Webinar: Creating a Single View: Securing Your Deployment
Transcript of Webinar: Creating a Single View: Securing Your Deployment
![Page 1: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/1.jpg)
Lead Security Engineer, MongoDB
Andreas Nilsson
Creating a single view: Securing the Application
![Page 2: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/2.jpg)
How can we make data accessible securely?
![Page 3: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/3.jpg)
Securing the Application: Agenda
• Securing a Database
• Access Control
• Data Protection
• Auditing
![Page 4: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/4.jpg)
The Art of Securing a System
“If you know the enemy and know yourself,
you need not fear the result of a hundred battles.
If you know yourself but not the enemy,
for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself,
you will succumb in every battle.”
Sun Tzu, The Art of War 500 BC
![Page 5: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/5.jpg)
Timeline
Plan and design security as early as possible.
Design → Implement → Test → Deploy
(YES! at the Design end of the timeline, NO! at the Deploy end)
![Page 6: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/6.jpg)
Designing the Infrastructure
![Page 7: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/7.jpg)
Access Control
Configure Authentication and Authorization.
Design → Implement → Test → Deploy
![Page 8: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/8.jpg)
Enable Access Control
Design
• Determine which types of users exist in the system.
• Match the users to MongoDB roles. Create any customized roles.
Deployment
• Start/restart MongoDB with access control enabled.
• Create the desired users.
![Page 9: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/9.jpg)
MongoDB configuration
Authentication - Who are you in MongoDB?
• Application user, administrator, backup job, monitoring agent.
Authorization - What can you do in MongoDB?
• CRUD operations, configure the database, manage sharding, user management.
![Page 10: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/10.jpg)
Enable Authentication
Built-in authentication methods
• Password challenge response
• x.509 certificates
Or integrate with existing authentication infrastructure
![Page 11: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/11.jpg)
Role Based Access Control
Built-in roles
• read, readWrite, dbAdmin, clusterAdmin, root, etc.
User defined roles
• Customized roles based on existing roles and privileges.
![Page 12: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/12.jpg)
Internal Authentication
Server-server authentication uses a shared keyfile or x.509.
![Page 13: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/13.jpg)
Field Level Redaction - $redact
$redact
• New aggregation framework operator
• Conditionally filter user documents
Use cases
• Implement user-based, document-level content filtering.
• Create egress filter, redacting sensitive information.
![Page 14: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/14.jpg)
Access Control - Field Level Redaction
Note: Need to understand the application better
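Added example, not code from the webinar: a plain-JavaScript model of the $redact walk described on the two slides above, so the egress-filter use case can be tried offline. The `tags` field name, the clearance values and the customer record are constructed for the example; the equivalent aggregation stage is quoted in the header comment.

```javascript
// Added example, not code from the webinar: a plain-JavaScript model of how
// $redact walks a document, so the egress-filter use case can be tried offline.
// The equivalent aggregation stage (tags is a constructed field name) is:
//   { $redact: { $cond: { if: { $gt: [ { $size: { $setIntersection:
//       [ { $ifNull: ["$tags", []] }, <caller's tags> ] } }, 0 ] },
//     then: "$$DESCEND", else: "$$PRUNE" } } }
const DESCEND = "$$DESCEND", PRUNE = "$$PRUNE", KEEP = "$$KEEP";

// Policy evaluated at every document level, like the $cond above: descend
// when the level's tags intersect the caller's, otherwise prune. A level
// without tags is pruned (default deny), which is what the $ifNull gives.
function tagPolicy(callerTags) {
  return (level) => {
    const tags = Array.isArray(level.tags) ? level.tags : [];
    return tags.some((t) => callerTags.includes(t)) ? DESCEND : PRUNE;
  };
}

// Apply the verdict at this level; on $$DESCEND keep the scalars and
// re-evaluate every embedded document, including those inside arrays.
function redact(doc, decide) {
  const verdict = decide(doc);
  if (verdict === PRUNE) return undefined;
  if (verdict === KEEP) return doc;
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    const kept = redactValue(value, decide);
    if (kept !== undefined) out[key] = kept;
  }
  return out;
}

function redactValue(value, decide) {
  if (Array.isArray(value)) {
    return value.map((v) => redactValue(v, decide)).filter((v) => v !== undefined);
  }
  if (value !== null && typeof value === "object") return redact(value, decide);
  return value; // scalars are never evaluated on their own
}

// Constructed "single view" customer record; STLW marks the sensitive parts.
const customer = {
  _id: 1, tags: ["G"], name: "Acme Ltd",
  contacts: [{ tags: ["G"], email: "ops@example.com" },
             { tags: ["STLW"], email: "board@example.com" }],
  creditReport: { tags: ["STLW"], score: 710 },
};

// What a caller holding the given tags is allowed to see.
function redactForCaller(doc, callerTags) { return redact(doc, tagPolicy(callerTags)); }
```

Because the root document is evaluated too, a caller whose tags match nothing gets no document at all rather than an empty shell.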
![Page 15: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/15.jpg)
Data Protection
Encrypting data in transit (SSL) and data at rest.
Design → Implement → Test → Deploy
![Page 16: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/16.jpg)
Data Protection End to End
![Page 17: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/17.jpg)
Transport Encryption with SSL
• Possible to protect client-server and server-server communications with SSL.
• Support for commercially and internally issued x.509 certificates.
• Possible to run the server in FIPS 140-2 mode.
• Support for mixed SSL and non-SSL clusters.
![Page 18: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/18.jpg)
Data Protection - Transport Encryption
Encrypt communications (SSL)
Authenticate connections (x.509)
![Page 19: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/19.jpg)
Data Protection - Encryption at rest
Alternatives
• Encrypt data client side
• Use partner solution for file and OS level encryption
![Page 20: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/20.jpg)
Security Auditing
![Page 21: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/21.jpg)
The Audit Log
• Security events can be written to either the console, the syslog or a file (JSON/BSON)
• By default, all security events are written to the audit log when enabled.
• Events include authentication failures and some commands.
• Access control is not required for auditing.
• They are separate components.
![Page 22: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/22.jpg)
Audit Log Properties
• Can filter based on different criteria
  – Action type, time frame, IP address/port, users
• Events have total order per connection
• Audit guarantees (AKA Writes/config)
  – Audit event written to disk BEFORE writing to the journal
  – A write will not complete before it has been audited
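Added example, not code from the webinar: filtering audit events by the criteria listed on the slide (action type, time frame, IP address, user) and flagging remote addresses with repeated authentication failures. The audit lines are constructed, modelled on MongoDB's JSON audit format (`atype`, `ts`, `local`, `remote`, `users`, `roles`, `param`, `result`); the failure threshold and time window are assumptions.

```javascript
// Added example, not code from the webinar: filtering MongoDB audit events by
// the slide's criteria and flagging repeated authentication failures. The
// lines are constructed, modelled on the JSON audit format (atype, ts, local,
// remote, users, roles, param, result); result 18 is AuthenticationFailed,
// 0 is success. Threshold and window are assumptions for the example.
const SAMPLE_AUDIT = `
{"atype":"authenticate","ts":{"$date":"2014-06-24T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40001},"users":[],"roles":[],"param":{"user":"app","db":"sales","mechanism":"MONGODB-CR"},"result":18}
{"atype":"authenticate","ts":{"$date":"2014-06-24T10:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40002},"users":[],"roles":[],"param":{"user":"app","db":"sales","mechanism":"MONGODB-CR"},"result":18}
{"atype":"authenticate","ts":{"$date":"2014-06-24T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":40003},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"MONGODB-CR"},"result":18}
{"atype":"authenticate","ts":{"$date":"2014-06-24T10:00:09.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":50100},"users":[],"roles":[],"param":{"user":"app","db":"sales","mechanism":"MONGODB-CR"},"result":0}
{"atype":"createUser","ts":{"$date":"2014-06-24T10:05:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50200},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"reporting","db":"sales","roles":[{"role":"read","db":"sales"}]},"result":0}
`;

// One JSON document per line; normalise the extended-JSON timestamp.
function parseAuditLog(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => {
    const e = JSON.parse(l);
    e.time = new Date(e.ts.$date);
    return e;
  });
}

// Filter by action type, time frame, remote IP address and user, matching the
// user either as the authenticated principal or as the subject of the event.
function filterEvents(events, { atype, from, to, remoteIp, user } = {}) {
  return events.filter((e) =>
    (!atype || e.atype === atype) &&
    (!from || e.time >= from) && (!to || e.time <= to) &&
    (!remoteIp || e.remote.ip === remoteIp) &&
    (!user || (e.param && e.param.user === user) ||
      (e.users || []).some((u) => u.user === user)));
}

// Remote addresses with at least `threshold` failed authentications inside a
// sliding window of `windowMs`; a starting point for alerting on the log.
function repeatedAuthFailures(events, threshold = 3, windowMs = 60000) {
  const failuresByIp = new Map();
  for (const e of filterEvents(events, { atype: "authenticate" })) {
    if (e.result === 0) continue;
    if (!failuresByIp.has(e.remote.ip)) failuresByIp.set(e.remote.ip, []);
    failuresByIp.get(e.remote.ip).push(e.time.getTime());
  }
  const flagged = [];
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    for (let i = 0; i + threshold <= times.length; i++) {
      if (times[i + threshold - 1] - times[i] <= windowMs) { flagged.push(ip); break; }
    }
  }
  return flagged;
}
```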
![Page 23: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/23.jpg)
Some final tips…
![Page 24: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/24.jpg)
Some tips along the way…
1. Do not directly expose database servers to the Internet
2. Design and configure access control
3. Enable SSL
4. Disable any unnecessary interfaces
5. Lock down database files and minimize account privileges
![Page 25: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/25.jpg)
What did we talk about?
• Securing a Database
• Access Control
• Data Protection
• Auditing
![Page 26: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/26.jpg)
Next steps
• MongoDB Security Manual - http://docs.mongodb.org/manual/core/security-introduction/
• MongoDB Security Whitepaper - http://info.mongodb.com/rs/mongodb/images/MongoDB_Security_Architecture_WP.pdf
![Page 27: Webinar: Creating a Single View: Securing Your Deployment](https://reader035.fdocuments.us/reader035/viewer/2022062418/555a3cd4d8b42ae1398b4bbc/html5/thumbnails/27.jpg)
Lead Security Engineer, MongoDB
Andreas Nilsson
#MongoDBWorld
Thank You