Webinar: Best Practices for Securing and Protecting MongoDB Data

2
• Authentication
• Authorization
• Auditing
• Encryption
• IBM Guardium Integration

3
• Basic challenge-response
– Hashed password managed in MongoDB
• Kerberos integration using SASL
– Connects to an existing Kerberos infrastucture
– Passwords managed in existing system, not MongoDB
• Can combine these if desired in same server
• Likely adding LDAP integration in 2.6

4
• Roles assigned in MongoDB
– Currently no 3rd
party integration for authorization
• Usernames are in MongoDB and have role(s)
assigned to them
• You can add roles together to build permissioning
you need for a user

5
Individual DB
DB User Access
•read
•readWrite
Database admin access
•dbAdmin
•userAdmin
Individual DB
DB User Access
•read
•readWrite
•dbAdmin
•userAdmin
Admin DB – Cluster-wide
ClusterAdmin
• dbAdminAnyDatabase
• userAdminAnyDatabase
DB User Access
• readAnyDatabase
• readWriteAnyDatabase
Admin DB – Cluster-wide
ClusterAdmin
• dbAdminAnyDatabase
• userAdminAnyDatabase
DB User Access
• readAnyDatabase
• readWriteAnyDatabase

6
Database Administrator (DBA)
Administrator for all parts of the system
MongoDB roles:
•clusterAdmin
•dbAdminAnyDatabase
•userAdminAnyDatabase
•readWriteAnyDatabase
Database Administrator (DBA)
Administrator for all parts of the system
MongoDB roles:
•clusterAdmin
Developer users
Developers in dev and test environments
MongoDB role (in dev and test):
Developer users
Application users
Username for the application itself
across databases in all environments
MongoDB role:
Application users
MongoDB role:

7
Central Permissioning Group
Only manages users and their
permissions
MongoDB role:
Only manages users and their
permissions
MongoDB role:
Database Administrator
Manages the cluster, databases,
collections, and indexes
MongoDB roles:
•clusterAdmin
Manages the cluster, databases,
collections, and indexes
MongoDB roles:
•clusterAdmin
Developer users
Developer users
Application users
MongoDB role:
Application users
MongoDB role:

8
For each applicationFor each application
Only manages users and their permissions
MongoDB role:
Only manages users and their permissions
MongoDB role:
Manages the architecture, databases,
collections, and indexes for all DBs
MongoDB roles:
•clusterAdmin
Manages the architecture, databases,
collections, and indexes for all DBs
MongoDB roles:
•clusterAdmin
Developer Users
Developers in dev and test
environments for this DB
•readWrite
Developer Users
Developers in dev and test
environments for this DB
•readWrite
Application Users
Username for the
application itself to use
for the one DB
MongoDB role:
•readWrite
Application Users
Username for the
application itself to use
for the one DB
MongoDB role:
•readWrite
Application Admin
Manages one DB only
MongoDB role
•dbAdmin
Application Admin
Manages one DB only
MongoDB role
•dbAdmin

9
• Currently only a small set of operations are
logged
• Logged in the main Mongo server log
• In v2.6
– Separate audit log
– More operations will be logged (DB, collections, index
changes, etc.)

10
• Data in transit
– SSL between all MongoDB components is in the
Enterprise version
– Or build in your own SSL library from the open source
version
• Data at rest
– Left to the customer for their preferred file system
encryption (e.g. IBM offers this)

11
• Driven by a large mutual banking customer who
wanted additional features
– Integrating with their enterprise auditing platform
(Guardium)
– Policy-driven privileged user monitoring for ALL
operations (including reads)
– Plus many more features that Kathy will talk about now

© 2013 IBM Corporation
Information Management
Best Practices for Securing and Protecting
MongoDB Data
(Featuring IBM InfoSphere Guardium)
Kathy Zeidenstein, IBM InfoSphere Guardium Evangelist
Sundari Voruganti, QA Lead and solutions architect
29 May 2013

13
Data Governance and Security are changing rapidly
Data Explosion
Everything is
Everywhere
Attack
Sophistication
Moving from traditional perimeter-
based security…
…to logical “perimeter” approach to
security—focusing on the data and
where it resides
Firewall
Antivirus
IPS
• Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
• Focus needs to shift from the perimeter to the data that needs to be protected
Consumerization
of IT

14
Address key data security concerns
The gap: minutes to compromise, months to discover and remediate
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
Time span of events by percent of breaches
14
Patches, encryption
Monitoring

15
Keeping up with ever-changing global and industry regulations
Canada:
Personal Information Protection
& Electronics Document Act
USA:
Federal, Financial & Healthcare
Industry Regulations & State Laws
Mexico:
E-Commerce Law
Colombia:
Political Constitution –
Article 15
Brazil:
Constitution, Habeas Data &
Code of Consumer Protection &
Defense
Chile:
Protection of
Personal Data Act
Argentina:
Habeas Data Act
South Africa:
Promotion of Access
to Information Act
United Kingdom:
Data Protection
Act
EU:
Protection
Directive
Switzerland:
Federal Law on
Data Protection
Germany:
Federal Data Protection
Act & State Laws
Poland:
Polish
Constitution
Israel:
Protection of
Privacy Law
Pakistan:
Banking Companies
Ordinance
Russia:
Computerization & Protection of Information
/ Participation in Int’l Info Exchange
China
Commercial
Banking Law
Korea:
3 Acts for Financial
Data Privacy
Hong Kong:
Privacy Ordinance
Taiwan:
Computer- Processed
Personal Data
Protection LawJapan:
Guidelines for the
Protection of Computer
Processed Personal Data
India:
SEC Board of
India Act
Vietnam:
Banking Law
Philippines:
Secrecy of Bank
Deposit Act
Australia:
Federal Privacy
Amendment Bill
Singapore:
Monetary Authority of
Singapore Act
Indonesia:
Bank Secrecy
Regulation 8
New Zealand:
Privacy Act

16
Helping Organizations Progress in Their Security Maturity
People Data Applications Infrastructure Security
Intelligence
Optimized
Role based
analytics
Identity
governance
Privileged user
controls
Data flow
analytics
Data
governance
Secure app
engineering
processes
Fraud detection
Advanced
network
monitoring
Forensics / data
mining
Securing systems
Advanced threat
detection
Network anomaly
detection
Predictive risk
management
Proficient
User provisioning
Access mgmt
Strong
authentication
Access
monitoring
Data loss
prevention
Application
firewall
Source code
scanning
Virtualization
security
Asset mgmt
Endpoint /
network security
management
Real-time event
correlation
Network forensics
Basic
Centralized
directory
Encryption
Access control
Application
scanning
Perimeter security
Anti-virus
Log management
Compliance
reporting
InfoSphere
Guardium
Data
Encryption
InfoSphere
Guardium
Activity
Monitoring
Static Data
(at rest)
Static Data
(at rest)
Dynamic Data
(in motion)
Dynamic Data
(in motion)
Validated by 10gen

17
Meta-Data
(configuration)
Meta-Data
(configuration)
Dynamic Data
(in motion)
Dynamic Data
(in motion)
Static Data
(at rest)
Static Data
(at rest)
17
ApplicationsDatabases ServersNetwork Security Mainframe
Network
Infrastructure
Availability Performance Security
IT
DBA
Application
Network
IT
DBA
App Admin
Network Admin
Focused on the Infrastructure It’s all about the DATA
IT
DBA
App
Network
Security
Compliance
CISO
ClassificationDiscovery
Privacy Integrity
Compliance
Security
Vulnerability Assessment
Configuration Audit System
Guardium VA
Activity Monitoring
Blocking / Masking
Guardium DAM
Flexible and heterogeneous
data encryption
Guardium Encryption
Defense in depth using InfoSphere Guardium

18
IBM InfoSphere Guardium Data Encryption
• Protect sensitive enterprise
information and avoid data
breaches
• Minimize impact to production
• Enforce separation of duties by
keeping security and data
administration separate
• Meet government and industry
regulations (eg. PCI-DSS)
Ensure compliance with
data encryption
Ensure compliance and protect
enterprise data with encryption
Data Encryption
Static Data
(at rest)
Static Data
(at rest)
Guardium
Data
Encyption

19
InfoSphere Guardium Data Encryption Architecture
*communication is only
required at system boot
Policy is used to restrict access to
sensitive data by user and process
information provided by the OS.
Users
Application
Mongod
File System
SAN, NAS,
DAS Storage
OS
SSL/TLSFS Agent
Static Data
(at rest)
Static Data
(at rest)

20
InfoSphere Guardium Activity Monitoring
and Vulnerability Assessment
Prevent data breaches
Mitigate external and internal threats
11
33 Reduce cost of compliance
- Automate and centralize controls
- Simplify audit review processes
22 Ensure the integrity of sensitive data
Prevent unauthorized changes to
data, data infrastructure, configuration
files and logs
Continuously monitor access to sensitive data in SQL and NoSQL
databases, data warehouses, Hadoop big data environments, and file
shares to:
20
Dynamic Data
(in motion)
Dynamic Data
(in motion)
Meta-Data
(configuration)
Meta-Data
(configuration)

21
InfoSphere Guardium value proposition (cont.)
Increase operational efficiency
Automate & centralize internal controls
Across heterogeneous & distributed environments
Identify and help resolve performance issues & application errors
Highly-scalable platform, proven in most demanding data center
environments worldwide
No degradation of infrastructure or business processes
Non-invasive architecture
No changes required to applications or databases
Do it all in an efficient, scalable, and
cost effective way
44
21
Dynamic Data
(in motion)
Dynamic Data
(in motion)
Meta-Data
(configuration)
Meta-Data
(configuration)

22
What Are The Different Methods for Data Activity
Monitoring?
Process logs
SPAN, Network Tap
(appliance based)
Agent
Guardium
Collector
Database
Server
Application
Server
SPAN
Network TAP
Dynamic Data
(in motion)
Dynamic Data
(in motion)
Agent

23
MongoDB Sharded
Cluster
(Routing servers and
Shards)
Clients
InfoSphere Guardium
Collector
Monitoring Reports, Text
search, data mart
Real-time alerts can be
integrated with SIEM systems
S-TAPsMongos
Shards
High level architecture of the InfoSphere Guardium solution for
MongoDB
Lightweight agent sits on MongoDB routing servers
(mongos) and shards (mongod)
Network traffic is copied and sent to a hardened
appliance where parsing, analysis, and logging
occurs, minimizing overhead on the MongoDB
cluster
Separation of duties is enforced – no direct access
to audit data

Technical details
InfoSphere Guardium

25
Mongos
S-TAP monitors access to shards
Secondary
Mongod
Primary Primary
One Recommended Configuration
DB Users,
Admins
Business
apps
X
Mongo
Client
Mongo
Client
Mongo
Client
Mongo
Client
1. Use firewall to
prevent client
acccess to shards
2. Configure S-TAP on
shards to monitor
traffic that does not
come through
mongos
Secondary
Primary
Secondary
Secondary
Mongod
Secondary
Mongod
Secondary
Privileged
user
Shard 1 Shard 2 Shard 3
Config Server
Config Server
Config Server
Config Server

26
26
Capture and Parsing Overview
Mongo
Client
Guardium
Collector
Analysis
engine
test.CreditCard.insert({
"Name“ : "Sundari",
"profile“ : [
{"CCN" : "11999002"},
{"log" : ["new", "customer"]}
],
});
test.CreditCard.insert(
…
Sessions CommandsObjects
Columns/Fields
Read Only
Hardened Repository
(no direct access)
SQL
(message)
INSERTJoe CreditCard
Name
profile.CCN
profile.log
Parse
commands
then log
Joe
Mongos
S-TAP
test.CreditCard.insert
...
test.CreditCard.insert({
"Name“ : "Sundari",
"profile“ : [
{"CCN" : "11999002"},
{"log" : ["new", "customer"]}
],
});

27
Reports/Query Builder
27
1.1.1.1 23345 10.12.1.12 1433 test.CreditCard.insert ({ "Name“ : Sundari",….
Network Packet
Parsed, analyzed,
logged in
repository
Query builder for reports
Sessions
Commands
Objects
Exceptions
Columns/Fields
Read Only
Hardened Repository
SQL
Returned
Data
SessionsSessions
CommandsCommands
Objects
ExceptionsExceptions
Columns/FieldsColumns/Fields
Read Only
Hardened Repository
SQL
Returned
Data
Drag and
drop
attributes
Fields
Conditions
Audit report

28
Quick search
Hey, did someone drop a collection??

Live Demo
InfoSphere Guardium

30
Some typical monitoring use cases
 Here’s just an example of some of the policy rules you can create
 See developerWorks article for more details (June 2013)

31
Examples – Alert when 5 or more failed logins in 3 minutes

32
Examples – Alert on anomalous behavior (#finds)
Detect quickly when users are downloading more than allowed by policy
db.credit_card.find()

33
Detects server-side JavaScript
> db.customer.find( { $where: function() { return obj.credits == obj.debits; } } );
All of the following MongoDB operations permit you to run arbitrary JavaScript expressions directly on the
server:
$where
db.eval()
mapReduce
group
“You must exercise care in these cases to prevent users from submitting malicious
JavaScript.”
(http://docs.mongodb.org/manual/faq/developers/#how-does-mongodb-address-sql-or-query-injection)

34
Real-time Data Activity Monitoring, built to scale
Integration with
LDAP, IAM,
SIEM, TSM,
Remedy, …
DATA
InfoSphere
BigInsight
s

35
InfoSphere Guardium for MongoDB
Helping you maintain a safe and secure environment
Dynamic Data
(in motion)
Dynamic Data
(in motion)
Monitor all activity, log what you need
Real-time alerting to reduce time to
discovery
Detect use of possibly unsafe coding
practices (server-side JavaScript)
 Detect dropped indexes or collections
that can affect apps
Block users when required (Advanced)
Highly-scalable platform, proven in most
demanding data center environments
worldwide
Validated by 10gen!
Static Data
(at rest)
Static Data
(at rest)
Protect data from misuse
Policy-based encryption
Separation of duties
 Scale to protect structured and
unstructured data across
heterogeneous environments
without enterprise changes

36
36
For more information
 Join the InfoSphere Guardium community on
developerWorks. bit.ly/guardwiki
 Or click on Contact Us at
Ibm.com/software/data/guardium/database-activity-
monitor/
 Send an email to Kathy at krzeide@us.ibm.com
Look for detailed article on IBM developerWorks
– Part 1 publishes on June 6th
.

37
Gracias
Merc
i
Grazie
Obrigado
Danke
Japanese
French
Russian
German
Italian
Spanish
Brazilian Portuguese
Arabic
Traditional Chinese
Simplified Chinese
Thai
Tack
Swedish
Danke
Dziękuję
Polish

Webinar: Best Practices for Securing and Protecting MongoDB Data

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a Webinar: Best Practices for Securing and Protecting MongoDB Data

Similar a Webinar: Best Practices for Securing and Protecting MongoDB Data (20)

Más de MongoDB

Más de MongoDB (20)

Último

Último (20)

Webinar: Best Practices for Securing and Protecting MongoDB Data