Enterprise Security
in the Cloud
Davi Ottenheimer
MongoDB
Product Security
Making safety easier, faster, and more flexible
Davi Ottenheimer
Product Security
https://www.flickr.com/photos/39391550@N00/6116946646
Security in the Cloud
Why Do We Trust
600,000 Rivet Towers
Spanning a Salt Fog?
SALT FOG
60,000 Rivets Per Plane
1. Normal - takeoff and landing routines
2. Emergency - minutes to make a critical decision
“Life begins with a checklist...and it may end if you don’t use it”
United States War Office Film 1-3301 How to Fly the B-26
http://www.flyingpenguin.com/?p=12965
Standards of Service Organization Control
Compliance: Because even
experienced, smart people
get security wrong
PRIVACY & SECURITY
INTEGRITY
AVAILABILITY
CONFIDENTIALITY
AICPA
SOC 2
DIY Security - A Great Way to Learn!
https://github.com/pkdone/MongoSecurityPlaypen
WARNING: This project intentionally is NOT "production secure"
SECURITY SERVICES
Let’s make security less complex with fewer errors...
On-premises / Self-managed in a cloud (the same list applies to both):
• Download, install, configure management software
• Configure firewall and manage ports
• Encrypt network traffic for MongoDB deployment
• Encrypt network traffic to/from management software and your MongoDB deployment
• Enable and configure authentication
• Enable and configure RBAC
• Configure storage-level encryption
• Encrypt backup jobs
• Security hardening
Database as a Service:
• Managed features with minimal configuration
Enterprise Security Agenda in Cloud
Identity and Access
Auditing
Encryption
Identity and Access
Secure Access in Cloud
Default Role is Closed
Multi-Factor Authentication (MFA) Integration
Role-based Access Controls (RBAC) for Projects, Users and Teams
Secure Access in Cloud
Basic Checks
• TLS in-flight data encryption
• SCRAM or LDAP for user login
• Firewall (IP whitelist, default closed)
Design Considerations
• Dedicated VPC/Vnet: isolated single-tenant cluster nodes
• Peering between AWS VPCs (in same AWS region)
Dedicated VPC (per project)
• Network by default closed to public traffic
• IP addresses must be explicitly whitelisted for inbound traffic
• Username and password required to connect to database with configurable privileges
• Encryption
  • TLS In-Transit (Network)
  • AES At-Rest (Volume)
[Diagram: a VPC per Atlas project, with a firewall (IP whitelist), user & password authorization and at-rest encryption around a replica set of one Primary and two Secondaries; application server environments reach it over TLS-encrypted connections.]
Peering Between VPC
• Network by default closed to public traffic
• IP addresses must be explicitly whitelisted for inbound traffic
• Username and password required to connect to database with configurable privileges
• Encryption
  • TLS In-Transit (Network)
  • AES At-Rest (Volume)
• Peering cluster VPC to app VPC = private network (can even reference VPC peered security groups)
[Diagram: the VPC per Atlas project (firewall, user & password authorization, at-rest encryption, Primary and two Secondaries) joined by a VPC Peering connection to your VPC for app servers, where the application server environments run.]
Data Flow Diagrams
[Diagram: the customer's account and network reach the cluster on IaaS through a Query Router (mongos) backed by Config Servers. Unsharded: one replica set (Primary plus two Secondaries) spread across Zone 1, Zone 2 and Zone 3. Sharded: each shard (Shard 0, Shard 1, Shard 2) is its own replica set laid out the same way, with a Backup Service attached to each shard.]
Auditing
Activity Logs
• Records
• Database Processes
• Create, Read, Update, Delete (CRUD)
• Live feeds on all actions for monitoring/alerts
• User or role modifications
• Cluster deploy
• Scale
• Termination operations
Fine-grained monitoring and alerts
● Monitoring and alerts provide full metrics on the state of your cluster’s database and server usage
● Automatic notifications when your database operations or server usage reach defined thresholds that affect your cluster's performance
● Combining our automated alerting with the flexible scale-up-and-out options in MongoDB Atlas, we can keep your database-supported applications always performing as well as they should
Real-time activity panel
Insight by revealing what’s happening in your cluster live to diagnose:
• Operations
• Read/Writes
• Network In/Out
• Memory
• Hottest Collections
• Slowest Operations
Behavioral Advisor
Always-on for dedicated clusters
Delivers automated recommendations without perf overhead
• Relevant stats on slow queries
• Automated index suggestions
• Existing indexes across clusters
Data Explorer
Interact with data from within the UI. Data Explorer is a convenient way to:
• Run queries
• See metadata about your databases & collections
• View information about your indexes, including index usage statistics
Queryable Snapshots
Query backup and restore data at document level in minutes
Identify whether data of interest has been altered and pinpoint the best time to restore the database by comparing multiple snapshots
Encryption
Key Management
[Diagram: Embedded Key Management in Replicas. A partner key management appliance holds the master keys. Each replica host (Linux, Windows…) runs mongod with an internal keystore that is encrypted by the master key and holds the per-database keys DB0, DB1 … DBn. Replica0, Replica1 and Replica2 each reach the appliance over KMIP via TLS (create / get), presenting a certificate PEM file and validating the appliance against a CA certificates file.]
Encryption Service Levels
[Diagram: three service levels on a spectrum from More Control (Customer-Managed Keys) to More Ease (Encryption by Default). Each level has a Key Store, Key Distribution and Encrypted Data, with the Customer and the Cloud Key Service taking different shares of them as the level moves from customer-managed keys toward encryption by default.]
Encryption Service Use Cases
[Diagram: the same spectrum with use cases placed along it: Regulated / Top Secret (PII/PHI/PCI) at the More Control (Customer-Managed Keys) end, Secret (IP, Internal) in the middle, and Confidential at the More Ease (Encryption by Default) end served by the Cloud Key Service.]
IaaS Key Service Differences

Key Service | Symmetric   | Asymmetric                              | Data Size                 | Unwrap keys               | Sign/verify
AWS KMS     | AES-GCM-256 | N/A                                     | 4kB                       | RSA-OAEP and CKM_RSA_PKCS | N/A
GCP KMS     | AES-GCM-256 | N/A                                     | 64kB                      | N/A                       | N/A
Azure KV    | AES-256     | RSA-2048 with RSA-OAEP and CKM_RSA_PKCS | Single 2048-bit RSA block | RSA-OAEP and CKM_RSA_PKCS | RSA-PSS and CKM_RSA_PKCS

http://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://cloud.google.com/kms/docs/
https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest#key-hierarchy
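The key hierarchy from the Embedded Key Management slide (master keys in a partner KMIP appliance, an internal keystore in each replica encrypted by the master key, one key per database), together with the reason the per-call data-size limits in the key service table above do not constrain a database volume, worked through as an added Go example. This is not code from the deck or from MongoDB: the appliance is an in-process stub standing in for KMIP via TLS, and the wrap format (12-byte nonce + AES-256-GCM with the database name as AAD) is my assumption, not MongoDB's on-disk keystore format. The key service only ever wraps 32-byte data keys, and rotating the master key rewraps the keystore without touching the encrypted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// random returns n CSPRNG bytes; with no entropy nothing here is safe, so panic.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM for a 32-byte key (any other length is a bug here).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Wrap encrypts data under key, nonce prepended; aad is bound into the GCM tag.
func Wrap(key, data, aad []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, data, aad)
}

// Unwrap reverses Wrap and fails if the key, the aad or the blob was changed.
func Unwrap(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("missing or truncated blob")
}

// Appliance stands in for the partner KMIP appliance: master keys live here by ID.
type Appliance map[string][]byte

// Get hands out the master key for id (KMIP "get"); creation is a map insert.
func (a Appliance) Get(id string) ([]byte, error) {
	if k, ok := a[id]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("unknown master key %q", id)
}

// Keystore is the replica's internal keystore: per-database data keys, each held only wrapped under the master key, with the database name as AAD.
type Keystore struct {
	MasterID string
	Wrapped  map[string][]byte
}

// NewKeystore mints a fresh data key for each database and wraps it.
func NewKeystore(app Appliance, masterID string, dbs ...string) (*Keystore, error) {
	master, err := app.Get(masterID)
	if err != nil {
		return nil, err
	}
	ks := &Keystore{MasterID: masterID, Wrapped: map[string][]byte{}}
	for _, db := range dbs {
		ks.Wrapped[db] = Wrap(master, random(32), []byte(db))
	}
	return ks, nil
}

// DataKey fetches the master key from the appliance and unwraps db's data key.
func (ks *Keystore) DataKey(app Appliance, db string) ([]byte, error) {
	master, err := app.Get(ks.MasterID)
	if err != nil {
		return nil, err
	}
	return Unwrap(master, ks.Wrapped[db], []byte(db))
}

// RotateMaster re-wraps every data key under newID; the data keys, and so the
// encrypted data on disk, are untouched. (A real store would commit atomically.)
func (ks *Keystore) RotateMaster(app Appliance, newID string) error {
	newMaster, err := app.Get(newID)
	if err != nil {
		return err
	}
	for db := range ks.Wrapped {
		dk, err := ks.DataKey(app, db)
		if err != nil {
			return err
		}
		ks.Wrapped[db] = Wrap(newMaster, dk, []byte(db))
	}
	ks.MasterID = newID
	return nil
}
```

NewKeystore, DataKey and RotateMaster are the entry points; a caller that drives them sees every wrapped keystore entry change on rotation while the data keys they unwrap, and anything sealed under those keys, stay the same.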
For Instance: Recent Migration Checklist
• Log Review
• Security Policies
• Identity and Access Controls
• Encryption and Key Management
• Disaster Recovery / Backup
• Redundancy / Resilience
• Networked Workloads
• Product Load / Scale
• Patching Cycles
Abstracted Service Architecture
MongoDB World 2018: Enterprise Cloud Security