#MDBlocal
Best practices: How to secure your MongoDB
Christophe Locoge, Senior Solutions Architect
PARIS
Agenda
• Security, security, security…
• Authentication
• Authorisation
• MongoDB Stitch QueryAnywhere
• Encryption
• Audit
• MongoDB Atlas & Security
The world’s most valuable resource is no longer oil… but data
https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
Every company is becoming a software company
Data-driven organizations are 23 times more likely to acquire customers, 6 times as likely to retain customers, and 19 times as likely to be profitable (McKinsey Global Institute).
With great data comes great responsibility
Data Is Everywhere
• 75bn connected IoT devices by 2025
• 83% see AI as strategic priority in 2019
• 6tn+ in cyber-crime damage by 2021
• $4.9tn in eCommerce sales by 2021
• 20x faster, 120x lower latency with 5G by 2021
• 3.8bn smartphone users by 2021
Increased Attack Surface Area
Data growth
• 40 trillion GBs (40 ZBs) generated by 2020: 6TB for every person on earth (IDC)
Technology diversity
• Over 350 types of data stores available
High growth threats
• Researchers estimate attacks increasing by 50% year on year
• Nation states, organized crime, opportunists
• Less brute force, more phishing, malware & ransomware
Tougher Regulations to Comply With
EU GDPR: Legislation for the protection of all EU citizen data – so major fines for all global orgs
FISMA: US government security standards
PCI-DSS: Retail, card-holder protection
HIPAA: Healthcare, patient data
SOX: Corporate governance, financial data controls
…
Great responsibility
• Reputation damage
• Emotional damage
• Regulatory penalties
• Compensating affected customers
• Investigation time & cost
• Intellectual property theft
• Falling share price
Remember: No technology is “XYZ” compliant
Compliance = People + Process + Product
Security is applied in layers
• The database is just one layer in the stack
Common database security requirements
• Data access controls: Authentication
• Data permission: Authorization
• Data protection controls: Encryption, Backup
• Forensic analysis: Audit
MongoDB DB-level Security
Authentication: database authentication, LDAP authentication, Kerberos authentication, x.509 authentication
Authorisation: role-based access control, LDAP authorization, field-level security (read-only & materialized views), log redaction
Encryption: network encryption, data-at-rest encryption, client-side field-level encryption
Audit: audit trail, monitoring, alerts
Stitch QueryAnywhere: simple, streamlined syntax for data access, robust access rules; build full apps for iOS, Android, Web, and IoT
MongoDB DB Cluster-level Security
• High availability
• Data locality (regulations)
• Network encryption between nodes
• Backup storage (continuous backup & queryable backup)
First... stop!
Always consult MongoDB’s Security Checklist
• Going live without doing this = dereliction of duty!
http://docs.mongodb.org/manual/administration/security-checklist/
Authentication
Client Authentication Comparisons
Authentication method | Clear-text password? | Identity location
SCRAM (Salted Challenge Response Authentication Mechanism), SHA-1 or SHA-256 | No | Internal
x.509 certificate | No (digital signature) | External
LDAP | Yes* | External
Kerberos | No (KDC-generated session key encrypted with password) | External
* Can be protected via a transport-level security mechanism (in fact TLS should always be used, regardless)
Required MongoDB User/Password
(diagram labels: chef4life, ******, chef4life, @!324, Thief Chef)
LDAP Authentication
(diagram: MongoDB users chef4life, employee1, employee2 mapped to LDAP users on the LDAP server)
Configuring LDAP in Atlas
LDAP Authentication in Atlas
IP Address Whitelisting
(diagram labels: 192.168.1.0/24, Application, Application, System Administrator, 192.168.1.48, 172.16.4.88, 172.33.20.11)
Restrict each user’s authentication based on:
• Client IP Address Range
and/or
• Server IP Listen Address
Authorization
Role Based Access Control
(diagram: MongoDB users chef4life, employee1, employee2 assigned MongoDB roles)
• sauceMaker: can read and edit sauce recipes
• burgerMaker: can read burger recipes
Defining Roles in Atlas
Best Practices:
• No shared credentials!
• Principle of least privilege
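The IP-whitelisting and role-based access control slides above describe two independent checks: may this user authenticate from this client address, and do the user's roles grant the requested action on the requested namespace. The following is an added example, not code from the slides or from MongoDB itself: a small evaluator over user and role definitions in the shape that db.createUser() and db.createRole() accept (roles with privileges, users with authenticationRestrictions.clientSource). The database name "kitchen", the collection names and the IP ranges are constructed for the example; the evaluation logic is a simplification of what mongod does.

```javascript
// Added example (not from the slides, not MongoDB's own code). Role and user
// documents mirror db.createRole()/db.createUser() arguments; the checks below
// are a simplified model of mongod's authentication restriction and privilege
// evaluation. Database "kitchen" and all addresses are constructed.

// Least-privilege roles from the slide's kitchen example.
const roles = {
  sauceMaker: {
    privileges: [
      { resource: { db: "kitchen", collection: "sauces" }, actions: ["find", "insert", "update"] },
    ],
  },
  burgerMaker: {
    privileges: [
      { resource: { db: "kitchen", collection: "burgers" }, actions: ["find"] },
    ],
  },
};

// One account per person (no shared credentials), each with only the roles it
// needs and, where possible, restricted to the client IP ranges it connects from.
const users = {
  employee1: {
    roles: [{ role: "burgerMaker", db: "kitchen" }],
    authenticationRestrictions: [{ clientSource: ["192.168.1.0/24"] }],
  },
  chef4life: {
    roles: [{ role: "sauceMaker", db: "kitchen" }, { role: "burgerMaker", db: "kitchen" }],
    authenticationRestrictions: [{ clientSource: ["192.168.1.48/32", "172.16.4.88/32"] }],
  },
};

// Convert a dotted IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if ip lies inside the CIDR block, e.g. inCidr("192.168.1.48", "192.168.1.0/24").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Authentication restriction: allowed when no restriction is set, or when at
// least one restriction entry lists a clientSource range containing clientIp.
function mayAuthenticate(user, clientIp) {
  const restrictions = user.authenticationRestrictions || [];
  if (restrictions.length === 0) return true;
  return restrictions.some((r) => (r.clientSource || []).some((cidr) => inCidr(clientIp, cidr)));
}

// Authorization: does any role held by the user grant `action` on db.collection?
function isAuthorized(user, db, collection, action) {
  return user.roles.some(({ role }) => {
    const def = roles[role];
    if (!def) return false;
    return def.privileges.some(
      (p) => p.resource.db === db && p.resource.collection === collection && p.actions.includes(action)
    );
  });
}

// The two checks in the order the server applies them: authenticate, then authorize.
function checkAccess(username, clientIp, db, collection, action) {
  const user = users[username];
  if (!user) return "unknown user";
  if (!mayAuthenticate(user, clientIp)) return "authentication rejected by IP restriction";
  if (!isAuthorized(user, db, collection, action)) return "unauthorized";
  return "ok";
}

console.log(checkAccess("employee1", "192.168.1.77", "kitchen", "burgers", "find"));   // ok
console.log(checkAccess("employee1", "192.168.1.77", "kitchen", "sauces", "update")); // unauthorized
console.log(checkAccess("chef4life", "172.16.4.89", "kitchen", "sauces", "update"));  // rejected by IP restriction
```

The order matters: a client outside the whitelisted range never reaches the authorization step, so role misconfiguration is only exposed to hosts that are already allowed to authenticate.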
LDAP Authorization
(diagram: an LDAP user group on the LDAP server mapped to the MongoDB role burgerMaker, which can read burger recipes)
LDAP Authorization in Atlas
Stitch QueryAnywhere
Stitch QueryAnywhere
• Write generic requests from applications
• Rule-based access set by asset/document
SDKs:
• JavaScript, Android, and iOS SDKs
• Integrated authentication, database, and service requests
Stitch Rules:
• Fine-grained access rules relating to all aspects of Stitch
• Access to context from users, request, external services, functions, etc.
(diagram: Application (Stitch SDK), Stitch (Authentication & Access rules), MongoDB)
Authentication with Stitch
Stitch provides built-in authentication:
• Anonymous
• Email/Password
• API Key
• Facebook/Google/Apple
• Custom JWT Authentication
• Custom Function Authentication
• Custom Authentication
Authentication with Stitch
(diagram: Client, Stitch, External Auth Provider)
1-2. If using Facebook, Google, Apple, Custom Auth… the user completes a separate auth flow.
3. Stitch receives the token/credential and validates it.
4. Stitch returns an access/refresh token to the client.
Authorization with Stitch
Stitch provides rule-based access for:
• Read
• Write
• Authentication
• Function/Service call
Basic Rules & Advanced UI
• Fully editable JSON
• Advanced configuration options
• Maps directly to app structure
Data Access in Practice
{
  "userid": "101",
  "name": "Employee1",
  "employeeId": 53164957,
  "empStatus": "active",
  "zip": 2082,
  "position": "BurgerMaker",
  "manager": "ChefManager",
  "hiringDate": ISODate("2017-05-02"),
  "employeeSource": "referral",
  "salary": 205000,
  "gender": "female",
  "ssn": "901-01-0001",
  "dob": ISODate("1972-10-02"),
  "citizenship": "Australia",
  "email": "employee1@example.com"
}
(slide callout: Data managed by user)
Rules for Data Access
{
  "filters": [{
    "name": "ActiveOnly",
    "apply_when": {"%%true": true},
    "query": {"empStatus": "active"}
  }, …],
  "roles": [{
    "name": "isUser",
    "apply_when": {"userid": "%%user.id"},
    "fields": {
      "citizenship": {"write": true},
      "email": {"write": true},
      "zip": {"write": true}
    },
    "additional_fields": {
      "read": true
    }
  }, …],
  "schema": {…}
}
(slide labels: Filters, Roles, Rules, Schema)
Finding Data
Employee1 (userid: "101") runs db.people.find({}) and receives:
[{
  "userid": "101",
  "name": "Employee1",
  "employeeId": 53164957,
  "zip": 2082,
  "position": "BurgerMaker",
  "manager": "ChefManager",
  "…": "…"
}]
Role field permissions applied to the result:
"fields": {
  "citizenship": {"write": true},
  "email": {"write": true},
  "zip": {"write": true}
},
"additional_fields": {
  "read": true
}
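The three slides above (the employee document, the filters/roles rule, and the find result) describe one evaluation: filters narrow the query, a role whose apply_when matches the document is selected, and the role's field permissions decide what the caller can read and write. The following is an added example, not Stitch's own rule engine: a small evaluator that applies the slide's rule to a constructed people collection. It supports only the two expansions the slide uses (%%true and %%user.id) and uses the first matching role per document; those are simplifications assumed for the example.

```javascript
// Added example (not from the slides, not Stitch's rule engine). Applies the
// filter + role rule from the slide to constructed documents. Simplifications:
// only %%true and %%user.id are expanded, and the first matching role wins.

const rule = {
  filters: [
    { name: "ActiveOnly", apply_when: { "%%true": true }, query: { empStatus: "active" } },
  ],
  roles: [
    {
      name: "isUser",
      apply_when: { userid: "%%user.id" },
      fields: { citizenship: { write: true }, email: { write: true }, zip: { write: true } },
      additional_fields: { read: true },
    },
  ],
};

// Constructed sample collection; Employee2 is inactive so the filter hides it.
const people = [
  { userid: "101", name: "Employee1", employeeId: 53164957, empStatus: "active", zip: 2082,
    position: "BurgerMaker", salary: 205000, ssn: "901-01-0001", email: "employee1@example.com", citizenship: "Australia" },
  { userid: "102", name: "Employee2", employeeId: 53164958, empStatus: "inactive", zip: 2083,
    position: "SauceMaker", salary: 180000, ssn: "901-01-0002", email: "employee2@example.com", citizenship: "France" },
  { userid: "103", name: "Employee3", employeeId: 53164959, empStatus: "active", zip: 2084,
    position: "BurgerMaker", salary: 190000, ssn: "901-01-0003", email: "employee3@example.com", citizenship: "Canada" },
];

// Replace %%-expansions with values from the request context.
function expand(value, ctx) {
  return value === "%%user.id" ? ctx.user.id : value;
}

// Evaluate an apply_when / query expression: every key must equal the document value.
function matches(expr, doc, ctx) {
  return Object.entries(expr).every(([k, v]) => {
    if (k === "%%true") return v === true;
    return doc[k] === expand(v, ctx);
  });
}

// Filters narrow the query before any document reaches role evaluation.
function applyFilters(docs, ctx) {
  const active = rule.filters.filter((f) => matches(f.apply_when, {}, ctx));
  return docs.filter((d) => active.every((f) => matches(f.query, d, ctx)));
}

// Field permission: explicit entry in "fields", otherwise "additional_fields".
// A writable field is implicitly readable.
function fieldPermission(role, field, op) {
  const spec = role.fields[field] || role.additional_fields || {};
  if (op === "read") return spec.read === true || spec.write === true;
  return spec.write === true;
}

// What the caller sees for db.people.find({}): filtered documents, each
// projected to the fields its matching role lets the caller read. A document
// that matches no role is not returned at all.
function find(ctx) {
  return applyFilters(people, ctx)
    .map((doc) => {
      const role = rule.roles.find((r) => matches(r.apply_when, doc, ctx));
      if (!role) return null;
      const out = {};
      for (const [k, v] of Object.entries(doc)) {
        if (fieldPermission(role, k, "read")) out[k] = v;
      }
      return out;
    })
    .filter((d) => d !== null);
}

// May the caller update `field` on the document with the given userid?
function canWrite(ctx, userid, field) {
  const doc = applyFilters(people, ctx).find((d) => d.userid === userid);
  if (!doc) return false;
  const role = rule.roles.find((r) => matches(r.apply_when, doc, ctx));
  return !!role && fieldPermission(role, field, "write");
}

const employee1 = { user: { id: "101" } };
console.log(find(employee1));                       // only Employee1's own document
console.log(canWrite(employee1, "101", "email"));   // true
console.log(canWrite(employee1, "101", "salary"));  // false: read-only via additional_fields
```

Because the isUser role only applies when userid equals %%user.id, a caller can read every field of their own record but write just citizenship, email and zip, and sees nothing of other employees; the ActiveOnly filter removes inactive records before any role is even considered.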
Encryption
Encryption at Rest by Default on Atlas
Encryption at Rest with Your Key Management
Encryption at Rest in the Atlas UI (Project Configuration, Cluster Configuration)
Encryption at Rest in the Atlas UI
MongoDB Client-Side Field-Level Encryption: today’s limitation
• Traditionally, DB encryption has relied on server-side trust
• With a few caveats, the database operators typically have unrestricted technical access, including:
  • DBAs
  • system admins
  • hosting/infrastructure providers
• In a server-side encryption model, a leak or breach can be catastrophic
  • This potentially includes: logs, backups, temp files, process memory…
• Those who hold the keys control the kingdom
MongoDB Client-Side Field-Level Encryption: core design
• Enabled in drivers
• Drivers have expanded MQL awareness
• Extends existing JSON Schema with a new “encrypt” property
• Adds JSON Schema validation to the client
• Individual fields within collections can be marked as encrypted
• Keys can be used on a per-field, per-document basis
• Content is opaque to server & server operators
• Right to be forgotten
MongoDB Client-Side Field-Level Encryption
View from application:
{
  name: "Employee1",
  position: "BurgerMaker",
  ssn: "901-01-0001",
  email: "employee1@example.com",
  salary: "205000",
  hiringDate: ISODate("2017-05-02")
}
View from database (admin, server, DB logs, process memory):
{
  name: "Employee1",
  position: "BurgerMaker",
  ssn: "r6EaUcgZ4lGw…",      // encrypted
  email: "K4b5U3TlcIXh…",    // encrypted
  salary: "oR72CW4Wf5Ej…",   // encrypted
  hiringDate: ISODate("2017-05-02")
}
Querying an encrypted field (slide flow across the people collection):
Query issued by the application:
db.people.find({ ssn: "901-01-0001" })
Query as sent by the driver to the server:
db.people.find({ ssn: "r6EaUcgZ4lGw…" })
Document as stored in people:
{
  _id: <ObjectId>,
  name: "Employee1",
  position: "BurgerMaker",
  ssn: "r6EaUcgZ4lGw…",      // encrypted
  email: "K4b5U3TlcIXh…",    // encrypted
  salary: "oR72CW4Wf5Ej…",   // encrypted
  hiringDate: ISODate("2017-05-02")
}
Document returned by the server (still encrypted):
{
  name: "Employee1",
  position: "BurgerMaker",
  ssn: "r6EaUcgZ4lGw…",      // encrypted
  email: "K4b5U3TlcIXh…",    // encrypted
  salary: "oR72CW4Wf5Ej…",   // encrypted
  hiringDate: ISODate("2017-05-02")
}
Document as decrypted by the driver for the application:
{
  name: "Employee1",
  position: "BurgerMaker",
  ssn: "901-01-0001",
  email: "employee1@example.com",
  salary: "205000",
  hiringDate: ISODate("2017-05-02")
}
JSON schema validation
"db.people": {
  "bsonType": "object",
  "properties": {
    "hiringDate": { "bsonType": "date" },
    "name": { "bsonType": "string" },
    "position": { "bsonType": "string" },
    "ssn": {
      "encrypt": {
        "bsonType": "string",
        "algorithm": encryption_mode,   // one of the two algorithms below
        "keyId": [ key1 ]               // key UUID
      }
    },
    "…": …
  }
}
Deterministic encryption: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
Randomized encryption: "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
Audit
Auditing
• Audit log of actions taken against the database
• Configurable destination
Auditing Event Types
System events (default when auditing is enabled; enabled by the config parameter auditLog.destination):
• DDL
• Auth failures
• Users & roles config
• Replication & sharding config
• Server lifecycle actions
CRUD events (enabled by setParameter auditAuthorizationSuccess):
• Inserts
• Updates
• Removes
• Finds
• Aggregations
Auditing Filters Are Key
Filter on attributes of captured audit documents
• In config, set ‘auditFilter’ to a query expression
• Filter on: action, user, role, command, database, collection, etc.
Examples:
filter: '{atype: {$in: ["createCollection", "dropCollection"]}}'
filter: '{roles: {role: "readWrite", db: "test"}}'
filter: '{atype: "authCheck", "param.command": {$in: ["find", "insert"]}}'
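An auditFilter is a query expression evaluated against each audit document, so its effect can be checked offline before it is deployed. The following is an added example, not mongod's audit code: a small matcher covering the three constructs the slide's filters use (equality, including exact subdocument equality and "any array element" matching, $in, and dotted paths), run over constructed audit events laid out like mongod's (atype, param, users, roles, result). The matcher is a hypothetical subset of MongoDB query semantics, not the full language.

```javascript
// Added example (not from the slides, not mongod's audit subsystem). Evaluates
// the slide's three auditFilter expressions against constructed audit events.
// Supports equality, $in and dotted paths only; other operators throw.

const auditFilters = {
  ddlOnly: { atype: { $in: ["createCollection", "dropCollection"] } },
  readWriteOnTest: { roles: { role: "readWrite", db: "test" } },
  findInsertAuthChecks: { atype: "authCheck", "param.command": { $in: ["find", "insert"] } },
};

// Constructed audit events in the field layout mongod emits.
const sampleEvents = [
  { atype: "createCollection", param: { ns: "kitchen.sauces" },
    users: [{ user: "chef4life", db: "admin" }], roles: [{ role: "dbOwner", db: "kitchen" }], result: 0 },
  { atype: "authCheck", param: { command: "find", ns: "kitchen.burgers" },
    users: [{ user: "employee1", db: "admin" }], roles: [{ role: "readWrite", db: "test" }], result: 0 },
  { atype: "authCheck", param: { command: "update", ns: "kitchen.burgers" },
    users: [{ user: "employee1", db: "admin" }], roles: [{ role: "readWrite", db: "test" }], result: 13 },
  { atype: "authenticate", param: { user: "employee2", db: "admin", mechanism: "SCRAM-SHA-256" },
    users: [], roles: [], result: 18 },
];

// Subdocument equality in MongoDB is field-order sensitive, so keys are compared in order.
function deepEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== "object" || typeof b !== "object" || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  if (ka.length !== kb.length) return false;
  return ka.every((k, i) => k === kb[i] && deepEqual(a[k], b[k]));
}

// Resolve a dotted path; an array along the way contributes each element's value.
function resolve(doc, path) {
  let values = [doc];
  for (const part of path.split(".")) {
    const next = [];
    for (const v of values) {
      if (Array.isArray(v)) {
        v.forEach((el) => { if (el && typeof el === "object" && part in el) next.push(el[part]); });
      } else if (v && typeof v === "object" && part in v) {
        next.push(v[part]);
      }
    }
    values = next;
  }
  return values;
}

function isOperatorObject(v) {
  return !!v && typeof v === "object" && !Array.isArray(v) && Object.keys(v).some((k) => k.startsWith("$"));
}

// A value matches a condition if it equals it, or (for arrays) any element does.
function valueMatches(value, cond) {
  if (isOperatorObject(cond)) {
    if ("$in" in cond) return cond.$in.some((c) => valueMatches(value, c));
    throw new Error(`unsupported operator in ${JSON.stringify(cond)}`);
  }
  if (deepEqual(value, cond)) return true;
  return Array.isArray(value) && value.some((el) => deepEqual(el, cond));
}

// Every top-level key of the filter must match (implicit $and).
function matchesFilter(event, filter) {
  return Object.entries(filter).every(([path, cond]) =>
    resolve(event, path).some((v) => valueMatches(v, cond)));
}

// For each event, the names of the filters that would capture it.
function auditCoverage(events, filters) {
  return events.map((e) => Object.keys(filters).filter((name) => matchesFilter(e, filters[name])));
}

console.log(auditCoverage(sampleEvents, auditFilters));
// [ [ 'ddlOnly' ], [ 'readWriteOnTest', 'findInsertAuthChecks' ], [ 'readWriteOnTest' ], [] ]
```

Running the coverage table before enabling a filter shows what the audit log will and will not contain: with only the first filter deployed, for example, the failed authentication event (result 18) is never recorded, which is exactly the kind of gap a forensic analyst later regrets. Note also that the roles filter matches because the subdocument's field order equals the filter's; {db: "test", role: "readWrite"} would not match.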
Log Redaction
Redacts client data shown in system log files
• All potentially sensitive user data omitted from logs
Trade-off:
• Harder to diagnose system & performance issues
MongoDB Atlas & Security
MongoDB’s DBaaS in the Cloud
MongoDB Atlas & Security
• TLS enforced
• IP whitelisting enforced
• SCRAM authentication enforced
• LDAP/AD authentication & authorization
• x.509 user authentication (GA)
• IDP supporting SAML / Federated authentication (GA)
• 2FA authentication for console access
• VPC Peering
• AWS PrivateLink integration (GA)
• Pre-defined roles against each database
• Encrypted data & backup storage (with ‘bring your own keys’)
• Auditing
• Automatic version upgrades
Summary
• Data security is more important now than ever before
  • Number & types of attacks is accelerating
  • Regulatory compliance means it’s now more than just reputation at stake
• MongoDB has flexible & powerful security capabilities
  • But security compliance is not just about product, it’s about people & processes too
• Take advantage of these features
  • Bake security into the development process
• Remember: Consult the MongoDB Security Checklist!
  http://docs.mongodb.org/manual/administration/security-checklist/
THANK YOU
MongoDB .local Paris 2020: Best practices for securing MongoDB
