Achieving Compliance with MongoDB Security
Presented by
MADHU SAI VAVILALA
Associate DB Engineer
Mydbops
Agenda
➔ Importance of Data Security
➔ Security Triad (C.I.A)
➔ A.A.A.
➔ Data Encryption at Rest
➔ TLS & SSL
➔ CSFLE
➔ Queryable Encryption
➔ MongoDB Security Recommendations
History of Databases
➔ Ancient data storage techniques
◆ Examples: cave painting, stone carving, pen and paper,
punched cards
➔ Why data storage devices became necessary
◆ To overcome the drawbacks of traditional storage
techniques:
● Latency in retrieving the required data
● Weak security
● Large physical space needed
➔ First non-electronic storage device
◆ Punched cards in Jacquard looms
➔ The first 'real' electronic storage device, in 1947 (the Williams-Kilburn
tube, later used in the Manchester Mark I)
Importance of Data Security
➔ Ransomware attack on 22,000 databases in 2020
➔ 308,000 MongoDB instances exposed without any security in Q1 2021
➔ In Q1 2022, 12% of instances peaked in the list
➔ IoT - Security = Internet of Threats
➔ "Privacy is not a right, it is an absolute necessity."
➔ Data is a costly asset
➔ Prevent unauthorised access
➔ Protect against data corruption
Data Security Triad (C.I.A)
➔ Confidentiality:
Protection of data against unauthorized users.
➔ Integrity:
Prevention of unauthorized or improper data modification.
➔ Availability:
Authorized users can access the data without interruption.
(Diagram: the C.I.A. triangle, with Confidentiality, Integrity and Availability at its corners and "Data Security Triad" in the centre)
A.A.A
➔ Authentication
◆ Verifies the identity of a user (or of a cluster member)
◆ Internal authentication: between replica set / sharded cluster members
◆ External authentication: clients, via SCRAM, x.509, LDAP or Kerberos
➔ Authorization
◆ Determines which actions an authenticated user may perform
◆ Built-in roles
◆ Custom roles
➔ Auditing
◆ Logs the activities of a user
(Diagram: the three A's, Authentication, Authorization and Auditing, labelled "A3 Security")
Brief Info About MongoDB
➔ NoSQL database
➔ Flexible schema (schema-less)
➔ Document-oriented
➔ Documents are JSON-like, stored as BSON
➔ Terminology: RDBMS vs MongoDB
◆ Table = Collection
◆ Row = Document
◆ Column = Field (key)
➔ Horizontal scalability (replica sets and sharding)
Authentication
➔ Purposes of authentication
◆ Admit only valid users
◆ Verify the proof of identity the user presents
◆ Keep attackers out
➔ Authentication mechanisms
◆ SCRAM (default; prefer SCRAM-SHA-256 over SCRAM-SHA-1)
◆ x.509 certificate
◆ LDAP (Enterprise)
◆ Kerberos (Enterprise)
Enable Authentication in MongoDB
➔ Start MongoDB without the authorization option in the config file.
➔ Connect to the server using the mongo shell.
➔ Create an administrator user in the admin database
with the root role.
➔ Exit the mongo shell.
➔ Add security.authorization: enabled to the MongoDB config
file and restart MongoDB.
➔ Alternative: enable authorization first and create the admin user over the
localhost exception, so the server is never running open, even briefly.
Methods To Authenticate a User in MongoDB
❖ mongo "mongodb://User:Password@<host>:<port>/admin"
❖ mongo -u User -p Password --authenticationDatabase admin
❖ db.auth("User", "Password")
Passing the password on the command line leaves it in the shell history and in the
process list; omit the value after -p so the shell prompts for it instead.
Validations If Authentication Fails
➔ Validate the user, password and authentication database.
➔ Check the port number.
➔ Verify the authentication mechanism in use (e.g. SCRAM-SHA-1 vs SCRAM-SHA-256).
Authentication with x.509 Mechanism
➔ Certificate-based authentication mechanism
➔ Uses certificates instead of a username and password
➔ Serves both internal (member) and external (client) authentication
➔ x.509 authentication requires a TLS/SSL connection
➔ $external is the authentication database
➔ The subject of the client certificate is the username, added in the $external DB
➔ $external holds only the user entries and their roles; no credentials are stored
➔ The client certificate's subject must differ from the member certificates'
subjects in at least one of O, OU or DC; a certificate matching all three is
treated as a cluster member
Configuring the x.509 Mechanism
➔ Create a root CA file in PEM format
➔ Create the server TLS/SSL certificate and the client certificate, both signed by that CA
➔ Edit the config file
➔ Get the subject of the client PEM certificate in the form MongoDB expects
(RFC 2253 ordering; drop the leading "subject=" from the output)
◆ openssl x509 -inform PEM -noout -subject -nameopt RFC2253
-in <client PEM file>
➔ Create a user with that subject as the name in the
$external database
net:
  tls:
    mode: requireTLS
    CAFile: <path to root CA PEM file>
    certificateKeyFile: <path to server PEM file (certificate + private key)>
Connect: mongo --tls --tlsCertificateKeyFile <path to client PEM file>
--tlsCAFile <path to root CA PEM file> --authenticationDatabase
'$external' --authenticationMechanism MONGODB-X509
Authorization
➔ Given who you are, what can you do?
➔ Allows a user to perform only the specified actions.
➔ Advantage
◆ Least privilege: each account can do only what its job needs.
➔ Role Based Access Control
◆ Grant access to the user based on the actions they need to perform.
Why Role Based Access Control?
Developer → insert data
DBA → create users
Data Scientist → read data
➔ Different users perform different actions
➔ No need to give root access to every user
➔ Never trust users by default
Roles in MongoDB
Role: a named set of privileges; each privilege pairs a resource with the
actions allowed on it. A role can also inherit other roles.
Actions: the operations that may be performed (e.g. find, insert, dropCollection).
Resources: the database and/or collection (or the cluster) the actions apply to.
An empty string for collection means every non-system collection in that database.
> use admin
> db.createRole(
    {
      role: "dropCollectionUser",
      privileges: [
        {
          resource: { db: "DB", collection: "" },
          actions: [ "dropCollection" ]
        }
      ],
      roles: []
    }
  )
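To make the role/privilege/resource model above concrete, here is an added example (not code from the slides or from MongoDB) that models the authorization decision in plain Node.js: a role catalogue shaped like the createRole() document, resource matching with the documented wildcard rules, role inheritance, and an isAuthorized() check. The role names other than dropCollectionUser and all sample data are constructed for the illustration.

```javascript
// Added example (not from the slides): a minimal model of MongoDB's
// authorization check. A role is a list of privileges, each pairing a resource
// document with the actions it allows, plus the roles it inherits from.
// Resource matching follows the documented rules for the resource document:
//   { db: "X", collection: "" }  every non-system collection in database X
//   { db: "", collection: "c" }  collection c in every database
//   { db: "", collection: "" }   every non-system collection in every database
//   { cluster: true }            cluster-wide actions, never a namespace
"use strict";

// Constructed role catalogue (sample data). dropCollectionUser is the slide's role.
const ROLES = {
  dropCollectionUser: {
    privileges: [{ resource: { db: "DB", collection: "" }, actions: ["dropCollection"] }],
    roles: [],
  },
  auditReader: {
    privileges: [{ resource: { db: "DB", collection: "audit" }, actions: ["find"] }],
    roles: [],
  },
  // Inherits auditReader and adds write actions on every collection in DB.
  appWriter: {
    privileges: [{ resource: { db: "DB", collection: "" }, actions: ["insert", "update"] }],
    roles: ["auditReader"],
  },
  // Cluster resource: may run cluster-level actions but touches no collection.
  clusterWatcher: {
    privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
    roles: [],
  },
};

// Does a privilege's resource document cover the requested target?
// `target` is either { db, collection } or { cluster: true }.
function resourceMatches(resource, target) {
  if (resource.cluster || target.cluster) return Boolean(resource.cluster && target.cluster);
  const dbMatch = resource.db === "" || resource.db === target.db;
  const collMatch = resource.collection === "" || resource.collection === target.collection;
  // A "" collection is a wildcard over user collections only; system.* stays excluded.
  const systemExcluded = resource.collection === "" && target.collection.startsWith("system.");
  return dbMatch && collMatch && !systemExcluded;
}

// Flatten a role and everything it inherits into one privilege list,
// guarding against cycles and unknown role names.
function effectivePrivileges(roleName, roles = ROLES, seen = new Set()) {
  const role = roles[roleName];
  if (!role || seen.has(roleName)) return [];
  seen.add(roleName);
  return role.roles.reduce(
    (acc, inherited) => acc.concat(effectivePrivileges(inherited, roles, seen)),
    role.privileges.slice()
  );
}

// The authorization decision: is `action` on `target` granted by `roleName`?
function isAuthorized(roleName, action, target, roles = ROLES) {
  return effectivePrivileges(roleName, roles).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, target)
  );
}

if (typeof require !== "undefined" && require.main === module) {
  const ns = (db, collection) => ({ db, collection });
  console.log(isAuthorized("dropCollectionUser", "dropCollection", ns("DB", "orders")));    // true
  console.log(isAuthorized("dropCollectionUser", "dropCollection", ns("other", "orders"))); // false
  console.log(isAuthorized("appWriter", "find", ns("DB", "audit")));                         // true (inherited)
  console.log(isAuthorized("clusterWatcher", "serverStatus", { cluster: true }));           // true
}
```

The point to take from the walk-through: the slide's role can drop any user collection in DB, but not in another database and not a system collection, and the only way appWriter gets find on DB.audit is through the inherited role, which is why reviewing a custom role means flattening its inheritance chain rather than reading its own privileges list.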
Built-In Roles in MongoDB
Database User
[ read, readWrite ]
Database Admin
[ dbAdmin, userAdmin, dbOwner ]
Superuser
[ root ]
Cluster Admin
[ clusterManager, clusterMonitor,
hostManager, clusterAdmin ]
Backup/Restore
[ backup, restore ]
All Databases
[ readAnyDatabase,
readWriteAnyDatabase ]
Demo: Authentication & Authorization
Key File Authentication
➔ Internal authentication mechanism
➔ Secures communication between the members of a
replica set or sharded cluster
➔ A shared secret: every member holds the same keyfile
➔ Setting security.keyFile also enables client authorization,
so database admin users must exist before it is turned on (or be
created through the localhost exception afterwards)
➔ The keyfile contents act as the shared password for a SCRAM
challenge/response between members; the key itself is never sent
over the wire
(Diagram: three hosts, each running MongoDB with a copy of the keyfile on the
host OS, exchanging key challenge/response between every pair of members)
Steps to Configure KeyFile Authentication
➔ Create a keyfile (6 to 1024 base64 characters; 756 random bytes give 1008)
◆ openssl rand -base64 756 > <path-to-keyfile>
◆ chmod 400 <path-to-keyfile>
➔ Copy the keyfile to each replica set member, owned by the user mongod runs as,
with no group or world permissions.
➔ Modify the config file on each replica set member.
◆ vi /etc/mongod.conf
➔ Restart the mongod process.
◆ systemctl restart mongod
security:
  keyFile: <path-to-keyfile>
replication:
  replSetName: <replicaSetName>
It's nice to know. Is there any feature available in MongoDB for monitoring users' activities?
Auditing in MongoDB
➔ Tracks system activity.
➔ Records user, system and application activities.
➔ Audit information must actually be reviewed; a log nobody reads adds no security.
What auditing records (diagram): authentication and authorization events;
replica set and sharded cluster events; CRUD operations (only when enabled
through the filter together with auditAuthorizationSuccess).
Advantages
➔ Adds accountability.
➔ Helps investigate suspicious activity.
➔ Monitors database activity.
Configure File Options for Auditing
➔ Configured in the YAML config file under auditLog.
➔ Feature included in MongoDB Enterprise (and Atlas) only.
➔ compressionMode
◆ none (default)
◆ zstd
➔ destination
◆ file
◆ syslog
◆ console
➔ format
◆ JSON
◆ BSON
➔ path
◆ File location (when destination is file)
auditLog:
  compressionMode: <string>
  destination: <string>
  format: <string>
  path: <string>
  filter: <string>
Filter Option In Auditing
➔ filter limits the types of operations that are audited
➔ Uses query selectors against the audit message fields
➔ Allows regular expressions
➔ Syntax
filter: { <field>: <expression1> }
Example
filter: {
  atype: "authCheck",
  "param.command": {
    $in: [ "find", "insert", "delete", "update",
           "findandmodify" ] }
},
auditAuthorizationSuccess: true
By default only failed authorization checks are audited; auditAuthorizationSuccess: true
is needed to see the CRUD commands that succeeded, at a performance cost.
(Diagram: all operations → filtered operations → stored to the destination file)
Audit Message Structure
{
  atype: <string>,      # action type
  ts: { $date: <timestamp> },
  uuid: { $binary: <string>, $type: <string> },
  local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  users: [ { user: <string>, db: <string> }, ... ],
  roles: [ { role: <string>, db: <string> }, ... ],
  param: <document>,
  result: <int>         # 0 on success, otherwise the error code (e.g. 13 = Unauthorized)
}
Versions vs Features
➔ Available since 2.6
➔ MongoDB Enterprise and Atlas
➔ Filter option available since 3.0
➔ Since 5.0: runtime audit configuration and filter management
(the filter can be changed without a restart)
➔ Since 5.0: a UUID is added to each audit message
➔ Since 5.3: auditLog.compressionMode to compress the audit log
➔ Since 6.0: audit log encryption is available
Achieving the Auditing Feature with Community
➔ Percona Server for MongoDB
➔ Same auditing features as MongoDB Enterprise
➔ Only difference: the UUID is not added to audit messages in Percona
Server for MongoDB
➔ Free and open source
Even if the data is locked by users with passwords, is the data really safe?
Data Encryption
➔ A mechanism that protects data
➔ Information is converted into ciphertext
➔ Hides the actual meaning
➔ Only parties holding the key can recover it
Three states of data to protect:
➔ Data at rest
➔ Data in transit
➔ Data in use
Base Of Encryption
(Diagram: Science ∩ Mathematics = Cryptography; Encryption ⊆ Cryptography;
plaintext + key → ciphertext, with cryptanalysis working against the ciphertext)
Terminology
Crypto = secret
Graphy = writing
Data Encryption at Rest
➔ The WiredTiger storage engine has native encryption (MongoDB Enterprise;
also available in Percona Server for MongoDB).
➔ Cipher: AES256-CBC by default, AES256-GCM optional
➔ AES256-GCM is only supported on Linux
➔ Symmetric keys: one internal key per database, each encrypted with the master key
➔ Options for sourcing the master key
◆ A third-party key management appliance via KMIP
(Key Management Interoperability Protocol) - recommended
◆ A keyfile on the local system (not recommended: the key sits on the same
host as the data it protects)
➔ Use a unique master key for every node in a replica set.
Configure Data Encryption At Rest on Community
Note: community MongoDB does not ship encryption at rest; this was configured on
Percona Server for MongoDB, which does.
Configuring steps
➔ Create a keyfile
◆ A base64-encoded 16- or 32-byte key (128 or 256 bits)
➔ Edit the config file
➔ Add the encryption options
➔ Restart mongod
security:
  enableEncryption: true
  encryptionKeyFile: <path to keyfile>
  encryptionCipherMode: "AES256-GCM"
Validate
grep "Encryption" <log file>
{"t":{"$date":"2022-11-21T09:39:37.741+00:00"},"s":"I", "c":"STORAGE", "id":29039,
"ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
Ok!! Now the data is safe at rest. But what about safety in transit?
Encrypting Data in Transit
Data is transported over
➔ Transport Layer Security (TLS)
➔ Secure Socket Layer (SSL): the older protocol TLS replaced; all SSL versions
are broken, and "SSL" survives only in option names
TLS/SSL uses certificates
➔ PEM files
➔ Issued by a certificate authority
➔ Self-signed certificates (testing only: they give encryption but no identity check)
Configure TLS/SSL and Connecting
Configuring steps
➔ Create the CA file
➔ Create the PEM file (server certificate plus private key)
➔ Edit the config file
➔ Add the TLS options
➔ Restart mongod
net:
  tls:
    mode: requireTLS
    certificateKeyFile: <pem file>
    CAFile: <CA file>
Connection
mongo --tls --tlsCertificateKeyFile <pem file> --tlsCAFile <CA file> --host
<host name>
➔ The host name must appear in the server certificate's Subject Alternative Name
(from 4.2 MongoDB validates against the SAN; matching on CN alone is deprecated).
➔ Disable old protocol versions with net.tls.disabledProtocols (e.g. TLS1_0,TLS1_1).
A sample demo to implement in-transit encryption with Percona Server for MongoDB
Ok!! Good! Now the data is safe in transit. But what about safety while in use?
Client Side Field Level Encryption
➔ Simple definition
◆ The client handles encryption and decryption of data
using a key the server never sees.
◆ Selectively encrypts individual document fields.
◆ End-to-end encryption: the server, its administrators and its backups only
ever hold ciphertext.
A doctor's prescription saves a patient's life; in the same way, encryption
saves the information from data breaches.
Why CSFLE Is Important?
➔ In-flight encryption protects all data traversing the network.
◆ But it does not protect data in memory or at rest.
➔ At-rest encryption protects all stored data.
◆ But it does not protect data in memory or in flight.
➔ With client-side encryption, the most sensitive data never
leaves the application in plaintext.
➔ Fields encrypted on the client side remain ciphertext everywhere else:
◆ in server memory,
◆ in system logs and at rest,
◆ in backups.
Keys Involved
➔ Customer Master Key (CMK)
◆ The root key
◆ Used only to encrypt (wrap) and decrypt (unwrap) the DEK
◆ Must be kept in a KMS (AWS KMS, Azure Key Vault, GCP KMS or a KMIP server);
the "local" provider is for development and testing
➔ Data Encryption Key (DEK)
◆ Generated by libmongocrypt
◆ Stored in the key vault collection, encrypted with the CMK
◆ Used to encrypt and decrypt field values
This strategy is envelope encryption.
Process Of FLE
(Diagram: user → MongoDB driver ↔ KMS, driver ↔ MongoDB server, steps 1 to 6.
The application issues db.coll.find({ Pin: "123" }); the driver sends the
server an encrypted search key, Pin: "***"; the stored document is
{ Name: 'A', age: 16, Pin: "***" }; the application receives
{ Name: 'A', age: 16, Pin: "123" } after the driver decrypts the result.)
Process Of FLE
➔ When the application submits the query, the MongoDB driver first
analyzes it to determine whether any encrypted fields are involved in the filter.
➔ Recognizing that the query targets an encrypted field, the driver
fetches the field's data encryption key and has the key manager unwrap it.
➔ The key manager returns the key to the MongoDB driver, which then
encrypts the queried value.
➔ The driver submits the query to the MongoDB server with the encrypted
fields rendered as ciphertext.
➔ The MongoDB server matches ciphertext against ciphertext and returns the
encrypted results of the query to the driver.
➔ The driver decrypts the results with the keys it holds and returns them to
the authenticated client as readable plaintext.
➔ This works for equality queries on deterministically encrypted fields only;
randomly encrypted fields cannot be queried at all, which is the trade-off
Queryable Encryption sets out to address.
Availability of CSFLE
➔ Versions: 4.2+
➔ Drivers: 20+ platforms across multiple languages (Node.js, C, C#,
Python, Java etc.)
➔ Automatic encryption: MongoDB Atlas and Enterprise only (needs mongocryptd
or the crypt_shared library).
➔ Manual (explicit) encryption: MongoDB Atlas, Enterprise
and Community.
Configure CSFLE on MongoDB Community
Configuring steps
➔ Create a key file, i.e. the CMK (96 random bytes for the local provider)
➔ Assign the CMK value to a LOCAL_KEY variable
➔ Build the ClientSideFieldLevelEncryptionOptions (kmsProviders with the
local key, and the keyVaultNamespace)
➔ Connect to mongo with the above options
➔ Create a Data Encryption Key
➔ Insert a document, encrypting any field explicitly with the
encrypt() function
A sample demo to implement CSFLE with MongoDB Community Server
The data field is encrypted, well and good. Then how do we query on that particular field, even when it has low cardinality?
Queryable Encryption
➔ Allows users to search their data while it remains encrypted
➔ Data remains encrypted at insert, in storage, and during the query
➔ A Public Preview feature (in MongoDB 6.0, at the time of this talk)
➔ Not recommended for production
Features of Queryable Encryption
➔ Fully randomized encryption
➔ Expressive queries on encrypted data
➔ Client-side encryption
➔ Customer-managed encryption keys
➔ Industry standard cryptography primitives
➔ Field-level encryption
Scope of Necessity For QE
With the proliferation of different types of data being transmitted and stored in
the cloud, protecting data is increasingly important for companies.
➔ Bank Applications
➔ Stock brokerage firm
➔ Hospitals
➔ Human Resources
➔ Government Applications
➔ E-commerce applications etc.
Encrypted Collection Management
Queryable Encryption uses four data structures:
➔ Three metadata collections
When you create an encrypted collection using Queryable Encryption,
MongoDB creates three metadata collections in the same database:
● enxcol_.<collectionName>.esc, referred to as ESC
● enxcol_.<collectionName>.ecc, referred to as ECC
● enxcol_.<collectionName>.ecoc, referred to as ECOC
➔ A field in every document of the encrypted collection called __safeContent__
Note: it is critical that these data structures are not modified or deleted;
back them up together with the encrypted collection.
Write Operations vs Metadata Collections
When writing a document, each indexed field requires writes to the metadata
collections in addition to the one write on the encrypted collection:
Operation   ESC   ECC   ECOC
Insert       1     0     1
Update       1     1     2
Delete       0     1     1
Storage Issue with QE
➔ 2x to 3x extra storage
➔ Depends on the number of indexed fields per document
➔ Every write also updates the associated metadata collections
Index Compaction
➔ A process that prunes the metadata collections
➔ Should run when the size of the ECOC exceeds 1 GB
➔ To run index compaction:
db.collection.compactStructuredEncryptionData()
Availability of Queryable Encryption
➔ Versions: 6.0
➔ Drivers: 20+ platforms across multiple languages (Node.js, C, C#,
Python, Java etc.)
➔ Automatic encryption: MongoDB Atlas and Enterprise only.
➔ Manual (explicit) encryption: MongoDB Atlas, Enterprise
and Community.
Limitations of QE:
➔ Fully randomized encryption only (equality queries only, in the preview)
➔ A unique Data Encryption Key must be created manually for each field
➔ Index compaction must be run manually
➔ Standalone deployments are not supported
➔ Secondary reads are not supported
➔ Encrypted field names are immutable
➔ Collations are ignored
➔ Unique indexes and TTL indexes are not supported
➔ Views, time series collections and capped collections are not supported
➔ _id cannot be encrypted
Encryption Performance in MongoDB
➔ Latency ∝ data size
➔ Under high load
◆ Writes: 10% to 20% extra latency
◆ Reads: < 5% (negligible)
➔ Encrypting and decrypting need extra CPU
➔ The WiredTiger storage engine suits encryption well because
◆ It encrypts at page level
◆ Only the pages an operation touches are decrypted and re-encrypted
◆ High performance, scalability and security
MongoDB Security Recommendations
➔ Never expose the DB servers directly to the internet; bind only the needed
interfaces (net.bindIp) and firewall the port.
➔ Avoid the default port (27017) to reduce noise from scanners; this is no
substitute for the firewall.
➔ Use strong passwords.
➔ Authenticate from the shell with db.auth() rather than putting the password
on the command line.
➔ Treat security.transitionToAuth as a temporary, rolling-enablement setting only:
it accepts unauthenticated connections, so never leave it in the config file.
➔ Limit user actions with custom roles (least privilege).
➔ Maintain data encryption at rest, in transit and, for sensitive fields, in use.
Any queries?
More questions and queries: info@mydbops.com
THANK YOU

Mastering Aurora PostgreSQL Clusters for Disaster Recovery
Mydbops
 
Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...
Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...
Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...
Mydbops
 
AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15
AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15
AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15
Mydbops
 
Data-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE Event
Data-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE EventData-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE Event
Data-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE Event
Mydbops
 
MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...
MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...
MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...
Mydbops
 
Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...
Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...
Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...
Mydbops
 
Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...
Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...
Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...
Mydbops
 
Data Organisation: Table Partitioning in PostgreSQL
Data Organisation: Table Partitioning in PostgreSQLData Organisation: Table Partitioning in PostgreSQL
Data Organisation: Table Partitioning in PostgreSQL
Mydbops
 
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - MydbopsNavigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Mydbops
 
Data High Availability With TIDB
Data High Availability With TIDBData High Availability With TIDB
Data High Availability With TIDB
Mydbops
 
Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...
Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...
Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...
Mydbops
 
Enhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificatesEnhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificates
Mydbops
 
Exploring the Fundamentals of YugabyteDB - Mydbops
Exploring the Fundamentals of YugabyteDB - Mydbops Exploring the Fundamentals of YugabyteDB - Mydbops
Exploring the Fundamentals of YugabyteDB - Mydbops
Mydbops
 
Time series in MongoDB - Mydbops
Time series in MongoDB - Mydbops Time series in MongoDB - Mydbops
Time series in MongoDB - Mydbops
Mydbops
 
TiDB in a Nutshell - Power of Open-Source Distributed SQL Database - Mydbops
TiDB in a Nutshell - Power of Open-Source Distributed SQL Database - MydbopsTiDB in a Nutshell - Power of Open-Source Distributed SQL Database - Mydbops
TiDB in a Nutshell - Power of Open-Source Distributed SQL Database - Mydbops
Mydbops
 
Achieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQLAchieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQL
Mydbops
 

More from Mydbops (20)

Efficient MySQL Indexing and what's new in MySQL Explain
Efficient MySQL Indexing and what's new in MySQL ExplainEfficient MySQL Indexing and what's new in MySQL Explain
Efficient MySQL Indexing and what's new in MySQL Explain
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
PostgreSQL Schema Changes with pg-osc - Mydbops @ PGConf India 2024
PostgreSQL Schema Changes with pg-osc - Mydbops @ PGConf India 2024PostgreSQL Schema Changes with pg-osc - Mydbops @ PGConf India 2024
PostgreSQL Schema Changes with pg-osc - Mydbops @ PGConf India 2024
 
Choosing the Right Database: Exploring MySQL Alternatives for Modern Applicat...
Choosing the Right Database: Exploring MySQL Alternatives for Modern Applicat...Choosing the Right Database: Exploring MySQL Alternatives for Modern Applicat...
Choosing the Right Database: Exploring MySQL Alternatives for Modern Applicat...
 
Mastering Aurora PostgreSQL Clusters for Disaster Recovery
Mastering Aurora PostgreSQL Clusters for Disaster RecoveryMastering Aurora PostgreSQL Clusters for Disaster Recovery
Mastering Aurora PostgreSQL Clusters for Disaster Recovery
 
Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...
Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...
Navigating Transactions: ACID Complexity in Modern Databases- Mydbops Open So...
 
AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15
AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15
AWS RDS in MySQL 2023 Vinoth Kanna @ Mydbops OpenSource Database Meetup 15
 
Data-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE Event
Data-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE EventData-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE Event
Data-at-scale-with-TIDB Mydbops Co-Founder Kabilesh PR at LSPE Event
 
MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...
MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...
MySQL Transformation Case Study: 80% Cost Savings & Uninterrupted Availabilit...
 
Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...
Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...
Scaling-MongoDB-with-Horizontal-and-Vertical-Sharding Mydbops Opensource Data...
 
Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...
Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...
Mastering MongoDB Atlas: Essentials of Diagnostics and Debugging in the Cloud...
 
Data Organisation: Table Partitioning in PostgreSQL
Data Organisation: Table Partitioning in PostgreSQLData Organisation: Table Partitioning in PostgreSQL
Data Organisation: Table Partitioning in PostgreSQL
 
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - MydbopsNavigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
 
Data High Availability With TIDB
Data High Availability With TIDBData High Availability With TIDB
Data High Availability With TIDB
 
Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...
Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...
Mastering Database Migration_ Native replication (8.0) to InnoDB Cluster (8.0...
 
Enhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificatesEnhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificates
 
Exploring the Fundamentals of YugabyteDB - Mydbops
Exploring the Fundamentals of YugabyteDB - Mydbops Exploring the Fundamentals of YugabyteDB - Mydbops
Exploring the Fundamentals of YugabyteDB - Mydbops
 
Time series in MongoDB - Mydbops
Time series in MongoDB - Mydbops Time series in MongoDB - Mydbops
Time series in MongoDB - Mydbops
 
TiDB in a Nutshell - Power of Open-Source Distributed SQL Database - Mydbops
TiDB in a Nutshell - Power of Open-Source Distributed SQL Database - MydbopsTiDB in a Nutshell - Power of Open-Source Distributed SQL Database - Mydbops
TiDB in a Nutshell - Power of Open-Source Distributed SQL Database - Mydbops
 
Achieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQLAchieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQL
 

Recently uploaded

Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Christina Lin
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
zwunae
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
Fundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptxFundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptx
manasideore6
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
gestioneergodomus
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
bakpo1
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation & Control
 
digital fundamental by Thomas L.floydl.pdf
digital fundamental by Thomas L.floydl.pdfdigital fundamental by Thomas L.floydl.pdf
digital fundamental by Thomas L.floydl.pdf
drwaing
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
zwunae
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
Aditya Rajan Patra
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
SUTEJAS
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
NidhalKahouli2
 
Modelagem de um CSTR com reação endotermica.pdf
Modelagem de um CSTR com reação endotermica.pdfModelagem de um CSTR com reação endotermica.pdf
Modelagem de um CSTR com reação endotermica.pdf
camseq
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
Kerry Sado
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
An Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering TechniquesAn Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering Techniques
ambekarshweta25
 
Water billing management system project report.pdf
Water billing management system project report.pdfWater billing management system project report.pdf
Water billing management system project report.pdf
Kamal Acharya
 
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
dxobcob
 

Recently uploaded (20)

Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
Fundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptxFundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptx
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
digital fundamental by Thomas L.floydl.pdf
digital fundamental by Thomas L.floydl.pdfdigital fundamental by Thomas L.floydl.pdf
digital fundamental by Thomas L.floydl.pdf
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
 
Modelagem de um CSTR com reação endotermica.pdf
Modelagem de um CSTR com reação endotermica.pdfModelagem de um CSTR com reação endotermica.pdf
Modelagem de um CSTR com reação endotermica.pdf
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
An Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering TechniquesAn Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering Techniques
 
Water billing management system project report.pdf
Water billing management system project report.pdfWater billing management system project report.pdf
Water billing management system project report.pdf
 
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
 

Achieving compliance With MongoDB Security

• 1. Achieving Compliances with MongoDB Security
Presented by MADHU SAI VAVILALA, Associate DB Engineer, Mydbops

• 2. Agenda
➔ Importance of Data Security
➔ Security Triad (C.I.A)
➔ A.A.A.
➔ Data Encryption at Rest
➔ TLS & SSL
➔ CSFLE
➔ Queryable Encryption
➔ MongoDB Security Recommendations

• 3. History Of Database
➔ Ancient data storage techniques
◆ Examples: cave painting, stone carving, pen and paper, punched cards
➔ Necessity of data storage devices
◆ To avoid the drawbacks of traditional data storage techniques
● Latency to get the required data
● Less security
● Need more space to store
➔ First non-electronic storage device
◆ Punch cards in Jacquard machines
➔ The first 'real' electronic storage device in 1947 (Manchester Mark I Williams-Kilburn tube)

• 4. Importance of Data Security
➔ Ransomware attack on 22,000 DBs in 2020
➔ 308,000 unsecured MongoDB instances in Q1 2021
➔ In Q1 of 2022, 12% of instances peaked in the list
➔ IoT - Security = Internet Of Threats
➔ “ Privacy is not a right, it is an absolute necessity. ”
➔ Data is a costly asset
➔ Avoid illegal access
➔ Protect from data corruption

• 5. Data Security Triad (C.I.A)
➔ Confidentiality: Protection of data against unauthorized users.
➔ Integrity: Prevention of unauthorized and improper data modification.
➔ Availability: An authorized user is able to access the data without any interruption.
(Diagram: Data Security Triad, with Confidentiality, Integrity and Availability as the three corners, C / I / A)

• 6. A.A.A
➔ Authentication
◆ Verify the identity of the user
◆ Internal Authentication
◆ External Authentication
➔ Authorization
◆ Actions performed by the user
◆ Inbuilt roles
◆ Customized roles
➔ Auditing
◆ Logging the activities of a user
(Diagram: A3 Security, with Authentication, Authorization and Auditing as the three sides)

• 7. Brief Info About MongoDB
➔ NoSQL database
➔ Schemaless
➔ Document-oriented
➔ JSON structure
➔ Supports BSON structure
➔ Terminology between RDBMS and MongoDB
◆ Table = Collection
◆ Row = Document
◆ Column = Key
➔ Scalability
• 8. Authentication
➔ Purposes of Authentication
◆ Connect a valid user
◆ Verify the proof of the user
◆ Protect against attackers
➔ Authentication Mechanisms
◆ SCRAM (Default)
◆ x.509 Certificate
◆ LDAP
◆ Kerberos

• 9. Enable Authentication in MongoDB
➔ Start MongoDB without the authentication option in the config file.
➔ Connect to the server using the mongo shell.
➔ Create an administrator in the admin database with root access.
➔ Exit from the mongo shell.
➔ Restart MongoDB after adding the authentication option to the MongoDB config file.

• 10. Methods To Authenticate a User in MongoDB
❖ mongo "mongodb://User:Password@<host>:<port>/admin"
❖ mongo -u User -p Password --authenticationDatabase admin
❖ db.auth("User", "Password")
Validations if authentication failed:
➔ Validate the user, password and authentication database.
➔ Check the port number.
➔ Verify the authentication mechanism in use.

• 11. Authentication with the x.509 Mechanism
➔ Certificate-based authentication mechanism
➔ Uses certificates instead of the traditional username and password
➔ Provides both internal and external authentication
➔ x.509 certificates need a secure TLS/SSL connection
➔ $external is the authenticationDatabase
➔ The subject of the client certificate is added as a user in the $external DB
➔ $external holds only user details

• 12. Configuring the x.509 Mechanism
➔ Create a root CA file in PEM format
➔ Create a TLS/SSL certificate
➔ Edit the config file:
net:
  tls:
    mode: requireTLS
    CAFile: <path to root CA PEM file>
    certificateKeyFile: <TLS/SSL key PEM file>
➔ Get the subject of the client PEM certificate
◆ openssl x509 -inform PEM -subject -in <Client PEM file>
➔ Create a user with the above subject in the $external database
URI: mongo --tls --tlsCertificateKeyFile <path to client PEM file> --tlsCAFile <path to root CA PEM file> --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
• 13. Authorization
➔ Given who you are, what can you do?
➔ Allows the user to perform only the specified actions.
➔ Advantage
◆ Improved efficiency.
➔ Role Based Access Control
◆ Provides access to the user based on the actions they need to perform.

• 14. Why Role Based Access Control?
(Diagram: Developer → Insert Data; DBA → Create Users; Data Scientist → Read Data)
➔ Various users perform different actions
➔ No need to provide root access to all users
➔ Never trust users

• 15. Roles in MongoDB
Role: An object consisting of privileges, each pairing actions with the resources they are performed on.
Actions: Performable activities.
Resources: The data on which the user performs the actions.
> use admin
> db.createRole({
    role: "dropCollectionUser",
    privileges: [
      { actions: [ "dropCollection" ], resource: { db: "DB", collection: "" } }
    ],
    roles: []
  })

• 16. Built-In Roles in MongoDB
Database User [ read, readWrite ]
Database Admin [ dbAdmin, userAdmin, dbOwner ]
SuperUser [ root ]
Cluster Admin [ clusterManager, clusterMonitor, hostManager, clusterAdmin ]
Backup/Restore [ backup, restore ]
All Database [ readAnyDatabase, readWriteAnyDatabase ]
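To make the role model of slides 15 and 16 concrete, here is an added example (not code from the presentation or from MongoDB) that simulates how a privilege check resolves: a role carries privileges (actions on a resource), inherits other roles through its `roles` array, and a resource of `{ db: "DB", collection: "" }` covers every collection in that database. The built-in role contents are an assumed, simplified subset of the real ones, and `ANY_ACTION` is a stand-in for root's full privilege list.

```python
"""Simplified model of MongoDB role-based access control (added example)."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Resource = Tuple[str, str]            # (db, collection); "" acts as a wildcard, as in MongoDB
Privilege = Tuple[Resource, FrozenSet[str]]
RoleKey = Tuple[str, str]             # (role name, database the role is defined in)
ANY_ACTION = "*"                      # assumed stand-in for root's complete action list


def builtin_roles(db: str) -> Dict[RoleKey, dict]:
    """Assumed, simplified subset of the per-database built-in roles from slide 16."""
    read = frozenset({"find", "listCollections", "listIndexes"})
    write = frozenset({"insert", "update", "remove", "createCollection",
                       "createIndex", "dropCollection"})
    return {
        ("read", db): {"privileges": [((db, ""), read)], "roles": []},
        ("readWrite", db): {"privileges": [((db, ""), read | write)], "roles": []},
        # the real dbOwner also inherits dbAdmin and userAdmin; omitted here
        ("dbOwner", db): {"privileges": [], "roles": [("readWrite", db)]},
    }


ROOT: Dict[RoleKey, dict] = {
    ("root", "admin"): {"privileges": [(("", ""), frozenset({ANY_ACTION}))], "roles": []},
}


def create_role(catalog: Dict[RoleKey, dict], name: str, db: str,
                privileges: List[Tuple[Resource, List[str]]], roles: List[RoleKey]) -> None:
    """Mirror of db.createRole(): explicit privileges plus inherited roles."""
    catalog[(name, db)] = {
        "privileges": [(res, frozenset(acts)) for res, acts in privileges],
        "roles": list(roles),
    }


def resource_matches(granted: Resource, requested: Resource) -> bool:
    gdb, gcoll = granted
    rdb, rcoll = requested
    return gdb in ("", rdb) and gcoll in ("", rcoll)


def resolve_privileges(role: RoleKey, catalog: Dict[RoleKey, dict],
                       seen: Optional[Set[RoleKey]] = None) -> List[Privilege]:
    """Collect a role's own privileges and, transitively, those of inherited roles."""
    seen = set() if seen is None else seen
    if role in seen or role not in catalog:
        return []
    seen.add(role)
    privs = list(catalog[role]["privileges"])
    for inherited in catalog[role]["roles"]:
        privs += resolve_privileges(inherited, catalog, seen)
    return privs


def is_authorized(user_roles: List[RoleKey], catalog: Dict[RoleKey, dict],
                  action: str, resource: Resource) -> bool:
    for role in user_roles:
        for granted, actions in resolve_privileges(role, catalog):
            if resource_matches(granted, resource) and (ANY_ACTION in actions or action in actions):
                return True
    return False


def build_catalog() -> Dict[RoleKey, dict]:
    """Catalog with root, built-ins for two databases, and the custom role from slide 15."""
    catalog = {**ROOT, **builtin_roles("DB"), **builtin_roles("other")}
    create_role(catalog, "dropCollectionUser", "admin",
                [(("DB", ""), ["dropCollection"])], [])
    return catalog


if __name__ == "__main__":
    cat = build_catalog()
    ops = [("dropCollectionUser", "admin")]
    print(is_authorized(ops, cat, "dropCollection", ("DB", "orders")))     # True
    print(is_authorized(ops, cat, "dropCollection", ("other", "orders")))  # False: wrong db
    print(is_authorized(ops, cat, "find", ("DB", "orders")))               # False: no read grant
```

The check a practitioner wants from this model is the negative case: the custom role grants exactly one action on one database, so an account holding it cannot read the data it can drop, and cannot drop anything elsewhere.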
• 17. DEMO For Authentication & Authorization

• 18. Key File Authentication
➔ Internal authentication mechanism
➔ Security between members of the replica set
➔ Shared key for each member
➔ To use keyfile authentication we need to create database admin users
(Diagram: three MongoDB hosts, each with the key file on the host OS, exchanging key challenge/response with one another)

• 19. Steps to Configure Keyfile Authentication
➔ Create a key file
◆ openssl rand -base64 756 > <path-to-keyfile>
◆ chmod 400 <path-to-keyfile>
➔ Copy the keyfile to each replica set member.
➔ Modify the config file on each MongoDB replica member.
◆ > vi /etc/mongod.conf
security:
  keyFile: <path-to-keyfile>
replication:
  replSetName: <replicaSetName>
➔ Restart the mongod process.
◆ > systemctl restart mongod
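The two commands in the first step of slide 19 encode requirements that mongod checks at startup: keyfile content is base64 text, between 6 and 1024 characters after whitespace is stripped, and the file must not be readable by group or others. The added example below (not code from the presentation) generates a keyfile the same way `openssl rand -base64 756` does and validates an existing one against those rules, so a misconfigured member can be caught before the restart; the helper and function names are this example's own.

```python
"""Generate and validate a MongoDB replica-set keyfile (added example)."""
import base64
import os
import stat
import tempfile
from typing import Dict, Tuple

# Characters mongod accepts in a keyfile (the base64 alphabet); whitespace is ignored.
KEYFILE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
MIN_LEN, MAX_LEN = 6, 1024   # documented keyfile length limits, in characters


def generate_keyfile(path: str, nbytes: int = 756) -> str:
    """Equivalent of `openssl rand -base64 756 > path` followed by `chmod 400 path`."""
    content = base64.encodebytes(os.urandom(nbytes)).decode("ascii")
    # O_EXCL refuses to overwrite an existing key; mode 0o400 is applied at creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return content


def check_keyfile_content(text: str) -> Tuple[bool, str]:
    key = "".join(text.split())          # mongod strips whitespace before checking
    if not MIN_LEN <= len(key) <= MAX_LEN:
        return False, f"key length {len(key)} outside {MIN_LEN}-{MAX_LEN}"
    bad = set(key) - KEYFILE_ALPHABET
    if bad:
        return False, f"non-base64 characters: {sorted(bad)}"
    return True, "ok"


def check_keyfile_mode(mode: int) -> Tuple[bool, str]:
    # mongod refuses a keyfile that grants any permission to group or others.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, f"mode {oct(mode & 0o777)} grants group/other access"
    return True, "ok"


def validate_keyfile(path: str) -> Tuple[bool, str]:
    ok, why = check_keyfile_mode(os.stat(path).st_mode)
    if not ok:
        return ok, why
    with open(path) as f:
        return check_keyfile_content(f.read())


def demo_roundtrip() -> Dict[str, Tuple[bool, str]]:
    """Create a good keyfile and a world-readable one in a scratch directory and validate both."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "keyfile")
        generate_keyfile(good)
        results = {"good": validate_keyfile(good)}
        loose = os.path.join(d, "loose-keyfile")
        with open(loose, "w") as f:
            f.write("Zm9vYmFyYmF6\n")    # constructed sample content, valid base64
        os.chmod(loose, 0o644)          # the mistake the chmod 400 step prevents
        results["loose"] = validate_keyfile(loose)
        return results


if __name__ == "__main__":
    for name, (ok, why) in demo_roundtrip().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'} ({why})")
```

Because every member must hold byte-identical content, run `validate_keyfile` on each host after copying the file; a stray edit or a permissive mode on one member keeps that member out of the replica set.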
• 20. It’s nice to know. Is there any feature available in MongoDB for monitoring the users’ activities?

• 21. Auditing in MongoDB
➔ Track system activity.
➔ Record user, system, and application activities.
➔ Audit information must be reviewed.
Auditing records:
◆ Authentication and authorization
◆ Replica set and sharded cluster events
◆ CRUD operations
Advantages:
➔ Add accountability.
➔ Investigate suspicious activity.
➔ Monitor database activity.

• 22. Configure File Options for Auditing
➔ YAML format.
➔ Feature included in MongoDB Enterprise only.
➔ compressionMode
◆ none (default)
◆ zstd
➔ destination
◆ file
◆ syslog
◆ console
➔ format
◆ JSON
◆ BSON
➔ path
◆ File location
auditLog:
  compressionMode: <string>
  destination: <string>
  format: <string>
  path: <string>
  filter: <string>

• 23. Filter Option in Auditing
➔ The filter limits the types of operations recorded
➔ Uses query selectors
➔ Allows regular expressions
➔ Syntax: filter: { <field>: <expression1> }
Example:
auditLog:
  filter: '{ atype: "authCheck", "param.command": { $in: [ "find", "insert", "delete", "update", "findandmodify" ] } }'
setParameter:
  auditAuthorizationSuccess: true
(Diagram: All Operations → Filtered Operations → Stored to Destination File)

• 24. Audit Message Structure
{
  atype: <string>,   # Action type
  ts: { $date: <timestamp> },
  uuid: { $binary: <string>, $type: <string> },
  local: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  remote: { ip: <string>, port: <int> || isSystemUser: <boolean> || unix: <string> },
  users: [ { user: <string>, db: <string> }, ... ],
  roles: [ { role: <string>, db: <string> }, ... ],
  param: <document>,
  result: <int>
}
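The filter on slide 23 is a query selector evaluated against messages shaped like the structure on slide 24. The added example below (not code from the presentation or from MongoDB) implements a small evaluator for that selector syntax, with dotted paths such as `param.command` and the `$in`, `$nin`, `$ne` and `$regex` operators, and runs it over a few constructed audit records. Besides the slide's own filter it goes one step further with a filter for denied authorization checks, the records a reviewer would look at first; the sample log lines and filter names are constructed for this example.

```python
"""Apply MongoDB audit-filter query selectors to JSON audit records (added example)."""
import json
import re
from typing import Any, Dict, List

# Constructed sample records following the audit message structure above
# (not real audit output; uuid omitted for brevity). result 13 is Unauthorized.
SAMPLE_AUDIT_LOG = r"""
{"atype":"authenticate","ts":{"$date":"2022-11-21T09:40:01.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authCheck","ts":{"$date":"2022-11-21T09:40:02.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"command":"find","ns":"shop.orders"},"result":0}
{"atype":"authCheck","ts":{"$date":"2022-11-21T09:40:03.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"command":"insert","ns":"shop.orders"},"result":0}
{"atype":"authCheck","ts":{"$date":"2022-11-21T09:40:04.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"command":"dropDatabase","ns":"shop"},"result":13}
{"atype":"authCheck","ts":{"$date":"2022-11-21T09:40:05.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"command":"update","ns":"shop.customers"},"result":0}
{"atype":"createCollection","ts":{"$date":"2022-11-21T09:40:06.000+00:00"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"ns":"shop.audit_test"},"result":0}
"""

# The filter from slide 23, as the equivalent Python dict.
SLIDE_FILTER: Dict[str, Any] = {
    "atype": "authCheck",
    "param.command": {"$in": ["find", "insert", "delete", "update", "findandmodify"]},
}
# Added filter: authorization checks that failed (non-zero result).
DENIED_FILTER: Dict[str, Any] = {"atype": "authCheck", "result": {"$ne": 0}}

SUPPORTED_OPS = {"$in", "$nin", "$ne", "$regex"}


def get_path(doc: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as 'param.command'; missing fields yield None."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_expr(value: Any, expr: Any) -> bool:
    """Match one field value against a literal or an operator document."""
    if isinstance(expr, dict) and expr and all(k.startswith("$") for k in expr):
        for op, arg in expr.items():
            if op not in SUPPORTED_OPS:
                raise ValueError(f"unsupported operator {op}")
            if op == "$in" and value not in arg:
                return False
            if op == "$nin" and value in arg:
                return False
            if op == "$ne" and value == arg:
                return False
            if op == "$regex" and not (isinstance(value, str) and re.search(arg, value)):
                return False
        return True
    return value == expr


def matches_filter(doc: Dict[str, Any], flt: Dict[str, Any]) -> bool:
    """All top-level conditions must hold, as in an implicit $and."""
    return all(match_expr(get_path(doc, path), expr) for path, expr in flt.items())


def apply_filter(log_text: str, flt: Dict[str, Any]) -> List[Dict[str, Any]]:
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [rec for rec in records if matches_filter(rec, flt)]


if __name__ == "__main__":
    for rec in apply_filter(SAMPLE_AUDIT_LOG, SLIDE_FILTER):
        print("recorded:", rec["param"]["command"], rec["param"]["ns"])
    for rec in apply_filter(SAMPLE_AUDIT_LOG, DENIED_FILTER):
        print("denied:", rec["param"]["command"], "by", rec["users"][0]["user"])
```

With the slide's filter, the `dropDatabase` attempt is dropped from the log because the command is not in the `$in` list, even though it was refused. The second filter keeps exactly that record, which is why a filter written for volume control should be paired with one that keeps failed checks.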
• 25. Versions vs Features
➔ Available from v2.6
➔ MongoDB Enterprise and Atlas
➔ Filter option available from v3.0
➔ Starting with 5.0, runtime audit configuration and filter management is available.
➔ Starting with 5.0, a UUID is added to the audit message.
➔ v5.3: auditLog.compressionMode, used to compress the audit log.
➔ v6.0 onwards, audit log encryption is available.

• 26. Achieving the Auditing Feature with Community
➔ Percona Server for MongoDB
➔ All features are the same as in the MongoDB Enterprise server
➔ The only difference is that the UUID is not added in Percona MongoDB
➔ Free of cost

• 27. Even if the data is locked by the users with a password, is the data really safe?

• 28. Data Encryption
➔ A mechanism that protects the data
➔ Information is converted into ciphertext
➔ Hides the exact meaning
➔ Only authorized parties can understand it
MongoDB involves three types of data:
➔ Data at rest
➔ Data in transit
➔ Data in use

• 29. Base Of Encryption
Science ∩ Mathematics = Cryptography
Encryption ⊆ Cryptography
Terminology: Key, Plaintext, Ciphertext, Cryptanalysis
Crypto = Secret, Graphy = Write

• 30. Data Encryption at Rest
➔ The WiredTiger storage engine has native encryption.
➔ Cipher algorithm: AES256-GCM
➔ This cipher algorithm is supported on Linux.
➔ Uses a symmetric key
➔ Options for sourcing the master key
◆ Via a 3rd party Key Management Appliance using KMIP (Key Management Interoperability Protocol)
◆ Keyfile on the local system (not recommended)
➔ Use unique individual keys for every node in a replica set.

• 31. Configure Data Encryption At Rest on Community
Configuring steps:
➔ Create a key file
◆ Base64 and 16 or 32 characters
➔ Edit the config file
➔ Add the encryption options
security:
  enableEncryption: true
  encryptionKeyFile: <path to key file>
  encryptionCipherMode: "AES256-GCM"
➔ Restart the mongod
Validate:
grep "Encryption" <log file>
{"t":{"$date":"2022-11-21T09:39:37.741+00:00"},"s":"I", "c":"STORAGE", "id":29039, "ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
Note: This is configured on Percona Server for MongoDB.
• 32. OK!! Now the data is safe at rest. But what about safety while in transit?

• 33. Encrypting Data in Transit
Data is transported through
➔ Transport Layer Security (TLS)
➔ Secure Socket Layer (SSL)
TLS/SSL use certificates
➔ PEM files
➔ Issued by a certificate authority
➔ Self-signed certificate

• 34. Configure TLS/SSL and Connecting
Configuring steps:
➔ Create the CA file
➔ Create the PEM key file
➔ Edit the config file
➔ Add the TLS options
net:
  tls:
    mode: requireTLS
    certificateKeyFile: <pem file>
    CAFile: <CA file>
➔ Restart the mongod
Connection URI:
mongo --tls --tlsCertificateKeyFile <pem file> --tlsCAFile <CA file> --host <host name>

• 35. A sample demo to implement transit encryption with Percona MongoDB

• 36. OK!! Good! Now the data is safe in transit. But what about safety while in use?
• 37. Client Side Field Level Encryption
➔ Simple definition
◆ The client deals with encryption and decryption of data using a secure key.
◆ Selectively encrypt individual document fields.
◆ End-to-end encryption
A doctor’s prescription saves the life of a patient; in the same way, encryption saves the information from data breaches.

• 38. Why CSFLE Is Important?
➔ In-flight encryption protects all data traversing the network.
◆ But it does not encrypt data in memory or at rest.
➔ At-rest encryption protects all stored data.
◆ But it does not encrypt data in memory or in flight.
➔ With client-side encryption, the most sensitive data never leaves the application in plain text.
➔ Fields encrypted on the client side remain ciphertext everywhere they are held:
◆ in memory,
◆ in system logs, at rest,
◆ in backups.

• 39. Keys Involved
➔ Customer Master Key (CMK)
◆ A root key
◆ Used to encrypt or decrypt the DEK
◆ Must be secured with a KMS
➔ The Data Encryption Key (DEK)
◆ A key generated by libmongocrypt
◆ Encrypted using the CMK
◆ Used to encrypt and decrypt data
This strategy is based on envelope encryption.

• 40. Process Of FLE
(Diagram: User → MongoDB Driver → KMS → MongoDB Server, steps 1 to 6. The user issues db.coll.find({ Pin: "123" }); the driver sends an encrypted search with key "***"; the server holds { Name: 'A', age: 16, Pin: "***" }; the user receives { Name: 'A', age: 16, Pin: "123" }.)

• 41. Process Of FLE
➔ When the application submits the query, the MongoDB driver first analyzes it to determine whether any encrypted fields are involved in the filter.
➔ Recognizing that the query is against an encrypted field, the driver requests the field's encryption key from the external key manager.
➔ The key manager returns the keys to the MongoDB driver, which then encrypts the queried field.
➔ The driver submits the query to the MongoDB server with the encrypted fields rendered as ciphertext.
➔ The MongoDB server returns the encrypted results of the query to the driver.
➔ The query results are decrypted with the keys held by the driver and returned to the authenticated client as readable plaintext.
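Slides 39 to 41 describe the two-layer key hierarchy and the query flow in which the server compares ciphertext without ever holding a key. The added example below (not code from the presentation, from MongoDB or from libmongocrypt) simulates that flow end to end: a stand-in KMS wraps a DEK with the CMK, the driver unwraps it, encrypts the query value, and a keyless "server" matches on ciphertext bytes. It uses a toy cipher (an HMAC-SHA256 keystream with an HMAC tag) in place of the AEAD_AES_256_CBC_HMAC_SHA_512 scheme CSFLE actually uses, so it is for illustrating the key hierarchy only; it also goes one step past the slides by contrasting deterministic encryption, which makes the equality query on `Pin` work, with randomized encryption, which does not. All class and function names are this example's own.

```python
"""Envelope encryption and equality queries on ciphertext, CSFLE style (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List

# Toy cipher standing in for CSFLE's AEAD_AES_256_CBC_HMAC_SHA_512: an HMAC-SHA256
# keystream XORed with the plaintext, then an HMAC tag over iv||body (encrypt-then-MAC).
# Assumed construction for illustration; it is not the real algorithm.
IV_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    # Deterministic mode derives the IV from the plaintext (a synthetic IV), so equal
    # plaintexts under one key give equal ciphertexts; random mode uses a fresh IV.
    if deterministic:
        iv = hmac.new(key, b"siv" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    else:
        iv = os.urandom(IV_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and report whether decryption rejects it."""
    mutated = blob[:IV_LEN] + bytes([blob[IV_LEN] ^ 0x01]) + blob[IV_LEN + 1:]
    try:
        toy_decrypt(key, mutated)
    except ValueError:
        return True
    return False


class LocalKms:
    """Stand-in for the KMS holding the Customer Master Key; it only wraps and unwraps DEKs."""
    def __init__(self) -> None:
        self._cmk = os.urandom(32)          # the CMK never leaves this object

    def wrap(self, dek: bytes) -> bytes:
        return toy_encrypt(self._cmk, dek, deterministic=False)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return toy_decrypt(self._cmk, wrapped_dek)


class Driver:
    """The client-side component: fetches the DEK via the KMS and encrypts/decrypts fields."""
    def __init__(self, kms: LocalKms, wrapped_dek: bytes) -> None:
        self._dek = kms.unwrap(wrapped_dek)  # steps 2-3 of slide 41

    def encrypt_field(self, value: str, deterministic: bool) -> bytes:
        return toy_encrypt(self._dek, value.encode(), deterministic)

    def decrypt_field(self, blob: bytes) -> str:
        return toy_decrypt(self._dek, blob).decode()


def server_find(collection: List[Dict], field: str, ciphertext: bytes) -> List[Dict]:
    """The server has no keys: it can only compare stored ciphertext bytes for equality."""
    return [doc for doc in collection if doc.get(field) == ciphertext]


def run_demo() -> Dict[str, object]:
    kms = LocalKms()
    wrapped_dek = kms.wrap(os.urandom(32))     # DEK is stored only in CMK-wrapped form
    driver = Driver(kms, wrapped_dek)
    # Deterministic Pin: the driver encrypts the query value exactly as it did on insert.
    det_coll = [{"Name": "A", "age": 16, "Pin": driver.encrypt_field("123", True)},
                {"Name": "B", "age": 21, "Pin": driver.encrypt_field("456", True)}]
    det_hits = server_find(det_coll, "Pin", driver.encrypt_field("123", True))
    # Randomized Pin: a freshly encrypted query value never equals the stored one.
    rnd_coll = [{"Name": "A", "age": 16, "Pin": driver.encrypt_field("123", False)}]
    rnd_hits = server_find(rnd_coll, "Pin", driver.encrypt_field("123", False))
    return {
        "deterministic_hits": len(det_hits),
        "random_hits": len(rnd_hits),
        "decrypted": driver.decrypt_field(det_hits[0]["Pin"]) if det_hits else None,
        "plaintext_on_server": any(b"123" in d["Pin"] for d in det_coll + rnd_coll),
    }


if __name__ == "__main__":
    print(run_demo())   # deterministic_hits 1, random_hits 0, decrypted '123'
```

The trade-off the demo makes visible is the one a practitioner has to decide per field: deterministic encryption is what lets `find({ Pin: "123" })` work through the driver, at the cost of revealing which documents share a value, while randomized encryption hides that but leaves the field unqueryable, which is the gap the Queryable Encryption feature on the later slides sets out to close.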
  • 42. Availability of CSFLE
  ➔ Versions: 4.2+
  ➔ Drivers: 20+ platforms across multiple languages (Node.js, C, C#, Python, Java, etc.)
  ➔ Automatic encryption: MongoDB Atlas and Enterprise.
  ➔ Manual encryption: MongoDB Atlas, Enterprise and Community.
  • 43. Configure CSFLE on MongoDB Community: Configuring Steps
  ➔ Create a key file, i.e. the CMK
  ➔ Assign the CMK value to the LOCAL_KEY variable
  ➔ Frame the ClientSideFieldLevelEncryptionOptions
  ➔ Connect to mongo with the above options
  ➔ Create a Data Encryption Key
  ➔ Insert a document and encrypt any field with the encrypt() function.
  • 44. A sample Demo To Implement CSFLE with MongoDB Community Server
  • 45. The data field is encrypted, well and good. Then how do you query on that particular field, even when it has low cardinality?
  • 46. Queryable Encryption
  ➔ Allows users to search their data while it remains encrypted
  ➔ Data remains encrypted at insert, storage, and query.
  ➔ A Public Preview feature
  ➔ Not recommended for production
  Magical Features of Queryable Encryption
  ➔ Fully randomized encryption
  ➔ Expressive queries on encrypted data
  ➔ Client-side encryption
  ➔ Customer-managed encryption keys
  ➔ Industry standard cryptographic primitives
  ➔ Field-level encryption
  • 47. Scope of Necessity For QE
  With the proliferation of different types of data being transmitted and stored in the cloud, protecting data is increasingly important for companies.
  ➔ Bank applications
  ➔ Stock brokerage firms
  ➔ Hospitals
  ➔ Human Resources
  ➔ Government applications
  ➔ E-commerce applications, etc.
  • 48. Encrypted Collection Management
  Queryable Encryption uses four data structures:
  ➔ Three metadata collections. When you create an encrypted collection using Queryable Encryption, MongoDB creates three metadata collections:
  ● enxcol_.<collectionName>.esc, referred to as ESC
  ● enxcol_.<collectionName>.ecc, referred to as ECC
  ● enxcol_.<collectionName>.ecoc, referred to as ECOC
  ➔ A field in every document in the encrypted collection called __safeContent__
  Note: It is critical that these data structures are not modified or deleted.
  • 49. Write Operations Vs Metadata Collections
  When writing a document, each indexed field requires writes to the metadata collections along with one write on the encrypted collection.
  Operation   ESC   ECC   ECOC
  Insert       1     0     1
  Update       1     1     2
  Delete       0     1     1
  • 50. Storage Issue with QE
  ➔ 2x or 3x extra storage
  ➔ Depends on the number of indexed fields per document
  ➔ For every write, the associated metadata collections are updated
  Index Compaction
  ➔ A process that prunes the metadata collections
  ➔ Should run when the size of ECOC exceeds 1 GB.
  ➔ To run index compaction: db.collection.compactStructuredEncryptionData()
  • 51. Availability of Queryable Encryption
  ➔ Versions: 6.0
  ➔ Drivers: 20+ platforms across multiple languages (Node.js, C, C#, Python, Java, etc.)
  ➔ Automatic encryption: MongoDB Atlas and Enterprise.
  ➔ Manual encryption: MongoDB Atlas, Enterprise and Community.
  • 52. Limitations of QE:
  ➔ Fully randomized encryption
  ➔ Manually create a unique Data Encryption Key for each field
  ➔ Manually run index compaction
  ➔ Standalone deployments are not supported
  ➔ Secondary reads are not supported
  ➔ Encrypted field names are immutable.
  ➔ Ignores collations
  ➔ Unique indexes and TTL indexes are not supported.
  ➔ Views, time series collections and capped collections are not supported.
  ➔ Can't encrypt _id
  • 53. Encryption Performance in MongoDB
  ➔ Latency grows with data size (data size ∝ latency)
  ➔ Consider the high-load condition:
  ◆ Writes: 10% to 20% latency overhead
  ◆ Reads: < 5% (negligible)
  ➔ Encrypting and decrypting require more resources
  ➔ The WiredTiger storage engine is more suitable because of:
  ◆ Page-level encryption
  ◆ Operations touch only the exact page involved
  ◆ High performance, scalability, and security
  • 54. MongoDB Security Recommendations
  ➔ Don't directly expose the DB servers to the internet
  ➔ Avoid using the default port
  ➔ Use strong passwords
  ➔ Authenticate with db.auth()
  ➔ Never use the security.transitionToAuth option in the config file.
  ➔ Limit user actions; use customized roles.
  ➔ Maintain data encryption.
  • 55. Any Queries?
  More questions and queries: info@mydbops.com