2. #MDBE16
Complexity is the Enemy of Security
Security holes resulting from misconfiguration?
Under ‘time-to-market’ pressures, neglecting to apply a security layer due to complexity?
@TheDonester
3. #MDBE16
Need Clearer Path To [Secure] Success
• Technologies need to keep things simple
• Especially around security
• MongoDB’s security features are orthogonal yet complementary
• Using one feature doesn’t require learning and configuring all other features
13. #MDBE16
Role Based Access Control
Built-in roles
• read, readWrite, dbAdmin, clusterAdmin, root, etc.
User-defined roles
• Based on actions that can be defined for a resource
14. #MDBE16
Defining & Using a Custom Role
Example: “Append-only” role
[Screenshots: define the role & user; try inserting & querying data]
15. #MDBW16
LDAP Authorization*
MongoDB Roles Mapped to LDAP Groups
Role membership is fluid and managed dynamically in the LDAP directory (rather than granting roles to users in MongoDB)
LDAP Authorization is an optional feature available when LDAP direct authentication is enabled
* New in 3.4
16. #MDBW16
Read-Only Views* + Roles
For Record-level Access Control
[Screenshots: define a view (uses the Aggregation Framework); lock down the user to only the view]
* New in 3.4
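As an added example (not from the slides), the "append-only" role of slide 14 and the view-restricted role of slide 16 written as the documents you would pass to db.createRole / db.createView in the mongo shell, together with a small local checker that mirrors MongoDB's documented resource-matching rules so the grants can be tested offline; database, collection and role names are assumptions, and the checker is a simplification, not MongoDB's own authorization code.

```javascript
// Constructed example: role/view documents in the shape db.createRole and
// db.createView accept, plus a local approximation of privilege checking.
// Names (mydb, events, recentEvents, appendOnly, ...) are assumptions.

// Role that may insert into mydb.events but never read it back.
const appendOnlyRole = {
  createRole: "appendOnly",
  privileges: [
    { resource: { db: "mydb", collection: "events" }, actions: ["insert"] },
  ],
  roles: [],
};

// Read-only view (aggregation pipeline) exposing only public events
// without the `secret` field, and a role that may only find on the view.
const recentEventsView = {
  create: "recentEvents",
  viewOn: "events",
  pipeline: [
    { $match: { visibility: "public" } },
    { $project: { secret: 0 } },
  ],
};
const viewReaderRole = {
  createRole: "recentEventsReader",
  privileges: [
    { resource: { db: "mydb", collection: "recentEvents" }, actions: ["find"] },
  ],
  roles: [],
};

// Simplified resource matching: an empty db or collection string acts as a
// wildcard (the system-collection exception and cluster resources are omitted).
function resourceMatches(res, db, coll) {
  return (res.db === "" || res.db === db) &&
         (res.collection === "" || res.collection === coll);
}

// True when any privilege in the role document grants `action` on db.coll.
function isAllowed(roleDoc, action, db, coll) {
  return roleDoc.privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, coll)
  );
}
```

Granting `find` only on the view resource is what gives record-level control: the user never receives `find` on the underlying `events` collection, so the pipeline's `$match` and `$project` are the only path to the data.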
18. #MDBE16
TLS (supersedes SSL)
CRUD API calls over TLS
Internal Traffic over TLS
[Diagram: a driver client machine holding a CA certificates file; server machines 1, 2 and 3 each holding a CA certificates file and a server key & certificate PEM file; CRUD API calls from the client travel over TLS, and internal traffic between the servers travels over TLS]
19. #MDBE16
TLS
• Can apply to client traffic or internal traffic or both
• Supported on all Drivers and MongoDB Tools
• Client Certificate authentication not mandated
• Any client and internal authentication methods can be used
• Can even have authentication / authorization completely disabled
21. #MDBE16
Encrypted Storage Engine
• Native encryption inside the database
• Single-digit % overhead
• Based on WiredTiger
• Two Key Types for easy key rotation
  • Master Key per replica
  • Internal Key per database
• Options for sourcing Master Key:
  • Via 3rd Party Key Management Appliance using KMIP (Key Management Interoperability Protocol)
  • Keyfile on local file-system (not recommended for Production)
35. #MDBW16
Client Authentication Comparisons
Authentication Method             Clear Text Password?                                      Identity Location
Challenge/Response (SCRAM-SHA-1)  No (digest)                                               Internal
x.509 Certificate                 No (digital signature)                                    External
LDAP                              Yes *                                                     External
Kerberos                          No (KDC-generated session key encrypted with password)    External
* Can be protected via a transport-level security mechanism
36. #MDBE16
Internal Authentication Comparisons
• x.509 Cert Auth mandates use of TLS/SSL
• Keyfile Auth can be used with TLS/SSL
• x.509 Cert Auth has smaller attack surface area
  • No need for a ‘shared secret’
• x.509 Cert Auth allows for centralized key management
37. #MDBE16
TLS & FIPS 140-2
US government security standard to accredit cryptographic modules
• OpenSSL “FIPS Object Module”
  • Certified component optionally used via OpenSSL
  • Ensures source code not tampered with (checks signature against original certified version)
• MongoDB configurable option: FIPSMode: true
  • Also applies to Encryption-at-Rest
FIPS 140-2: Federal Information Processing Standard (FIPS) Publication 140-2
39. #MDBE16
Log Redaction*
Redact Client Data Shown in System Log Files
Trade-off:
• All potentially sensitive user data omitted from logs
vs.
• Harder to diagnose system & performance issues
* New in 3.4