Webinar: Architecting Secure and Compliant Applications with MongoDB

High-profile security breaches have become embarrassingly common, but ultimately avoidable. Now more than ever, database security is a critical component of any production application. In this talk you'll learn to secure your deployment in accordance with best practices and compliance regulations. We'll explore the MongoDB Enterprise features which ensure HIPAA and PCI compliance, and protect you against attack, data exposure and a damaged reputation.

Published in: Technology

  1. Architecting Secure and Compliant Applications with MongoDB
     shawn.mccarthy@mongodb.com, @sbmccarth, Solutions Architect, MongoDB Inc.
  2. Major Security Alert
  3. Concepts: developer friendly, production ready
  4. Agenda
     ✓ Concepts
     ✓ Best Practices
     ✓ Demo
  5. Concepts
     Authentication: validating that a user is who they say they are.
     Authorization: only letting a user do certain things.
  6. Concepts
     Auditing: tracking system activity.
     Encryption: encoding data so that only those with the key can read it.
  7. WARNING: some features are only supported in MongoDB Enterprise Advanced versions!
     Generally, the functionality shown is available in 2.6.x. Any 3.x-specific features will be called out.
  8. Authentication
     Password-based challenge-response mechanism:
     - user/password defined against a DB
     - different auth mechanisms (changed in 3.0): SCRAM-SHA-1 (the default from 3.0 on) and MONGODB-CR (the older mechanism)
     Kerberos, LDAP*
     x.509 certificates:
     - validate that the members of replica sets and sharded clusters are who you think they are
     - also used in SSL connections
  9. How do you make MongoDB authorize users?
     $ mongod --dbpath ./db --auth
     (--auth turns on access control: clients must authenticate, and what they may then do is limited to the privileges of their roles.)
  10. Localhost Exception
     Enables authorization before the first user on the system has been created. When auth is enabled, the localhost exception allows a connection from the local interface to create the first user on the admin database. This only applies when no users exist on the system.
     Changed in version 3.x: these connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to all of MongoDB.
     Create a user administrator (userAdminAnyDatabase on admin) as that first user and the exception closes by itself; it can also be switched off outright with --setParameter enableLocalhostAuthBypass=0.
  11. Authorization
     Role Based Access Control: built-in and custom roles.
     var stockerRole = {
       "role" : "acme.store.stocker",
       "privileges" : [
         {
           "resource" : { "db" : "products", "collection" : "inventory" },
           "actions" : [ "find", "update" ]
         }
       ],
       "roles" : [ "acme.store.user" ]
     }
     use acme
     db.createRole( stockerRole );
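The slide defines the stocker role but does not show what it inherits or how the server decides whether an action is permitted. The following is an added example (not code from the webinar or from MongoDB) that resolves a custom role's effective privileges the way mongod does, direct privileges plus everything pulled in through "roles", and checks single actions against MongoDB's resource-matching rules, so a role can be verified for least privilege before db.createRole() is run. "acme.store.stocker" is the role from the slide; "acme.store.user", which it inherits from, is an assumed definition because the slide never shows it.

```javascript
// Added example, not code from the webinar or from MongoDB. Resolves a custom
// role's effective privileges (direct + inherited) and checks single actions.
// "acme.store.user" is an assumed parent role; the slide does not define it.

var roleCatalog = {
  "acme.store.user": {                       // assumed parent role: catalog read-only
    role: "acme.store.user",
    privileges: [
      { resource: { db: "products", collection: "catalog" }, actions: ["find"] }
    ],
    roles: []
  },
  "acme.store.stocker": {                    // the role shown on the slide
    role: "acme.store.stocker",
    privileges: [
      { resource: { db: "products", collection: "inventory" }, actions: ["find", "update"] }
    ],
    roles: ["acme.store.user"]
  }
};

// Flatten direct and inherited privileges. Entries in "roles" may be a bare
// name (same database) or { role, db }; the visited set guards against cycles.
function effectivePrivileges(roleName, catalog, seen) {
  seen = seen || {};
  if (seen[roleName]) return [];
  seen[roleName] = true;
  var def = catalog[roleName];
  if (!def) throw new Error("unknown role: " + roleName);
  var out = def.privileges.slice();
  def.roles.forEach(function (r) {
    var name = typeof r === "string" ? r : r.role;
    out = out.concat(effectivePrivileges(name, catalog, seen));
  });
  return out;
}

// MongoDB resource matching: in { db, collection } an empty string is a wildcard
// (db: "" means every database, collection: "" every collection; the server
// additionally excludes system collections, which is ignored here),
// { cluster: true } is the cluster resource, { anyResource: true } matches all.
function resourceMatches(granted, wanted) {
  if (granted.anyResource) return true;
  if (granted.cluster || wanted.cluster) return !!(granted.cluster && wanted.cluster);
  var dbOk = granted.db === "" || granted.db === wanted.db;
  var collOk = granted.collection === "" || granted.collection === wanted.collection;
  return dbOk && collOk;
}

function isAllowed(roleName, catalog, action, resource) {
  return effectivePrivileges(roleName, catalog).some(function (p) {
    return p.actions.indexOf(action) !== -1 && resourceMatches(p.resource, resource);
  });
}

// The command document db.createRole(def) sends to the server.
function createRoleCommand(def) {
  return { createRole: def.role, privileges: def.privileges, roles: def.roles };
}

// Loaded in the mongo shell (e.g. "mongo acme roles.js", a hypothetical file
// name) this also applies the roles; under Node, where "db" does not exist,
// only the checks above are available.
if (typeof db !== "undefined") {
  ["acme.store.user", "acme.store.stocker"].forEach(function (name) {
    db.getSiblingDB("acme").runCommand(createRoleCommand(roleCatalog[name]));
  });
}
```

Running the checks before applying the roles answers the questions the demo's role matrix asks: a stocker may update products.inventory and, through acme.store.user, read products.catalog, but may not remove inventory documents or touch the same collection name in another database. Applying the roles requires the createRole action on the acme database, which the built-in userAdmin role on that database provides.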
  12. Auditing*
     Can audit on your mongod and mongos. Send events to console, syslog, or a JSON or BSON file.
     $ mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
     [ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json
     { "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
     { "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
     { "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
     Note the third event: the collection foo.foo was created by a client connection with no authenticated user ("users" : []), which is what you get when mongod runs without --auth, as in the command line above. The audit trail records it, but nothing prevented it.
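Audit output is only useful if something reads it. The following is an added example (not code from the webinar or from MongoDB) that runs a few detection rules over audit events in the JSON format shown above, one event per line: successful operations with no authenticated user behind them (the foo.foo case), failed logins, and any change to users or roles. The first three events are copied from the slide; the two that follow them are constructed here, a failed SCRAM-SHA-1 login and a user creation, with addresses and names chosen for the example.

```javascript
// Added example, not code from the webinar or from MongoDB. Detection rules over
// MongoDB audit-log events (JSON format, one per line). Events 1-3 are copied
// from the slide; events 4-5 are constructed for this example.
const auditLines = [
  '{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }',
  '{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }',
  '{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }',
  // constructed: a failed login; result 18 is the AuthenticationFailed error code
  '{ "atype" : "authenticate", "ts" : { "$date" : "2015-05-22T14:32:01.000+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.9", "port" : 41022 }, "users" : [], "roles" : [], "param" : { "user" : "admin", "db" : "admin", "mechanism" : "SCRAM-SHA-1" }, "result" : 18 }',
  // constructed: an authenticated user administrator creating an account
  '{ "atype" : "createUser", "ts" : { "$date" : "2015-05-22T14:33:10.000+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.5", "port" : 41100 }, "users" : [ { "user" : "dba", "db" : "admin" } ], "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ], "param" : { "user" : "billing", "db" : "hospital", "roles" : [ { "role" : "billingAssociate", "db" : "hospital" } ] }, "result" : 0 }'
];

// Audit action types that change who can do what; always worth a finding.
const PRIVILEGE_CHANGES = new Set([
  "createUser", "dropUser", "dropAllUsersFromDatabase", "updateUser",
  "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole", "dropRole",
  "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole",
  "grantPrivilegesToRole", "revokePrivilegesFromRole"
]);
const AUTHENTICATION_FAILED = 18;

// Events whose remote ip is "(NONE)" have no client behind them (startup,
// shutdown, replication); they are skipped so findings stay client-focused.
function isInternal(ev) {
  return ev.remote.ip === "(NONE)";
}

function describeUsers(ev) {
  return ev.users.length
    ? ev.users.map(u => u.user + "@" + u.db).join(",")
    : "<unauthenticated>";
}

// Returns one finding object per matched rule, in log order.
function analyzeAuditLog(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = JSON.parse(line);
    if (isInternal(ev)) continue;
    const from = ev.remote.ip + ":" + ev.remote.port;
    if (ev.atype === "authenticate") {
      if (ev.result === AUTHENTICATION_FAILED) {
        findings.push({ kind: "auth_failure", ts: ev.ts.$date,
                        user: ev.param.user + "@" + ev.param.db, from: from });
      }
    } else if (ev.users.length === 0 && ev.result === 0) {
      // A successful operation with no authenticated user: mongod is running
      // without --auth, or the pre-3.0 localhost exception is being used.
      findings.push({ kind: "unauthenticated_operation", ts: ev.ts.$date,
                      op: ev.atype, ns: ev.param.ns, from: from });
    }
    if (PRIVILEGE_CHANGES.has(ev.atype) && ev.result === 0) {
      findings.push({ kind: "privilege_change", ts: ev.ts.$date, op: ev.atype,
                      by: describeUsers(ev),
                      target: (ev.param.user || ev.param.role) + "@" + ev.param.db,
                      from: from });
    }
  }
  return findings;
}
```

On the five events above the rules produce three findings: the unauthenticated createCollection on foo.foo from 127.0.0.1:56023, the failed login for admin@admin, and the creation of billing@hospital by dba@admin. The first of these is the one to alert on in production: once --auth is enforced it can only appear through the localhost exception, and then only once.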
  13. Encryption
     Encryption At Rest
     ✓ Encrypted Storage Engine*
     ✓ Whole Disk Encryption (through third party)
     Required for HIPAA/PCI-DSS
     Encryption In Transit
     ✓ Support for SSL/TLS for all communication
     Required for HIPAA/PCI-DSS
     Configure mongod and mongos for SSL:
     $ mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
     This makes the server present its certificate and refuse plaintext connections. To have the server verify client certificates as well (needed for the x.509 authentication on slide 8), add --sslCAFile with the issuing CA, and point clients at the same CA so they verify the server instead of trusting whatever certificate they are shown.
  14. Best Practices
     Security Checklist: http://docs.mongodb.org/manual/administration/security-checklist/
     ✓ Require Authentication
     ✓ Configure Roles
     ✓ Use SSL
     ✓ Configure firewall (limit network exposure)
     ✓ Turn on auditing
     ✓ Encrypt data on disk
     ✓ Run mongod with a dedicated user account
     ✓ Set secure options
       ✧ --noscripting
       ✧ Disable REST/HTTP
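Most of the checklist maps directly onto mongod configuration-file keys, which makes it checkable before a server is ever started. The following is an added example (not code from the webinar or from MongoDB) that puts a weak configuration beside a hardened one and reports which checklist items each fails. The configurations are written as JavaScript objects mirroring the YAML configuration-file keys (security.authorization, net.ssl.mode, net.bindIp, auditLog.*, security.javascriptEnabled, net.http.*), so the check runs offline; the IP address and paths in the hardened configuration are constructed for the example. Two checklist items, encrypting the disk and running mongod under a dedicated account, live outside the configuration file and are not covered here.

```javascript
// Added example, not code from the webinar or from MongoDB. Checks a mongod
// configuration (as an object mirroring the YAML config keys) against the
// slide's checklist. Addresses and paths below are constructed for the example.

const weakConfig = {                  // a typical development setup
  net: { bindIp: "0.0.0.0", port: 27017,
         http: { enabled: true, RESTInterfaceEnabled: true } },
  security: {}                        // authorization not enabled
};

const hardenedConfig = {
  net: {
    bindIp: "10.0.214.82",            // constructed: the application subnet only
    port: 27017,
    ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/mongodb.pem" },
    http: { enabled: false, RESTInterfaceEnabled: false }
  },
  security: { authorization: "enabled", javascriptEnabled: false },   // --auth, --noscripting
  auditLog: { destination: "file", format: "JSON", path: "/var/log/mongodb/auditLog.json" }
};

// Look up a dotted key such as "net.ssl.mode" without throwing on missing sections.
function get(cfg, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), cfg);
}

// Each check names the checklist item, the key it inspects, and what passing means.
// Absent keys fall back to mongod's defaults: no auth, no SSL, all interfaces,
// JavaScript enabled, which is why "undefined" fails the first four checks.
const CHECKS = [
  { item: "Require Authentication", key: "security.authorization", ok: v => v === "enabled" },
  { item: "Use SSL", key: "net.ssl.mode", ok: v => v === "requireSSL" },
  { item: "Use SSL", key: "net.ssl.PEMKeyFile", ok: v => typeof v === "string" && v.length > 0 },
  { item: "Limit network exposure", key: "net.bindIp",
    ok: v => typeof v === "string" &&
             v.split(",").every(ip => ip.trim() !== "" && ip.trim() !== "0.0.0.0") },
  { item: "Turn on auditing", key: "auditLog.destination",
    ok: v => ["file", "syslog", "console"].includes(v) },
  { item: "Set secure options (--noscripting)", key: "security.javascriptEnabled", ok: v => v === false },
  { item: "Disable REST/HTTP", key: "net.http.enabled", ok: v => v !== true },
  { item: "Disable REST/HTTP", key: "net.http.RESTInterfaceEnabled", ok: v => v !== true }
];

// Returns the failed checks with the offending value; empty means every item is met.
function auditConfig(cfg) {
  return CHECKS.filter(c => !c.ok(get(cfg, c.key)))
               .map(c => ({ item: c.item, key: c.key, value: get(cfg, c.key) }));
}
```

The weak configuration fails all eight checks; the hardened one passes. The bindIp check deliberately rejects a list that merely includes 0.0.0.0, since binding to all interfaces alongside a specific one still exposes the server on every interface.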
  15. Demo
     Building roles to support a healthcare application and HIPAA requirements.
     In general, for full details on HIPAA and PCI-DSS standards compliance see:
     http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
  16. Demo: role matrix
     Columns: Role | Create | Read | Update | Delete | Index (Maintenance)
     Rows: Physician; Billing Associate; Patient System Administrator
     (the per-role cell values of the table are not present in the extracted slide text)
  17. Demo: MongoGeneral Application
     ✓ createFirstUser.js
     ✓ createRoles.js
     ✓ createUsers.js
  18. Questions?
  19. THANKS! shawn.mccarthy@mongodb.com, @sbmccarth, Solutions Architect, MongoDB Inc.
