MongoDB Security Part II: 10 mistakes that can compromise your database

Update: Watch our webinar on Securing Your MongoDB Deployment for further information on this topic.

This is the second in our 2-part series on MongoDB Security by Andreas Nilsson, Lead Security Engineer at MongoDB

This post outlines 10 best practices for hardening your MongoDB deployment. Failure to follow these best practices can lead to the loss of sensitive data, disrupted operations and have the potential to put entire companies out of business. These recommendations are based on my experience working with MongoDB users, and building security systems for databases and financial services organizations. Items are ordered by a combination of severity and frequency.

#1 Enable Access Control and Enforce Authentication

Enable access control and specify the authentication mechanism. You can use the default MongoDB authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can connect to the system. In clustered deployments, enable authentication for each MongoDB server. See Authentication and Enable Client Access Control.

#2 Configure Role-Based Access Control

Create a user administrator first, then create additional users. Create a unique MongoDB user for each person and application that accesses the system; a user can be a person or a client application. Create roles that define the exact access a set of users needs, following the principle of least privilege. Then create users and assign them only the roles they need to perform their operations. See Role-Based Access Control and Manage Users and Roles.

#3 Encrypt Communication

Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between the mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB. See Configure mongod and mongos for TLS/SSL.

#4 Limit Network Exposure

Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available. See Security Hardening and the bindIp setting.

#5 Audit System Activity

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls. See Auditing and Configure Auditing.

#6 Encrypt and Protect Data

Encrypt MongoDB data at rest. Configure the encrypted storage engine, or use application-level or third-party storage encryption.

#7 Run MongoDB with a Dedicated User

Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions. See Install MongoDB for more information on running MongoDB.

#8 Run MongoDB with Secure Configuration Options

MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. If you do not use these operations, disable server-side scripting with the --noscripting option on the command line.

Use only the MongoDB wire protocol on production deployments. Do not enable the following options, all of which enable the web server interface: net.http.enabled, net.http.JSONPEnabled, and net.http.RESTInterfaceEnabled. Leave these disabled unless required for backwards compatibility. Note that the HTTP interface is deprecated in MongoDB 3.2 and above.

Keep input validation enabled. MongoDB enables input validation by default through the wireObjectCheck setting, which ensures that all documents stored by the mongod instance are valid BSON. See Security Hardening for more information on hardening the MongoDB configuration.
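The following mongod.conf (YAML configuration file, MongoDB 3.x option names) applies items #1, #3, #4, #5, #6 and #8 above in one place, with the weak or default value of each setting noted in a comment. It is an added example, not configuration taken from the post or from MongoDB's documentation; the file paths, the private address 10.0.1.20 and the audit filter are placeholders chosen for illustration.

```yaml
# Hardened mongod.conf (constructed example; paths and addresses are placeholders).
storage:
  dbPath: /var/lib/mongodb            # owned by the dedicated mongodb OS user (#7)
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true

net:
  port: 27017
  # #4: listen only on loopback and the private cluster interface. The weak
  # setting is 0.0.0.0 (every interface), which was the default before 3.6.
  bindIp: 127.0.0.1,10.0.1.20
  # #3: require TLS from every client and every cluster member. The modes
  # disabled, allowSSL and preferSSL all still accept plaintext connections.
  # MongoDB 4.2+ spells this section net.tls with mode requireTLS.
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb/server.pem
    CAFile: /etc/ssl/mongodb/ca.pem
  # #8: keep the deprecated HTTP/REST/JSONP interface off (removed in 3.6).
  http:
    enabled: false
    JSONPEnabled: false
    RESTInterfaceEnabled: false
  # #8: reject malformed BSON on the wire (true is the default; kept explicit).
  wireObjectCheck: true

security:
  # #1: the insecure default is 'disabled', which lets any network peer read
  # and write every database without credentials.
  authorization: enabled
  # #1: replica set / sharded cluster members authenticate to each other with a
  # shared key file (mode 0400, owned by the mongodb user) or with x.509.
  keyFile: /etc/mongodb/keyfile
  # #8: configuration-file equivalent of --noscripting; disables $where,
  # mapReduce and group.
  javascriptEnabled: false
  # #6: encrypted storage engine (Enterprise, WiredTiger). A KMIP key server is
  # preferable to a local key file in production.
  enableEncryption: true
  encryptionKeyFile: /etc/mongodb/encryption-key

# #5: audit log (Enterprise). Record authentication and user/role management
# events; the filter is an assumption and can be widened to other atype values.
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "createRole", "dropRole", "updateRole" ] } }'
```

The auditLog and enableEncryption sections are Enterprise-only and cause a Community build of mongod to refuse to start, so drop them there; everything else applies to both editions.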

#9 Consider Security Standards Compliance

For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use the key security capabilities to build compliant application infrastructure.

#10 Don’t Ignore Security Best Practices

A guaranteed way to create an insecure system is to ignore the topic altogether, or hope someone else thinks about it. Before deploying a MongoDB instance with sensitive data, please consult the MongoDB Security Manual and the MongoDB Security Tutorials and stay conscious about potential threats to your application.

MongoDB Enterprise Advanced provides access to enterprise grade capabilities. It includes all the ease-of-use, broad driver support, and scalability features of MongoDB, while addressing the more demanding security and certification requirements of corporate and government information security environments. To try it out, download an evaluation version of MongoDB Enterprise.