Simplified Encryption & Key Management for MongoDB
Presenter: Luke Probasco
- Data security speaker, blogger
- 10+ years in data security
- Director of Marketing at Townsend Security
Presentation Agenda
- Encryption and the importance of key management
- Meeting compliance requirements
- Key management best practices
- HANDS ON! Key management in MongoDB
- Resource guide
Part One
Why You Need Encryption
Breaches Happen
- Equifax, Anthem, Yahoo! – just to name a few
- Hackers don’t just target credit cards
- Email addresses, phone numbers, etc. can be considered PII
MongoDB is a repository for LOTS of PII
EU General Data Protection Regulation (GDPR)
Article 32 – Security of Processing
“… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including inter alia as appropriate: … the pseudonymisation and encryption of personal data.”
Part Two
Fundamentals of Encryption
MongoDB Enterprise Encryption – Done Right
- Encryption built right into the MongoDB database
- Strong 256-bit AES encryption
- Good performance with documented guidance
- Getting encryption key management right with KMIP
- Certifying key management vendors
- Good security guidance provided to developers
You don’t need a 3rd party encryption solution
Impacts of Encryption
Performance – Expect a 2-20% overhead
Backup and Restore Operations – Can take longer as information is encrypted
High Availability – In the event of an interruption, you need to easily restore your keys from a backup key management solution
Why is Key Management Important?
- Encryption keys are THE secret that must be protected (not the algorithm)
- There are industry standards and best practices for key management (FIPS 140-2)
- Compliance regulations (PCI, HIPAA, etc.) require proper key management
- Achieve Separation of Duties (SOD)
- Separate encryption control and ownership from the cloud provider
  - aka Key Custody
MongoDB highly recommends the use of a Key Manager to secure your encrypted MongoDB data!
Key Management Best Practices
- Ensure origin and quality of keys
- Use accepted and standards-based encryption algorithms
- Ensure that keys are securely backed up, at all times
- Implement strong authentication mechanisms
- Protect and restrict access to encryption keys
Key Management Interoperability Protocol (KMIP)
- Standards always win
- Standards minimize risk
- Standards help reduce costs
- Standards support key custody (your ownership of keys)
Good news! MongoDB Enterprise implements KMIP for key management integration.
Standard KMIP vs Proprietary KMS/KV
KMIP: 😄 Standards-based protocol on hardware, VM or any cloud
KMS/KV: 😠 Proprietary cloud-only SDK
KMIP: 😄 Deploy freedom, no lock-in
KMS/KV: 😠 Service provider lock-in
KMIP: 😄 Private keys kept secret
KMS/KV: 😠 Keys owned by provider
Part Three
In The Weeds
Townsend Security + MongoDB
- Certified key management with MongoDB security team
- Certified on Intel and IBM Power Linux systems
- Member MongoDB Partner Advisory Council
- Key management pricing to match MongoDB model
  - Lowering the cost barriers to security!
- Customer support for MongoDB key management deployment
HANDS ON
Key Management for MongoDB
Introduction to Alliance Key Manager
This is amazingly easy!
Launch Alliance Key Manager in AWS
Locate and Select Alliance Key Manager in AWS Marketplace
Select a memory/storage family
Create new access key pair for AKM and download
Launch AKM instance
Complete! Alliance Key Manager is now an active instance
Configure Alliance Key Manager
SSH to AKM to configure the key manager, generate keys and certificates
Configure the key manager, generate keys and certificates
AKM Admin console: Get the key name and information
SSH: Get the certificates from AKM
Configure MongoDB for Key Management
Install certificates on the MongoDB server
Create a new directory to hold the certificates, copy them to the new directory, and set ownership and permissions
sudo mkdir /etc/mongodb-kmip
Use FileZilla, SCP or a similar application to upload the AKMClientAndKey.pem and AKMRootCACertificate.pem files to this directory.
sudo chown -R mongodb:mongodb /etc/mongodb-kmip
cd /etc/mongodb-kmip
sudo chmod -R 600 *
Modify the <hosts> file to add the key manager
Use nano or your favorite text editor to change the hosts file to add the key server
sudo nano /etc/hosts
Now let’s configure the <mongod.conf> file for key management
Launch MongoDB With Encryption Enabled
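As an added example that is not part of the slides or of Townsend Security's or MongoDB's own tooling: a small POSIX shell script that carries out the certificate-directory step above, checks that the client key is not readable by other accounts, and prints the security section that mongod.conf needs to fetch its master key over KMIP. The directory path, the hostname akm.example.internal and the key name MongoKey are assumptions; the option names are MongoDB Enterprise's documented security.kmip settings.

```shell
#!/bin/sh
# Added example, not from the slides: prepare the KMIP certificate directory for
# mongod, verify its permissions, and print the matching mongod.conf section.
# Paths, the hostname and the key name are assumptions; adjust to your deployment.
set -eu

# Create DIR, copy the two AKM PEM files into it and lock it down so that only
# OWNER (the account mongod runs as, normally "mongodb") can read the client key.
setup_kmip_certdir() {
    dir=$1; owner=$2; client_pem=$3; ca_pem=$4
    mkdir -p "$dir"
    cp "$client_pem" "$dir/AKMClientAndKey.pem"
    cp "$ca_pem" "$dir/AKMRootCACertificate.pem"
    chown -R "$owner" "$dir"
    chmod 700 "$dir"          # mongod must traverse the directory; nobody else may
    chmod 600 "$dir"/*.pem    # AKMClientAndKey.pem contains the client private key
}

# Return 0 when every PEM in DIR is mode 600 and owned by OWNER, else 1.
# Worth running from a host health check: a readable client key would let any
# local account present itself to the key server as this mongod.
check_kmip_certdir() {
    dir=$1; owner=$2
    for f in "$dir"/*.pem; do
        if [ -z "$(find "$f" -maxdepth 0 -perm 600 -user "$owner")" ]; then
            echo "$f: must be mode 600 and owned by $owner" >&2
            return 1
        fi
    done
    return 0
}

# Print the security section for mongod.conf. The option names are MongoDB
# Enterprise's documented settings; 5696 is the standard KMIP port.
kmip_config_block() {
    dir=$1; host=$2; key=$3
    cat <<EOF
security:
  enableEncryption: true
  encryptionCipherMode: AES256-CBC
  kmip:
    serverName: $host
    port: 5696
    clientCertificateFile: $dir/AKMClientAndKey.pem
    serverCAFile: $dir/AKMRootCACertificate.pem
    keyIdentifier: $key
EOF
}

# Demo on a throw-away directory with constructed placeholder files (not real
# certificates), so it runs without root or a MongoDB install.
demo_kmip_setup() {
    tmp=$(mktemp -d)
    printf 'constructed placeholder, not a real client certificate/key\n' > "$tmp/client.pem"
    printf 'constructed placeholder, not a real CA certificate\n' > "$tmp/ca.pem"
    setup_kmip_certdir "$tmp/mongodb-kmip" "$(id -un)" "$tmp/client.pem" "$tmp/ca.pem"
    check_kmip_certdir "$tmp/mongodb-kmip" "$(id -un)"
    kmip_config_block "$tmp/mongodb-kmip" akm.example.internal MongoKey
    rm -rf "$tmp"
}

demo_kmip_setup
```

In a real deployment run setup_kmip_certdir as root with owner mongodb and the real PEM files, then add the printed block to /etc/mongod.conf before restarting mongod.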
Application Level Encryption
- Protect at the field level before insert
- Software Development Kits (SDKs)
  - Java, Python, PHP, Node.js, etc.
- Talk to your key management vendor
- Great for GDPR “Right to be forgotten”
The Future
- Regulations are maturing (cloud, key management)
- More encryption keys
- Cross cloud (thank you KMIP!)
Evaluations are Easy
- No-charge evaluation process
- Download from our website
- Rapid deployment
- Full customer support during evaluation period
- Fully functional key management
Advanced Encryption Topics
- MongoDB migration – Unencrypted to Encrypted
- Business Continuity and Hot Failover
  - Production and HA key mirroring
  - Using a Load Balancer
- Hybrid deployments – On-Premise, cross-cloud
  - VMware, Hardware Security Module (HSM), etc.
Resources
Townsend Security documentation for MongoDB:
http://docs.townsendsecurity.com/akm_guide_for_mongodb_enterprise_edition/#top
Townsend Security documentation for AKM in AWS:
http://docs.townsendsecurity.com/akm_for_aws_quick_start_guide/#top
MongoDB Enterprise installation:
https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-ubuntu/#install-mongodb-enterprise
MongoDB Security Blog post:
https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
MongoDB Security Checklist:
https://docs.mongodb.com/manual/administration/security-checklist/
MongoDB Encryption at Rest
https://docs.mongodb.com/manual/core/security-encryption-at-rest/
Resources
Corporate Headquarters
724 Columbia St NW, Suite 400
Olympia, WA 98501
Phone:
360 359 4400
Online:
townsendsecurity.com
@townsendsecure
Any Questions?
Luke Probasco
luke.probasco@townsendsecurity.com
@geetarluke
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

MongoDB.local DC 2018: Simplified Encryption & Key Management for MongoDB

  • 1. Simplified Encryption & Key Management For MongoDB
  • 2. Presenter: Luke Probasco
    - Data security speaker, blogger
    - 10+ years in data security
    - Director of Marketing at Townsend Security
  • 3. Presentation Agenda
    - Encryption and importance of key management
    - Meeting compliance requirements
    - Key management best practices
    - HANDS ON! Key management in MongoDB
    - Resource guide
  • 4. Part One: Why You Need Encryption
  • 5. Breaches Happen
    - Equifax, Anthem, Yahoo! – just to name a few
    - Hackers don’t just target credit cards
    - Email addresses, phone numbers, etc. can be considered PII
    MongoDB is a repository for LOTS of PII
  • 6.
  • 7. EU General Data Protection Regulation (GDPR), Article 32 – Security of Processing
    “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including inter alia as appropriate: … the pseudonymisation and encryption of personal data.”
  • 9. MongoDB Enterprise Encryption – Done Right
    - Encryption built right into the MongoDB database
    - Strong 256-bit AES encryption
    - Good performance with documented guidance
    - Getting encryption key management right with KMIP
    - Certifying key management vendors
    - Good security guidance provided to developers
    You don’t need a 3rd party encryption solution
  • 10. Impacts of Encryption
    - Performance – Expect a 2-20% overhead
    - Backup and Restore Operations – Can take longer as information is encrypted
    - High Availability – In the event of an interruption, you need to easily restore your keys from a backup key management solution
  • 11. Why is Key Management Important?
    - Encryption keys are THE secret that must be protected (not the algorithm)
    - There are industry standards and best practices for key management (FIPS 140-2)
    - Compliance regulations (PCI, HIPAA, etc.) require proper key management
    - Achieve Separation of Duties (SOD)
    - Separate encryption control and ownership from the cloud provider, aka Key Custody
    MongoDB highly recommends the use of a Key Manager to secure your encrypted MongoDB data!
  • 12.
  • 13. Key Management Best Practices
    - Ensure origin and quality of keys
    - Use accepted and standards-based encryption algorithms
    - Ensure that keys are securely backed up, at all times
    - Implement strong authentication mechanisms
    - Protect and restrict access to encryption keys
  • 14. Key Management Interoperability Protocol (KMIP)
    - Standards always win
    - Standards minimize risk
    - Standards help reduce costs
    - Standards support key custody (your ownership of keys)
    Good news! MongoDB Enterprise implements KMIP for key management integration.
  • 15. Standard KMIP vs Proprietary KMS/KV
    KMIP                                                    | KMS/KV
    😄 Standards-based protocol on hardware, VM or any cloud | 😠 Proprietary cloud-only SDK
    😄 Deploy freedom, no lock-in                            | 😠 Service provider lock-in
    😄 Private keys kept secret                              | 😠 Keys owned by provider
  • 17. Townsend Security + MongoDB
    - Certified key management with MongoDB security team
    - Certified on Intel and IBM Power Linux systems
    - Member MongoDB Partner Advisory Council
    - Key management pricing to match MongoDB model
    - Lowering the cost barriers to security!
    - Customer support for MongoDB key management deployment
  • 18. HANDS ON: Key Management for MongoDB – Introduction to Alliance Key Manager. This is amazingly easy!
  • 19. Launch Alliance Key Manager in AWS
  • 20. Locate and Select Alliance Key Manager in AWS Marketplace
  • 22. Create new access key pair for AKM and download
  • 24. Complete! Alliance Key Manager is now an active instance
  • 26. SSH to AKM to configure the key manager, generate keys and certificates
  • 27. Configure the key manager, generate keys and certificates
  • 28. Configure the key manager, generate keys and certificates
  • 29. Configure the key manager, generate keys and certificates
  • 30. AKM Admin console: Get the key name and information
  • 31. SSH: Get the certificates from AKM
  • 32. Configure MongoDB for Key Management
  • 33. Install certificates on the MongoDB server
    Create a new directory to hold the certificates, copy them to the new directory, then set ownership and permissions:
      sudo mkdir /etc/mongodb-kmip
    Use FileZilla, SCP or a similar application to upload the AKMClientAndKey.pem and AKMRootCACertificate.pem files to this directory.
      sudo chown -R mongodb:mongodb /etc/mongodb-kmip
      cd /etc/mongodb-kmip
      sudo chmod -R 600 *
  • 34. Modify the <hosts> file to add the key manager
    Use nano or your favorite text editor to change the hosts file to add the key server:
      sudo nano /etc/hosts
  • 35. Now let’s configure the <mongod.conf> file for key management
  • 36. Now let’s configure the <mongod.conf> file for key management
  • 37. Now let’s configure the <mongod.conf> file for key management
  • 38. Now let’s configure the <mongod.conf> file for key management
  • 39. Now let’s configure the <mongod.conf> file for key management
  • 40. Now let’s configure the <mongod.conf> file for key management
  • 41. Launch MongoDB With Encryption Enabled
  • 42. Application Level Encryption
    - Protect at the field level before insert
    - Software Development Kits (SDKs): Java, Python, PHP, Node.js, etc.
    - Talk to your key management vendor
    - Great for GDPR “Right to be forgotten”
  • 43. The Future
    - Regulations are maturing (cloud, key management)
    - More encryption keys
    - Cross cloud (thank you KMIP!)
  • 44. Evaluations are Easy
    - No-charge evaluation process
    - Download from our website
    - Rapid deployment
    - Full customer support during evaluation period
    - Fully functional key management
  • 45. Advanced Encryption Topics
    - MongoDB migration – Unencrypted to Encrypted
    - Business Continuity and Hot Failover
    - Production and HA key mirroring
    - Using a Load Balancer
    - Hybrid deployments – On-Premise, cross-cloud
    - VMware, Hardware Security Module (HSM), etc.
  • 46. Resources
    - Townsend Security documentation for MongoDB: http://docs.townsendsecurity.com/akm_guide_for_mongodb_enterprise_edition/#top
    - Townsend Security documentation for AKM in AWS: http://docs.townsendsecurity.com/akm_for_aws_quick_start_guide/#top
    - MongoDB Enterprise installation: https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-ubuntu/#install-mongodb-enterprise
  • 47. Resources
    - MongoDB Security Blog post: https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
    - MongoDB Security Checklist: https://docs.mongodb.com/manual/administration/security-checklist/
    - MongoDB Encryption at Rest: https://docs.mongodb.com/manual/core/security-encryption-at-rest/
  • 48. Any Questions?
    Luke Probasco, luke.probasco@townsendsecurity.com, @geetarluke
    Corporate Headquarters: 724 Columbia St NW, Suite 400, Olympia, WA 98501. Phone: 360 359 4400. Online: townsendsecurity.com, @townsendsecure

Editor's Notes

  1. Welcome everyone. Thanks for coming, and thanks to MongoDB for having me. MongoDB makes encryption and key management easy. You can do this, you’ve got this, and I’ll show you how. To get things started, I want to illustrate how hackers can get at encrypted data and what you can do to better protect it. This lock box represents your MongoDB database. I’m putting some sensitive data in (an Amazon gift card). By the end of the session, I’ll show how a hacker will get in, and someone in the room will walk away with the gift card.
  2. I have seen how encryption and key management projects have evolved over the last 10 years. There is no reason not to do this.
  3. Who here has done an encryption project? Who here is working on an encryption project? Who needs to be? After this session you will see that encryption and key management have come a long way. It no longer requires a crazy big budget or a team of people; MongoDB Enterprise has made it easy to do right. I am sure you’ll be able to leave here today confident that you can “try this at home.” In today’s world, data security is more important than ever: compliance requirements, security best practices, and the question “where are your encryption keys?” There are ways to do it wrong! The last part of the presentation is going to be hands on and show you how easy it is to start encrypting data in MongoDB. The MongoDB team has really thought out encryption and key management. At the very end, I’ll give a list of resources that you can check out for more information. I’ll divide this presentation into 3 sections: why you need encryption, fundamentals of encryption, and then getting into the weeds.
  4. Encryption is part of a defense in depth approach to data security. There is no silver bullet, but encryption is what keeps your data and mine safe.
  5. We are storing a lot of information in MongoDB, so it is important that we pay attention to what data is being stored in the DB. Generally we refer to Personally Identifiable Information as PII; in healthcare it is referred to as Protected Health Information, or PHI. PII is more than just a social security number or credit card. Aside from the business data that you collect about your customers, what about the data that your marketing team collects? Emails, phone numbers, even names can be considered PII. And as we regularly see in the news, breaches happen, sometimes multiple times. If you are a DBA and make it possible for your users to input data, you need to encrypt that data, because you don’t know what kind of data is getting ingested. For example, look at the Equifax breach. After denying that passport numbers were involved in their data breach, they eventually admitted that they were. Equifax wasn’t lying; they just didn’t know that consumers were uploading passports to its platform. A final point on this slide: many people like to think “oh, I am a small company, I am not a target.” You actually are more of a target than larger companies. Symantec: 3 out of 5 cyber-attacks target small and midsize companies. Hackers know that large companies have security budgets and are a harder target. Cyber-attacks now cost businesses over $1M on average and can sink small companies.
  6. Compliance regulations are global. One misconception is that if you are a private company, you don’t fall under compliance. Not true. Some regulations are country specific, like HIPAA here in the US; regulations like PCI are global. If you take credit cards, you fall under PCI. GDPR is getting a lot of buzz lately. It is interesting in that it protects EU citizens and extends to their data that resides in other countries. We will get into it more on the next slide.
  7. GDPR is one of the most concerning regulations right now. Who here has had a GDPR conversation? Encryption can help you meet GDPR. Under GDPR, data security requirements apply to both data controllers (those of us who accept information, with permission) and data processors (such as a cloud provider or other IaaS offering). Additionally, if data flows through your system, you are considered a data processor, even if you don’t use it. Article 17 is the Right of Erasure, also known as the Right to be Forgotten. Deleting a key effectively deletes the data that is encrypted with that key. In the security world, this is known as cryptographic zeroization; it is very effective and is covered by standards.
  8. MongoDB has done a lot of things right with encryption and key management. MongoDB built industry standard AES encryption right into the database, a well recognized standard worldwide for a number of years. If you have to meet compliance, especially in government agencies, standards are important. Also, MongoDB has certified key management vendors, which we have done. More on key management soon.
  9. People often worry about the performance impacts of encryption. I personally hear this the most when I talk to people who need to deploy encryption, whether in SQL Server, Oracle, or MongoDB. There is some good news here: MongoDB has made it incredibly easy by including encryption in MongoDB Enterprise. Yes, there will be a performance impact, but it is really very manageable, and anyone running MongoDB Enterprise should feel comfortable using it. Other performance impacts include backup and restore operations; if you back up to virtual tape or cloud, for example, you will see it take longer. Regarding high availability, if you use a key manager, which we will talk more about soon, you need to make sure that your key manager is redundant. If that goes down, your data will be inaccessible.
  10. Hackers don’t break encryption, they find keys. The keys are really what are important. Without proper key management, it is like leaving the keys to your house under the welcome mat. Unfortunately, key management has a reputation of being expensive and difficult. There is good key management and BAD key management. Good key management is when you manage encryption keys separately from the encrypted data, as with an encryption key manager. Bad key management is when you hide the keys in your database or burn them into your code. There are published standards by NIST, the National Institute of Standards and Technology. MongoDB gives us two places to store keys. Where are they? On the disk next to the database in the clear, or in a key manager. You probably don’t have to think too hard about which of those is better.
  11. Don’t just take my word for it (I do work for a vendor, after all). This is a screenshot straight from MongoDB’s documentation. So I hope that when I say encryption, you also understand that I really mean encryption and proper key management. It’s sort of like a two-part epoxy: you need both ingredients together for strength.
  12. I love the fact that MongoDB provides so many opportunities for education. As we saw on the last slide, MongoDB provides guidance on best practices. Ensure the origin and quality of keys: DON’T USE A PASSWORD! In a cryptographic sense, passwords are weak; a key manager will build you strong encryption keys. If you are using the AES encryption in MongoDB Enterprise, you are using an encryption algorithm that is standards based, so you are good there. Make sure that your keys are backed up and mirrored in your key management solution; if you lose your key, you lose your data. In addition to creating and storing keys, key managers need to give them back to your application or database, and you need to make sure that is secured with a TLS connection.
  13. More kudos to MongoDB: they adopted the KMIP industry standard in version 3.2. KMIP is an open standard and NOT proprietary. Standards always win. It allows vendors like Townsend Security to easily plug into MongoDB and provide proper key management. In the long run, KMIP helps reduce cost and allows the flexibility to manage keys for multiple and different databases with a single key management solution.
  14. PCI recently published Cloud Computing Guidelines describing services such as AWS KMS: strong data-level encryption should be enforced on all sensitive or potentially sensitive data stored in a public cloud. Because compromise of a Provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located. Aside from that, there are several other reasons that a company should choose a KMIP key manager over a CSP solution. If you want to position yourself for success, choose a standards based solution. By the way, we aren’t the only one; we have competitors who have adopted the KMIP standard as well. It can look attractive to integrate a CSP proprietary solution, but buyer beware.
  15. We recently certified with MongoDB and are now a technology partner, on both Intel and Power Linux architectures. Earlier this year we joined the Partner Advisory Council by invitation. We have a unique pricing model for a key management vendor: we don’t charge by the number of client side applications or nodes. We fundamentally believe that once you buy a piece of security software, you shouldn’t have to pick and choose what you protect. We just have a very strong relationship with MongoDB.
  16. Let’s get into it. I’ll show how to launch a key manager and connect it to MongoDB. We’ll skip a few of the super simple steps, but you’ll get the basic idea.
  17. First we are going to launch the key manager in AWS.
  18. Log in to your EC2 console. Our key manager is in the AWS marketplace; click Select.
  19. You get asked a few questions. Go ahead and select the default tier.
  20. Here, I am grabbing a specific set of keys. I’m not going to use my general keys to launch this instance; in this case we are asking Amazon to give us a unique set of keys.
  21. I download them and we get it launched. It just takes a few seconds.
  22. And then you have an active instance running in EC2; you can see it running. You now have an active key manager in AWS. It is that easy.
  23. Now let’s configure Alliance Key Manager. I am showing you ours, but it will be similar on any key manager.
  24. You SSH into the key manager and take option 1 to initialize Alliance Key Manager (or AKM, as you see here).
  25. Notice you get the choice to initialize a primary or secondary. Start your primary first. If you are launching your secondary, which will be in a different region, they will automatically connect with each other (after giving them the correct credentials).
  26. So now we are setting up the primary. You will be asked for some basic information, like the two-character code for your country, state, etc. Can you guess what we are doing? We are building a PKI right within the key manager. It is important to enter a unique name for the key manager; in this case, it is AKMMongoDB. This is the name that glues MongoDB to your key manager.
  27. Once you press enter, the PKI gets generated. A unique set of keys gets created, and you are then ready to connect to MongoDB.
  28. Next, launch our administrative console, which is authenticated with our PKI infrastructure. You can see on the right that there is a set of keys.
  29. Now that we have launched a key manager and built some keys (which, BTW, 10 years ago would have been a 6 week project), we will download the credentials that MongoDB will need. MongoDB is going to use certificates from the key manager to authenticate itself to the key manager when we fire it up.
  30. Now let’s go over to the MongoDB side of things. We’ll look at 3 slides.
  31. Create a directory on the MongoDB instance; this happens to be a Linux instance. This is where we are going to store the credentials that I downloaded from the key manager. You can use FileZilla or whatever FTP tool you like. I’m going to change the ownership of them and then grant MongoDB access to them.
  32. The next thing you need to do is tell MongoDB where to find the key manager.
  33. In MongoDB, security is not enabled by default. When you open the mongod.conf file, it is commented out; you’ll need to remove the # character right before security.
  34. Make sure that the “enableEncryption” option is set to true.
  35. The servername is AKMMongoDB, which is what we set in the AKM Admin console. You will need to type that in.
  36. The default port for KMIP is 5696. This should already be set.
  37. The ServerCAFile and ClientCertificate files will be blank. You will need to set these to the certificates that you brought over from AKM.
  38. The key identifier will also be blank by default. We recommend referring to our documentation on how to format the KeyIdentifier. In AKM, it is known as the key instance name; it will need to be converted to the special format for MongoDB, and our documentation shows how to do that. The resources section of this presentation will also point you towards our documentation.
  39. Boom. Start MongoDB. That’s all it took. This is the easiest, fastest implementation I have ever seen on any database, and we support a lot. It is not complicated or scary. We publish a user guide on our website that will walk you through all this; this was just a demonstration of how easy it is to do.
  40. At these MongoDB .local events we often get the question “Can I encrypt at the application level and then put the data into MongoDB?” Yes. We provide SDKs that developers can use to integrate with applications. At that level you can assign different encryption keys to different people or sets of data, so you get added flexibility at the application layer.
  41. Let me pull out my crystal ball. In all my years of experience, I have never seen compliance regulations getting more lax. Have you ever seen a compliance regulation say “let’s do less security”? They are always getting more defined and asking for more security. I suspect that GDPR is paving the road for more security regulations. More encryption keys: again, delete a key and the data is gone. Cross cloud: people don’t want to be locked into a CSP; people want the flexibility to be on prem or in the cloud.
  42. A couple of things that I want to mention before we wrap things up. When you turn on encryption, you must turn it on with an empty database; you can’t just turn it on with an existing database. When you have existing data that you would like encrypted, you’ll have to pipe it into the DB that has encryption on. Again, regarding business continuity, you want to make sure that you have a production and an HA encryption key manager. If you don’t have an encryption key, you don’t have data. In the cloud you’ll want to run key managers in multiple regions, mirroring in real time. We have customers who run hybrid deployments: HSM, VMware, cloud. We even have a customer who has data in AWS and runs key management in Azure. The KMIP interface gives us so much flexibility. Currently in MongoDB you can define a single key manager, so for failover we recommend deploying a load balancer in front of the key manager. If there is a problem reaching the key manager, the load balancer redirects to the failover key manager.
  43. A couple of pages of resources. I’m happy to share this presentation.
  44. Before we get to questions, let’s get back to how a hacker would get into our encrypted database. Remember when I said hackers don’t break encryption, they find the keys? Check under your seat and see if you can find the key.
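The MongoDB-side steps from slides 33 to 41 and speaker notes 31 to 39, collected into one POSIX shell script. This is an added example, not code from the slides or from Townsend Security's own guide. It writes the security section of mongod.conf using MongoDB Enterprise's documented option names (security.enableEncryption, security.kmip.serverName, port, serverCAFile, clientCertificateFile, keyIdentifier), checks that the two PEM files exist and are mode 600 as slide 33 sets them, and classifies a configuration as kmip, localkey (the "key on disk next to the database" option from note 10, MongoDB's security.encryptionKeyFile), incomplete or disabled (security section still commented out, note 33). The certificate directory /etc/mongodb-kmip, the server name AKMMongoDB and port 5696 come from the talk; the key identifier value is a placeholder, since the real one is derived from the AKM key instance name per the vendor documentation, and the demo certificate files are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the slides or from Townsend Security's guide.
# Assumes the layout the talk uses: certs in /etc/mongodb-kmip, KMIP server
# name AKMMongoDB on port 5696. The key identifier is a placeholder.

CERT_DIR="${CERT_DIR:-/etc/mongodb-kmip}"

# Write the mongod.conf security section for KMIP-backed encryption at rest.
# $1 = config path to write, $2 = certificate directory, $3 = key identifier
write_kmip_conf() {
  conf="$1"; dir="$2"; keyid="$3"
  cat > "$conf" <<EOF
storage:
  dbPath: /var/lib/mongodb
security:
  enableEncryption: true
  kmip:
    serverName: AKMMongoDB
    port: 5696
    serverCAFile: $dir/AKMRootCACertificate.pem
    clientCertificateFile: $dir/AKMClientAndKey.pem
    keyIdentifier: $keyid
EOF
}

# Verify both PEM files exist and are exactly mode 600 (slide 33: chmod -R 600).
# Prints the first problem found and returns 1; prints "ok" and returns 0 otherwise.
check_cert_files() {
  dir="$1"
  for f in AKMRootCACertificate.pem AKMClientAndKey.pem; do
    p="$dir/$f"
    [ -f "$p" ] || { echo "missing: $p"; return 1; }
    # find with -perm 600 matches only an exact 0600 mode, portably
    [ -n "$(find "$p" -perm 600 -print)" ] || { echo "permissions too open: $p"; return 1; }
  done
  echo ok
}

# Classify how a mongod.conf protects its master key:
#   kmip        encryption on, key held in a KMIP key manager (note 10: the good option)
#   localkey    encryption on, key sits on disk next to the database (the bad option)
#   incomplete  encryption on but no key source named; mongod will not start
#   disabled    encryption off, or the security section is still commented out (note 33)
audit_mongod_conf() {
  # drop comment lines first, so a commented-out "security:" block counts as absent
  active=$(grep -v '^[[:space:]]*#' "$1" || :)
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*enableEncryption:[[:space:]]*true'; then
    echo disabled; return 0
  fi
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*encryptionKeyFile:'; then
    echo localkey; return 0
  fi
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*kmip:'; then
    echo kmip; return 0
  fi
  echo incomplete
}

# "sh kmip_check.sh demo" runs a dry run against a temporary directory with
# constructed placeholder certificate files; ". ./kmip_check.sh" just loads the functions.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  mkdir "$tmp/certs"
  printf 'placeholder, not a real certificate\n' > "$tmp/certs/AKMRootCACertificate.pem"
  printf 'placeholder, not a real key\n' > "$tmp/certs/AKMClientAndKey.pem"
  chmod 600 "$tmp/certs"/*.pem
  write_kmip_conf "$tmp/mongod.conf" "$tmp/certs" "KEY-ID-PLACEHOLDER"
  echo "certs: $(check_cert_files "$tmp/certs")"
  echo "config: $(audit_mongod_conf "$tmp/mongod.conf")"
  echo "launch: mongod --config $tmp/mongod.conf"
  rm -rf "$tmp"
fi
```

The audit deliberately treats a commented-out security block as "disabled", which is the state note 33 describes on a fresh install, and flags encryptionKeyFile separately so the review does not confuse "encryption is on" with "the key is protected".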