April 28, 2014
Data security and privacy are critical concerns in today’s connected world. Data analyzed from new sources such as social media, logs, mobile devices and sensor networks has become as sensitive as traditional transaction data generated by back-office systems. For this reason, big data technologies are evolving to meet the regulatory compliance standards demanded by industry and government.
MongoDB 2.6 extends capabilities to defend, detect and control access to online big data with the most complete security controls of any NoSQL database. These capabilities are discussed in the post below, and you can learn more about them in our live webinar on Thursday 1st May. Registration is open!
Building upon existing Kerberos protocol support, the MongoDB 2.6 Enterprise subscription adds support for LDAP, enabling integration with centralized identity management policies, avoiding the need to duplicate credentials across multiple systems.
In addition, support for x.509 certificates allows the authentication of clients and cluster nodes without using potentially vulnerable passwords and keyfiles.
MongoDB allows administrators to define permissions for a user or application, and what data it can see when querying the database. MongoDB has offered a number of built-in roles, and now extends this with the ability to configure granular user-defined roles. With such Role Based Access Control, administrators can enforce a separation of duties between different entities accessing and managing the database.
Additionally, using the new redact operator offered within the MongoDB aggregation pipeline, applications can implement field-level access control using trusted middleware.
By managing control at the field level, a single document can contain data with multiple security levels, avoiding the complexity of separating information with different security levels across multiple databases. Permissions can be based on both the content of the document and on specific user privileges, based on security labels. Access control policies are described using the MongoDB query language, making it simple for developers to implement the required controls.
Since data is redacted before it is returned to the application, exposure of sensitive information is reduced. Field level redaction is applicable to a wide range of sensitive data including personally identifiable information such as names, social security numbers, birthdates and bank account numbers.
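The field-level policy described above, as an added example that is not MongoDB's own code: a middleware helper builds the $redact stage from the caller's security labels, and a small local model shows what each label set would get back. The `tags` field name, the labels and the sample record are constructed for illustration.

```javascript
// Added example, not MongoDB's code. The `tags` field, labels and sample data are constructed.

// Trusted middleware: build the $redact stage from labels taken from the
// authenticated session (never from client-supplied input).
function buildRedactStage(userLabels) {
  if (!Array.isArray(userLabels) || !userLabels.every((l) => typeof l === "string")) {
    throw new TypeError("userLabels must be an array of strings");
  }
  // Levels with no `tags` field are treated as [] and pruned (fail closed).
  const shared = { $setIntersection: [{ $ifNull: ["$tags", []] }, userLabels] };
  return {
    $redact: {
      $cond: { if: { $gt: [{ $size: shared }, 0] }, then: "$$DESCEND", else: "$$PRUNE" },
    },
  };
}

const isDoc = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Local model of that one policy, so it can be checked without a server:
// $$PRUNE drops the level, $$DESCEND keeps its scalars and re-checks sub-documents.
function simulateRedact(doc, userLabels) {
  const tags = Array.isArray(doc.tags) ? doc.tags : [];
  if (!tags.some((t) => userLabels.includes(t))) return undefined; // $$PRUNE
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    if (Array.isArray(value)) {
      out[key] = value
        .map((e) => (isDoc(e) ? simulateRedact(e, userLabels) : e))
        .filter((e) => e !== undefined);
    } else if (isDoc(value)) {
      const kept = simulateRedact(value, userLabels);
      if (kept !== undefined) out[key] = kept;
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample document: one record, three sensitivity levels.
const sampleCustomer = {
  tags: ["support", "billing"],
  name: "Example Customer",
  payment: { tags: ["billing"], account: "CONSTRUCTED-0000" },
  notes: [
    { tags: ["support"], text: "called about login" },
    { tags: ["billing"], text: "card declined" },
  ],
};
```

On a server the stage would be passed as `db.customers.aggregate([buildRedactStage(labels)])`, where `customers` is a hypothetical collection name.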
Security administrators can use MongoDB's native audit log to track access and administrative actions taken against the database, with events written to the console, syslog or a file. The DBA can then merge these events into a single log, enabling a cluster-wide view of operations that affected multiple nodes.
MongoDB 2.6 delivers enhanced SSL support. Now a single port can mix both SSL and non-SSL connections, enabling simpler upgrades to SSL-based clusters and the creation of more flexible encryption policies, e.g. internal vs. external traffic. Tools such as mongodump, mongorestore, mongostat, etc. now support SSL connections. mongod and mongos processes can now prompt for an SSL certificate passphrase at start-up.
MongoDB supports FIPS 140-2 encryption when run in FIPS Mode with a FIPS validated Cryptographic module.
Monitoring and Backup
Database monitoring and backup are critical in identifying and protecting against potential exploits, reducing the impact of any attempted breach. For example, sudden peaks in the CPU and memory loads of host systems and high operations counters in the database can indicate a Denial of Service attack. MongoDB ships with a variety of tools including mongostat and mongotop that can be used to monitor your database. The most comprehensive monitoring solution is provided by the MongoDB Management Service (MMS).
MongoDB Management Service (MMS) is an application for managing MongoDB deployments, making it easier to operate MongoDB securely at any scale. MMS provides automation, monitoring, backup and recovery, helping users optimize clusters and mitigate operational risk. MMS users can visualize database performance and set custom alerts that notify when particular metrics are out of normal range. MMS is also the only continuous backup solution for MongoDB, providing point-in-time recovery for replica sets and cluster-wide snapshots of sharded systems. With the release of MMS 1.4 alongside MongoDB 2.6, Backup is now available for on-premise deployment, as part of a MongoDB subscription.
Resources to Learn More
- Tune into our live webinar, Thursday 1st May
- Download our whitepaper: MongoDB Security Architecture (opens a pdf)
- Review step by step guides in our tutorial: MongoDB Security Introduction