High-profile security breaches have become embarrassingly common, but ultimately avoidable. Now more than ever, database security is a critical component of any production application. In this talk you'll learn to secure your deployment in accordance with best practices and compliance regulations. We'll explore the MongoDB Enterprise features which ensure HIPAA and PCI compliance, and protect you against attack, data exposure and a damaged reputation.

2. Architecting Secure and Compliant
Applications with MongoDB
shawn.mccarthy@mongodb.com
@sbmccarth
Solutions Architect – MongoDB Inc.

3. 3
Major Security Alert

4. 4
Concepts
developer friendly production ready

5. 5
✓ Concepts
✓ Best Practices
✓ Demo
Agenda

6. 6
Authentication
Authorization
Validating a user
is who
they say they are
Only letting a user
do certain things
Concepts

7. 7
Auditing
Encryption
Tracking system
activity
Encoding data so
that only those
with the key can
read it
Concepts

8. 8
WARNING
Some features only supported in MongoDB Enterprise
Advanced versions!
Generally, functionality available in 2.6.x
Will call out any specific 3.x features

9. 9
password-based challenge-response mechanism
- user/pwd – defined against a DB
- Different auth mechanisms (changed in 3.0)
- SCRAM-SHA-1, MONGO-CR
- Kerberos, LDAP*
x.509 certificates
- validate members of replica set’s
and sharded cluster’s are who you think
they are
- also used in SSL connections
Authentication

10. How do you make MongoDB
authorize users?
$ mongod --dbpath ./db --auth

11. 11
Enables authorization before creating the first user on the
system. When auth is enabled, the localhost exception allows
connection from the local interface to create the first user on
the admin database.
This only applies when no users exist on the system
Changed in version 3.x
These connections only have access to create the first user on
the admin database. Previously, connections from the local
interface had unrestricted access to all MongoDB
Localhost Exception

12. 12
Role Based Access Control
built-in and custom roles
var stockerRole = {
“role” : “acme.store.stocker”,
“privileges” : [
{ “resource” : {
“db” : “products”,
“collection” : “inventory” },
“actions” : [ “find”, “update” ]
} ],
“roles” : [ “acme.store.user” ]
}
use acme
db.createRole( stockerRole );
Authorization

13. 13
Can audit on your mongod and mongos
Send events to console, syslog, JSON or BSON file
$ mongod --dbpath data/db --auditDestination file --auditFormat JSON
--auditPath data/db/auditLog.json
[ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json
{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" :
"(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param"
: {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" :
"(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system",
"db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local"
: { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 },
"users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
Auditing*

14. 14
Encryption At Rest
✓ Encrypted Storage Engine*
✓ Whole Disk Encryption (through third party)
Required for HIPAA/PCI-DSS
Configure mongod and mongos for SSL
$ mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
Encryption In Transit
✓ Support for SSL/TSL for all communication
Required for HIPAA/PCI-DSS
Encryption

15. 15
http://docs.mongodb.org/manual/administration/security-checklist/
Security Checklist
✓ Require Authentication
✓ Configure Roles
✓ Use SSL
✓ Configure firewall – limit network exposure
✓ Turn on auditing
✓ Encrypt data on disk
✓ Run mongod with dedicated user account
✓ Set secure options
✧ --noscripting
✧ Disable REST/HTTP
Best Practices

16. 16
Building roles to support healthcare
application and HIPAA requirements.
In general for full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo

17. 17
Role Create Read Update Delete Index
(Maintenance)
Physician
Billing
Associate
Patient System
Administrator
Demo

18. 18
MongoGeneral Application
✓ createFirstUser.js
✓ createRoles.js
✓ createUsers.js
Demo

19. Questions?

20. THANKS!
shawn.mccarthy@mongodb.com
@sbmccarth
Solutions Architect – MongoDB Inc.