Webinar: Architecting Secure and Compliant Applications with MongoDB
Transcript of Webinar: Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
[email protected] – @sbmccarth
Solutions Architect – MongoDB Inc.
Major Security Alert
Concepts
developer friendly – production ready
Agenda
✓ Concepts
✓ Best Practices
✓ Demo
Concepts
Authentication – Validating a user is who they say they are
Authorization – Only letting a user do certain things
Concepts
Auditing – Tracking system activity
Encryption – Encoding data so that only those with the key can read it
WARNING: Some features only supported in MongoDB Enterprise Advanced versions!
Generally, functionality available in 2.6.x. Will call out any specific 3.x features.
Authentication
- password-based challenge-response mechanism
  - user/pwd – defined against a DB
  - Different auth mechanisms (changed in 3.0)
    - SCRAM-SHA-1, MONGO-CR
    - Kerberos, LDAP*
- x.509 certificates
  - validate members of replica sets and sharded clusters are who you think they are
  - also used in SSL connections
How do you make MongoDB authorize users?
```shell
$ mongod --dbpath ./db --auth
```
Localhost Exception
Enables authorization before creating the first user on the system. When auth is enabled, the localhost exception allows connection from the local interface to create the first user on the admin database. This only applies when no users exist on the system.
Changed in version 3.x: These connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to all MongoDB
Authorization
Role Based Access Control – built-in and custom roles
```javascript
// Custom role: read and update on products.inventory, inheriting acme.store.user
var stockerRole = {
  "role" : "acme.store.stocker",
  "privileges" : [
    { "resource" : { "db" : "products", "collection" : "inventory" },
      "actions" : [ "find", "update" ] }
  ],
  "roles" : [ "acme.store.user" ]
};
use acme
db.createRole( stockerRole );
```
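The slide's stocker role is the kind of definition worth reviewing for least privilege before it is created. As an added example (not code from the webinar), the block below keeps that role, adds a constructed over-broad role for contrast, and runs a review; reviewRole(), createRoleCommand() and HIGH_RISK_ACTIONS are this example's own helpers, not MongoDB APIs.

```javascript
// Added example (not from the webinar): least-privilege review of role documents
// before db.createRole(). reviewRole()/createRoleCommand() are this example's own.
const stockerRole = {
  role: "acme.store.stocker",
  privileges: [
    { resource: { db: "products", collection: "inventory" },
      actions: ["find", "update"] },
  ],
  roles: ["acme.store.user"],
};

// Constructed counter-example: every database, plus a destructive action.
const overBroadRole = {
  role: "acme.store.everything",
  privileges: [
    { resource: { db: "", collection: "" }, actions: ["find", "dropDatabase"] },
  ],
  roles: [],
};

// Privilege actions that go well beyond what a data-access role should carry.
const HIGH_RISK_ACTIONS = new Set([
  "anyAction", "dropDatabase", "dropCollection", "createUser", "createRole",
  "grantRole", "revokeRole", "shutdown", "setParameter",
]);

// Returns review findings; an empty array means the role passed.
function reviewRole(roleDoc) {
  const findings = [];
  for (const { resource, actions } of roleDoc.privileges) {
    const where = JSON.stringify(resource);
    // db: "" matches every non-system collection in every database; cluster/anyResource are wider still.
    if (resource.anyResource || resource.cluster || resource.db === "") {
      findings.push(`${roleDoc.role}: resource ${where} is not scoped to one database`);
    }
    for (const action of actions) {
      if (HIGH_RISK_ACTIONS.has(action)) {
        findings.push(`${roleDoc.role}: action ${action} on ${where} needs justification`);
      }
    }
  }
  return findings;
}

// The command document db.createRole() sends, for scripts that submit the
// same definition with db.runCommand() on the database the role belongs to.
function createRoleCommand(roleDoc) {
  return { createRole: roleDoc.role, privileges: roleDoc.privileges, roles: roleDoc.roles };
}
```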
Auditing*
Can audit on your mongod and mongos. Send events to console, syslog, JSON or BSON file.
```shell
$ mongod --dbpath data/db --auditDestination file --auditFormat JSON \
    --auditPath data/db/auditLog.json
```
```
[ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json
{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
```
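The JSON audit file above is one event per line, so it can be triaged with a few lines of code. As an added example (not part of the webinar), the block below parses constructed log lines in the slide's format and reports repeated authentication failures per remote IP and every event that changes users or roles; analyseAuditLog() and PRIVILEGED_EVENTS are this example's own names, and the failed-login sample assumes result 18 (MongoDB's AuthenticationFailed code) on an "authenticate" event.

```javascript
// Added example (not from the webinar): triage of a MongoDB JSON audit log.
// Log lines are constructed in the slide's format; helpers are this example's own.
const sampleAuditLog = [
  '{ "atype" : "authenticate", "ts" : { "$date" : "2015-05-22T14:32:01.100+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.7", "port" : 40001 }, "users" : [], "roles" : [], "param" : { "user" : "admin", "db" : "admin", "mechanism" : "SCRAM-SHA-1" }, "result" : 18 }',
  '{ "atype" : "authenticate", "ts" : { "$date" : "2015-05-22T14:32:03.400+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.7", "port" : 40002 }, "users" : [], "roles" : [], "param" : { "user" : "admin", "db" : "admin", "mechanism" : "SCRAM-SHA-1" }, "result" : 18 }',
  '{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:33:10.000+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [ { "user" : "app", "db" : "products" } ], "roles" : [], "param" : { "ns" : "products.inventory" }, "result" : 0 }',
  '{ "atype" : "createUser", "ts" : { "$date" : "2015-05-22T14:35:42.000+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56030 }, "users" : [ { "user" : "admin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "user" : "ops2", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }, "result" : 0 }',
].join("\n");

// Event types that change who can do what, or take the server down.
const PRIVILEGED_EVENTS = new Set(["createUser", "dropUser", "updateUser", "createRole",
  "dropRole", "grantRolesToUser", "revokeRolesFromUser", "dropDatabase", "shutdown"]);
const AUTH_FAILED = 18; // MongoDB error code AuthenticationFailed

// One JSON document per line; blank lines (e.g. a trailing newline) are skipped.
function parseAuditLog(text) {
  return text.split("\n").filter(line => line.trim()).map(line => JSON.parse(line));
}

// Returns failed logins per remote IP and a list of privileged operations.
function analyseAuditLog(text) {
  const failedAuthByIp = {};
  const privilegedOps = [];
  for (const ev of parseAuditLog(text)) {
    const ip = ev.remote ? ev.remote.ip : "(NONE)";
    if (ev.atype === "authenticate" && ev.result === AUTH_FAILED) {
      failedAuthByIp[ip] = (failedAuthByIp[ip] || 0) + 1;
    }
    if (PRIVILEGED_EVENTS.has(ev.atype)) {
      const u = ev.users[0]; // empty users[] means the session was not authenticated
      const actor = u ? `${u.user}@${u.db}` : "unauthenticated";
      privilegedOps.push(`${ev.ts.$date} ${ev.atype} by ${actor} from ${ip}: ${JSON.stringify(ev.param)}`);
    }
  }
  return { failedAuthByIp, privilegedOps };
}
```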
Encryption
Encryption At Rest
✓ Encrypted Storage Engine*
✓ Whole Disk Encryption (through third party)
Required for HIPAA/PCI-DSS
Encryption In Transit
✓ Support for SSL/TLS for all communication
Required for HIPAA/PCI-DSS
Configure mongod and mongos for SSL:
```shell
$ mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
```
Best Practices
Security Checklist
✓ Require Authentication
✓ Configure Roles
✓ Use SSL
✓ Configure firewall – limit network exposure
✓ Turn on auditing
✓ Encrypt data on disk
✓ Run mongod with dedicated user account
✓ Set secure options
  ✧ --noscripting
  ✧ Disable REST/HTTP
http://docs.mongodb.org/manual/administration/security-checklist/
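Most of the checklist items map to settings in mongod.conf, so they can be verified mechanically. As an added example (not from the webinar), the block below holds a constructed weak configuration beside a hardened one, using the 2.6/3.x-era YAML keys as parsed objects, and checks both against the checklist; checkConfig() and the finding text are this example's own, not a MongoDB tool, and the hardened bindIp address is constructed.

```javascript
// Added example (not from the webinar): checklist review of a parsed mongod.conf.
// Keys follow the 2.6/3.x config file layout; checkConfig() is this example's own.
const weakConfig = {
  net: { bindIp: "0.0.0.0", port: 27017, http: { enabled: true, RESTInterfaceEnabled: true } },
  security: {},
};

const hardenedConfig = {
  net: {
    bindIp: "127.0.0.1,10.0.214.82", // constructed: loopback plus the app-facing interface only
    port: 27017,
    ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/mongodb.pem" },
    http: { enabled: false, RESTInterfaceEnabled: false },
  },
  security: { authorization: "enabled", javascriptEnabled: false }, // javascriptEnabled: false == --noscripting
  auditLog: { destination: "file", format: "JSON", path: "/var/lib/mongo/auditLog.json" },
};

// Dotted-path lookup that returns undefined instead of throwing on a missing section.
const get = (obj, path) => path.split(".").reduce((v, k) => (v == null ? v : v[k]), obj);

// Each rule: [config key, predicate that must hold, checklist item it enforces]
const RULES = [
  ["security.authorization", v => v === "enabled", "Require Authentication"],
  ["net.ssl.mode", v => v === "requireSSL", "Use SSL"],
  ["net.bindIp", v => typeof v === "string" && !v.split(",").includes("0.0.0.0"), "Limit network exposure"],
  ["auditLog.destination", v => v !== undefined, "Turn on auditing"],
  ["security.javascriptEnabled", v => v === false, "Set --noscripting"],
  ["net.http.enabled", v => v !== true, "Disable HTTP interface"],
  ["net.http.RESTInterfaceEnabled", v => v !== true, "Disable REST interface"],
];

// Returns one finding per failed rule; an empty array means the config passed.
function checkConfig(cfg) {
  return RULES.filter(([key, ok]) => !ok(get(cfg, key)))
              .map(([key, , item]) => `${item}: set ${key}`);
}
```

Items the config file cannot prove (firewall rules, disk encryption, the dedicated service account) still need to be checked on the host.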
Demo
Building roles to support a healthcare application and HIPAA requirements.
In general, for full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo
Role permission matrix – Roles: Physician, Billing Associate, Patient, System Administrator. Permissions compared: Create, Read, Update, Delete, Index (Maintenance).
Demo
MongoGeneral Application
✓ createFirstUser.js
✓ createRoles.js
✓ createUsers.js
Questions?