Automating a Secure
MongoDB Deployment




MongoDB Austin, Feb. 15 2013
Matt Ray, Senior Technical Evangelist at Opscode
Eddie Garcia, Vice President of Development at Gazzang
What’s In Your Cloud?




                  What data are you storing?




3/15/2013   Gazzang - All rights reserved 2012
What’s In Your Cloud?




                  How are you protecting that data?




What’s In Your Cloud?




                  How are you managing the keys?




Student Record Breaches
   • Since 2010, more than three million student records have been
     compromised through hacking or through lost, stolen or missing files.

   • This year alone…

            •      23,000 SSNs breached at the University of North Florida
            •      16,000 SSNs, birth dates and student IDs breached from the
                   Eugene, Oregon school district
            •      650,000 records breached from the University of Nebraska
            •      350,000 records from UNC Charlotte
            •      and more….



Breaches Hit Every Industry




Data Security For MongoDB




Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB


    • Pre-built integration requires no changes to your
      application or database
    • Leverages automation tools for distributed
      deployment
    • World-class support available through Gazzang, 10gen
      and Opscode


MongoDB Use Cases

     • Content Management
     • Operational Intelligence
     • E-Commerce
     • User Data Management
     • High Volume Data Feeds
Documents in MongoDB
     • Model richer objects using documents
              • Arrays, sub-documents
     • Data more closely matches how your apps use it
              • Allows faster data model iteration
     • Rich atomic updates
              • Pushing/popping items from arrays, incrementing fields – can
                replace some transaction operations
     • Index on any field – including compound indexes
              • Know what data your app needs for faster querying
     • Schema-less
              • Doesn’t mean schema free: find the right balance of collections
                and structure for your data



Example MongoDB Document
     {
         _id: ObjectId("4c4ba5c0672c685e5e8aabf3"),
         type: "student",
         firstname: "John",
         lastname: "Smith",
         last_updated: ISODate("2012-02-02T11:52:27.442Z"),
         contacts: [
             { parent1: "Dad Smith", phone: "123-456-7890" },
             { parent2: "Mom Smith", phone: "234-567-8901" }
         ],
         classes: ["Biology", "Algebra", "Music"]
     }

Operations in MongoDB

    Replication (App -> Replica 1, Replica 2, Replica 3)
   • Redundancy and failover
   • Can be used to scale read throughput

    Auto-sharding (App -> Shard 1, Shard 2, Shard 3)
   • Partitions data based on a defined key (or keys), e.g. lastname
   • Scales write throughput
MongoDB Native Security

   [Diagram: a client connects to the primary over SSL; the primary
    replicates to a secondary over SSL; each server holds its own data files.]

   • User authentication: admin users (user1) and regular users (user2, user3)
   • SSL encryption for client connections
   • SSL encryption for inter-server traffic
Education Use Case on MongoDB

   [Diagram: Node 1 and Node 2, each with its own data files]

   Teacher record                 Student record
   First Name   Bob               First Name   Alice
   Last Name    Jones             Last Name    Smith
   Email        bob@xx.edu        Email        alice@yy.edu
   Phone        555-5555          Grade        5th
   SSN          XXX-XX-XXXX       Address      804 Congress
                                  City         Austin
                                  State        TX
Cloud Security Challenges

   • Protect Sensitive Data in the Cloud
            – Ensure sensitive data and encryption keys are never
              stored in plain text nor exposed publicly
            – Maintain control of your encryption keys and your
              proprietary data
   • Ensure Big Data Security
            – Harden Big Data infrastructures that have relatively
              weak security and no encryption protection
            – Maintain Big Data performance and availability
   • Enable Compliance
            – Encrypt data at rest and enforce tight access
              control policies
            – Protect your regulated data in the event of
              a breach



Gazzang zNcrypt™

    zNcrypt sits between the file system and any database, application or
    service running on Linux and encrypts data before it is written to disk.
    •       AES 256 encryption
    •       Process-based ACLs
    •       File and block encryption
    •       Multiple encrypted mount points
    •       Maximum performance
    •       Enterprise scalability
    •       Packaged support for MongoDB,
            Cassandra, Hadoop, MySQL,
            PostgreSQL




zNcrypt Architecture
                                                 • Key Management
                                                    – Off-site key storage
                                                    – In the cloud / on premises
                                                    – Hardened & highly available

                                                 • Access Control
                                                    – Process-based ACL rules
                                                    – Transparent data encryption
                                                    – Separate from users & groups

                                                 • Encryption
                                                    – Data at rest / AES-256
                                                    – File level encryption
                                                    – Excellent performance

ACL Rules and Encryption

   • MongoDB ACL rule

         ALLOW @mongodb * /usr/bin/mongod

     This defines mongod as a trusted application for the data namespace
     (category) @mongodb, granting it permission to read the cleartext data.

   • MongoDB data node directory encryption

         zncrypt-move encrypt @mongodb /var/lib/mongodb /var/lib/ezncrypt/ezncrypted

     This command encrypts the /var/lib/mongodb directory, as well as any new
     file or data saved to it, under the @mongodb category. Only the MongoDB
     process (/usr/bin/mongod) will be able to access the cleartext, as
     permitted by the ACL rule for @mongodb above; the category name in the
     rule and in the encrypt command must match. The last argument is the
     target mount point for the encrypted data.
Gazzang zTrustee™ – Controlling Authentication Objects
   Securing "opaque objects" with policy management and adaptive
   "trustee" authorization capabilities

   • Deposit policy controls
     – Time to live
     – Number of retrievals
     – URL
     – Trustee approval
     – Client
     – Much more
   • API library: Java, Python, C library

   Trustees must approve release of objects in accordance with the deposit policy




Ease of Deployment

   • Install zNcrypt
            – Package managers (yum, apt-get), Chef, Puppet, Juju, etc.
   • Create master encryption key
            – Passphrase method (optional "split security")
            – RSA key file method
   • Create ACLs
            – Simple command lines (ALLOW/DENY style)
            – Virtually any application, process or script can be allowed: MongoDB,
              Hadoop, Cassandra, MySQL, Apache, Tomcat, document management, etc.
   • Encrypt data
            – Simple command-line calls, down to the file level
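The deployment steps above, the native-security slide (authentication, SSL for clients and between servers) and the ACL slide (only /usr/bin/mongod may read cleartext in the @mongodb category, which must be the same category passed to zncrypt-move) describe three controls that are easy to get subtly wrong, for instance by spelling the category differently in the ACL and in the encrypt command. The script below is an added example, not code from the slides, the zNcrypt cookbook, or Gazzang, 10gen or Opscode: it audits a node after those steps. Its inputs are constructed samples so it runs offline, and the following are assumptions, not facts from the page: the /var/lib/ezncrypt/ezncrypted mount point is an eCryptfs mount (inferred from the path), the MongoDB dbpath resolves to a directory under that mount after zncrypt-move, the mongod config uses the MongoDB 2.4-era key = value format with the auth, keyFile, sslOnNormalPorts and sslPEMKeyFile options, and ACL rules follow the ALLOW/DENY @category pattern binary syntax shown on the ACL slide. The function and sample names (audit, SAMPLE_*) are mine.

```python
# Post-deployment audit for a MongoDB node: dbpath on an encrypted mount,
# mongod running with auth + SSL, and a process ACL that grants cleartext
# access to /usr/bin/mongod only. Added example, not vendor code.
import re

ENCRYPTED_FS_TYPES = {"ecryptfs"}  # assumption: the ezncrypted mount is eCryptfs
# ACL rule grammar from the slide: ACTION @category pattern binary
ACL_RE = re.compile(r"^(ALLOW|DENY)\s+(@[\w-]+)\s+(\S+)\s+(\S+)$")

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS = (
    "/dev/xvda1 / ext4 rw,relatime 0 0\n"
    "/var/lib/ezncrypt/.ezncrypted /var/lib/ezncrypt/ezncrypted ecryptfs "
    "rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 0 0\n"
)
# Assumption: after zncrypt-move, /var/lib/mongodb resolves to this path.
SAMPLE_DBPATH_RESOLVED = "/var/lib/ezncrypt/ezncrypted/mongodb"
SAMPLE_MONGOD_CONF = (  # MongoDB 2.4-style key = value format (assumption)
    "dbpath = /var/lib/mongodb\n"
    "auth = true\n"
    "keyFile = /etc/mongodb/replset.key\n"
    "sslOnNormalPorts = true\n"
    "sslPEMKeyFile = /etc/ssl/mongodb.pem\n"
    "replSet = rs0\n"
)
SAMPLE_ACL_RULES = ["ALLOW @mongodb * /usr/bin/mongod"]


def parse_mounts(text):
    """/proc/mounts text -> [(mountpoint, fstype, options)]."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            entries.append((parts[1], parts[2], parts[3]))
    return entries


def mount_for(path, mounts):
    """Longest-prefix match: the mount that actually backs `path`."""
    best = None
    for mp, fstype, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def parse_mongod_conf(text):
    """key = value lines -> dict; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key] = value
    return conf


def parse_acl_rule(rule):
    """'ALLOW @mongodb * /usr/bin/mongod' -> dict; ValueError if malformed."""
    match = ACL_RE.match(rule.strip())
    if not match:
        raise ValueError("malformed ACL rule: %r" % rule)
    action, category, pattern, binary = match.groups()
    return {"action": action, "category": category, "pattern": pattern, "binary": binary}


def audit(mounts_text, dbpath_resolved, conf_text, acl_rules,
          category, mongod_bin="/usr/bin/mongod"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Data at rest: dbpath must sit on an encrypted mount using AES-256.
    mnt = mount_for(dbpath_resolved, parse_mounts(mounts_text))
    if mnt is None or mnt[1] not in ENCRYPTED_FS_TYPES:
        findings.append("dbpath %s is not on an encrypted mount" % dbpath_resolved)
    elif mnt[1] == "ecryptfs":
        opts = dict(o.split("=", 1) for o in mnt[2].split(",") if "=" in o)
        if opts.get("ecryptfs_cipher") != "aes" or opts.get("ecryptfs_key_bytes") != "32":
            findings.append("encrypted mount %s is not AES-256" % mnt[0])
    # 2. MongoDB native security: auth, SSL for clients, keyFile between members.
    conf = parse_mongod_conf(conf_text)
    if conf.get("auth", "false").lower() != "true":
        findings.append("auth is not enabled in mongod config")
    if conf.get("sslOnNormalPorts", "false").lower() != "true" or "sslPEMKeyFile" not in conf:
        findings.append("SSL is not enforced for client connections")
    if "replSet" in conf and "keyFile" not in conf:
        findings.append("replica set has no keyFile for inter-server auth")
    # 3. Process ACL: only mongod may read cleartext in the data category, and the
    #    category must be the one passed to zncrypt-move (a mismatch leaves mongod
    #    without cleartext access).
    allowed = []
    for rule in acl_rules:
        parsed = parse_acl_rule(rule)
        if parsed["action"] != "ALLOW":
            continue
        if parsed["binary"] in ("*", "/bin/sh", "/bin/bash"):
            findings.append("over-broad ALLOW rule: %s" % rule.strip())
        if parsed["category"] == category:
            allowed.append(parsed["binary"])
    if mongod_bin not in allowed:
        findings.append("no ALLOW rule grants %s access to %s (check the category name)"
                        % (mongod_bin, category))
    return findings
```

Run it as `audit(SAMPLE_MOUNTS, SAMPLE_DBPATH_RESOLVED, SAMPLE_MONGOD_CONF, SAMPLE_ACL_RULES, "@mongodb")`, which returns an empty list for the sample node; feeding it the slide's mismatched rule (`ALLOW @mongodata ...` against category `@mongodb`) produces the category finding. On a real host, replace the samples with the contents of /proc/mounts, the resolved dbpath, the mongod config file and the ACL rules the cookbook applied; the longest-prefix mount match matters because a plain prefix test would accept a dbpath that merely shares a path prefix with the encrypted mount.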



Chef – Opscode Community




Install MongoDB and zNcrypt with #chef-client




zNcrypt Cookbook Source on github

   https://github.com/gazzang/cookbooks/tree/master/zncrypt




Walk Through zNcrypt Cookbook

   • Attributes
            – https://github.com/gazzang/cookbooks/blob/master/zncrypt/attributes/default.rb
   • Recipes
            – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/zncrypt.rb
            – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/activate.rb
            – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/configdirs.rb
            – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/default.rb
            – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/mongodb.rb


Gazzang Overview

   Gazzang provides big data security solutions that help
   enterprises protect sensitive information and maintain
   performance in the cloud or on premises

   150+ direct customers across SaaS, Healthcare, Financial Services,
   Technology and Government
Thank You




                                                 Q&A

Protect Your MongoDB Data

                                          For more information
                                     contact us: info@gazzang.com
                  Eddie Garcia eddie.garcia@gazzang.com






  • 1. Automating a Secure MongoDB Deployment. MongoDB Austin, Feb. 15 2013. Matt Ray, Senior Technical Evangelist at Opscode; Eddie Garcia, Vice President of Development at Gazzang.
  • 2. What’s In Your Cloud? What data are you storing? 3/15/2013 Gazzang - All rights reserved 2012
  • 3. What’s In Your Cloud? How are you protecting that data?
  • 4. What’s In Your Cloud? How are you managing the keys?
  • 5. Student Record Breaches
        • Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files.
        • This year alone:
          • 23,000 SSNs breached at the University of North Florida
          • 16,000 SSNs, birth dates and student IDs breached from the Eugene, Oregon school district
          • 650,000 records breached from the University of Nebraska
          • 350,000 records from UNC Charlotte
          • and more
  • 6. Breaches Hit Every Industry
  • 7. Data Security For MongoDB: Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB
        • Pre-built integration requires no changes to your application or database
        • Leverages automation tools for distributed deployment
        • World-class support available through Gazzang, 10gen and Opscode
  • 8. MongoDB Use Cases: Content Management, Operational Intelligence, E-Commerce, User Data Management, High Volume Data Feeds
  • 11. Documents in MongoDB
        • Model richer objects using documents
          • Arrays, sub-documents
          • Data more closely matches how your apps use it
          • Allows faster data model iteration
        • Rich atomic updates
          • Pushing/popping items from arrays, incrementing fields: can replace some transaction operations
        • Index on any field, including compound indexes
          • Know what data your app needs for faster querying
        • Schema-less
          • Doesn’t mean schema free: find the right balance of collections and structure for your data
  • 12. Example MongoDB Document (quotes and trailing comma corrected so the document parses in the mongo shell)
        {
          _id: ObjectId("4c4ba5c0672c685e5e8aabf3"),
          type: "student",
          firstname: "John",
          lastname: "Smith",
          last_updated: ISODate("2012-02-02T11:52:27.442Z"),
          contacts: [
            { parent1: "Dad Smith", phone: "123-456-7890" },
            { parent2: "Mom Smith", phone: "234-567-8901" }
          ],
          classes: ["Biology", "Algebra", "Music"]
        }
  • 13. Operations in MongoDB
        Replication (App -> Replica 1, Replica 2, Replica 3)
        • Redundancy and failover
        • Can be used to scale read throughput
        Auto-sharding (App -> Shard 1, Shard 2, Shard 3)
        • Partitions data based on a defined key(s), e.g. lastname
        • Scales write throughput
  • 14. MongoDB Native Security (diagram)
        • User authentication: admin users and regular users (user1, user2, user3)
        • SSL encryption for client connections (Client -> Primary)
        • SSL encryption for inter-server traffic (Primary <-> Secondary)
        • Data files on the Primary and Secondary (not covered by authentication or SSL)
  • 15. Education Use Case on MongoDB: records as stored in the data files on two nodes
        Node 1 (Teacher)               Node 2 (Student)
        First Name   Bob               First Name   Alice
        Last Name    Jones             Last Name    Smith
        Email        bob@xx.edu        Email        alice@yy.edu
        Phone        555-5555          Grade        5th
        SSN          XXX-XX-XXXX       Address      804 Congress
                                       City         Austin
                                       State        TX
  • 16. Cloud Security Challenges
        • Protect Sensitive Data in the Cloud
          – Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
          – Maintain control of your encryption keys and your proprietary data
        • Ensure Big Data Security
          – Harden Big Data infrastructures that have relatively weak security and no encryption protection
          – Maintain Big Data performance and availability
        • Enable Compliance
          – Encrypt data at rest and enforce tight access control policies
          – Protect your regulated data in the event of a breach
  • 17. Gazzang zNcrypt™
        zNcrypt sits between the file system and any database, application or service running on Linux to encrypt data before it is written to disk.
        • AES-256 encryption
        • Process-based ACLs
        • File and block encryption
        • Multiple encrypted mount points
        • Maximum performance
        • Enterprise scalability
        • Packaged support for MongoDB, Cassandra, Hadoop, MySQL, PostgreSQL
  • 18. zNcrypt Architecture
        • Key Management
          – Off-site key storage
          – In the cloud / on premises
          – Hardened & highly available
        • Access Control
          – Process-based ACL rules
          – Transparent data encryption
          – Separate from users & groups
        • Encryption
          – Data at rest / AES-256
          – File level encryption
          – Excellent performance
  • 19. ACL Rules and Encryption
        • MongoDB ACL rule:
            ALLOW @mongodb * /usr/bin/mongod
          This defines mongod as a trusted application for the data namespace @mongodb, granting it access to the cleartext data. The rule identifies the trusted process by its executable path, so that path must be the one the package or cookbook actually installs; a copy of the data made by any other program (cp, rsync, a shell) gets no cleartext access.
        • MongoDB data node directory encryption:
            zncrypt-move encrypt @mongodb /var/lib/mongodb /var/lib/ezncrypt/ezncrypted
          This command encrypts the existing contents of /var/lib/mongodb as well as any new file or data saved to it. Only the mongod process permitted by the @mongodb ACL rule is able to read the cleartext. The last argument is the target mount point for the encrypted data.
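The ACL rule above is the entire access-control decision for the cleartext, so it is worth seeing how such rules compose and how a loose one fails. The Ruby program below is an added illustration written for this page, not zNcrypt code and not its real rule grammar: it reads each rule as ACTION @namespace file-pattern executable-path (an assumption about the field meanings), matches the two pattern fields as shell globs, default-denies, lets a DENY win over an ALLOW, and contrasts the narrow rule from the slide with an over-broad `ALLOW @mongodb * *`. The rule sets and the access attempts are constructed for the example.

```ruby
# Toy model of process-based ACL rules of the form shown on the slide,
#   ALLOW @mongodb * /usr/bin/mongod
# read here as: ACTION @namespace file-pattern executable-path.
# Added illustration, not zNcrypt's code: the field meanings, glob matching and
# DENY-over-ALLOW precedence are assumptions of this model.

Rule = Struct.new(:action, :namespace, :files, :exe)

# Parse one rule line; raises on anything that is not ALLOW/DENY with four fields.
def parse_rule(line)
  action, namespace, files, exe = line.strip.split(/\s+/, 4)
  unless %w[ALLOW DENY].include?(action) && namespace.to_s.start_with?('@') && files && exe
    raise ArgumentError, "bad rule: #{line.inspect}"
  end
  Rule.new(action, namespace, files, exe)
end

# Parse a rule file, skipping blank lines and # comments.
def parse_rules(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| parse_rule(l) }
end

# Shell-style glob match; without FNM_PATHNAME a bare "*" spans "/" separators,
# so "*" alone matches every path.
def glob_match?(pattern, value)
  File.fnmatch?(pattern, value)
end

# May the process at `exe` read the cleartext of `file` inside `namespace`?
# Default deny; if any matching rule is a DENY it wins over matching ALLOWs.
def cleartext_allowed?(rules, namespace:, file:, exe:)
  matching = rules.select do |r|
    r.namespace == namespace && glob_match?(r.files, file) && glob_match?(r.exe, exe)
  end
  !matching.empty? && matching.none? { |r| r.action == 'DENY' }
end

# Constructed rule sets: the narrow rule from the slide, and an over-broad one.
NARROW_RULES = parse_rules(<<~RULES)
  # only the mongod binary sees @mongodb cleartext, for every file in the namespace
  ALLOW @mongodb * /usr/bin/mongod
RULES

BROAD_RULES = parse_rules(<<~RULES)
  ALLOW @mongodb * *
  DENY  @mongodb * /usr/bin/rsync
RULES

# Constructed access attempts a node might see: the database itself, a backup
# tool, an interactive read, and mongod reaching into another namespace.
ATTEMPTS = {
  'mongod reads its own data' => { namespace: '@mongodb',   file: '/var/lib/mongodb/test.0', exe: '/usr/bin/mongod' },
  'rsync copies the data dir' => { namespace: '@mongodb',   file: '/var/lib/mongodb/test.0', exe: '/usr/bin/rsync'  },
  'root cats a data file'     => { namespace: '@mongodb',   file: '/var/lib/mongodb/test.0', exe: '/bin/cat'        },
  'mongod reads @cassandra'   => { namespace: '@cassandra', file: '/var/lib/cassandra/x.db', exe: '/usr/bin/mongod' },
}

# Evaluate every attempt under a rule set; returns { label => true/false }.
def evaluate(rules)
  ATTEMPTS.transform_values { |a| cleartext_allowed?(rules, **a) }
end

if __FILE__ == $PROGRAM_NAME
  { 'narrow' => NARROW_RULES, 'broad' => BROAD_RULES }.each do |name, rules|
    puts "#{name} rule set:"
    evaluate(rules).each { |label, ok| puts "  #{ok ? 'ALLOW' : 'DENY '}  #{label}" }
  end
end
```

The point to take from the broad set: once the executable field is a wildcard, an interactive `cat` of the data files gets cleartext, and adding a DENY for rsync closes only one of many paths. The narrow rule needs no DENY at all because everything that is not mongod is denied by default.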
  • 20. Gazzang zTrustee™ – Controlling Authentication Objects
        Securing “opaque objects” with policy management and adaptive “trustee” authorization capabilities.
        Deposit policy options:
        • Time to live
        • Number of retrievals
        • URL
        • Trustee approval
        • Much more
        Client API library:
        • Java
        • Python
        • C library
        Trustees must approve release of objects in accordance with the deposit policy.
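Slide 20 describes release of a deposited object (for instance a node's master encryption key) as governed by the policy set at deposit time: time to live, retrieval count, trustee approval. The Ruby below is an added model written for this page, not zTrustee code or its client API; the policy field names, the `allowed_clients` clause and the order in which the clauses are checked are assumptions of the model. It walks one constructed key deposit through a series of retrieval attempts and reports which policy clause rejected each.

```ruby
# Toy model of policy-governed deposit and retrieval of an opaque object, in the
# spirit of the zTrustee description. Added illustration, not zTrustee's code or
# API: the policy fields and the check order are assumptions of this model.
require 'set'

class PolicyViolation < StandardError; end

class Deposit
  attr_reader :retrievals

  # Policy keys (all optional): :ttl (seconds from deposit), :max_retrievals,
  # :trustees (who may approve), :approvals_required, :allowed_clients.
  def initialize(secret, deposited_at:, **policy)
    @secret = secret
    @deposited_at = deposited_at
    @policy = policy
    @retrievals = 0
  end

  # Release the secret only if every clause of the deposit policy holds.
  # Approvals are trustee names here; a real system would verify signatures.
  def retrieve(client:, now:, approvals: [])
    if @policy[:ttl] && now > @deposited_at + @policy[:ttl]
      raise PolicyViolation, 'time to live expired'
    end
    if @policy[:max_retrievals] && @retrievals >= @policy[:max_retrievals]
      raise PolicyViolation, 'retrieval count exhausted'
    end
    if @policy[:allowed_clients] && !@policy[:allowed_clients].include?(client)
      raise PolicyViolation, "client #{client} not permitted"
    end
    if @policy[:approvals_required]
      valid = Set.new(approvals) & Set.new(@policy.fetch(:trustees, []))
      if valid.size < @policy[:approvals_required]
        raise PolicyViolation, "need #{@policy[:approvals_required]} trustee approvals, got #{valid.size}"
      end
    end
    @retrievals += 1
    @secret
  end
end

# One attempt, reported as 'ok' or the violation message instead of raising.
def attempt(deposit, **args)
  deposit.retrieve(**args)
  'ok'
rescue PolicyViolation => e
  e.message
end

# Constructed walk-through: a master key deposited at t=0 with a one-hour TTL,
# at most two retrievals, two trustees of whom one must approve, and only the
# node's own client id allowed. Returns the outcome of each attempt in order.
def demo
  key = Deposit.new('master-key-bytes', deposited_at: 0,
                    ttl: 3600, max_retrievals: 2, allowed_clients: ['mongo-node-1'],
                    trustees: ['alice', 'bob'], approvals_required: 1)
  [
    attempt(key, client: 'mongo-node-1', now: 10,   approvals: []),          # no approval
    attempt(key, client: 'mongo-node-1', now: 10,   approvals: ['mallory']), # not a trustee
    attempt(key, client: 'mongo-node-2', now: 10,   approvals: ['alice']),   # wrong client
    attempt(key, client: 'mongo-node-1', now: 10,   approvals: ['alice']),   # released (1 of 2)
    attempt(key, client: 'mongo-node-1', now: 20,   approvals: ['bob']),     # released (2 of 2)
    attempt(key, client: 'mongo-node-1', now: 30,   approvals: ['alice']),   # count exhausted
    attempt(key, client: 'mongo-node-1', now: 4000, approvals: ['alice']),   # TTL expired
  ]
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The retrieval counter and the TTL are what make a stolen client credential less useful: after the node has fetched its key the allotted number of times, or after the window closes, the same credential returns nothing even with a trustee's approval.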
  • 21. Ease of Deployment
        • Install zNcrypt
          – Package managers (yum, apt-get), Chef, Puppet, JuJu, etc.
        • Create master encryption key
          – Passphrase method (optional “split security”)
          – RSA key file method
        • Create ACLs
          – Simple command lines (ALLOW/DENY style)
          – Virtually any application, process or script can be allowed: MongoDB, Hadoop, Cassandra, MySQL, Apache, Tomcat, document management, etc.
        • Encrypt data
          – Simple command line calls, down to the file level
  • 22. Chef – Opscode Community
  • 28. Install MongoDB and zNcrypt with #chef-client
  • 31. zNcrypt Cookbook Source on github: https://github.com/gazzang/cookbooks/tree/master/zncrypt
  • 32. Walk Through zNcrypt Cookbook
        • Attributes
          – https://github.com/gazzang/cookbooks/blob/master/zncrypt/attributes/default.rb
        • Recipes
          – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/zncrypt.rb
          – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/activate.rb
          – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/configdirs.rb
          – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/default.rb
          – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/mongodb.rb
  • 33. Gazzang Overview: Gazzang provides big data security solutions that help enterprises protect sensitive information and maintain performance in the cloud or on premises. 150+ direct customers across SaaS, healthcare, financial services, technology and government.
  • 34. Thank You. Q&A
  • 35. Protect Your MongoDB Data. For more information contact us: info@gazzang.com; Eddie Garcia, eddie.garcia@gazzang.com