MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying MongoDB’s Security Capabilities
2 likes1,059 views
The document discusses MongoDB's security features including authentication, authorization, encryption, and auditing. It emphasizes that MongoDB's security features have minimal dependencies and keep the path to secure success clear. The key features are authentication using passwords, LDAP, certificates or Kerberos; role-based authorization; encryption of data in transit using TLS and at rest using the encrypted storage engine; and auditing of operations to a configurable destination.
![#MDBE16
Need Clearer Path To [Secure] Success
• Technologies need to keep things
simple
• Especially around Security
• MongoDB’s security features are
orthogonal yet complimentary
• Using one feature doesn’t require
learning and configuring all other
features
@TheDonester](https://image.slidesharecdn.com/pauldone-mongodbsecurityfeaturesv181-161117110608/85/MongoDB-Europe-2016-Who-s-Helping-Themselves-To-Your-Data-Demystifying-MongoDB-s-Security-Capabilities-3-320.jpg)
![#MDBE16
Auditing Filters Are Key
• Filter on attributes of captured audit documents
• In config, set ‘auditFilter’ to a query expression
• Filter on: Action, User, Role, Command, Database, Collection, etc
• Examples:
filter: '{atype: {$in: ["createCollection", "dropCollection"]}}‘
filter: ‘{roles: {role: "readWrite", db: "test“}}‘
filter: '{atype: "authCheck", "param.command": {$in: ["find", "insert"]}}‘
@TheDonester](https://image.slidesharecdn.com/pauldone-mongodbsecurityfeaturesv181-161117110608/85/MongoDB-Europe-2016-Who-s-Helping-Themselves-To-Your-Data-Demystifying-MongoDB-s-Security-Capabilities-27-320.jpg)
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying MongoDB’s Security Capabilities
- 1. Who’s Helping Themselves To Your Data? Demystifying MongoDB’s Security Features @TheDonester
- 2. #MDBE16 Complexity is the Enemy of Security Security holes resulting from misconfiguration? Under ‘time-to-market’ pressures, neglecting to apply a security layer due to complexity? @TheDonester
- 3. #MDBE16 Need Clearer Path To [Secure] Success • Technologies need to keep things simple • Especially around Security • MongoDB’s security features are orthogonal yet complimentary • Using one feature doesn’t require learning and configuring all other features @TheDonester
- 4. #MDBE16 MongoDB DB-level Security Standards-based Minimal inter-dependencies • Authorization mandates Authentication, to identify roles • Certificate-based Authentication mandates In-Flight Encryption (TLS) • Client Authentication mandates Internal Authentication Authentication At-Rest Encryption In-Flight Encryption AuthorizationAuditing @TheDonester
- 5. #MDBE16 Quick reminder.... http://docs.mongodb.org/manual/administration/security-checklist/ Ensure you consult MongoDB’s Security Checklist Remember: • Apply security in layers, for defence in depth • Many of these layers are not MongoDB specific @TheDonester
- 6. #MDBE16 MongoSecurityPlaypen Github Project NOT PRODUCTION SECURE For learning/demoing purposes only https://github.com/pkdone/MongoSecurityPlaypen @TheDonester
- 8. #MDBE16 Client Authentication Options 1. Challenge/Response (SCRAM-SHA-1) 2. LDAP (inc. Active Directory) 3. x.509 Certificate 4. Kerberos Remote Directory Server Username / Password Username / Password Authentication Service Request (1) (2) (3) Pre- Established Trust with KDC Local CA Certificates File Key Distribution Center (KDC) Certificate
- 9. #MDBW16 Client Authentication Examples SCRAM-SHA-1 LDAP x.509 Certificate Kerberos FQDNs @TheDonester
- 10. #MDBW16 LDAP Authentication Options @TheDonester LDAP Integration MongoDB Versions Operating Systems External Dependencies Proxy 2. 6 + Linux Simple Authentication & Security Layer (SASL) Direct 3. 4 + Linux & Windows n/a DB Host Directory Host Directory Servermongod saslauthd proxy direct
- 11. #MDBE16 Internal Authentication Options MongoD Replica Host OS Keyfile MongoD Replica Keyfile MongoD Replica Keyfile Key Challenge / Response Key Challenge / Response Key Challenge / Response MongoD Replica Key +Cer t MongoD Replica MongoD Replica Host OS Host OS x.509 Certificates Host OS Host OS Host OS CA Certs CA Certs CA Certs Key +Cer t Key +Cer t @TheDonester Key Files (SCRAM-SHA-1)
- 12. Authorization (Role Based Access Control) @TheDonester
- 13. #MDBE16 Role Based Access Control Built-in roles • read, readWrite, dbAdmin, clusterAdmin, root, etc.. User-defined roles • Based on actions that can be defined for a resource @TheDonester
- 14. #MDBE16 Defining & Using a Custom Role Example: “Append-only” role Define The Role & User Try Inserting & Querying Data @TheDonester
- 15. #MDBW16 LDAP Authorization* MongoDB Roles Mapped to LDAP Groups @TheDonester * New in 3.4 Role membership is fluid & managed dynamically in the LDAP Directory (rather than granting roles to users in MongoDB) LDAP Authorization is an optional feature, if LDAP Direct Authentication is enabled
- 16. #MDBW16 Read-Only Views* + Roles For Record-level Access Control @TheDonester Define a View (uses Agg Fwk) Lock Down User to Only the View * New in 3.4
- 18. #MDBE16 TLS (supersedes SSL) CRUD API calls over TLS Internal Traffic over TLS CA Certificates File Server Key & Certificate PEM File Server Machine 1 DriverClient Machine CA Certificates File CA Certificates File Server Key & Certificate PEM File Server Machine 3 CA Certificates File Server Key & Certificate PEM File Server Machine 2 @TheDonester
- 19. #MDBE16 TLS • Can apply to client traffic or internal traffic or both • Supported on all Drivers and MongoDB Tools • Client Certificate authentication not mandated • Any client and internal authentication methods can be used • Can even have authentication / authorization completely disabled @TheDonester
- 21. #MDBE16 Encrypted Storage Engine • Native encryption inside the database • Single-digit % overhead • Based on WiredTiger • Two Key Types for easy key rotation • Master Key per replica • Internal Key per database • Options for sourcing Master Key: • Via 3rd Party Key Management Appliance using KMIP (Key Management Interoperability Protocol) • Keyfile on local file-system (not recommended for Production) @TheDonester
- 22. #MDBE16 Encryption-at-Rest with KMIP 3rd Party Key Management Appliance Replica1 Host OS DBa DBb DBc Replica1’s Master Key Replica2’s Master Key Replica3’s Master Key CA Certificates File DBd Internal Key Manager Keystore (encrypted by Master Key) DBa Key DBb Key DBc Key DBd Key Encrypts & Decrypts Replica1 mongod Replica1 Key & Certificate PEM File @TheDonester
- 23. #MDBE16 MongoDB Encryption-at-Rest Symmetric Keys • Same key to encrypt & decrypt • AES256-CBC (256-bit AES Cipher Block Chaining mode) • AES256-GCM (256-bit AES Galois/Counter Mode) • FIPS 140-2 encryption option Encryption Alternatives • Partner solution for file & OS level encryption (eg. Vormetric) • Application code performs field-level encryption DEFAULT BUT HOW TO INDEX? @TheDonester
- 25. #MDBE16 Auditing Audit log of actions taken against the database Configurable Destination @TheDonester
- 26. #MDBE16 Auditing Event Types System Events CRUD Events Default (when enabled) Enabling Config Parameter auditLog - destination setParameter – auditAuthorizationSuccess Event Types DDL Auth failures Users & Roles config Replication &Sharding config Server Lifecycle actions Inserts Updates Removes Finds Aggregations @TheDonester
- 27. #MDBE16 Auditing Filters Are Key • Filter on attributes of captured audit documents • In config, set ‘auditFilter’ to a query expression • Filter on: Action, User, Role, Command, Database, Collection, etc • Examples: filter: '{atype: {$in: ["createCollection", "dropCollection"]}}‘ filter: ‘{roles: {role: "readWrite", db: "test“}}‘ filter: '{atype: "authCheck", "param.command": {$in: ["find", "insert"]}}‘ @TheDonester
- 29. #MDBE16 Atlas & Security • SCRAM-SHA-1 authentication enforced • TLS/SSL enforced • Pre-defined roles against each database • IP white-listing enforced • VPC Peering option with application tier • 2FA authentication for admin console • Option for encrypted data volumes @TheDonester
- 31. #MDBE16 Summary • MongoDB keeps things simple • Clearly separates out different security concerns • Reduce complexity • Decreases risk of security holes • Remember to Consult the MongoDB Security Checklist! @TheDonester
- 35. #MDBW16 Client Authentication Comparisons Authentication Method Clear Text Password Identity Location Challenge/Response (SCRAM-SHA-1) No (Digest) Internal x.509 Certificate No (Digital Signature) External LDAP Yes * External Kerberos No (KDC generated session key encrypted with password) External * Can be protected via a transport-level security mechanism @TheDonester
- 36. #MDBE16 Internal Authentication Comparisons • x.509 Cert Auth mandates use of TLS/SSL • Keyfile Auth can be used with TLS/SSL • x.509 Cert Auth has smaller attack surface area • No need for a ‘shared secret’ • x.509 Cert Auth allows for centralized key management @TheDonester
- 37. #MDBE16 TLS & FIPS 140-2 US government security standard to accredit cryptographic modules • OpenSSL “FIPS Object Module” • Certified component optionally used via OpenSSL • Ensures source code not tampered with (checks signature against original certified version) • MongoDB configurable option FIPSMode: true • Also applies to Encryption-at-Rest FIPS 140-2 : Federal Information Processing Standard (FIPS) Publication 140-2 @TheDonester
- 39. #MDBE16 Log Redaction* Redact Client Data Shown in System Log Files @TheDonester • All potentially sensitive user data omitted from logs Vs • Harder to diagnose system & performance issues * New in 3.4 Trade-off:
- 41. Python Client Application client VM centralit VM OpenLDAP Server Py KMIP Server MIT Kerberos KDC dbnode1 VM dbnode2 VM dbnode3 VM MongoDBReplicaSet mongod mongod mongod