineMongoDB
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBMongoDB
 
Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDBMongoDB
 
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...MongoDB
 
MongoDB Europe 2016 - Big Data meets Big Compute
MongoDB Europe 2016 - Big Data meets Big ComputeMongoDB Europe 2016 - Big Data meets Big Compute
MongoDB Europe 2016 - Big Data meets Big ComputeMongoDB
 
Mongo db 3.4 Overview
Mongo db 3.4 OverviewMongo db 3.4 Overview
Mongo db 3.4 OverviewNorberto Leite
 
Introduction to Sharding
Introduction to ShardingIntroduction to Sharding
Introduction to ShardingMongoDB
 
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBWebinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBMongoDB
 
Challenges with MongoDB
Challenges with MongoDBChallenges with MongoDB
Challenges with MongoDBStone Gao
 
Python and MongoDB as a Market Data Platform by James Blackburn
Python and MongoDB as a Market Data Platform by James BlackburnPython and MongoDB as a Market Data Platform by James Blackburn
Python and MongoDB as a Market Data Platform by James BlackburnPyData
 
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...MongoDB
 
Cloud Backup Overview
Cloud Backup Overview Cloud Backup Overview
Cloud Backup Overview MongoDB
 
Mongo db dhruba
Mongo db dhrubaMongo db dhruba
Mongo db dhrubaDhrubaji Mandal ♛
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB
 
MongoDB Days Silicon Valley: Introducing MongoDB 3.2
MongoDB Days Silicon Valley: Introducing MongoDB 3.2MongoDB Days Silicon Valley: Introducing MongoDB 3.2
MongoDB Days Silicon Valley: Introducing MongoDB 3.2MongoDB
 
Back to Basics 2017: Mí primera aplicación MongoDB
Back to Basics 2017: Mí primera aplicación MongoDBBack to Basics 2017: Mí primera aplicación MongoDB
Back to Basics 2017: Mí primera aplicación MongoDBMongoDB
 
Introducing Stitch
Introducing Stitch Introducing Stitch
Introducing Stitch MongoDB
 
Getting Started with MongoDB Using the Microsoft Stack
Getting Started with MongoDB Using the Microsoft Stack Getting Started with MongoDB Using the Microsoft Stack
Getting Started with MongoDB Using the Microsoft Stack MongoDB
 
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...MongoDB
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
 

More Related Content

What's hot

Webinar: Schema Patterns and Your Storage Engine
Webinar: Schema Patterns and Your Storage EngineWebinar: Schema Patterns and Your Storage Engine
Webinar: Schema Patterns and Your Storage EngineMongoDB
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBMongoDB
 
Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDBMongoDB
 
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...MongoDB
 
MongoDB Europe 2016 - Big Data meets Big Compute
MongoDB Europe 2016 - Big Data meets Big ComputeMongoDB Europe 2016 - Big Data meets Big Compute
MongoDB Europe 2016 - Big Data meets Big ComputeMongoDB
 
Introduction to Sharding
Introduction to ShardingIntroduction to Sharding
Introduction to ShardingMongoDB
 
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBWebinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBMongoDB
 
Challenges with MongoDB
Challenges with MongoDBChallenges with MongoDB
Challenges with MongoDBStone Gao
 
Python and MongoDB as a Market Data Platform by James Blackburn
Python and MongoDB as a Market Data Platform by James BlackburnPython and MongoDB as a Market Data Platform by James Blackburn
Python and MongoDB as a Market Data Platform by James BlackburnPyData
 
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...MongoDB
 
Cloud Backup Overview
Cloud Backup Overview Cloud Backup Overview
Cloud Backup Overview MongoDB
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB
 
MongoDB Days Silicon Valley: Introducing MongoDB 3.2
MongoDB Days Silicon Valley: Introducing MongoDB 3.2MongoDB Days Silicon Valley: Introducing MongoDB 3.2
MongoDB Days Silicon Valley: Introducing MongoDB 3.2MongoDB
 
Back to Basics 2017: Mí primera aplicación MongoDB
Back to Basics 2017: Mí primera aplicación MongoDBBack to Basics 2017: Mí primera aplicación MongoDB
Back to Basics 2017: Mí primera aplicación MongoDBMongoDB
 
Introducing Stitch
Introducing Stitch Introducing Stitch
Introducing Stitch MongoDB
 
Getting Started with MongoDB Using the Microsoft Stack
Getting Started with MongoDB Using the Microsoft Stack Getting Started with MongoDB Using the Microsoft Stack
Getting Started with MongoDB Using the Microsoft Stack MongoDB
 

What's hot (20)

MongoDB and Spark
MongoDB and SparkMongoDB and Spark
MongoDB and Spark
 
MongodB Internals
MongodB InternalsMongodB Internals
MongodB Internals
 
Webinar: Schema Patterns and Your Storage Engine
Webinar: Schema Patterns and Your Storage EngineWebinar: Schema Patterns and Your Storage Engine
Webinar: Schema Patterns and Your Storage Engine
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDB
 
Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDB
 
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
How Thermo Fisher is Reducing Data Analysis Times from Days to Minutes with M...
 
MongoDB Europe 2016 - Big Data meets Big Compute
MongoDB Europe 2016 - Big Data meets Big ComputeMongoDB Europe 2016 - Big Data meets Big Compute
MongoDB Europe 2016 - Big Data meets Big Compute
 
Mongo db 3.4 Overview
Mongo db 3.4 OverviewMongo db 3.4 Overview
Mongo db 3.4 Overview
 
Introduction to Sharding
Introduction to ShardingIntroduction to Sharding
Introduction to Sharding
 
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBWebinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
 
Challenges with MongoDB
Challenges with MongoDBChallenges with MongoDB
Challenges with MongoDB
 
Python and MongoDB as a Market Data Platform by James Blackburn
Python and MongoDB as a Market Data Platform by James BlackburnPython and MongoDB as a Market Data Platform by James Blackburn
Python and MongoDB as a Market Data Platform by James Blackburn
 
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
 
Cloud Backup Overview
Cloud Backup Overview Cloud Backup Overview
Cloud Backup Overview
 
Mongo db dhruba
Mongo db dhrubaMongo db dhruba
Mongo db dhruba
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
 
MongoDB Days Silicon Valley: Introducing MongoDB 3.2
MongoDB Days Silicon Valley: Introducing MongoDB 3.2MongoDB Days Silicon Valley: Introducing MongoDB 3.2
MongoDB Days Silicon Valley: Introducing MongoDB 3.2
 
Back to Basics 2017: Mí primera aplicación MongoDB
Back to Basics 2017: Mí primera aplicación MongoDBBack to Basics 2017: Mí primera aplicación MongoDB
Back to Basics 2017: Mí primera aplicación MongoDB
 
Introducing Stitch
Introducing Stitch Introducing Stitch
Introducing Stitch
 
Getting Started with MongoDB Using the Microsoft Stack
Getting Started with MongoDB Using the Microsoft Stack Getting Started with MongoDB Using the Microsoft Stack
Getting Started with MongoDB Using the Microsoft Stack
 

Similar to Enhancing the default MongoDB Security

Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...MongoDB
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
 
Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...
Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...
Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...Denodo
 
IJSRED-V2I2P10
IJSRED-V2I2P10IJSRED-V2I2P10
IJSRED-V2I2P10IJSRED
 
Strategies for Context Data Persistence
Strategies for Context Data PersistenceStrategies for Context Data Persistence
Strategies for Context Data PersistenceFIWARE
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Big Data Spain
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Leadex Systems
 
Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Mydbops
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...Cisco DevNet
 
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationDEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationCisco DevNet
 
Percona Live 2021 - MongoDB Security Features
Percona Live 2021 - MongoDB Security FeaturesPercona Live 2021 - MongoDB Security Features
Percona Live 2021 - MongoDB Security FeaturesJean Da Silva
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
FIWARE Wednesday Webinars - Strategies for Context Data Persistence
FIWARE Wednesday Webinars - Strategies for Context Data PersistenceFIWARE Wednesday Webinars - Strategies for Context Data Persistence
FIWARE Wednesday Webinars - Strategies for Context Data PersistenceFIWARE
 
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshLayer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshMitchell Pronschinske
 
Simplify Cloud Applications using Spring Cloud
Simplify Cloud Applications using Spring CloudSimplify Cloud Applications using Spring Cloud
Simplify Cloud Applications using Spring CloudRamnivas Laddad
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingShannon McFarland
 
From localhost to the cloud: A Journey of Deployments
From localhost to the cloud: A Journey of DeploymentsFrom localhost to the cloud: A Journey of Deployments
From localhost to the cloud: A Journey of DeploymentsTegar Imansyah
 
MySQL 8.0 - Security Features
MySQL 8.0 - Security FeaturesMySQL 8.0 - Security Features
MySQL 8.0 - Security FeaturesHarin Vadodaria
 
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021StreamNative
 

Similar to Enhancing the default MongoDB Security (20)

Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
 
Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...
Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...
Cryptographie avancée et Logical Data Fabric : Accélérez le partage et la mig...
 
IJSRED-V2I2P10
IJSRED-V2I2P10IJSRED-V2I2P10
IJSRED-V2I2P10
 
Strategies for Context Data Persistence
Strategies for Context Data PersistenceStrategies for Context Data Persistence
Strategies for Context Data Persistence
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021
 
Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
 
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationDEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
 
Percona Live 2021 - MongoDB Security Features
Percona Live 2021 - MongoDB Security FeaturesPercona Live 2021 - MongoDB Security Features
Percona Live 2021 - MongoDB Security Features
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
Cncf microservices security
Cncf microservices securityCncf microservices security
Cncf microservices security
 
FIWARE Wednesday Webinars - Strategies for Context Data Persistence
FIWARE Wednesday Webinars - Strategies for Context Data PersistenceFIWARE Wednesday Webinars - Strategies for Context Data Persistence
FIWARE Wednesday Webinars - Strategies for Context Data Persistence
 
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshLayer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
 
Simplify Cloud Applications using Spring Cloud
Simplify Cloud Applications using Spring CloudSimplify Cloud Applications using Spring Cloud
Simplify Cloud Applications using Spring Cloud
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
 
From localhost to the cloud: A Journey of Deployments
From localhost to the cloud: A Journey of DeploymentsFrom localhost to the cloud: A Journey of Deployments
From localhost to the cloud: A Journey of Deployments
 
MySQL 8.0 - Security Features
MySQL 8.0 - Security FeaturesMySQL 8.0 - Security Features
MySQL 8.0 - Security Features
 
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
A Pulsar Use Case In Federated Learning - Pulsar Summit NA 2021
 

Recently uploaded

HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningmisbanausheenparvam
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 

Recently uploaded (20)

Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learning
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 

Enhancing the default MongoDB Security

  • 2. {"name": "Igor Donchovski", "live_in": "Skopje", "email": "donchovski@pythian.com", "current_role": "Lead database consultant", "education": [{"type": "College", "name": "FEIT", "graduated": "2008", "university": "UKIM"}, {"type": "Master", "name": "FINKI", "graduated": "2013", "university": "UKIM"}], "work": [{"role": "Web developer", "start": "2007", "end": "2012", "company": "Gord Systems"}, {"role": "DBA", "start": "2012", "end": "2014", "company": "NOVP"}, {"role": "Database consultant", "start": "2014", "end": "2016", "company": "Pythian"}, {"role": "Lead database consultant", "start": "2016", "company": "Pythian"}], "certificates": [{"name": "C100DBA", "year": "2016", "description": "MongoDB certified DBA"}], "social": [{"network": "LinkedIn", "url": "https://mk.linkedin.com/in/igorle"}, {"network": "Twitter", "url": "https://twitter.com/igorle"}], "interests": ["Hiking", "Biking", "Traveling"], "hobbies": ["Painting", "Photography", "Cooking"], "proud_of": ["Volunteering", "Helping the Community"]} About Me © 2019 Pythian. Confidential
  • 3. Overview • Default security • Access control • Authentication and Authorization • Network hardening • Encryption in Transit • Encryption at REST • Auditing • QA © 2019 Pythian. Confidential
  • 4. Security Incidents ● Data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so ● Industry analysts predict cybercrime will cost the global economy $6 trillion annually by 2021 © 2019 Pythian. Confidential
  • 5. © 2019 Pythian. Confidential Defaults
  • 6. • sudo yum install -y mongodb-org • sudo apt-get install -y mongodb-org • sudo zypper -n install mongodb-org sudo service mongod start • sudo tar -zxvf mongodb-linux-*-4.0.9.tgz sudo mongod --dbpath /data/db --logpath /log/mongod.log • mongo (shell to interact with the database) > use test > db.foo.find() Default Security © 2019 Pythian. Confidential
  • 7. • before MongoDB 3.6 net.bindIP: 0.0.0.0 (if MongoDB installed from binaries) net.bindIP: 127.0.0.1 (if MongoDB installed from package after 2.6) Default Security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. { "_id" : ... }
  • 8. • after MongoDB 3.6 net.bindIP: 127.0.0.1 Default security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. Error: couldn't connect to server
  • 9. • Users allowed to ssh to DB server net.bindIP: 127.0.0.1 Default Security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. { "_id" : ... } 1. db.foo.findOne() 2. Error: couldn't connect to server
  • 10. • Application and Database don’t usually run on same host • DBA need to change bindIP net.bindIP: 0.0.0.0 Default Security © 2019 Pythian. Confidential 1. db.foo.findOne() 2. { "_id" : ... }
  • 11. © 2019 Pythian. Confidential Access Control
  • 12. • security:authorization: enabled use admin db.createUser( { user: "UserAdmin", pwd: "123456", roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ] } ) Access Control © 2019 Pythian. Confidential 2. Who are you? 1. db.foo.findOne()
  • 13. mongo --port 27017 -u "UserAdmin" --authenticationDatabase "admin" -p db.createUser( { user: "tester", pwd: "qwerty", roles: [ { role: "readWrite", db: "test" }, { role: "read", db: "reporting" } ] } ) Access Control © 2019 Pythian. Confidential 2. true 1. db.auth()
  • 14. • SCRAM (default) • x.509 Certificate Authentication • LDAP • Kerberos Authentication © 2019 Pythian. Confidential 2. true 1. db.auth()
  • 15. • Keyfile --keyFile • x.509 --clusterAuthMode --sslClusterFile • Enabling internal authentication also enables client authorization. Internal Authentication © 2019 Pythian. Confidential
  • 17. Drop createUser createUser isMaster Insert Find createUser Find Authorization © 2019 Pythian. Confidential Delete Drop DropUpdate Reporting Application DBA
  • 18. Authorization ● Role Based Access Control ○ Role - grants privileges to perform the specified actions on resource ○ Resource - database, collection, set of collections, or the cluster ○ Privilege - consists of a specified resource and the actions permitted on the resource ○ Action specifies the operation allowed on the resource ● Built-In roles and User-Defined roles ● Limit data access with custom views © 2019 Pythian. Confidential
  • 19. • Database servers exposed to the internet • No Firewall, VPN or VPC Network Hardening © 2019 Pythian. Confidential
  • 20. • No need for DB server to be exposed to the internet • Add Firewall rules, VPN or VPC Network Hardening © 2019 Pythian. Confidential VPC
  • 21. Access Control Summary © 2019 Pythian. Confidential VPC VPNApplication 2. true 1. db.auth()
  • 22. © 2019 Pythian. Confidential Encryption
  • 23. ● Attacker can access data by monitoring traffic between the application and the database or by reading files directly Why Encryption? Attacker © 2019 Pythian. Confidential 2. true 1. db.auth() Attacker
  • 24. ● Protect Personally Identifiable Information (PII) ○ PCI DSS for managing cardholder information ○ HIPAA standards for managing healthcare information ○ GDPR for the protection of EU citizen data privacy (May 2018) ○ FISMA to ensure the security of data in the federal government ○ FERPA to protect the privacy of student education records ○ The Asia Pacific Cross-border Privacy Enforcement Arrangement (CPEA) ○ Others Why Encryption? © 2019 Pythian. Confidential
  • 25. Encryption with MongoDB ● Transport encryption ○ MongoDB network traffic is only readable by the intended client ● Encryption at REST ○ Application Level Encryption and Storage Encryption ○ Native encryption option for the WiredTiger storage engine* * Available in MongoDB Enterprise only © 2019 Pythian. Confidential
  • 26. © 2019 Pythian. Confidential Transport Encryption
  • 27. Transport Encryption ● TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB’s network traffic ● Certificate Authorities - valid certificates generated and signed by a single certificate authority ○ PEMKeyfile with the name of the .pem file that contains the signed TLS/SSL certificate and key ○ CAFile with the name of the .pem file that contains the root certificate chain from the Certificate Authority © 2019 Pythian. Confidential
  • 28. Transport Encryption Configuration notes: Deploying a 3 node replica set MongoDB config file # /etc/mongod.conf systemLog: .................. path: /mongodb/logs/mongod.log storage: dbPath: /mongodb/data .................. net: port: 27017 ssl: mode: <disabled|allowSSL|preferSSL|requireSSL> PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/ca.pem .................. replication: replSetName: production © 2019 Pythian. Confidential
  • 29. Transport Encryption net.ssl.mode Value Description disabled The server does not use TLS/SSL allowSSL Connections between servers do not use TLS/SSL For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL preferSSL Connections between servers use TLS/SSL For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL requireSSL The server uses and accepts only TLS/SSL encrypted connections © 2019 Pythian. Confidential
  • 30. Transport Encryption 1. Install MongoDB on each node* 2. Start each server with config file options for net.ssl.mode <allowSSL|preferSSL|requireSSL> 3. Initiate the replica set on the Primary node 4. Add the rest of the nodes by using FQDN * confirm your MongoDB legacy supports TLS/SSL Heartbeat © 2019 Pythian. Confidential
  • 31. Transport Encryption Upgrade running Replica to Use TLS/SSL • Restart the processes with ssl.Mode allowSSL net: ssl: mode: allowSSL • Switch the clients to use TLS/SSL © 2019 Pythian. Confidential
  • 32. Transport Encryption Upgrade running Replica to Use TLS/SSL • Restart the processes with ssl.Mode allowSSL net: ssl: mode: allowSSL • Switch the clients to use TLS/SSL • Upgrade to preferSSL by issuing the command on each node db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } ) © 2019 Pythian. Confidential
  • 33. Transport Encryption Upgrade running Replica to Use TLS/SSL • Restart the processes with ssl.Mode allowSSL net: ssl: mode: allowSSL • Switch the clients to use TLS/SSL • Upgrade to preferSSL by issuing the command on each node db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } ) • Upgrade to requireSSL by issuing the command on each node db.adminCommand( { setParameter: 1, sslMode: "requireSSL" } ) • Update the config file to persist the settings net: ssl: mode: requireSSL © 2019 Pythian. Confidential
  • 34. © 2019 Pythian. Confidential Encryption at REST
  • 35. Application Level Encryption ● Encryption on a per-field or per-document basis within the application layer ● Custom encryption and decryption routines to encrypt ○ Document ○ Field level data © 2019 Pythian. Confidential
  • 36. Storage Engine Encryption • Native encryption option for the WiredTiger storage engine only • AES256-CBC (or 256-bit Advanced Encryption Standard in Cipher Block Chaining mode) via OpenSSL • AES-256 uses a symmetric key; i.e. the same key to encrypt and decrypt text © 2019 Pythian. Confidential
  • 37. Encryption at REST ● Use of local key management via a keyfile ○ Create the base64 encoded keyfile with the 16 or 32 character string openssl rand -base64 32 > mongodb-keyfile ○ Assign permissions 600 chmod 600 mongodb-keyfile ○ Start mongod with the encryption options /usr/bin/mongod --enableEncryption --encryptionKeyFile mongodb-keyfile # /etc/mongod.conf security: enableEncryption: true encryptionKeyFile: /etc/mongodb_keyfile © 2019 Pythian. Confidential
  • 38. Encryption at REST ● Integration with a third party key management appliance via the Key Management Interoperability Protocol (KMIP) ○ Key manager must support the KMIP communication protocol ○ Must have a valid certificate issued by the key management appliance /usr/bin/mongod --enableEncryption --kmipServerName <KMIP Server HostName> --kmipPort <KMIP server port> --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem © 2019 Pythian. Confidential
  • 39. Encryption with KMIP • Generating a master key • Generating keys for each database • Encrypting data with the database keys • Encrypting the database keys with the master key • Master key and database keys are not replicated © 2019 Pythian. Confidential
  • 40. Disk Level Encryption • Amazon EBS encryption • Azure disk encryption • Google Compute Engine encrypts all data at rest (by default) • Linux hard disk encryption with LUKS • BitLocker encryption for Windows server © 2019 Pythian. Confidential
  • 41. Auditing Track System Activity ● schema (DDL) ● replica set and sharded cluster ● authentication and authorization ● CRUD operations auditLog: destination: <syslog>, <console>, <file> format: <JSON>, <BSON> path: data/db/auditLog.<json>,<bson> filter: '{ atype: { $in: ["dropCollection"]}}' * Available in MongoDB Enterprise only © 2019 Pythian. Confidential > bsondump auditLog.bson {"atype":"authenticate","ts":{"$date":"2019-02-14T14:11:29.97 5+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"i p":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{" user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result" :18} {"atype":"authCheck","ts":{"$date":"2019-02-14T14:15:49.161+0 100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip": "127.0.0.1","port":42636},"users":[{"user":"test","db":"admin "}],"roles":[{"role":"read","db":"admin"}],"param":{"command" :"insert","ns":"test.orders","args":{"insert":"orders","docum ents":[{"_id":{"$oid":"58a3030507bd5e3486b1220d"},"id":1.0,"i tem":"paper clips"}],"ordered":true}},"result":13}
  • 42. Security Features Comparison © 2018 Pythian. Confidential MongoDB Community MongoDB Enterprise Percona server for MongoDB LDAP Authentication LDAP Authorization Kerberos Storage engine encryption Auditing Log redaction
  • 43. Summary • Security incidents and data breaches grow exponentially over the last 5 years • Enable access control by turning on authentication • Limit resources access by authorization and roles • Harden your database by limiting network exposure • Protect data in transit by using encryption with TLS/SSL • Protect data at rest by using encrypted storage engine • Track System activity with Auditing • Keep your database version up to date © 2019 Pythian. Confidential