Is your private data secure? Encryption and key management has a reputation for being difficult. Not any more! After this session, you'll be able to go back to the office and say "What was I scared about?"
5. Breaches Happen
Equifax, Anthem, Yahoo! – just to name a few
Hackers don’t just target credit cards
Email addresses, phone numbers, etc. can be considered PII
MongoDB is a repository for LOTS of PII
7. EU General Data Protection Regulation (GDPR)
Article 32 – Security of Processing
“… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including inter alia as appropriate: … the pseudonymisation and encryption of personal data.”
9. MongoDB Enterprise Encryption – Done Right
Encryption built right into the MongoDB database
Strong 256-bit AES encryption
Good performance with documented guidance
Getting encryption key management right with KMIP
Certifying key management vendors
Good security guidance provided to developers
You don’t need a 3rd party encryption solution
10. Impacts of Encryption
Performance – Expect a 2-20% overhead
Backup and Restore Operations – Can take longer as information is encrypted
High Availability – In the event of an interruption, you need to easily restore your keys from a backup key management solution
11. Why is Key Management Important?
Encryption keys are THE secret that must be protected (not the algorithm)
There are industry standards and best practices for key management (FIPS 140-2)
Compliance regulations (PCI, HIPAA, etc.) require proper key management
Achieve Separation of Duties (SOD)
Separate encryption control and ownership from the cloud provider, aka Key Custody
MongoDB highly recommends the use of a Key Manager to secure your encrypted MongoDB data!
13. Key Management Best Practices
Ensure origin and quality of keys
Use accepted and standards-based encryption algorithms
Ensure that keys are securely backed up, at all times
Implement strong authentication mechanisms
Protect and restrict access to encryption keys
14. Key Management Interoperability Protocol (KMIP)
Standards always win
Standards minimize risk
Standards help reduce costs
Standards support key custody (your ownership of keys)
Good news! MongoDB Enterprise implements KMIP for key management integration.
15. Standard KMIP vs Proprietary KMS/KV
KMIP | KMS/KV
😄 Standards-based protocol on hardware, VM or any cloud | 😠 Proprietary cloud-only SDK
😄 Deploy freedom, no lock-in | 😠 Service provider lock-in
😄 Private keys kept secret | 😠 Keys owned by provider
17. Townsend Security + MongoDB
Certified key management with MongoDB security team
Certified on Intel and IBM Power Linux systems
Member MongoDB Partner Advisory Council
Key management pricing to match MongoDB model
Lowering the cost barriers to security!
Customer support for MongoDB key management deployment
18. HANDS ON
Key Management for MongoDB
Introduction to Alliance Key Manager
This is amazingly easy!
33. Install certificates on the MongoDB server
Create a new directory to hold the certificates, copy them to the new directory, and set ownership and permissions
sudo mkdir /etc/mongodb-kmip
Use FileZilla, SCP or a similar application to upload the AKMClientAndKey.pem and AKMRootCACertificate.pem files to this directory.
sudo chown -R mongodb:mongodb /etc/mongodb-kmip
cd /etc/mongodb-kmip
sudo chmod -R 600 *
34. Modify the <hosts> file to add the key manager
Use nano or your favorite text editor to change the hosts file to add the key server
sudo nano /etc/hosts
42. Application Level Encryption
Protect at the field level before insert
Software Development Kits (SDKs)
Java, Python, PHP, Node.js, etc
Talk to your key management vendor
Great for GDPR “Right to be forgotten”
43. The Future
Regulations are maturing (cloud, key management)
More encryption keys
Cross cloud (thank you KMIP!)
44. Evaluations are Easy
No-charge evaluation process
Download from our website
Rapid deployment
Full customer support during evaluation period
Fully functional key management
45. Advanced Encryption Topics
MongoDB migration – Unencrypted to Encrypted
Business Continuity and Hot Failover
Production and HA key mirroring
Using a Load Balancer
Hybrid deployments – On-Premise, cross-cloud
VMware, Hardware Security Module (HSM), etc.
46. Resources
Townsend Security documentation for MongoDB:
http://docs.townsendsecurity.com/akm_guide_for_mongodb_enterprise_edition/#top
Townsend Security documentation for AKM in AWS:
http://docs.townsendsecurity.com/akm_for_aws_quick_start_guide/#top
MongoDB Enterprise installation:
https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-ubuntu/#install-mongodb-enterprise
47. Resources
MongoDB Security Blog post:
https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
MongoDB Security Checklist:
https://docs.mongodb.com/manual/administration/security-checklist/
MongoDB Encryption at Rest:
https://docs.mongodb.com/manual/core/security-encryption-at-rest/
48. Corporate Headquarters
724 Columbia St NW, Suite 400
Olympia, WA 98501
Phone:
360 359 4400
Online:
townsendsecurity.com
@townsendsecure
Any Questions?
Luke Probasco
luke.probasco@townsendsecurity.com
@geetarluke
Editor's Notes
Welcome everyone.
Thanks for coming
And thanks MongoDB for having me.
MongoDB makes encryption and key management easy
You can do this, you got this
I’ll show you how
To get things started, I want to illustrate how hackers can get at encrypted data and what you can do to better protect it.
This lock box represents your MongoDB database. I’m putting some sensitive data in (Amazon gift card)
By the end of the session, I’ll show how a hacker will get in and someone in the room will walk away with the gift card.
Have seen how encryption and key management projects have evolved over last 10 years
No reason not to do this
Who here has done an encryption project? Who here is working on an encryption project? Who needs to be?
After this session you will see that encryption and key management has come a long way.
No longer requires a crazy big budget or a team of people. MongoDB Enterprise has made it easy to do right
I am sure you’ll be able to leave here today confident that you can “Try this at home”
In today’s world, data security is more important than ever.
Compliance requirements
Security best practices
Where are your encryption keys? There are ways to do it wrong!
The last part of the presentation is going to be hands on and show you how easy it is to start encrypting data in MongoDB
The MongoDB team has really thought out encryption and key management.
At the very end, I’ll give a list of resources that you can check out for more information.
I’ll divide this presentation into 3 sections where we will cover why you need encryption, fundamentals of encryption, and then get in the weeds.
Encryption is part of a defense in depth approach to data security
There is no silver bullet.
Encryption is what keeps your and my data safe
We are storing a lot of information in MongoDB.
It is important that we pay attention to what data is being stored in the DB
Generally we refer to Personally Identifiable information as PII. In healthcare it is referred to as Protected Health Information, or PHI
(PII) is more than just a social security number or credit card.
Aside from business data that you collect about your customers, what about the data that your marketing team collects? Emails, phone numbers, even names can be considered PII.
And as we regularly see in the news, breaches happen. Sometimes multiple times.
If you are a DBA and make it possible for your users to input data, you need to encrypt that data.
You don’t know what kind of data is getting ingested.
For example, look at the Equifax breach. After denying that passport numbers were involved in their data breach, they eventually admitted that there were.
Equifax wasn’t lying. They just didn’t know that consumers were uploading passports to its platform.
Final point I’d like to make on this slide. Many people like to think “oh, I am a small company, I am not a target.”
You actually are more of a target than larger companies.
Symantec: 3 out of 5 cyber-attacks target small and midsize companies
Hackers know that large companies have security budgets and are a harder target.
Cyber-attacks now cost businesses over $1M on average, can sink small companies
Compliance regulations are global
One misconception is that if you are a private company, you don’t fall under compliance. Not true.
Some regulations are country specific, like HIPAA here in the US.
Regulations like PCI are global. If you take credit cards, you fall under PCI.
GDPR is getting a lot of buzz lately. It is interesting in the regard that it protects EU citizens and extends to their data that resides in other countries.
We will get in to it more on the next slide
GDPR is one of the most concerning regulations right now.
Who here has had a GDPR conversation?
Encryption can help you meet GDPR
Under GDPR, data security requirements apply to both data controllers (those of us who accept information, with permission) as well as data processors (such as a cloud provider or other IaaS offering). Additionally, if data flows through your system, you are considered a data processor, even if you don’t use it.
Article 17 - Right of Erasure, also known as Right to be Forgotten
Deleting a key effectively deletes the data that is encrypted with that key. In the security world, this is known as cryptographic zeroization and is very effective, as well as covered by standards.
MongoDB has done a lot of things right with encryption and key management
MongoDB built industry standard AES encryption right into the database
Well recognized standard worldwide and has been for a number of years.
If you have to meet compliance, especially in government agencies, standards are important
Also, MongoDB has certified key management vendors, which we have done.
More on key management soon
People often worry about the performance impacts of encryption
I personally hear this the most when I talk to people who need to deploy encryption – whether in SQL Server, Oracle, or MongoDB
There is some good news here
MongoDB has made it incredibly easy by including encryption in MongoDB Enterprise.
Yes, there will be a performance impact, but it is really very manageable.
Anyone running MongoDB Enterprise should feel comfortable using it.
Other performance impacts include Backup and Restore operations. If you backup to virtual tape or cloud, for example, you will see it take longer
Regarding High Availability, if you use a key manager, which we will talk more about soon, you need to make sure that your key manager is redundant. If that goes down, your data will be inaccessible.
Hackers don’t break encryption, they find keys
The keys are really what are important
Without proper key management, it is like leaving the keys to your house under the welcome mat.
Unfortunately, key management has a reputation of being expensive and difficult.
There is good key management and BAD key management.
Good key management is when you manage encryption keys separately from the encrypted data
Like with an encryption key manager.
Bad key management is when you hide the keys in your database or burn them in your code.
There are published standards by NIST, the National Institute of Standards and Technology
MongoDB gives us two places to store keys. Where are they?
On the disk next to the database in the clear or in a key manager
You probably don’t have to think too hard about which of those is better.
Don’t just take my word for it (I do work for a vendor after all)
This is a screen shot straight from MongoDB’s documentation
So I hope that when I say encryption, you also understand that I really mean encryption and proper key management.
Sort of like a two part epoxy. You need to have both ingredients together for strength.
Love the fact that MongoDB provides so many opportunities for education.
As we saw on the last slide, MongoDB provides guidance on best practices
Ensure the origin and quality of keys. DON’T USE A PASSWORD! From a cryptographic sense, passwords are weak.
A key manager will build you strong encryption keys.
If you are using the AES encryption in MongoDB enterprise, you are using an encryption algorithm that is standards based, so you are good there
Make sure that your keys are backed up and mirrored in your key management solution.
If you lose your key, you lose your data.
In addition to creating and storing keys, key managers need to give them back to your application or database. You need to make sure that is secure with a TLS connection.
More kudos to MongoDB. They adopted the KMIP industry standard in version 3.2
KMIP is an open standard and NOT proprietary.
Standards always win.
It allows vendors like Townsend Security to easily plug in to MongoDB and provide proper key management
In the long run, KMIP helps reduce cost
Allows the flexibility to manage keys for multiple and different databases with a single key management solution
PCI recently published Cloud Computing Guidelines:
Describing services such as AWS KMS - Strong data-level encryption should be enforced on all sensitive or potentially sensitive data stored in a public cloud.
Because compromise of a Provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located.
Aside from that, there are several other reasons that a company should choose a KMIP key manager over a CSP solution
If you want to position yourself for success, choose a standards based solution
By the way, we aren’t the only one. We have competitors who have adopted the KMIP standard as well.
It can look attractive to integrate a CSP proprietary solution, but buyer beware.
We recently certified with MongoDB and are now a technology partner – both on Intel and Power Linux architectures
Earlier this year we joined the Partner Advisory Council by invitation
Unique pricing model for a key management vendor. We don’t charge by the number of client side applications or nodes
Fundamentally believe that once you buy a piece of security software you shouldn’t have to pick and choose what you protect.
Just have a very strong relationship with MongoDB
Let’s get in to it.
Show how to launch a key manager and connect it to MongoDB
We’ll skip a few of the super simple steps, but you’ll get the basic idea
First we are going to launch the key manager in AWS
Log in to your EC2 console
Our key manager is in the AWS marketplace
Click Select
You get asked a few questions
Go ahead and select the default tier.
Here, I am grabbing a specific set of keys.
Not going to use my general keys to launch this instance
In this instance we are asking Amazon to give us a unique set of keys
I download them and we get it launched
Just takes a few seconds
And then you have an active instance running in EC2.
You can see it running
You now have an active key manager in AWS. It is that easy.
Now let’s configure Alliance Key Manager.
I am showing you ours, but it will be similar on any key manager.
You SSH into the key manager
And take option 1 to initialize Alliance Key Manager (or AKM as you see here)
Notice you get the choice to initialize a primary or secondary
Start your primary first
If you are launching your secondary which will be in a different region, they will automatically connect with each other (after giving them the correct credentials)
So now we are setting up the primary.
You will be asked for some basic information
Like the two-character code for your country
State, etc.
Can you guess what we are doing? We are building a PKI right within the key manager
It is important to enter a unique name for the key manager
In this case, it is AKMMongoDB
This is the name that glues MongoDB to your key manager
Once you press enter the PKI gets generated
A unique set of keys get created
And you are then ready to connect to MongoDB
Next, launch our administrative console
Which is authenticated with our PKI infrastructure
You can see on the right that there is a set of keys
Now that we have launched a key manager and built some keys (which BTW, 10 years ago would have been a 6 week project)
We will download the credentials that MongoDB will need
MongoDB is going to use certificates from the key manager to authenticate itself to the key manager when we fire it up.
Now let’s go over to the MongoDB side of things
We’ll look at 3 slides
Create a directory on the MongoDB instance – This happens to be a Linux instance
This is where we are going to store the credentials that I downloaded from the key manager
You can use Filezilla or whatever FTP tool you like
I’m gonna change the ownership of them
And then grant MongoDB access to them
Next thing you need to do is tell MongoDB where to find the key manager
In MongoDB security is not enabled by default
When you open the mongod.conf file it is commented out
You’ll need to remove the # character right before security
Make sure that the “enableEncryption” option is set to True
The servername is AKMMongoDB, which is what we set in the AKM Admin console.
You will need to type that in
The default port for KMIP is 5696.
This should already be set
The ServerCAFile and ClientCertificate files will be blank.
You will need to set these with the certificates that you brought over from AKM
The key identifier will also be blank, by default
We recommend referring to our documentation on how to format the KeyIdentifier
In AKM, it is known as the key instance name
It will need to be converted to the special format for MongoDB.
Our documentation shows how to do that.
The resources section of this presentation will also point you towards our documentation
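A pre-flight check for the mongod.conf settings described above, as an added example (not from the presentation, Townsend Security or MongoDB): it confirms the security section is uncommented, flags a master key stored in a local key file, and verifies that both certificate files exist with owner-only permissions. It assumes GNU stat on Linux and plain "key: value" lines; the sample config and the key identifier placeholder are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the KMIP settings in mongod.conf.
# Assumes GNU stat (Linux) and plain "key: value" lines, as in the sample below.

# Write a constructed sample security section (file names as on slide 33).
write_sample_conf() {   # $1 = output file, $2 = certificate directory
  cat > "$1" <<EOF
security:
  enableEncryption: true
  kmip:
    serverName: AKMMongoDB
    port: 5696
    serverCAFile: $2/AKMRootCACertificate.pem
    clientCertificateFile: $2/AKMClientAndKey.pem
    keyIdentifier: <KEY-IDENTIFIER-PLACEHOLDER>
EOF
}

# Print the value of the first uncommented "key: value" line.
conf_get() {            # $1 = conf file, $2 = key
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print one line per problem; return 0 only when there are none.
kmip_preflight() {      # $1 = conf file
  local conf=$1 problems=0 key val mode
  note() { echo "$1"; problems=$((problems + 1)); }
  grep -q '^security:' "$conf" || note "security section is still commented out"
  [ "$(conf_get "$conf" enableEncryption | tr 'A-Z' 'a-z')" = "true" ] ||
    note "enableEncryption is not set to true"
  [ -z "$(conf_get "$conf" encryptionKeyFile)" ] ||
    note "encryptionKeyFile is set: the master key sits on local disk"
  for key in serverName port keyIdentifier; do
    [ -n "$(conf_get "$conf" "$key")" ] || note "kmip.$key is blank"
  done
  for key in serverCAFile clientCertificateFile; do
    val=$(conf_get "$conf" "$key")
    if [ ! -f "$val" ]; then
      note "kmip.$key is blank or the file does not exist: $val"
      continue
    fi
    mode=$(stat -c %a "$val")
    case $mode in
      600|400) ;;   # owner-only, as set by chmod 600 on slide 33
      *) note "$val has mode $mode, expected 600" ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# Run against a real file when a path is given, e.g. /etc/mongod.conf.
if [ -n "${1:-}" ]; then kmip_preflight "$1"; fi
```

Run it as the user that can read the certificate directory; an exit status of 0 means no problems were printed.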
Boom
Start MongoDB
That’s all it took
This is the easiest, fastest implementation I have ever seen on any database – and we support a lot.
It is not complicated or scary.
We publish a user guide on our website that will walk you through all this
This was just a demonstration on how easy it is to do
At these MongoDB local events we often get the question “Can I encrypt at the application level and then put the data in to MongoDB?”
Yes
We provide SDKs that developers can use to integrate with applications
At that level you can assign different encryption keys to different people or sets of data
You get added flexibility at the application layer
Let me pull out my crystal ball
Within all my years of experience, I have never seen compliance regulations getting more lax
Have you ever seen a compliance regulation say “Let’s do less security”?
They are always getting more defined and asking for more security
Suspect that GDPR is paving the road for more security regulations
More encryption keys. Again, delete a key, the data is gone
Cross cloud – people don’t want to be locked in to a CSP.
People want flexibility to be on prem or in cloud
A couple things that I want to mention before we wrap things up.
When you turn on encryption, you must turn it on on an empty database – you can’t just turn it on with an existing database
When you have existing data that you would like encrypted, you’ll have to pipe it in to the existing DB that has encryption on.
Again, regarding business continuity, you want to make sure that you have a production and HA encryption key manager.
If you don’t have an encryption key, you don’t have data
In the cloud you’ll want to run key managers in multiple regions – mirroring in real-time
We have customers who will run hybrid deployments – HSM, VMware, Cloud
We even have a customer who has data in AWS and runs key management in Azure
The KMIP interface gives us so much flexibility
Currently in MongoDB you can define a single key manager.
For failover, we recommend deploying a load balancer in front of the key manager. If there is a problem reaching the key manager, the load balancer redirects to the failover key manager.
A couple pages of resources. I’m happy to share this presentation.
Before we get to questions, let’s get back to how a hacker would get in to our encrypted database
Remember when I said hackers don’t break encryption, they find the keys?
Check under your seat and see if you can find the key