Architecting Secure and Compliant Applications with MongoDB
@jmimick
Senior Consulting Engineer – MongoDB Inc
Concepts
Authentication: validating that a user is who they say they are
Authorization: only letting a user do certain things
WARNING
Some features are only supported in MongoDB Enterprise Advanced versions!
Generally, the functionality shown is available in 2.6.x; any 3.0.x-specific features will be called out.
Concepts
Auditing: tracking system activity
Encryption: encoding data so that only those with the key can read it
Authentication
• Password-based challenge-response mechanism: user/password defined against a database
  • Different auth mechanisms (changed in 3.0): SCRAM-SHA-1, MONGODB-CR
  • Kerberos, LDAP
• x.509 certificates: validate that members of replica sets and sharded clusters are who you think they are; also used in SSL connections
Localhost Exception
The localhost exception allows you to enable authorization before creating the first user in the system. When active, the localhost exception allows connections from the localhost interface to create the first user on the admin database. The exception applies only when there are no users created in the MongoDB instance.
Changed in version 3.0: The localhost exception changed so that these connections only have access to create the first user on the admin database. In previous versions, connections that gained access using the localhost exception had unrestricted access to the MongoDB instance.
Authorization
Role Based Access Control: built-in roles, and custom roles

var stockerRole = {
  "role" : "acme.store.stocker",
  "privileges" : [
    { "resource" : { "db" : "products", "collection" : "inventory" },
      "actions" : [ "find", "update" ] }
  ],
  "roles" : [ "acme.store.user" ]
};
use acme
db.createRole( stockerRole );
Auditing
Can audit on your mongod and mongos
Send events to console, syslog, JSON or BSON file

mongod --dbpath data/db --auditDestination file \
       --auditFormat JSON \
       --auditPath data/db/auditLog.json

[ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json
{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
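The audit log is only useful if something reads it. The following is an added example, not part of the deck, that parses JSON audit-log lines of the shape shown above (the three sample events are copied from the tail output) and flags actions performed by a network client with no authenticated user. With authorization enabled, the only such event you should ever see is the localhost exception creating the first admin user; the createCollection on foo.foo from 127.0.0.1:56023 with an empty users array is exactly the kind of line worth alerting on.

```javascript
// Added example (not from the deck): parse MongoDB JSON audit-log lines and
// flag events a network client performed without an authenticated user.
// The three sample events are copied from the tail -f output on the slide.

const SAMPLE_AUDIT_LOG = [
  '{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }',
  '{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }',
  '{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }',
].join("\n");

// Convert the extended-JSON {"$date": "..."} form into a JS Date. The audit
// log writes offsets as "+0000"; Date parsing wants "+00:00", so normalise.
function parseAuditDate(tsField) {
  const iso = tsField.$date.replace(/([+-]\d{2})(\d{2})$/, "$1:$2");
  return new Date(iso);
}

// One event per line. Blank lines are skipped; malformed lines are reported
// rather than silently dropped, because a gap in an audit trail is a finding.
function parseAuditLog(text) {
  const events = [];
  const errors = [];
  text.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    try {
      const ev = JSON.parse(line);
      ev.ts = parseAuditDate(ev.ts);
      events.push(ev);
    } catch (e) {
      errors.push({ line: i + 1, error: e.message });
    }
  });
  return { events, errors };
}

// The server records its own internal activity (no socket) with ip "(NONE)"
// on both ends; everything else came over the network.
function isInternal(ev) {
  return ev.remote.ip === "(NONE)" && ev.local.ip === "(NONE)";
}

// Network-client actions with no authenticated user. With authorization on,
// only the localhost exception creating the first admin user should match.
function unauthenticatedClientEvents(events) {
  return events.filter(ev => !isInternal(ev) && ev.users.length === 0);
}

// Event counts per atype, e.g. for a dashboard or a rate-based alert.
function countByType(events) {
  return events.reduce((acc, ev) => {
    acc[ev.atype] = (acc[ev.atype] || 0) + 1;
    return acc;
  }, {});
}

const parsed = parseAuditLog(SAMPLE_AUDIT_LOG);
for (const ev of unauthenticatedClientEvents(parsed.events)) {
  console.log(`ALERT ${ev.ts.toISOString()} ${ev.atype} on ${ev.param.ns} ` +
              `from ${ev.remote.ip}:${ev.remote.port} with no authenticated user`);
}
```

Run it with node; on the sample it prints one ALERT line for the foo.foo createCollection. For a live deployment, feed the function the lines from the auditPath file (or the syslog stream) instead of the embedded sample.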
Encryption
At rest: recommended to always encrypt data on the storage system
3rd party tools (more documentation online):
• Linux Unified Key Setup (LUKS)
• IBM Guardium Data Encryption
• Vormetric Data Security Platform
• BitLocker Drive Encryption (Windows)
Required for HIPAA/PCI-DSS

In transit: configure mongod and mongos for SSL
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
Best Practices
http://docs.mongodb.org/manual/administration/security-checklist/
Security Checklist
• Require authentication
• Configure roles
• Use SSL
• Configure firewall: limit network exposure
• Turn on auditing
• Encrypt data on disk
• Run mongod with a dedicated user account
• Set secure options
  • --noscripting
  • Disable REST/HTTP
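Most of the checklist items map onto mongod configuration options, so they can be verified mechanically. The following is an added example, not part of the deck, that checks a parsed mongod configuration against the checklist. The object shape follows the YAML option names of mongod 2.6/3.0 (security.authorization, security.javascriptEnabled, net.ssl.mode, net.ssl.PEMKeyFile, net.bindIp, net.http.enabled, net.http.RESTInterfaceEnabled, auditLog.destination); the weak and hardened configs, including the bindIp addresses, are constructed for the example. "Encrypt data on disk" and "run mongod with a dedicated user account" are host-level controls, not config-file options, so they are not among the checks.

```javascript
// Added example (not from the deck): check a parsed mongod config (YAML
// option names of mongod 2.6/3.0, as a plain object) against the security
// checklist. Both configs below are constructed for this example.

// Dotted-path lookup, e.g. get(cfg, "net.ssl.mode").
function get(obj, path) {
  return path.split(".").reduce((o, k) => (o && o[k] !== undefined ? o[k] : undefined), obj);
}

// Each check passes when test() is true; otherwise `finding` explains the risk.
const CHECKS = [
  { id: "require-authentication",
    test: c => get(c, "security.authorization") === "enabled",
    finding: "security.authorization is not 'enabled': any client can read and write without credentials" },
  { id: "use-ssl",
    test: c => get(c, "net.ssl.mode") === "requireSSL" && !!get(c, "net.ssl.PEMKeyFile"),
    finding: "net.ssl.mode is not 'requireSSL' (or no PEMKeyFile): credentials and data travel in clear text" },
  { id: "limit-network-exposure",
    test: c => {
      const ip = get(c, "net.bindIp");
      return !!ip && !ip.split(",").map(s => s.trim()).includes("0.0.0.0");
    },
    finding: "net.bindIp is unset or 0.0.0.0: mongod listens on every interface; restrict it and firewall the port" },
  { id: "turn-on-auditing",
    test: c => ["file", "syslog", "console"].includes(get(c, "auditLog.destination")),
    finding: "auditLog.destination is unset: no audit trail of authentication, role or DDL events" },
  { id: "noscripting",
    test: c => get(c, "security.javascriptEnabled") === false,
    finding: "security.javascriptEnabled is not false: server-side JavaScript ($where, mapReduce) is allowed" },
  { id: "disable-rest-http",
    test: c => get(c, "net.http.enabled") !== true && get(c, "net.http.RESTInterfaceEnabled") !== true,
    finding: "net.http.enabled / net.http.RESTInterfaceEnabled is on: the HTTP status and REST interface is exposed" },
];

// Returns the failed checks; an empty list means the config passes the checklist.
function auditConfig(config) {
  return CHECKS.filter(ch => !ch.test(config)).map(ch => ({ id: ch.id, finding: ch.finding }));
}

// A near-default config: nothing on the checklist is set, HTTP/REST is on.
const WEAK_CONFIG = {
  storage: { dbPath: "/data/db" },
  net: { port: 27017, http: { enabled: true, RESTInterfaceEnabled: true } },
};

// The same server with the checklist applied (addresses are constructed).
const HARDENED_CONFIG = {
  storage: { dbPath: "/data/db" },
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.0.214.82",
    ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/mongodb.pem" },
    http: { enabled: false, RESTInterfaceEnabled: false },
  },
  security: { authorization: "enabled", javascriptEnabled: false },
  auditLog: { destination: "file", format: "JSON", path: "/data/db/auditLog.json" },
};

for (const f of auditConfig(WEAK_CONFIG)) console.log(`[FAIL] ${f.id}: ${f.finding}`);
```

To run it against a real deployment, parse the mongod.conf YAML into an object with a YAML library and pass it to auditConfig; the weak config above fails all six checks and the hardened one passes.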
Demo
Building roles to support healthcare application and HIPAA requirements.
For full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo
Role                   Create   Read   Update   Delete   Index (Maintenance)
Physician
Billing Associate
Patient
System Administrator
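The matrix above maps each row to the same CRUD-plus-index columns that MongoDB privilege actions express (insert, find, update, remove, createIndex/dropIndex). The following is an added example, not part of the deck's demo, covering both the Authorization slide and this matrix: it builds role documents in the shape db.createRole() accepts, first the deck's acme.store.stocker role (the privileges of the inherited acme.store.user role are assumed, read-only on products.inventory), then one role per matrix row under assumed role names hc.physician, hc.billing, hc.patient and hc.sysadmin, and resolves which actions a role effectively has through the roles it inherits. The cell assignment for the healthcare roles is an assumption for the example, not the deck's.

```javascript
// Added example (not from the deck): build db.createRole() documents from a
// CRUD/index matrix and resolve effective privileges through inherited roles.
// Role names hc.* and the matrix cell values below are assumed for the example.

// Matrix columns -> MongoDB privilege actions.
const COLUMN_TO_ACTIONS = {
  create: ["insert"],
  read:   ["find"],
  update: ["update"],
  delete: ["remove"],
  index:  ["createIndex", "dropIndex"],
};

// grants: [{ db, collection, columns }]. A collection of "" means every
// collection in the database, which is how MongoDB resources express it.
function makeRole(name, grants, inherits = []) {
  const privileges = grants.map(g => ({
    resource: { db: g.db, collection: g.collection },
    actions: [...new Set(g.columns.flatMap(c => COLUMN_TO_ACTIONS[c]))],
  }));
  return { role: name, privileges, roles: inherits };
}

// Collect a role's own privileges plus those of every inherited role
// (depth-first, cycle-safe). catalog: { roleName: roleDocument }.
function effectivePrivileges(roleName, catalog, seen = new Set()) {
  if (seen.has(roleName)) return [];
  seen.add(roleName);
  const role = catalog[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  return [...role.privileges, ...role.roles.flatMap(r => effectivePrivileges(r, catalog, seen))];
}

// Does the role, directly or by inheritance, allow `action` on db.collection?
function isAllowed(roleName, catalog, db, collection, action) {
  return effectivePrivileges(roleName, catalog).some(p =>
    p.resource.db === db &&
    (p.resource.collection === collection || p.resource.collection === "") &&
    p.actions.includes(action));
}

// The deck's stocker role: find/update on inventory, inheriting store.user
// (store.user's own privileges are assumed: read-only on products.inventory).
const storeUser = makeRole("acme.store.user",
  [{ db: "products", collection: "inventory", columns: ["read"] }]);
const stocker = makeRole("acme.store.stocker",
  [{ db: "products", collection: "inventory", columns: ["read", "update"] }],
  ["acme.store.user"]);

// Healthcare demo matrix, one role per row (assumed assignment).
const physician = makeRole("hc.physician",
  [{ db: "clinic", collection: "records", columns: ["create", "read", "update"] }]);
const billing = makeRole("hc.billing",
  [{ db: "clinic", collection: "invoices", columns: ["create", "read", "update"] },
   { db: "clinic", collection: "records",  columns: ["read"] }]);
const patient = makeRole("hc.patient",
  [{ db: "clinic", collection: "records", columns: ["read"] }]);
// Maintenance only: index actions on every collection, no access to the data.
const sysadmin = makeRole("hc.sysadmin",
  [{ db: "clinic", collection: "", columns: ["index"] }]);

const CATALOG = Object.fromEntries(
  [storeUser, stocker, physician, billing, patient, sysadmin].map(r => [r.role, r]));

// In the mongo shell the same documents are installed with, e.g.:
//   use acme
//   db.createRole(stocker)
console.log(JSON.stringify(stocker, null, 2));
```

The point of the resolver is least privilege review: before installing a role, ask isAllowed() the questions the matrix implies (can the system administrator read patient records? can billing update them?) and check that the answer is no.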