Date post: | 06-Jan-2017 |
Category: |
Technology |
Upload: | mongodb |
View: | 5,671 times |
Download: | 0 times |
Architecting Secure and Compliant Applications with MongoDB
[email protected]@sbmccarth
Solutions Architect – MongoDB Inc.
3
Major Security Alert
4
Concepts
developer friendly production ready
5
✓ Concepts✓ Best Practices✓ Demo
Agenda
6
Authentication
Authorization
Validating a user is whothey say they are
Only letting a user do certain things
Concepts
7
Auditing
Encryption
Tracking system activity
Encoding data so that only those with the key can read it
Concepts
8
WARNINGSome features only supported in MongoDB Enterprise Advanced versions!
Generally, functionality available in 2.6.xWill call out any specific 3.x features
9
password-based challenge-response mechanism - user/pwd – defined against a DB - Different auth mechanisms (changed in 3.0) - SCRAM-SHA-1, MONGO-CR - Kerberos, LDAP*
x.509 certificates- validate members of replica set’s
and sharded cluster’s are who you think they are - also used in SSL connections
Authentication
How do you make MongoDB authorize users?
$ mongod --dbpath ./db --auth
11
Enables authorization before creating the first user on the system. When auth is enabled, the localhost exception allows connection from the local interface to create the first user on the admin database.This only applies when no users exist on the system
Changed in version 3.xThese connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to all MongoDB
Localhost Exception
12
Role Based Access Controlbuilt-in and custom roles
var stockerRole = { “role” : “acme.store.stocker”, “privileges” : [ { “resource” : {
“db” : “products”, “collection” : “inventory” }, “actions” : [ “find”, “update” ] } ], “roles” : [ “acme.store.user” ]}
use acmedb.createRole( stockerRole );
Authorization
13
Can audit on your mongod and mongosSend events to console, syslog, JSON or BSON file
$ mongod --dbpath data/db --auditDestination file --auditFormat JSON \ --auditPath data/db/auditLog.json[ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
Auditing*
14
Encryption At Rest✓ Encrypted Storage Engine*✓ Whole Disk Encryption (through third party)Required for HIPAA/PCI-DSS
Configure mongod and mongos for SSL $ mongod --sslMode requireSSL --sslPEMKeyFile
/etc/ssl/mongodb.pem
Encryption In Transit✓ Support for SSL/TSL for all communicationRequired for HIPAA/PCI-DSS
Encryption
15
http://docs.mongodb.org/manual/administration/security-checklist/
Security Checklist✓ Require Authentication✓ Configure Roles✓ Use SSL✓ Configure firewall – limit network exposure✓ Turn on auditing✓ Encrypt data on disk✓ Run mongod with dedicated user account✓ Set secure options
✧ --noscripting✧ Disable REST/HTTP
Best Practices
16
Building roles to support healthcare application and HIPAA requirements.
In general for full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo
17
Role Create Read Update Delete Index (Maintenance)
Physician
Billing Associate
Patient System Administrator
Demo
18
MongoGeneral Application
✓ createFirstUser.js✓ createRoles.js✓ createUsers.js
Demo
Questions?