7. “...as a Service” is Less Complex, Fewer Errors
On-premises and self-managed in a cloud (the same task list applies to both):
● Download, install, configure management software
● Configure firewall and manage ports
● Encrypt network traffic for MongoDB deployment
● Encrypt network traffic to/from management software and your MongoDB deployment
● Enable and configure authentication
● Enable and configure RBAC
● Configure storage-level encryption
● Encrypt backup jobs
● Security hardening
Database as a Service:
● Managed features with minimal configuration
12. VPC Per Atlas Project
[Diagram: a dedicated VPC (per project) holding a Primary and two Secondaries spread across Zone 1, Zone 2 and Zone 3, each with AES at-rest encryption; application server environments reach it through the IP whitelist, authenticate with SCRAM or LDAPS, and connect over TLS (AES in-flight encryption)]
● Network default closed to public
● IP addresses explicitly whitelisted for inbound traffic
● User/password required to connect to database with configurable privileges
● Encryption
○ TLS In-Transit (Network)
○ AES At-Rest (Volume)
13. Peered VPC (per project)
[Diagram: the same VPC per Atlas project (Primary and two Secondaries across Zone 1, Zone 2 and Zone 3, AES at-rest encryption) joined to your VPC for application servers by a VPC peering connection (AEAD in-flight encryption), with SCRAM or LDAPS authentication]
● Network default closed to public
● IP addresses explicitly whitelisted for inbound traffic
● User/password required to connect to database with configurable privileges
● Encryption
○ TLS In-Transit (Network)
○ AES At-Rest (Volume)
● Peering cluster VPC to app VPC = private network (can even reference VPC peered security groups)
15. Partner Key Management Appliance
[Diagram: a partner key management appliance holds the master keys; each replica host (Linux, Windows…) runs a mongod (Replica0, Replica1, Replica2) with an internal keystore encrypted by the master key and per-database keys DB0, DB1 … DBn (embedded key management); the mongod obtains master keys from the appliance over KMIP (create / get), presenting a certificate PEM file and a CA certificates file]
Key management and keystore controlled by the organization, not the cloud service provider (https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tc-hybrid-sp1800-19a-preliminary-draft.pdf)
16. Service Levels
[Diagram: three service levels on a scale from "More Control (Customer-Managed Keys)" to "More Ease (Encryption by Default)"; each level is drawn as the same three layers, Key Store, Key Distribution and Encrypted Data, with responsibility for those layers shifting from the Customer towards the Cloud Key Service as the scale moves from control to ease]
17. Service Use Cases
[Diagram: the same scale from "More Control (Customer-Managed Keys)" to "More Ease (Encryption by Default)", with the Key Store / Key Distribution / Encrypted Data layers, labelled by data classification: Regulated / Top Secret (PII/PHI/PCI), then Secret (IP, Internal), then Confidential, ordered from the control end towards the Cloud Key Service at the ease end]
18. IaaS Key Service Differences
Key Service | Symmetric   | Asymmetric                               | Data Size                 | Unwrap keys               | Sign/verify
AWS KMS     | AES-GCM-256 | N/A                                      | 4kB                       | RSA-OAEP and CKM_RSA_PKCS | N/A
GCP KMS     | AES-GCM-256 | N/A                                      | 64kB                      | N/A                       | N/A
Azure KV    | AES-256     | RSA-2048 with RSA-OAEP and CKM_RSA_PKCS  | Single 2048-bit RSA block | RSA-OAEP and CKM_RSA_PKCS | RSA-PSS and CKM_RSA_PKCS
http://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://cloud.google.com/kms/docs/
https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest#key-hierarchy
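Slides 15 and 16 describe a key hierarchy in which the organization's master key, held in a key management appliance or a cloud key service, only ever wraps the internal keystore, while per-database keys encrypt the data; the table above shows why that split matters, since the key services encrypt at most a few kilobytes directly. The Go program below is an added example, not MongoDB's, a KMIP appliance's or any cloud provider's code: it models that envelope-encryption hierarchy with an in-memory stand-in for the key service (KeyService), a Keystore holding one wrapped data key per database, and a master-key rotation that re-wraps keys without touching encrypted documents. The names KeyService, Keystore, NewDatabaseKey, EncryptDocument, DecryptDocument and RotateMasterKey are assumptions for this example, and any master key bytes supplied to it are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for the customer-controlled master key holder (KMIP
// appliance or cloud KMS): master key ID -> AES-256 key, in memory for this
// example. It only wraps/unwraps 32-byte data keys, never bulk data, so the
// small direct-encryption payload limits in the table above never apply.
// An unknown ID yields a nil key, which aes.NewCipher rejects (fails closed).
type KeyService map[string][]byte

// The master key ID is bound as associated data, so a wrapped key cannot be
// presented for unwrapping under a different master key ID.
func (ks KeyService) Wrap(id string, dek []byte) ([]byte, error) { return seal(ks[id], dek, []byte(id)) }
func (ks KeyService) Unwrap(id string, w []byte) ([]byte, error) { return open(ks[id], w, []byte(id)) }

// Keystore is the "internal keystore encrypted by master key": one wrapped
// data encryption key (DEK) per database, never stored in the clear.
type Keystore struct {
	MasterID string
	Wrapped  map[string][]byte // database name -> DEK wrapped under MasterID
}

// NewDatabaseKey generates a fresh DEK for db and stores only its wrapped form.
func NewDatabaseKey(ks KeyService, store *Keystore, db string) (err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err == nil {
		store.Wrapped[db], err = ks.Wrap(store.MasterID, dek)
	}
	return err
}

// EncryptDocument/DecryptDocument unwrap the DEK on demand and use AES-256-GCM
// with the database name bound as associated data. An unknown db has a nil
// wrapped key, which open rejects as too short.
func EncryptDocument(ks KeyService, store *Keystore, db string, doc []byte) ([]byte, error) {
	dek, err := ks.Unwrap(store.MasterID, store.Wrapped[db])
	if err != nil {
		return nil, err
	}
	return seal(dek, doc, []byte(db))
}

func DecryptDocument(ks KeyService, store *Keystore, db string, ct []byte) ([]byte, error) {
	dek, err := ks.Unwrap(store.MasterID, store.Wrapped[db])
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte(db))
}

// RotateMasterKey re-wraps every DEK under a new master key. No encrypted
// document is rewritten: that is the operational payoff of the key hierarchy.
func RotateMasterKey(ks KeyService, store *Keystore, newID string) error {
	for db, w := range store.Wrapped {
		dek, err := ks.Unwrap(store.MasterID, w)
		if err == nil {
			store.Wrapped[db], err = ks.Wrap(newID, dek)
		}
		if err != nil {
			return err
		}
	}
	store.MasterID = newID
	return nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open: AES-256-GCM with a random nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
```

To use it, put a 32-byte master key into a KeyService under an ID, point a Keystore at that ID, call NewDatabaseKey once per database, then encrypt and decrypt documents. Calling RotateMasterKey and then deleting the old ID from the KeyService map shows that retiring a master key never requires re-encrypting stored data, only re-wrapping the small keystore; binding the master key ID and the database name as associated data means a wrapped key or a ciphertext presented under the wrong ID fails authentication instead of decrypting to garbage.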
20. Activity Logs
● Records
○ Database Processes
○ Create, Read, Update, Delete (CRUD)
● Live feeds on all actions for monitoring/alerts
○ User or role modifications
○ Cluster deploy
○ Scale
○ Termination operations
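The point of slide 20 is that the activity feed should drive alerts on control-plane actions (user or role changes, cluster deploy, scale, termination) rather than only be recorded. The Go program below is an added example, not Atlas code: the Atlas activity-log schema is not shown on the page, so it assumes a constructed pipe-delimited line format (timestamp|actor|ACTION|target) and constructed action names, and the sample log lines are made up. It maps the slide's alert categories onto those actions and adds a sliding-window rule that flags a burst of terminations by a single actor, which is the kind of rule a monitoring hook on such a feed would carry.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is a constructed activity-log record for this example. Line format
// (assumed, not the Atlas schema): RFC3339-timestamp|actor|ACTION|target
type Event struct {
	At     time.Time
	Actor  string
	Action string
	Target string
}

func ParseEvent(line string) (Event, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed event: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, Actor: f[1], Action: f[2], Target: f[3]}, nil
}

// alertActions maps constructed action names onto the slide's alert categories.
var alertActions = map[string]string{
	"USER_CREATED":       "user/role modification",
	"USER_DELETED":       "user/role modification",
	"ROLE_CHANGED":       "user/role modification",
	"CLUSTER_DEPLOYED":   "cluster deploy",
	"CLUSTER_SCALED":     "scale",
	"CLUSTER_TERMINATED": "termination",
}

// Alerts returns one line per control-plane event worth alerting on, plus a
// burst alert whenever one actor's terminations within the window exceed
// maxTerminations. Lines are expected in chronological order.
func Alerts(lines []string, window time.Duration, maxTerminations int) ([]string, error) {
	var out []string
	terminations := map[string][]time.Time{} // actor -> recent termination times
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		ev, err := ParseEvent(l)
		if err != nil {
			return nil, err
		}
		cat, ok := alertActions[ev.Action]
		if !ok {
			continue // CRUD and process events are recorded but not alerted here
		}
		out = append(out, fmt.Sprintf("%s %s by %s on %s", cat, ev.Action, ev.Actor, ev.Target))
		if ev.Action == "CLUSTER_TERMINATED" {
			ts := append(terminations[ev.Actor], ev.At)
			for len(ts) > 0 && ev.At.Sub(ts[0]) > window { // drop terminations older than the window
				ts = ts[1:]
			}
			terminations[ev.Actor] = ts
			if len(ts) > maxTerminations {
				out = append(out, fmt.Sprintf("BURST: %d terminations by %s within %s", len(ts), ev.Actor, window))
			}
		}
	}
	return out, nil
}

// SampleLog is constructed input so the program runs offline.
var SampleLog = []string{
	"2024-01-01T10:00:00Z|app-svc|FIND|db0.orders",
	"2024-01-01T10:00:05Z|alice|ROLE_CHANGED|bob:readWriteAnyDatabase",
	"2024-01-01T10:01:00Z|alice|CLUSTER_TERMINATED|cluster-a",
	"2024-01-01T10:02:00Z|alice|CLUSTER_TERMINATED|cluster-b",
	"2024-01-01T10:03:00Z|alice|CLUSTER_TERMINATED|cluster-c",
	"2024-01-01T10:30:00Z|ci-bot|CLUSTER_DEPLOYED|cluster-d",
}

func main() {
	alerts, err := Alerts(SampleLog, 10*time.Minute, 2)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

On the sample log the read by app-svc is ignored, the role change and each termination produce an alert, the third termination by alice inside ten minutes raises the burst alert, and the later deploy by ci-bot is reported on its own; shrinking the window to one minute makes the burst disappear while the individual alerts remain.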
24. Data Explorer
● Interact with data from within UI
● A convenient way to:
○ Run queries
○ See metadata about your databases & collections
○ View information about your indexes, including index usage statistics
25. Queryable Snapshots
Query backup and restore data at document level in minutes
○ Identify whether data of interest has been altered and pinpoint best time to restore database by comparing multiple snapshots
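The comparison that slide 25 describes, checking whether a document of interest has been altered and which snapshot is the best restore point, as an added Go example that is not part of the original deck. The snapshot representation (a name plus a map from _id to canonical document text), the sample snapshots and the functions Compare and FirstAlteration are all assumptions made for this example; the real snapshot format is not shown on the page.

```go
package main

import (
	"fmt"
	"sort"
)

// Snapshot is a constructed stand-in for one queryable backup snapshot of a
// single collection: a name (here a date) and its documents keyed by _id.
type Snapshot struct {
	Name string
	Docs map[string]string // _id -> canonical document text
}

// Diff lists, sorted, the _ids that differ between an older and a newer snapshot.
type Diff struct {
	Added, Removed, Changed []string
}

// Compare answers "what changed between these two snapshots" at document level.
func Compare(older, newer Snapshot) Diff {
	var d Diff
	for id, doc := range older.Docs {
		switch nd, ok := newer.Docs[id]; {
		case !ok:
			d.Removed = append(d.Removed, id)
		case nd != doc:
			d.Changed = append(d.Changed, id)
		}
	}
	for id := range newer.Docs {
		if _, ok := older.Docs[id]; !ok {
			d.Added = append(d.Added, id)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Changed)
	return d
}

// FirstAlteration walks snapshots in chronological order and reports the index
// of the last snapshot in which the document of interest still matched its
// expected value (the restore point) and the index of the first later snapshot
// where it differed or was missing (-1 if it never was). ok is false when the
// document never matched at all, or when expected is empty, since a missing
// _id reads as "" and would otherwise look like a match.
func FirstAlteration(snaps []Snapshot, id, expected string) (lastGood, firstBad int, ok bool) {
	lastGood, firstBad = -1, -1
	if expected == "" {
		return lastGood, firstBad, false
	}
	for i, s := range snaps {
		if s.Docs[id] == expected {
			lastGood = i
			continue
		}
		if lastGood >= 0 {
			return lastGood, i, true
		}
	}
	return lastGood, firstBad, lastGood >= 0
}

// SampleSnapshots are constructed: three nightly snapshots of a users collection.
var SampleSnapshots = []Snapshot{
	{Name: "2024-01-01", Docs: map[string]string{"u1": `{"role":"user"}`, "u2": `{"role":"user"}`}},
	{Name: "2024-01-02", Docs: map[string]string{"u1": `{"role":"user"}`, "u2": `{"role":"user"}`, "u3": `{"role":"user"}`}},
	{Name: "2024-01-03", Docs: map[string]string{"u1": `{"role":"admin"}`, "u3": `{"role":"user"}`}},
}

func main() {
	d := Compare(SampleSnapshots[1], SampleSnapshots[2])
	fmt.Printf("added=%v removed=%v changed=%v\n", d.Added, d.Removed, d.Changed)
	lastGood, firstBad, ok := FirstAlteration(SampleSnapshots, "u1", `{"role":"user"}`)
	if ok && firstBad >= 0 {
		fmt.Printf("u1 altered in %s; restore from %s\n", SampleSnapshots[firstBad].Name, SampleSnapshots[lastGood].Name)
	}
}
```

With the sample data, comparing the second and third snapshots shows u2 removed and u1 changed, and FirstAlteration places the alteration of u1 in the third snapshot with the second as the restore point, which is the "pinpoint the best time to restore" step from the slide done over constructed snapshots rather than a live backup.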
26. Example: Regulated Data
[Diagram: review areas mapped onto an abstracted service architecture]
● Log Review
● Security Policy Review
● Identity and Access Control Configuration
● Encryption Key Management
● Disaster Recovery / Backup
● Redundancy / Resilience
● Networked Workloads
● Product Load / Scale
● Patching Cycles