Automating a Secure MongoDB Deployment with Opscode and Gazzang
1. Automating a Secure MongoDB Deployment
MongoDB Austin
Matt Ray, Senior Technical Evangelist at Opscode Feb. 15 2013
Eddie Garcia, Vice President of Development at Gazzang
2. What’s In Your Cloud?
What data are you storing?
3/15/2013 Gazzang - All rights reserved 2012
3. What’s In Your Cloud?
How are you protecting that data?
4. What’s In Your Cloud?
How are you managing the keys?
5. Student Record Breaches
• Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files.
• This year alone…
  – 23,000 SSNs breached at the University of North Florida
  – 16,000 SSNs, birth dates and student IDs breached from Eugene, Oregon school district
  – 650,000 records breached from University of Nebraska
  – 350,000 records from UNC Charlotte
  – and more…
6. Breaches Hit Every Industry
7. Data Security For MongoDB
Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB
• Pre-built integration requires no changes to your application or database
• Leverages automation tools for distributed deployment
• World-class support available through Gazzang, 10gen and Opscode
8. MongoDB Use Cases
• Content Management
• Operational Intelligence
• E-Commerce
• User Data Management
• High Volume Data Feeds
10. (slide without extractable text)
11. Documents in MongoDB
• Model richer objects using documents
  – Arrays, sub-documents
  – Data more closely matches how your apps use it
  – Allows faster data model iteration
• Rich atomic updates
  – Pushing/popping items from arrays, incrementing fields: can replace some transaction operations
• Index on any field, including compound indexes
  – Know what data your app needs for faster querying
• Schema-less
  – Doesn’t mean schema free: find the right balance of collections and structure for your data
13. Operations in MongoDB
Replication (diagram: App writing to Replica 1, Replica 2, Replica 3)
• Redundancy and failover
• Can be used to scale read throughput
Auto-sharding (diagram: App writing to Shard 1, Shard 2, Shard 3)
• Partitions data based on a defined key(s), e.g. lastname
• Scales write throughput
14. MongoDB Native Security
(diagram) Admin Users and Regular Users (user1, user2, user3): user authentication. SSL encryption for client connections; SSL encryption for inter-server traffic. Client connects to the Primary, which replicates to the Secondary; each node holds its own Data Files.
15. Education Use Case on MongoDB
(diagram: Node 1 and Node 2, each with its own Data Files)
Teacher record: First Name Bob; Last Name Jones; Email bob@xx.edu; Phone 555-5555; SSN XXX-XX-XXXX; Address 804 Congress; City Austin; State TX
Student record: First Name Alice; Last Name Smith; Email alice@yy.edu; Grade 5th
16. Cloud Security Challenges
• Protect Sensitive Data in the Cloud
  – Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
  – Maintain control of your encryption keys and your proprietary data
• Ensure Big Data Security
  – Harden Big Data infrastructures that have relatively weak security and no encryption protection
  – Maintain Big Data performance and availability
• Enable Compliance
  – Encrypt data at rest and enforce tight access control policies
  – Protect your regulated data in the event of a breach
17. Gazzang zNcrypt™
zNcrypt sits between the file system and any database, application or service running on Linux and encrypts data before it is written to disk.
• AES-256 encryption
• Process-based ACLs
• File and block encryption
• Multiple encrypted mount points
• Maximum performance
• Enterprise scalability
• Packaged support for MongoDB, Cassandra, Hadoop, MySQL, PostgreSQL
18. zNcrypt Architecture
• Key Management
– Off-site key storage
– In the cloud / on premises
– Hardened & highly available
• Access Control
– Process-based ACL rules
– Transparent data encryption
– Separate from users & groups
• Encryption
– Data at rest / AES-256
– File level encryption
– Excellent performance
19. ACL Rules and Encryption
• MongoDB ACL Rule
“ALLOW @mongodb * /usr/bin/mongod”
This defines mongod as a trusted application for the data namespace @mongodb, granting it permission to read the cleartext data.
• MongoDB data node directory encryption
“zncrypt-move encrypt @mongodb /var/lib/mongodb /var/lib/ezncrypt/ezncrypted”
This command encrypts the /var/lib/mongodb directory as well as any new file or data saved to it. Only the MongoDB process will be able to access the data, as permitted by the @mongodb ACL rule. The last argument is the target mount point for the encrypted data.
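The process-based ACL rule on this slide, as an added example that is not Gazzang's code or the zNcrypt cookbook's: a small Ruby evaluator for rules in the ALLOW/DENY shape shown above. It assumes (the slide does not say) that the third field is a file glob within the namespace, that rules are matched first-match-wins, and that anything unmatched is denied; the extra DENY rule for /usr/bin/mongodump, the SAMPLE_ACL text and the sample decisions are constructed.

```ruby
# Added example, not code from Gazzang or the zncrypt cookbook.
# Assumptions (not stated on the slide): field 3 is a glob over file paths
# inside the namespace, rules are matched first-match-wins, and anything
# unmatched is denied. The point it demonstrates is that the subject of the
# rule is the executable path, not a Unix user or group.
Rule = Struct.new(:action, :namespace, :file_glob, :process)

# Parses one rule of the form "ALLOW @namespace <file-glob> <process-path>".
def parse_acl_rule(line)
  action, namespace, file_glob, process = line.strip.split(/\s+/, 4)
  valid = %w[ALLOW DENY].include?(action) &&
          namespace.to_s.start_with?("@") && file_glob && process
  raise ArgumentError, "malformed ACL rule: #{line.inspect}" unless valid
  Rule.new(action, namespace, file_glob, process)
end

# Parses a rule file; blank lines and '#' comments are skipped.
def parse_acl(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?("#") }
      .map { |l| parse_acl_rule(l) }
end

# Decides whether `process` may see cleartext for `path` in `namespace`.
# Returns :allow or :deny; no matching rule means :deny (default deny).
def acl_decision(rules, namespace:, path:, process:)
  rules.each do |r|
    next unless r.namespace == namespace
    next unless File.fnmatch(r.file_glob, path)   # '*' also spans '/' here
    next unless File.fnmatch(r.process, process)
    return r.action == "ALLOW" ? :allow : :deny
  end
  :deny
end

# Constructed rule set: the slide's rule plus a DENY that keeps a backup tool
# away from the journal while still letting it read collection files.
SAMPLE_ACL = <<~ACL
  # action namespace files      trusted process
  ALLOW    @mongodb  *          /usr/bin/mongod
  DENY     @mongodb  journal/*  /usr/bin/mongodump
  ALLOW    @mongodb  *          /usr/bin/mongodump
ACL

# Runs a few constructed access attempts through the rule set.
def demo_decisions
  rules = parse_acl(SAMPLE_ACL)
  {
    mongod_reads_data:      acl_decision(rules, namespace: "@mongodb",   path: "local.0",      process: "/usr/bin/mongod"),
    root_cat_reads_data:    acl_decision(rules, namespace: "@mongodb",   path: "local.0",      process: "/bin/cat"),
    mongod_other_namespace: acl_decision(rules, namespace: "@cassandra", path: "local.0",      process: "/usr/bin/mongod"),
    dump_reads_journal:     acl_decision(rules, namespace: "@mongodb",   path: "journal/j._0", process: "/usr/bin/mongodump"),
    dump_reads_collection:  acl_decision(rules, namespace: "@mongodb",   path: "local.0",      process: "/usr/bin/mongodump"),
  }
end

puts demo_decisions.map { |k, v| "#{k}: #{v}" } if $PROGRAM_NAME == __FILE__
```

The decision a practitioner should notice is root_cat_reads_data: even a root shell reading the data files through /bin/cat gets a deny, because the rule identifies the trusted process by its executable path rather than by user or group, which is what "separate from users & groups" on the architecture slide refers to. The real product's matching semantics may differ from this toy; treat the glob and first-match behaviour as this example's assumptions.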
20. Gazzang zTrustee™ – Controlling Authentication Objects
Securing “opaque objects” with policy management and adaptive “trustee” authorization capabilities:
• Time to live
• Number of retrievals
• URL
• Trustee approval
• Client
• Much more
API Library
• Java
• Python
• C library
Trustees must approve release of objects in accordance with the deposit policy.
21. Ease of Deployment
• Install zNcrypt
  – Package managers (yum, apt-get), Chef, Puppet, Juju, etc.
• Create master encryption key
  – Passphrase method (optional “split security”)
  – RSA key file method
• Create ACLs
  – Simple command lines (ALLOW/DENY style)
  – Almost any process or script allowed: virtually any application, process or script such as MongoDB, Hadoop, Cassandra, MySQL, Apache, Tomcat, document management, etc.
• Encrypt data
  – Simple command-line calls, down to the file level
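The four deployment steps above, carried through as an added example that is not Gazzang's code or the zncrypt cookbook's: a Ruby pre-flight planner for the "Create ACLs" and "Encrypt data" steps that refuses to proceed when the database is still running, the encrypted mount point would nest inside the data directory, the mount point is already taken, or no master key exists yet. The `state` hash is a constructed host snapshot (a real run would query the filesystem, mount table and process list); the checks are general operational assumptions rather than behaviour documented on the slides, and the ACL step is emitted as rule text only, because the deck does not show the command that registers a rule.

```ruby
# Added example, not Gazzang's code. Builds an ordered plan for the ACL and
# encrypt steps using the two command lines from the deck, after checks that
# are this example's assumptions about safe operation, not zNcrypt behaviour.
require "pathname"

class DeploymentError < StandardError; end

# Returns the ordered steps as [{step:, command:}] or raises DeploymentError.
# `state` is a constructed snapshot: { dirs:, running:, mounts:, master_key: }.
def plan_encrypt_move(namespace:, source:, mount:, process:, state:)
  src = Pathname.new(source).cleanpath.to_s
  mnt = Pathname.new(mount).cleanpath.to_s

  raise DeploymentError, "data directory #{src} does not exist" unless state[:dirs].include?(src)
  # Slide order is install -> key -> ACL -> encrypt; the key must exist first.
  raise DeploymentError, "master encryption key has not been created" unless state[:master_key]
  # Moving the data directory underneath a running database is unsafe.
  raise DeploymentError, "stop #{process} before moving #{src}" if state[:running].include?(process)
  # A mount point inside the source would be swept up by the move itself.
  raise DeploymentError, "mount #{mnt} must not live inside #{src}" if mnt.start_with?("#{src}/")
  raise DeploymentError, "#{mnt} is already a mount point" if state[:mounts].include?(mnt)

  [
    { step: :acl,     command: "ALLOW #{namespace} * #{process}" },
    { step: :encrypt, command: "zncrypt-move encrypt #{namespace} #{src} #{mnt}" },
  ]
end

# Constructed host snapshot in which every check passes.
GOOD_STATE = { dirs: ["/var/lib/mongodb"], running: [], mounts: [], master_key: true }.freeze

# The deck's own paths and namespace, run against the constructed snapshot.
def demo_plan(state = GOOD_STATE)
  plan_encrypt_move(namespace: "@mongodb",
                    source: "/var/lib/mongodb",
                    mount: "/var/lib/ezncrypt/ezncrypted",
                    process: "/usr/bin/mongod",
                    state: state)
end

if $PROGRAM_NAME == __FILE__
  demo_plan.each { |s| puts "#{s[:step]}: #{s[:command]}" }
end
```

The rule string and the zncrypt-move command come out exactly as the ACL slide shows them; the value of the planner is that it makes the ordering and the preconditions explicit before anything touches the data directory, which is the same reason the cookbook splits the work into separate recipes.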
22. Chef – Opscode Community
23. (slide without extractable text)
24. (slide without extractable text)
25. (slide without extractable text)
26. (slide without extractable text)
27. (slide without extractable text)
28. Install MongoDB and zNcrypt with #chef-client
29. Install MongoDB and zNcrypt with #chef-client
30. Install MongoDB and zNcrypt with #chef-client
31. zNcrypt Cookbook Source on GitHub
https://github.com/gazzang/cookbooks/tree/master/zncrypt
32. Walk Through zNcrypt Cookbook
• Attributes
  – https://github.com/gazzang/cookbooks/blob/master/zncrypt/attributes/default.rb
• Recipes
  – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/zncrypt.rb
  – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/activate.rb
  – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/configdirs.rb
  – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/default.rb
  – https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/mongodb.rb
33. Gazzang Overview
Gazzang provides big data security solutions that help enterprises protect sensitive information and maintain performance in the cloud or on premises.
150+ Direct Customers: SaaS, Healthcare, Financial Services, Technology, Government
34. Thank You
Q&A
35. Protect Your MongoDB Data
For more information
contact us: info@gazzang.com
Eddie Garcia eddie.garcia@gazzang.com