Before adding sensitive data to your database, it’s imperative that you thoroughly consider security and implement measures to keep it safe. MongoDB Atlas strives to streamline this process for developers by integrating a growing set of core security features with our deployments. As an engineer on Atlas, I think about how to make these features comprehensive and easy to use, and observe how developers interact with them. In this talk, I’ll discuss why the features we provide are important, and how you can easily tune them to suit your particular needs as your application grows.

1. Pia Kochar
Atlas Security 101 For Developers
@MongoDB

2. Pia Kochar
Atlas Engineer

3. What is Atlas?
§ Scalability
§ Availability
§ Monitoring/Charts
§ Backups
§ Security

5. Overview
1. Network Security
2. Authentication and Authorization
3. Encryption at Rest
4. Security Operations

6. The Secret Sauce

7. Keep the Bad Guys Out
Your arch nemesis

8. Keep the Truck Secure
Network Security

9. Attacks to Prevent
§ Unwanted connections
§ Eavesdropping
§ Man-in-the-middle

10. TLS Encryption

11. IP Whitelisting
Best Practices:
§ Up to date
§ Narrowly defined

12. Atlas Alerts

13. Virtual Network

14. Virtual Network Peering
Where did
the chef go?

15. Adding an AWS Peer in Atlas

16. Adding an AWS Peer in Atlas

17. Screen the Consumers
Authentication and Authorization

18. Authentication
Verify Identity

19. Required MongoDB User/Password
chef4life
******
chef4life
@!324

20. LDAP Authentication
MongoDB Users
chef4life
employee1
employee2
LDAP server
LDAP users

21. Configuring LDAP in Atlas

22. LDAP Authentication in Atlas

23. Authorization
Manage Access to Resources

24. Role Based Access Control
Sauce-maker
Can read and edit
sauce recipe
Burger Chefs
Can read and edit
burger recipes
MongoDB RolesMongoDB Users
Guest Chef
Can read recipes for 1
day
chef4life
employee1
employee2
gordonRamsay

25. Connecting to the Database
Owner
Employee
chef4life
******
employee1
******

26. Defining Roles in Atlas
Best Practices:
§ No shared credentials!
§ Principle of least privilege

27. LDAP Authorization
LDAP server
LDAP user group
MongoDB Roles
Burger Chefs
Can read and edit
burger recipes

28. LDAP Authorization in Atlas

29. Use a Secret Language
Encryption at Rest

30. Encryption at Rest by Default

31. Encryption at Rest with Your Key Management

32. Encryption at Rest in the Atlas UI
Project Configuration Cluster Configuration

33. Encryption at Rest in the Atlas UI

34. Security Operations

35. Why do we care? How can Atlas help?
Your life is difficult enough, keeping systems patched and monitoring
them constantly…so let us help you!
§ Atlas supports the two latest versions of MongoDB Server, with automatic
patching and single-click upgrades
§ Instant visibility into the database and hardware metrics that matter to you!
§ Monitoring and Alerting: Stay ahead of any issues that could impact
performance and user experience
§ Strong “out of the box” security to protect your valuable data
§ High availability and Disaster recovery

36. Automatic Version Upgrades; Deprecation
§ MongoDB server
§ Cloud Provider OS
§ BI Connector
§ Agents
§ TLS

37. DB Auditing
§ Accountability
§ Forensics
Best Practices:
§ Again - each employee has
distinct credentials

38. Atlas Projects
Development Testing Production
Employee machines
All employees can
read and write
App servers
Only owner can
read and write
Test servers
Some employees
can read and write

39. Project Breakdown in UI

40. Takeaways

41. What We Do By Default
§ TLS
§ All resources provisioned in virtual networks
§ Required IP whitelist
§ Required user authentication
§ Encryption at Rest
§ Alerting
§ Automatic version upgrades

42. What We Enable You to Do
§ Virtual network peering
§ Fine-grained role-based access control
§ LDAP Authentication and Authorization
§ Encryption at Rest with your own Key Management
§ Advanced database auditing
§ Division of projects

43. Recommendations to Take Away
§ Take advantage of these features
§ Bake security into development process
§ Iterate

44. Upcoming User Requested Features
§ x.509 user auth
§ AWS PrivateLink integration

45. Atlas Security UI

46. Resources
MongoDB Atlas docs: https://docs.atlas.mongodb.com/
Trust center: https://www.mongodb.com/cloud/trust

48. Image sources
○ Data breach news: https://foundrylawgroup.com/wp-content/uploads/Data-Breach-Headlines.png
○ Hot sauce: https://images.sks-bottle.com/images/Hotsauce.jpg
○ Chef: https://cdn2.iconfinder.com/data/icons/resort-villa-hotel-tourist-worker-and-services/278/resort-holiday-hotel-011-512.png
○ Hacker: https://cdn3.iconfinder.com/data/icons/special-unusual-odd-jobs/265/weird-job-007-512.png
○ Spy: https://pngimg.com/uploads/spy/spy_PNG3.png
○ TLS Lock: https://cdn.pixabay.com/photo/2013/07/12/18/03/lock-152879__340.png
○ Open and closed doors: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTD6M8J3N5OHWoExe4D2RX1se6QBugFff8l5z1ADH-umRbCPr0
○ Waiter image: https://cdn0.iconfinder.com/data/icons/restaurant-6/253/restaurant002-512.png
○ Hamburger: https://d1nhio0ox7pgb.cloudfront.net/_img/g_collection_png/standard/256x256/hamburger.png
○ LDAP server icon: http://chittagongit.com/icon/ldap-icon-20.html
○ Bandaid: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRq_Ikv5dozACGR-_nhbWS36yA22dEvSevHI1JcdzSasoVdARLg
○ Yellow lock and key: https://cdn0.iconfinder.com/data/icons/misc-line-v1-color/512/key_lock_open_opening_padlock-512.png
○ Green lock: https://www.iconsdb.com/green-icons/padlock-icon.html
○ #1 badge: https://www.bergen.org/cms/lib/NJ02213295/Centricity/Domain/10/ranked1.png
○ Ghost: https://img.icons8.com/metro/420/ghost.png
○ Sunglasses: https://www.vexels.com/png-svg/preview/129118/yellow-sunglass-icon
○ Check mark: https://i2.wp.com/nahbnow.com/wp-content/uploads/2018/08/iStock-692279620.jpg
○ Red x: https://dumielauxepices.net/sites/default/files/red-cross-mark-clipart-round-736714-8292503.jpg
○ Magnifying glass: https://upload.wikimedia.org/wikipedia/commons/thumb/5/55/Magnifying_glass_icon.svg/600px-Magnifying_glass_icon.svg.png
○ Box; tools: https://www.vectorstock.com