7. 60,000 Rivets Per Plane
1. Normal - takeoff and landing routines
2. Emergency - minutes to make a critical decision
“Life begins with a checklist...and it may end if you don’t use it”
United States War Office Film 1-3301 How to Fly the B-26
http://www.flyingpenguin.com/?p=12965
8. Standards of Service Organization Control
Compliance: Because even experienced, smart people get security wrong
[Diagram: AICPA SOC 2 trust principles: privacy & security, integrity, availability, confidentiality]
9. DIY Security - A Great Way to Learn!
https://github.com/pkdone/MongoSecurityPlaypen
WARNING: This project intentionally is NOT "production secure"
10. Let’s make security less complex with fewer errors...
On-premises and self-managed in a cloud (the same task list applies to both):
• Download, install, configure management software
• Configure firewall and manage ports
• Encrypt network traffic for MongoDB deployment
• Encrypt network traffic to/from management software and your MongoDB deployment
• Enable and configure authentication
• Enable and configure RBAC
• Configure storage-level encryption
• Encrypt backup jobs
• Security hardening
Database as a Service: managed features with minimal configuration
13. Secure Access in Cloud
Default Role is Closed
Multi-Factor Authentication (MFA) Integration
Role-based Access Controls (RBAC) for Projects, Users and Teams
14. Secure Access in Cloud
Basic Checks
• TLS in-flight data encryption
• SCRAM or LDAP for user login
• Firewall (IP whitelist, default closed)
Design Considerations
• Dedicated VPC/Vnet: isolated single-tenant cluster nodes
• Peering between AWS VPCs (in same AWS region)
15. Dedicated VPC (per project)
• Network by default closed to public traffic
• IP addresses must be explicitly whitelisted for inbound traffic
• Username and password required to connect to database with configurable privileges
• Encryption
  • TLS In-Transit (Network)
  • AES At-Rest (Volume)
[Diagram: VPC per Atlas project with firewall (IP whitelist), user & password authorization and at-rest encryption; application server environments connect over TLS to a replica set of one primary and two secondaries]
16. Peering Between VPC
[Diagram: the Atlas project VPC (firewall, at-rest encryption, user & password authorization, one primary and two secondaries) joined to your VPC for app servers by a VPC peering connection]
• Network by default closed to public traffic
• IP addresses must be explicitly whitelisted for inbound traffic
• Username and password required to connect to database with configurable privileges
• Encryption
  • TLS In-Transit (Network)
  • AES At-Rest (Volume)
• Peering cluster VPC to app VPC = private network (can even reference VPC peered security groups)
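The self-managed task list on slide 10 and the basic checks on slides 14 to 16 (TLS in flight, SCRAM or LDAP login, a default-closed firewall, at-rest encryption) can be turned into an automated configuration audit. The Go program below is an added example, not code from this deck or from MongoDB: it audits a constructed stand-in for the parsed subset of mongod.conf it cares about. The keys named in the field comments (net.bindIp, net.bindIpAll, net.tls.mode, security.authorization, setParameter.authenticationMechanisms, security.enableEncryption) are real mongod options, but the struct, the rule set and the two sample configurations are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// MongodConfig is a constructed stand-in for the parsed subset of mongod.conf
// these checks look at; each field names the YAML key it mirrors.
type MongodConfig struct {
	BindIP           string   // net.bindIp, comma-separated listen addresses
	BindIPAll        bool     // net.bindIpAll
	TLSMode          string   // net.tls.mode: disabled | allowTLS | preferTLS | requireTLS
	Authorization    string   // security.authorization: enabled | disabled
	AuthMechanisms   []string // setParameter.authenticationMechanisms (empty = server default)
	EnableEncryption bool     // security.enableEncryption (encrypted storage engine, Enterprise)
}

// Finding records one failed checklist item and what to change.
type Finding struct {
	Check  string
	Detail string
}

// auditConfig applies the deck's basic checks and returns one Finding per
// failure; an empty result means the configuration passed all of them.
func auditConfig(c MongodConfig) []Finding {
	var out []Finding

	// Firewall / IP whitelist: never listen on every interface.
	if c.BindIPAll {
		out = append(out, Finding{"firewall", "net.bindIpAll is true; bind to explicit addresses and whitelist clients"})
	}
	for _, addr := range strings.Split(c.BindIP, ",") {
		addr = strings.TrimSpace(addr)
		if addr == "0.0.0.0" || addr == "::" {
			out = append(out, Finding{"firewall", "net.bindIp contains the wildcard address " + addr})
		}
	}

	// In-flight encryption: only requireTLS rejects plaintext sessions.
	if c.TLSMode != "requireTLS" {
		out = append(out, Finding{"tls", fmt.Sprintf("net.tls.mode is %q; plaintext connections are still accepted", c.TLSMode)})
	}

	// Authentication: authorization on, mechanisms limited to SCRAM or LDAP (PLAIN).
	if c.Authorization != "enabled" {
		out = append(out, Finding{"authentication", "security.authorization is not enabled"})
	}
	allowed := map[string]bool{"SCRAM-SHA-256": true, "SCRAM-SHA-1": true, "PLAIN": true}
	for _, m := range c.AuthMechanisms {
		if !allowed[m] {
			out = append(out, Finding{"authentication", "mechanism " + m + " is neither SCRAM nor LDAP (PLAIN)"})
		}
		// PLAIN sends the password itself, so it is only acceptable over TLS.
		if m == "PLAIN" && c.TLSMode != "requireTLS" {
			out = append(out, Finding{"authentication", "PLAIN (LDAP) without requireTLS sends passwords in clear"})
		}
	}

	// At-rest encryption of the storage engine / volume.
	if !c.EnableEncryption {
		out = append(out, Finding{"at-rest-encryption", "security.enableEncryption is false (or no volume-level encryption configured)"})
	}
	return out
}

// checkNames lists just the failed check names, in audit order.
func checkNames(fs []Finding) []string {
	names := make([]string, 0, len(fs))
	for _, f := range fs {
		names = append(names, f.Check)
	}
	return names
}

// Two constructed sample configurations: an unhardened install and a hardened one.
var (
	weakSample = MongodConfig{
		BindIP:         "0.0.0.0",
		TLSMode:        "disabled",
		Authorization:  "disabled",
		AuthMechanisms: []string{"MONGODB-CR"},
	}
	hardenedSample = MongodConfig{
		BindIP:           "10.0.1.5,127.0.0.1",
		TLSMode:          "requireTLS",
		Authorization:    "enabled",
		AuthMechanisms:   []string{"SCRAM-SHA-256"},
		EnableEncryption: true,
	}
)

func main() {
	for _, s := range []struct {
		name string
		cfg  MongodConfig
	}{{"weak", weakSample}, {"hardened", hardenedSample}} {
		findings := auditConfig(s.cfg)
		fmt.Printf("%s: %d finding(s)\n", s.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s\n", f.Check, f.Detail)
		}
	}
}
```

The weak sample produces five findings (wildcard bind, TLS off, authorization off, a non-SCRAM mechanism, no at-rest encryption) and the hardened one none. The PLAIN rule is the one worth remembering: LDAP login is on the deck's allowed list, but it only stays acceptable when the listener also requires TLS, so the audit ties the two checks together rather than scoring them independently.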
17. Data Flow Diagrams
[Diagram: customer account and network on the IaaS with the Backup Service; an unsharded cluster is a replica set of one primary and two secondaries spread over Zone 1, Zone 2 and Zone 3; a sharded cluster adds the Query Router (mongos) and Config Servers, with Shard 0, Shard 1 and Shard 2 each being a replica set of one primary and two secondaries]
19. Activity Logs
• Records
• Database Processes
• Create, Read, Update, Delete (CRUD)
• Live feeds on all actions for monitoring/alerts
• User or role modifications
• Cluster deploy
• Scale
• Termination operations
21. Fine-grained monitoring and alerts
• Monitoring and alerts provide full metrics on the state of your cluster’s database and server usage
• Automatic notifications when your database operations or server usage reach defined thresholds that affect your cluster's performance
• Combining our automated alerting with the flexible scale-up-and-out options in MongoDB Atlas, we can keep your database-supported applications always performing as well as they should
25. Behavioral Advisor
Always-on for dedicated clusters
Delivers automated recommendations without perf overhead
• Relevant stats on slow queries
• Automated index suggestions
• Existing indexes across clusters
26. Data Explorer
Interact with data from within the UI.
Data Explorer is a convenient way to:
• Run queries
• See metadata about your databases & collections
• View information about your indexes, including index usage statistics
27. Queryable Snapshots
Query backup and restore data at document level in minutes
Identify whether data of interest has been altered and pinpoint the best time to restore the database by comparing multiple snapshots
31. Encryption Service Levels
[Diagram: three encryption service levels, each made of a key store, key distribution and encrypted data, ranging from More Control (Customer-Managed Keys, with the customer operating the key store and key distribution) to More Ease (Encryption by Default, with the Cloud Key Service operating them)]
32. Encryption Service Use Cases
[Diagram: the same More Control (Customer-Managed Keys) to More Ease (Encryption by Default, Cloud Key Service) spectrum mapped to data classes: Regulated / Top Secret (PII/PHI/PCI) at the customer-managed end, Secret (IP, Internal) in the middle, Confidential at the encryption-by-default end]
33. IaaS Key Service Differences
Key Service | Symmetric | Asymmetric | Data Size | Unwrap keys | Sign/verify
AWS KMS | AES-GCM-256 | N/A | 4kB | RSA-OAEP and CKM_RSA_PKCS | N/A
GCP KMS | AES-GCM-256 | N/A | 64kB | N/A | N/A
Azure KV | AES-256 | RSA-2048 with RSA-OAEP and CKM_RSA_PKCS | Single 2048-bit RSA block | RSA-OAEP and CKM_RSA_PKCS | RSA-PSS and CKM_RSA_PKCS
http://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://cloud.google.com/kms/docs/
https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest#key-hierarchy
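The Data Size column is the practical reason the key store / key distribution / encrypted data split on slides 31 and 32 looks the way it does: a key service encrypts at most a few kilobytes per call, so the service wraps a per-document data key while the data itself is encrypted locally (envelope encryption). The Go program below is an added example, not code from this deck or from any cloud provider's SDK; kmsStub is a constructed in-process stand-in for a key service Encrypt/Decrypt API with a 4 kB per-call limit (the AWS KMS row), the 64 KiB document is constructed sample data, and AES-256-GCM is used on both sides as in the Symmetric column.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// kmsStub is a constructed stand-in for a cloud key service: it holds the
// master key, never hands it out, and refuses payloads over its per-call
// size limit. It is not any provider's SDK.
type kmsStub struct {
	masterKey []byte
	maxBytes  int
}

var errTooLarge = errors.New("kms: payload exceeds the direct-encryption size limit")

func newKMS(limit int) (kmsStub, error) {
	mk := make([]byte, 32) // AES-256 master key
	if _, err := rand.Read(mk); err != nil {
		return kmsStub{}, err
	}
	return kmsStub{masterKey: mk, maxBytes: limit}, nil
}

// sealGCM returns nonce || ciphertext || tag under AES-256-GCM with a fresh nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM and fails on any modification of the sealed bytes.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt is the key service's direct-encryption call, subject to the size cap.
func (k kmsStub) Encrypt(p []byte) ([]byte, error) {
	if len(p) > k.maxBytes {
		return nil, errTooLarge
	}
	return sealGCM(k.masterKey, p)
}

// Decrypt unwraps a blob produced by Encrypt.
func (k kmsStub) Decrypt(c []byte) ([]byte, error) { return openGCM(k.masterKey, c) }

// Envelope is what gets stored next to the data: the service-wrapped data key
// and the locally encrypted payload.
type Envelope struct {
	WrappedDEK []byte
	Sealed     []byte
}

// envelopeEncrypt generates a fresh 256-bit data encryption key (DEK) locally,
// encrypts a payload of any size with it, and sends only the 32-byte DEK to the
// key service for wrapping, so the per-call size limit is never reached.
func envelopeEncrypt(k kmsStub, data []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	sealed, err := sealGCM(dek, data)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := k.Encrypt(dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Sealed: sealed}, nil
}

// envelopeDecrypt asks the key service for the DEK, then decrypts locally.
func envelopeDecrypt(k kmsStub, e Envelope) ([]byte, error) {
	dek, err := k.Decrypt(e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, e.Sealed)
}

func main() {
	kms, err := newKMS(4096)
	if err != nil {
		panic(err)
	}
	doc := bytes.Repeat([]byte("x"), 64*1024) // constructed 64 KiB document
	_, err = kms.Encrypt(doc)
	fmt.Println("direct KMS encrypt of 64 KiB:", err)
	env, err := envelopeEncrypt(kms, doc)
	if err != nil {
		panic(err)
	}
	back, err := envelopeDecrypt(kms, env)
	fmt.Println("envelope round trip ok:", err == nil && bytes.Equal(back, doc))
}
```

Direct encryption of the 64 KiB document is refused by the size cap, while the envelope path succeeds; the wrapped DEK is always 60 bytes (12-byte nonce, 32-byte key, 16-byte GCM tag) regardless of how large the data is. Because both layers use an authenticated mode, flipping a single byte of the stored ciphertext makes decryption fail rather than return corrupted plaintext, which is the property the Queryable Snapshots slide relies on when it talks about telling whether data has been altered.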