Speaker: Patrick Townsend Encryption and key management have a reputation for being difficult. Not anymore! After this session, you'll be able to go back to the office and say "What was I scared about?" Since the release of MongoDB Enterprise 3.2 with KMIP support, Townsend Security has been helping MongoDB users meet compliance (PCI DSS, HIPAA, etc.) and security best practices with external key management. In this session, Patrick Townsend, Founder & CEO of Townsend Security, discusses: - Encryption & Key Management without application modification - Meeting compliance requirements (PCI DSS, HIPAA, etc.) - Deploying external key management with MongoDB Enterprise - In-the-weeds presentation of encrypting data and deploying a key manager"

1. Simplified Encryption & Key Management
For MongoDB

2. Presenter: Patrick Townsend
 CEO of Townsend Security
 Leading data security expert
 30 years IT industry experience

3. Presentation Agenda
 Encryption and importance of key management
 Meeting compliance requirements
 Key management best practices
 Encryption and key management in MongoDB
 Resource guide

4. Breaches Happen
 Equifax, River City Media, Yahoo! – just this year!
 Hackers don’t just target credit cards
 Email addresses, phone numbers, etc. can be considered PII

7. Why is Key Management Important?
 Encryption keys are THE secret that must be protected (not the algorithm)
 There are industry standards and best practices for key management (FIPS 140-2)
 Compliance regulations (PCI, HIPAA, etc.) require proper key management
 Separate encryption control and ownership from the cloud provider
 aka Key Custody

8. Impacts of Encryption
Performance – Expect a 2-20% overhead
Backup and Restore Operations – Can take longer as information
is encrypted
High Availability – In the event of an interruption, you need to
easily restore your keys from a backup key management solution

9. High Availability (HA) & Disaster Recovery
 Manage encryption keys from a centralized location
 Secure and authenticated TLS sessions for administrators
 Manage local and remote key servers
Key Mirroring
 Real time mirroring of encryption keys and access policy
 Active-Active mirroring for failover
 Secure, authenticated server-to-server connections
 One-to-Many, Many-to-Many

10. Backup and Restore
 Scheduled and automated backups
 Secure backup connections
 Separate backups for data encryption keys (DEK) and key
encryption keys (KEK)
 Full audit trail

12. Key Management Best Practices
 Ensure origin and quality of keys
 Use accepted and standards-based encryption algorithms
 Ensure that keys are security backed up, at all times
 Implement strong authentication mechanisms
 Protect and restrict access to encryption keys

13. Key Management Regulatory Requirements
Dual Control - Two or more people control a single process
Separation of Duties - Different people control different procedures so that
no one person controls multiple procedures
Split Knowledge - Prevents any one person from knowing the complete
value of an encryption key or passcode

14. Encryption and Key Management in the Cloud
Challenges, Best Practices & What to Know:
 Cloud provider is NOT responsible for YOUR breach (read the SLA)
 Public vs. Private Cloud (managing multi-tenancy)
 Business recovery – Production and High Availability
 Geographic redundancy for key management services
 Key custody: Who has access to your keys?

15. When to Encrypt - Scenarios
IoT – Device info often contains geo-location information. Hackers are also
great data aggregators (IP address, location, individuals).
HealthCare – Sensitive patient data (PHI) needs protection.
Credential Storage – Email addresses, KBAs and almost everything else
needs protection.
Transportation – Scheduling and equipment information aggregate to
driver information PII.

16. Key Management for MongoDB
Introduction to Alliance Key Manager
This is amazingly easy !

17. Create an Ubuntu instance on AWS

18. Let’s launch an Ubuntu instance from the EC2 console

19. Let’s launch an Ubuntu instance

20. Let’s launch an Ubuntu instance

21. Let’s launch an Ubuntu instance

22. Install MongoDB Enterprise

23. Let’s install MongoDB Enterprise (simple install)

24. Let’s install MongoDB Enterprise (simple install)

25. Let’s install MongoDB Enterprise (simple install)

26. Launch Alliance Key Manager in AWS

27. Let’s spin up Alliance Key Manager for AWS

28. Let’s spin up Alliance Key Manager for AWS

29. Let’s spin up Alliance Key Manager for AWS

30. Let’s spin up Alliance Key Manager for AWS

31. Configure Alliance Key Manager

32. Configure the key manager, generate keys and certificates

33. Configure the key manager, generate keys and certificates

34. Configure the key manager, generate keys and certificates

35. Configure the key manager, generate keys and certificates

36. Admin console: Get the key name and information

37. Configure MongoDB for Key Management

38. Now let’s configure MongoDB key management

39. Launch MongoDB With Encryption Enabled

40. Viola !!!

41. Advanced Topics
• MongoDB replication – Unencrypted to Encrypted
• Production and HA key mirroring
• Business Continuity and Hot Failover
• Load Balancing
• Hybrid deployments – On-Premise, cross-cloud
• VMware, Hardware Security Module (HSM), etc.

42. Resources
Townsend Security documentation for MongoDB:
http://docs.townsendsecurity.com/akm_guide_for_mongodb_enterprise_edition/#top
Townsend Security documentation for AKM in AWS:
http://docs.townsendsecurity.com/akm_for_aws_quick_start_guide/#top
MongoDB Enterprise installation:
https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-
ubuntu/#install-mongodb-enterprise

43. Resources
MongoDB Security Blog post:
https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-
your-data
MongoDB Security Checklist:
https://docs.mongodb.com/manual/administration/security-checklist/
MongoDB Encryption at Rest
https://docs.mongodb.com/manual/core/security-encryption-at-rest/

44. Corporate Headquarters
724 Columbia St NW, Suite 400
Olympia, WA 98501
Phone:
360 359 4400
Online:
townsendsecurity.com
@townsendsecure
Any Questions?
Patrick Townsend
patrick.townsend@townsendsecurity.com
@patricksecurity