Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which every day brings more sensitive data into the conversation about risk and about what constitutes a natural target for bad actors. This presentation reflects on current best practices for addressing the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
3. Cloud Trust Themes
Service: benefits of tighter configs by relinquishing some control
● Flexibility across clouds
● Meet industry standards
● Advantage in trusted bridge builders
4. Cloud Trust Themes
Common questions
● What can provider see (segregation of duties, AAA)
● What happens when provider detects a CVE or an incident
● How do we get operational logs
● Who is responsible for what
● Which key authorities can be used
● Where is the data really (can it disappear, can it not disappear)
5. Cloud Trust Themes
Why it is so important to get Enterprise Cloud Security right
● Cause of breaches - configuration flaws, unpatched vulns
● Reputation loss, regulatory oversight and fines increasing
https://www.computerweekly.com/news/450401190/UK-firms-could-face-122bn-in-data-breach-fines-in-2018
9. 60,000 Rivets - Per Plane
1. Normal Checklist - takeoff and landing routines
2. Emergency Checklist - minutes to make a critical decision
“Life begins with a checklist...and it may end if you don’t use it”
United States War Office Film 1-3301 How to Fly the B-26
http://www.flyingpenguin.com/?p=12965
11. DIY Checklists - Great Way to Learn!
https://github.com/pkdone/MongoSecurityPlaypen
WARNING: This project intentionally is NOT "production secure"
(Graphic: The DIY Security Service Layer)
12. “...as a Service” is Less Complex, Fewer Errors
On-premises and Self-managed in a cloud (same list for both):
● Download, install, configure management software
● Configure firewall and manage ports
● Encrypt network traffic for MongoDB deployment
● Encrypt network traffic to/from management software and your MongoDB deployment
● Enable and configure authentication
● Enable and configure RBAC
● Configure storage-level encryption
● Encrypt backup jobs
● Security hardening
Database as a Service:
● Managed features with minimal configuration
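Added example, not from the deck or from MongoDB: a check of the self-managed column against a mongod.conf in its parsed form. Both configs are constructed (the keys are the real mongod.conf options; hostnames and paths are assumed), and the key-management check reflects the later slide's point that the keystore should stay under the organization's control via KMIP.

```python
# Added example: check a parsed mongod.conf against the self-managed checklist.
WEAK = {  # constructed: listens everywhere, no auth, no TLS, no encryption
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "storage": {"dbPath": "/var/lib/mongo"},
}
HARDENED = {  # constructed: checklist applied; keys come from a KMIP appliance
    "net": {"bindIp": "127.0.0.1,10.0.1.5", "port": 27017,
            "tls": {"mode": "requireTLS", "CAFile": "/etc/ssl/ca.pem",
                    "certificateKeyFile": "/etc/ssl/mongod.pem"}},
    "security": {"authorization": "enabled", "clusterAuthMode": "x509",
                 "enableEncryption": True,  # Encrypted Storage Engine (ESE)
                 "kmip": {"serverName": "kmip.example.internal",  # assumed host
                          "port": 5696,
                          "clientCertificateFile": "/etc/ssl/kmip-client.pem",
                          "serverCAFile": "/etc/ssl/kmip-ca.pem"}},
    "auditLog": {"destination": "file", "format": "JSON",
                 "path": "/var/log/mongodb/audit.json"},
}

def lookup(conf, dotted):
    """Value at a dotted mongod.conf path (e.g. 'net.tls.mode'), or None."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def hardening_findings(conf):
    """Checklist items the config fails; an empty list means all applied."""
    found = []
    if lookup(conf, "security.authorization") != "enabled":
        found.append("auth/RBAC: set security.authorization: enabled")
    tls = lookup(conf, "net.tls.mode") or lookup(conf, "net.ssl.mode")
    if tls not in ("requireTLS", "requireSSL"):  # net.ssl is the pre-4.2 name
        found.append("network encryption: set net.tls.mode: requireTLS")
    binds = [a.strip() for a in str(lookup(conf, "net.bindIp") or "").split(",")]
    if lookup(conf, "net.bindIpAll") or any(a in ("0.0.0.0", "::") for a in binds):
        found.append("firewall/ports: bound to all interfaces; bind explicit addresses")
    if lookup(conf, "security.enableEncryption") is not True:
        found.append("storage encryption: set security.enableEncryption: true")
    elif not lookup(conf, "security.kmip.serverName"):
        found.append("key management: local key file; use a KMIP server you control")
    if lookup(conf, "auditLog.destination") is None:
        found.append("activity logs: enable auditLog for user/role and CRUD events")
    ldap = lookup(conf, "security.ldap.servers")
    if ldap and lookup(conf, "security.ldap.transportSecurity") != "tls":
        found.append("LDAP: set security.ldap.transportSecurity: tls (LDAPS)")
    return found
```

Running `hardening_findings(WEAK)` lists the five missing items; the hardened config returns an empty list.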
17. VPC Per Atlas Project
(Diagram: application server environments reach the cluster through TLS in-flight encryption, an IP whitelist and authentication (SCRAM or LDAPS); the replica set, a Primary plus two Secondaries spread across Zone 1, Zone 2 and Zone 3, runs in a dedicated VPC per project with AES at-rest encryption)
● Network default closed to public
● IP addresses explicitly whitelisted for inbound traffic
● User/password required to connect to database with configurable privileges
● Encryption
○ TLS In-Transit (Network)
○ AES At-Rest (Volume)
18. VPC Per Atlas Project
(Diagram: your VPC for application servers is joined by a VPC peering connection to the peered VPC (per project) holding the Primary and two Secondaries across Zone 1, Zone 2 and Zone 3, with AES at-rest encryption and authentication (SCRAM or LDAPS))
● Network default closed to public
● IP addresses explicitly whitelisted for inbound traffic
● User/password required to connect to database with configurable privileges
● Encryption
○ TLS In-Transit (Network)
○ AES At-Rest (Volume)
● Peering cluster VPC to app VPC = private network (can even reference VPC peered security groups)
22. Activity Logs
● Records
○ Database Processes
○ Create, Read, Update, Delete (CRUD)
● Live feeds on all actions for monitoring/alerts
○ User or role modifications
○ Cluster deploy
○ Scale
○ Termination operations
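Added example, not from the deck or from MongoDB: alert rules over audit events in the mongod audit-log JSON shape, covering two of the watch items above (user/role modifications and failed logins). The sample events, the source addresses and the three-failure threshold are constructed.

```python
# Added example: alert rules over mongod audit-log lines (JSON, one event per
# line) for user/role changes and repeated failed logins.
import json
from collections import Counter

# Constructed sample events in mongod's audit-log JSON shape (not real traffic).
SAMPLE_AUDIT = r"""
{"atype":"authenticate","ts":{"$date":"2018-05-01T10:00:01.000+0000"},"local":{"ip":"10.0.1.5","port":27017},"remote":{"ip":"203.0.113.9","port":50211},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2018-05-01T10:00:02.000+0000"},"local":{"ip":"10.0.1.5","port":27017},"remote":{"ip":"203.0.113.9","port":50212},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2018-05-01T10:00:03.000+0000"},"local":{"ip":"10.0.1.5","port":27017},"remote":{"ip":"203.0.113.9","port":50213},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"createUser","ts":{"$date":"2018-05-01T10:05:00.000+0000"},"local":{"ip":"10.0.1.5","port":27017},"remote":{"ip":"10.0.2.9","port":51234},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"svc2","db":"shop","roles":[{"role":"readWrite","db":"shop"}]},"result":0}
{"atype":"grantRolesToUser","ts":{"$date":"2018-05-01T10:06:00.000+0000"},"local":{"ip":"10.0.1.5","port":27017},"remote":{"ip":"10.0.2.9","port":51240},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"svc2","db":"shop","roles":[{"role":"root","db":"admin"}]},"result":0}
{"atype":"createCollection","ts":{"$date":"2018-05-01T10:07:00.000+0000"},"local":{"ip":"10.0.1.5","port":27017},"remote":{"ip":"10.0.2.9","port":51241},"users":[{"user":"svc2","db":"shop"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"ns":"shop.orders"},"result":0}
"""

PRIVILEGE_EVENTS = {"createUser", "dropUser", "updateUser", "grantRolesToUser",
                    "revokeRolesFromUser", "createRole", "updateRole", "dropRole",
                    "grantPrivilegesToRole", "revokePrivilegesFromRole"}
BROAD_ROLES = {"root", "userAdminAnyDatabase", "readWriteAnyDatabase",
               "dbAdminAnyDatabase", "clusterAdmin", "__system"}
AUTH_FAILED = 18  # mongod error code AuthenticationFailed
FAIL_THRESHOLD = 3  # constructed: failures from one source IP before alerting

def audit_alerts(text):
    """Return (severity, message) tuples for the watch items in the log text."""
    alerts, failures = [], Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor = ",".join(u["user"] + "@" + u["db"] for u in ev.get("users", [])) or "-"
        src = ev.get("remote", {}).get("ip", "?")
        if ev["atype"] == "authenticate" and ev["result"] == AUTH_FAILED:
            failures[src] += 1  # one alert per source once the threshold is hit
            if failures[src] == FAIL_THRESHOLD:
                alerts.append(("medium", f"{FAIL_THRESHOLD} failed logins from {src} (user {ev['param']['user']})"))
        elif ev["atype"] in PRIVILEGE_EVENTS and ev["result"] == 0:
            granted = {r["role"] for r in ev["param"].get("roles", [])}
            sev = "high" if granted & BROAD_ROLES else "medium"  # broad role = high
            alerts.append((sev, f"{ev['atype']} on {ev['param'].get('user', ev['param'].get('role'))} by {actor} from {src}: roles {sorted(granted)}"))
    return alerts
```

On the sample, `audit_alerts(SAMPLE_AUDIT)` yields three alerts: the failed-login burst, the createUser, and a high-severity alert for the grant of root; the createCollection event is ordinary CRUD and is not flagged.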
24. Fine-grained monitoring and alerts
● Monitoring and alerts provide full metrics on the state of your cluster’s database and server usage
● Automatic notifications when your database operations or server usage reach defined thresholds that affect your cluster's performance
● Combining our automated alerting with the flexible scale-up-and-out options in MongoDB Atlas, we can keep your database-supported applications always performing as well as they should
28. Behavioral Advisor
● Always-on for dedicated clusters
● Delivers automated recommendations without perf overhead
○ Relevant stats on slow queries
○ Automated index suggestions
○ Existing indexes across clusters
29. Data Explorer
● Interact with data from within UI
● A convenient way to:
○ Run queries
○ See metadata about your databases & collections
○ View information about your indexes, including index usage statistics
30. Queryable Snapshots
Query backup and restore data at document level in minutes
○ Identify whether data of interest has been altered and pinpoint the best time to restore the database by comparing multiple snapshots
32. Service Levels
(Diagram: three layers, Key Store, Key Distribution and Encrypted Data, shown across a spectrum from More Control (Customer-Managed Keys), where the Customer holds all three layers, to More Ease (Encryption by Default), where the Cloud Key Service holds them)
33. Service Use Cases
(Diagram: the same spectrum mapped to data classes, from Regulated / Top Secret (PII/PHI/PCI) at the More Control (Customer-Managed Keys) end, through Secret (IP, Internal), to Confidential at the More Ease (Encryption by Default) end; the Key Store, Key Distribution and Encrypted Data layers move from the Customer to the Cloud Key Service along the way)
35. Partner Key Management Appliance: Master Keys
(Diagram: a partner key management appliance holding the master keys serves replica hosts (Linux, Windows…) over KMIP (create / get), authenticated with a certificate PEM file and a CA certificates file; on each host the mongod (Replica0, Replica1, Replica2) keeps an internal keystore encrypted by the master key, with per-database keys DB0, DB1 … DBn under ESE embedded key management)
Key management and keystore controlled by the organization, not the cloud service provider
(https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tc-hybrid-sp1800-19a-preliminary-draft.pdf)
36. IaaS Key Service Differences
Key Service | Symmetric | Asymmetric | Data Size | Unwrap keys | Sign/verify
AWS KMS | AES-GCM-256 | N/A | 4kB | RSA-OAEP and CKM_RSA_PKCS | N/A
GCP KMS | AES-GCM-256 | N/A | 64kB | N/A | N/A
Azure KV | AES-256 | RSA-2048 with RSA-OAEP and CKM_RSA_PKCS | Single 2048-bit RSA block | RSA-OAEP and CKM_RSA_PKCS | RSA-PSS and CKM_RSA_PKCS
http://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://cloud.google.com/kms/docs/
https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest#key-hierarchy
37. For Instance: Migration Checklist
Log Review
Security Policy Review
Identity and Access Control Configuration
Encryption Key Management
Disaster Recovery / Backup
Redundancy / Resilience
Networked Workloads
Product Load / Scale
Patching Cycles
Abstracted Service Architecture
38. “...as a Service” is Less Complex, Fewer Errors