Automating a Secure MongoDB Deployment with Opscode and Gazzang

  1. Automating a Secure MongoDB Deployment. MongoDB Austin, Feb. 15 2013. Matt Ray, Senior Technical Evangelist at Opscode; Eddie Garcia, Vice President of Development at Gazzang
  2. What's In Your Cloud? What data are you storing? 3/15/2013 Gazzang - All rights reserved 2012
  3. What's In Your Cloud? How are you protecting that data?
  4. What's In Your Cloud? How are you managing the keys?
  5. Student Record Breaches
     • Since 2010, more than three million student records have been compromised through hacking or through lost, stolen or missing files.
     • This year alone…
       – 23,000 SSNs breached at the University of North Florida
       – 16,000 SSNs, birth dates and student IDs breached from the Eugene, Oregon school district
       – 650,000 records breached from the University of Nebraska
       – 350,000 records from UNC Charlotte
       – and more…
  6. Breaches Hit Every Industry
  7. Data Security For MongoDB. Gazzang, 10gen and Opscode partner to deliver automated, enterprise-class data security for MongoDB
     • Pre-built integration requires no changes to your application or database
     • Leverages automation tools for distributed deployment
     • World-class support available through Gazzang, 10gen and Opscode
  8. MongoDB Use Cases: Content Management; Operational Intelligence; E-Commerce; User Data Management; High Volume Data Feeds
  11. Documents in MongoDB
     • Model richer objects using documents
       – Arrays, sub-documents
       – Data more closely matches how your apps use it
       – Allows faster data model iteration
     • Rich atomic updates
       – Pushing/popping items from arrays, incrementing fields: can replace some transaction operations
     • Index on any field, including compound indexes
       – Know what data your app needs for faster querying
     • Schema-less
       – Doesn't mean schema free: find the right balance of collections and structure for your data
  12. Example MongoDB Document
     {
       _id: ObjectId("4c4ba5c0672c685e5e8aabf3"),
       type: "student",
       firstname: "John",
       lastname: "Smith",
       last_updated: ISODate("2012-02-02T11:52:27.442Z"),
       contacts: [
         {parent1: "Dad Smith", phone: "123-456-7890"},
         {parent2: "Mom Smith", phone: "234-567-8901"}
       ],
       classes: ["Biology", "Algebra", "Music"]
     }
  13. Operations in MongoDB
     Replication (diagram: App writing to Replica 1, Replica 2, Replica 3)
     • Redundancy and failover
     • Can be used to scale read throughput
     Auto-sharding (diagram: App writing to Shard 1, Shard 2, Shard 3)
     • Partitions data based on a defined key or keys, e.g. lastname
     • Scales write throughput
  14. MongoDB Native Security (diagram: admin users and regular users user1, user2, user3 authenticating to the primary; primary and secondary each with their own data files)
     • User authentication for admin users and regular users
     • SSL encryption for client connections
     • SSL encryption for inter-server traffic between primary and secondary
     The data files on the primary and secondary sit outside both encrypted paths; neither control protects them at rest.
  15. Education Use Case on MongoDB
     Node 1 data files, Teacher record: First Name Bob; Last Name Jones; Email bob@xx.edu; Phone 555-5555; SSN XXX-XX-XXXX
     Node 2 data files, Student record: First Name Alice; Last Name Smith; Email alice@yy.edu; Grade 5th; Address 804 Congress; City Austin; State TX
  16. Cloud Security Challenges
     • Protect Sensitive Data in the Cloud
       – Ensure sensitive data and encryption keys are never stored in plain text or exposed publicly
       – Maintain control of your encryption keys and your proprietary data
     • Ensure Big Data Security
       – Harden Big Data infrastructures that have relatively weak security and no encryption protection
       – Maintain Big Data performance and availability
     • Enable Compliance
       – Encrypt data at rest and enforce tight access control policies
       – Protect your regulated data in the event of a breach
  17. Gazzang zNcrypt™. zNcrypt sits between the file system and any database, application or service running on Linux and encrypts data before it is written to disk.
     • AES-256 encryption
     • Process-based ACLs
     • File and block encryption
     • Multiple encrypted mount points
     • Maximum performance
     • Enterprise scalability
     • Packaged support for MongoDB, Cassandra, Hadoop, MySQL, PostgreSQL
  18. zNcrypt Architecture
     • Key Management
       – Off-site key storage
       – In the cloud / on premises
       – Hardened and highly available
     • Access Control
       – Process-based ACL rules
       – Transparent data encryption
       – Separate from users and groups
     • Encryption
       – Data at rest / AES-256
       – File-level encryption
       – Excellent performance
  19. ACL Rules and Encryption
     • MongoDB ACL rule: "ALLOW @mongodb * /usr/bin/mongod"
       This defines mongod as a trusted application for the data namespace @mongodb, granting it access to the cleartext data. The rule trusts a path, not a user or group, so the binary at /usr/bin/mongod must itself be protected from replacement.
     • MongoDB data directory encryption: "zncrypt-move encrypt @mongodb /var/lib/mongodb /var/lib/ezncrypt/ezncrypted"
       This command encrypts the existing contents of /var/lib/mongodb and any new file or data saved to it. Only the mongod process permitted by the @mongodb ACL rule can read the cleartext. The last argument is the target mount point for the encrypted data.
  20. Gazzang zTrustee™: Controlling Authentication Objects. Securing "opaque objects" with policy management and adaptive "trustee" authorization capabilities.
     Deposit policy controls:
     • Time to live
     • Number of retrievals
     • URL
     • Client
     • Trustee approval
     • Much more
     API library: Java, Python, C library
     Trustees must approve release of objects in accordance with the deposit policy.
  21. Ease of Deployment
     • Install zNcrypt
       – Package managers (yum, apt-get), Chef, Puppet, JuJu, etc.
     • Create master encryption key
       – Passphrase method (optional "split security")
       – RSA key file method
     • Create ACLs
       – Simple command lines (ALLOW/DENY style)
       – Virtually any application, process or script can be allowed: MongoDB, Hadoop, Cassandra, MySQL, Apache, Tomcat, document management, etc.
     • Encrypt data
       – Simple command-line calls, down to the file level
  22. Chef – Opscode Community
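The procedure on slides 19 and 21 (install an ALLOW rule for the mongod binary, then move the data directory into the encrypted mount) is easy to script but has two places where a deployer should check before acting: the ACL trusts whatever sits at the binary path, and the data files must not move while mongod is writing them. The script below is an added example, not Gazzang's code and not from the slides. The rule string, directory and mount point are copied from slide 19; the `zncrypt acl --add --rule=...` CLI form, the `mongodb` service name, and a Linux host with GNU or busybox `stat` are assumptions.

```shell
#!/bin/sh
# Added example, not Gazzang's code and not from the slides: the zNcrypt steps from
# slides 19 and 21 wrapped with the checks a deployer wants first.
# Assumptions not on the slides: Linux with GNU/busybox stat, `zncrypt acl --add --rule=...`
# as the CLI form for installing a rule, `mongodb` as the init service name.
# DRY_RUN=1 prints the privileged commands instead of running them; ZNCRYPT_APPLY=1 runs main.
set -eu

ACL_RULE='ALLOW @mongodb * /usr/bin/mongod'   # from slide 19
DATA_DIR='/var/lib/mongodb'                    # from slide 19
ENC_MOUNT='/var/lib/ezncrypt/ezncrypted'       # from slide 19
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Field 4 of "ALLOW @category <files> <binary>" names the process that gets cleartext.
acl_rule_binary() {
  echo "$1" | awk '{ print $4 }'
}

# Succeeds only if the trusted binary is a regular file owned by the expected uid
# (root unless told otherwise) and not writable by group or others. The ACL trusts a
# path, so anyone who can replace the file at that path inherits its cleartext access.
trusted_binary_ok() {
  bin="$1"; want_uid="${2:-0}"
  [ -f "$bin" ] || return 1
  uid=$(stat -c '%u' "$bin")
  mode=$(stat -c '%a' "$bin")
  [ "$uid" = "$want_uid" ] || return 1
  case "$mode" in
    *[2367]|*[2367]?) return 1 ;;   # o+w or g+w bit set in the last two octal digits
  esac
  return 0
}

main() {
  bin=$(acl_rule_binary "$ACL_RULE")
  if ! trusted_binary_ok "$bin"; then
    echo "refusing to trust $bin: not root-owned or writable by group/others" >&2
    return 1
  fi
  run service mongodb stop      # data files must not move under a running mongod
  run zncrypt acl --add --rule="$ACL_RULE"
  run zncrypt-move encrypt @mongodb "$DATA_DIR" "$ENC_MOUNT"
  run service mongodb start
}

if [ "${ZNCRYPT_APPLY:-0}" = 1 ]; then
  main "$@"
fi
```

Run it as `DRY_RUN=1 ZNCRYPT_APPLY=1 sh encrypt-mongodb.sh` to see the exact commands before letting it stop the service and move the data directory. The binary check is deliberately a hard stop: a world- or group-writable /usr/bin/mongod would let any local user who can overwrite it read the @mongodb cleartext through the ACL.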
  28. Install MongoDB and zNcrypt with #chef-client
  31. zNcrypt Cookbook Source on GitHub: https://github.com/gazzang/cookbooks/tree/master/zncrypt
  32. Walk Through zNcrypt Cookbook
     • Attributes
       – https://github.com/gazzang/cookbooks/blob/master/zncrypt/attributes/default.rb
     • Recipes
       – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/zncrypt.rb
       – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/activate.rb
       – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/configdirs.rb
       – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/default.rb
       – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/mongodb.rb
  33. Gazzang Overview. Gazzang provides big data security solutions that help enterprises protect sensitive information and maintain performance in the cloud or on premises. 150+ direct customers across SaaS, healthcare, financial services, technology and government.
  34. Thank You. Q&A
  35. Protect Your MongoDB Data. For more information contact us: info@gazzang.com. Eddie Garcia, eddie.garcia@gazzang.com
