2. Presenter: Patrick Townsend
▪ CEO of Townsend Security
▪ Leading data security expert
▪ 30 years IT industry experience
3. Presentation Agenda
▪ Encryption and importance of key management
▪ Meeting compliance requirements
▪ Key management best practices
▪ Encryption and key management in MongoDB
▪ Resource guide
4. Breaches Happen
▪ Equifax, River City Media, Yahoo! – just this year!
▪ Hackers don’t just target credit cards
▪ Email addresses, phone numbers, etc. can be considered PII
MongoDB is a repository for LOTS of PII
6. Why is Key Management Important?
▪ Encryption keys are THE secret that must be protected (not the algorithm)
▪ There are industry standards and best practices for key management (FIPS 140-2)
▪ Compliance regulations (PCI, HIPAA, etc.) require proper key management
▪ Achieve Separation of Duties (SOD)
▪ Separate encryption control and ownership from the cloud provider
▪ aka Key Custody
MongoDB highly recommends the use of a Key Manager to secure your
encrypted MongoDB data!
7. Impacts of Encryption
Performance – Expect a 2-20% overhead
Backup and Restore Operations – Can take longer as information is encrypted
High Availability – In the event of an interruption, you need to easily restore your keys from a backup key management solution
8. High Availability (HA) & Disaster Recovery
▪ Manage encryption keys from a centralized location
▪ Secure and authenticated TLS sessions for administrators
▪ Manage local and remote key servers
Key Mirroring
▪ Real-time mirroring of encryption keys and access policy
▪ Active-Active mirroring for failover
▪ Secure, authenticated server-to-server connections
▪ One-to-Many, Many-to-Many
9. Key Management Best Practices
▪ Ensure origin and quality of keys
▪ Use accepted and standards-based encryption algorithms
▪ Ensure that keys are securely backed up, at all times
▪ Implement strong authentication mechanisms
▪ Protect and restrict access to encryption keys
10. Encryption and Key Management in the Cloud
Challenges, Best Practices & What to Know:
▪ Cloud provider is NOT responsible for YOUR breach (read the SLA)
▪ Public vs. Private Cloud (managing multi-tenancy)
▪ Business recovery – Production and High Availability
▪ Geographic redundancy for key management services
▪ Key custody: Who has access to your keys?
11. MongoDB Enterprise Encryption – Done Right
▪ Encryption built right into the MongoDB database
▪ Strong 256-bit AES encryption
▪ Good performance with documented guidance
▪ Getting encryption key management right with KMIP
▪ Certifying key management vendors
▪ Good security guidance provided to developers
You don’t need a 3rd party encryption solution
12. Key Management for MongoDB
Introduction to Alliance Key Manager
This is amazingly easy!
27. Install certificates on the MongoDB server
Create a new directory to hold the certificates, copy the certificate files to the new directory, and set ownership and permissions:
sudo mkdir /etc/mongodb-kmip
Use FileZilla, SCP or a similar application to upload the AKMClientAndKey.pem and AKMRootCACertificate.pem files to this directory.
sudo chown -R mongodb:mongodb /etc/mongodb-kmip
cd /etc/mongodb-kmip
sudo chmod -R 600 *
28. Modify the hosts file to add the key manager
Use nano or your favorite text editor to edit the hosts file and add an entry for the key server:
sudo nano /etc/hosts
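The two slides above are one procedure: stage the KMIP client certificate and the key manager's CA certificate where mongod can read them, lock them down, and make the key server's hostname resolvable. The script below is an added example, not part of the original presentation or of Townsend Security's documentation. It keeps the deck's file names (AKMClientAndKey.pem, AKMRootCACertificate.pem) but takes the source directory, destination directory, owner and key-server address as parameters so it can be run against a scratch directory first; the key-server IP and hostname in the usage comment are constructed placeholders. It is slightly stricter than the deck in that it also sets the directory itself to mode 700, and it adds a verification step that fails if any file in the directory is readable by anyone other than the service account.

```shell
#!/bin/sh
# Added example (not from the original deck): stage KMIP certificates for mongod,
# restrict permissions, add a hosts entry for the key server, and verify the result.
# Assumed file names follow the presentation: AKMClientAndKey.pem (client cert + key)
# and AKMRootCACertificate.pem (key manager CA). Directory, owner and key-server
# address are caller-supplied.
set -u

# install_kmip_certs SRC_DIR DEST_DIR OWNER
#   Copies both PEM files from SRC_DIR into DEST_DIR (created if missing), makes the
#   directory 700 and each file 600, and hands ownership to OWNER (e.g. mongodb:mongodb)
#   so only the mongod service account can read the client private key.
install_kmip_certs() {
    src_dir=$1; dest_dir=$2; owner=$3
    for f in AKMClientAndKey.pem AKMRootCACertificate.pem; do
        [ -f "$src_dir/$f" ] || { echo "missing $src_dir/$f" >&2; return 1; }
    done
    mkdir -p "$dest_dir" || return 1
    chmod 700 "$dest_dir" || return 1
    cp "$src_dir/AKMClientAndKey.pem" "$src_dir/AKMRootCACertificate.pem" "$dest_dir/" || return 1
    chown "$owner" "$dest_dir" "$dest_dir"/*.pem || return 1
    chmod 600 "$dest_dir"/*.pem || return 1
}

# verify_kmip_certs DEST_DIR OWNER
#   Returns 0 only if both PEM files are present and no file in DEST_DIR is
#   anything other than mode 600 owned by the user part of OWNER.
verify_kmip_certs() {
    dest_dir=$1; user=${2%%:*}
    for f in AKMClientAndKey.pem AKMRootCACertificate.pem; do
        [ -f "$dest_dir/$f" ] || return 1
    done
    # Any offending file makes the find output non-empty, which fails the check.
    [ -z "$(find "$dest_dir" -type f \( ! -perm 600 -o ! -user "$user" \) -print)" ]
}

# lookup_hosts_entry HOSTS_FILE NAME
#   Prints the IP mapped to NAME in a hosts-format file (comments ignored), or nothing.
lookup_hosts_entry() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1" 2>/dev/null
}

# add_hosts_entry HOSTS_FILE IP NAME
#   Idempotently appends "IP NAME" so the key server resolves even without DNS;
#   an existing mapping for NAME is left untouched rather than duplicated.
add_hosts_entry() {
    hosts_file=$1; ip=$2; name=$3
    [ -n "$(lookup_hosts_entry "$hosts_file" "$name")" ] && return 0
    printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
}

# Usage on a real server (run as root; IP and hostname below are constructed placeholders):
#   install_kmip_certs /home/admin/upload /etc/mongodb-kmip mongodb:mongodb
#   verify_kmip_certs /etc/mongodb-kmip mongodb:mongodb
#   add_hosts_entry /etc/hosts 192.0.2.10 akm-server.example
```

The paths produced here are the ones a mongod KMIP configuration points at through its security.kmip.clientCertificateFile and security.kmip.serverCAFile settings; keeping the private key at mode 600 under the service account is what makes a compromise of another local account insufficient to impersonate the database to the key manager.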
31. Community or Enterprise?
▪ Advanced security
▪ Encryption and key management
▪ Advanced audit
▪ Advanced memory management
32. Advanced Topics
▪ MongoDB migration – Unencrypted to Encrypted
▪ Business Continuity and Hot Failover
▪ Production and HA key mirroring
▪ Using a Load Balancer
▪ Hybrid deployments – On-Premise, cross-cloud
▪ VMware, Hardware Security Module (HSM), etc.
33. Townsend Security + MongoDB
▪ Formerly certified key management with MongoDB security team
▪ Certified on Intel and IBM Power systems
▪ Joined MongoDB Partner Advisory Council
▪ Key management pricing to match MongoDB model
▪ Lowering the barriers to security!
▪ Customer support for MongoDB key management deployment
34. MongoDB Upgrades and Options
▪ Upgrading from MongoDB Community Edition?
▪ We can bring a MongoDB Expert to help with sizing, planning, and migration
▪ Considering IBM Power Linux?
▪ We can bring a Power Linux Expert to help with sizing, pricing, and deployment
▪ Full support for Nutanix!
▪ Great for high performance, on-premise MongoDB deployments
35. Evaluations are Easy
▪ No-charge evaluation process
▪ Rapid deployment
▪ Full customer support during evaluation period
▪ Fully functional key management
36. Resources
Townsend Security documentation for MongoDB:
http://docs.townsendsecurity.com/akm_guide_for_mongodb_enterprise_edition/#top
Townsend Security documentation for AKM in AWS:
http://docs.townsendsecurity.com/akm_for_aws_quick_start_guide/#top
MongoDB Enterprise installation:
https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-ubuntu/#install-mongodb-enterprise
37. MongoDB Security Blog post:
https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
MongoDB Security Checklist:
https://docs.mongodb.com/manual/administration/security-checklist/
MongoDB Encryption at Rest
https://docs.mongodb.com/manual/core/security-encryption-at-rest/
38. Corporate Headquarters
724 Columbia St NW, Suite 400
Olympia, WA 98501
Phone:
360 359 4400
Online:
townsendsecurity.com
@townsendsecure
Any Questions?
Patrick Townsend
patrick.townsend@townsendsecurity.com
@patricksecurity
Editor's Notes
To do:
Describe difference between Community and Enterprise Editions of MongoDB.