Securing MongoDB Part 4: Environmental Control & Database Management

Mat Keep
February 24, 2016 | Updated: August 17, 2016
#Technical

Welcome back to the final installment of our 4-part blog series presenting the best practices and controls available in MongoDB to help you create a secure, compliant database platform.

In this concluding post, we’ll be discussing environmental control and database management.

As a quick recap, in part 1, we took a look at the general requirements for data security and regulatory compliance, and then in part 2, reviewed MongoDB access controls enforcing authentication and authorization. In part 3, we discussed auditing and encryption.

If you want to get a head-start and learn about all of these topics in one installment, just go ahead and download the MongoDB Security Architecture guide.

Environment & Processes

Building on the database security controls discussed in the previous posts, to further reduce the risk of exploitation, run MongoDB in a trusted environment, implement a secure development lifecycle, and enforce deployment best practices.

A “Defense in Depth” approach is recommended to complement secure MongoDB deployments, addressing a number of different methods for managing risk and reducing exposure.

The intention of a Defense in Depth approach is to layer your environment to ensure there are no exploitable single points of failure that could allow an intruder or untrusted party to access the data stored in the MongoDB database.

Secure environments use the following strategies to control access, with more detail available in the Network Exposure and Security section of the documentation.

  • Network Filter. By using filters such as firewalls and router ACL rules, connections to MongoDB from unknown systems can be blocked.

Firewalls should limit both incoming and outgoing traffic to/from a specific port to trusted and untrusted systems. For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted outputs. In addition, unneeded system services should be deactivated.

  • Binding IP Addresses. The bind_ip setting for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections.
  • Running in VPNs. Limit MongoDB programs to non-public local networks and virtual private networks. Virtual Private Networks (VPNs) make it possible to link two networks over an encrypted and limited-access trusted network. Typically MongoDB users configure SSL rather than IPSEC protocols for performance advantages.
  • Dedicated OS User Account. A user account dedicated to MongoDB should be created and used to run MongoDB executables. MongoDB should not run as the “root” user.
  • File System Permissions. The servers running MongoDB should employ filesystem permissions that prevent users from accessing the data files created by MongoDB. MongoDB configuration files and the cluster keyfile should be protected to disallow access by unauthorized users.
  • Query Injection. As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks should not pose a risk to the system for queries submitted as BSON objects. However, several MongoDB operations permit the evaluation of arbitrary JavaScript expressions and care should be taken to avoid malicious expressions. Fortunately, most queries can be expressed in BSON and for cases where Javascript is required, it is possible to mix JavaScript and BSON so that user-specified values are evaluated as values and not as code.

MongoDB also allows the administrator to configure the MongoDB server to prevent the execution of Javascript scripts. This will prevent MapReduce jobs from running, but the aggregation pipeline can be used as an alternative in many use cases.

  • Physical Access Controls. In addition to the logical controls discussed above, controlling physical access to servers, storage and backup media provides critical environmental protection.

MongoDB Atlas Security

As discussed earlier in this blog series, MongoDB Atlas is a database as a service for MongoDB, providing all of the features of the database, without the operational heavy lifting required for any application.

Data security has always been a top consideration for any organization evaluating public cloud platforms for application deployment. MongoDB Atlas has been engineered to deliver robust security controls for any instance you deploy:

  • IP Whitelisting. Clients are prevented from accessing the database unless their IP address has been added to the IP whitelist for your MongoDB Atlas group.
  • Access Control. Authentication is enforced for all MongoDB Atlas clients via the SCRAM-SHA-1 mechanism. User and administrator roles can be defined to ensure a separation of duties between different entities accessing the database and the MongoDB Atlas service.
  • End-to-End Encryption. MongoDB Atlas uses TLS/SSL to encrypt the connections to your databases. Data at rest can be protected using encrypted data volumes.

Review the MongoDB Atlas documentation for more information on configuring the in-built security controls.

Database Monitoring

Proactive monitoring of all components within an IT environment is always a best practice. System performance and availability depend on the timely detection and resolution of potential issues before they present problems to users.

From a database security perspective, monitoring is critical to identifying potential exploits in real time, thereby reducing the impact of any breach. For example, sudden peaks in the CPU and memory loads of host systems and high operations counters in the database can indicate a Denial of Service attack. MongoDB ships with a variety of tools including mongostat and mongotop that can be used to monitor your database.

The most comprehensive monitoring solution is provided by MongoDB Ops Manager, which is the simplest way to run MongoDB. Ops Manager makes it easy for operations teams to monitor, secure, back up, and scale MongoDB. Ops Manager is available with MongoDB Enterprise Advanced. MongoDB Cloud Manager is a hosted management platform for MongoDB providing many of the same capabilities as Ops Manager.

**Figure 1**: Ops Manager Offers Charts, Custom Dashboards & Automated Alerting

Featuring charts, custom dashboards, and automated alerting, Ops and Cloud Manager track 100+ key database and systems health metrics including operations counters, memory and CPU utilization, replication status, open connections, queues and any node status. Cloud Manager can also alert you if any host is internet-exposed.

The metrics are securely reported to Ops Manager where they are processed, aggregated, alerted and visualized in a browser, letting administrators easily determine the health of MongoDB in real time. Views can be based on explicit permissions, so project team visibility can be restricted to their own applications, while systems administrators can monitor all MongoDB deployments across the organization.

Ops Manager allows administrators to set custom alerts when key metrics are out of range. Alerts can be configured for a range of parameters affecting individual hosts, replica sets, agents, and backup. Alerts can be sent via SMS and email or integrated into existing incident management systems such as PagerDuty and HipChat to proactively warn of potential issues before they escalate to costly outages.

Disaster Recovery: Backups & Point-in-Time Recovery

Ops Manager backups are maintained continuously, just a few seconds behind the operational system. If MongoDB experiences a failure, the most recent backup is only moments behind, minimizing exposure to data loss. Ops Manager and Cloud Manager are the only MongoDB backup solutions that offers point-in-time recovery of replica sets and cluster-wide snapshots of sharded clusters. You can restore to precisely the moment you need, quickly and safely.

Training & Consulting Services

Investing in skills can ensure a more secure environment. MongoDB University offers courses for both developers and DBAs:

  • Free, web-based classes, delivered over 7 weeks, supported by lectures, homework and forums to interact with instructors and other students. Over 350,000 students have enrolled in these classes since they were first released.
  • 2-day public training events held at MongoDB facilities
  • Private training customized to an organization’s specific requirements - including best practices in secure development and deployment - delivered at your site.

In addition, MongoDB Global Consulting Services offers Health Checks and Production Readiness assessments, working with your team to evaluate and apply deployment best practices.

Keep up to Date

Always ensure you are running the latest production-certified release of both MongoDB and the drivers, and have applied the latest set of patches. While MongoDB Enterprise Advanced customers get access to emergency patches, fixes for security vulnerabilities are available to all MongoDB users as soon as they are released.

Wrapping Up

Its no surprise that with databases storing an organization’s most important information assets, securing them is top of mind for the business.

You can get started by reading the MongoDB Security Architecture guide. If you want to try them for yourself, [download MongoDB Enterprise](https://www.mongodb.com/download-center?#enterprise), free of charge for evaluation and development.
MongoDB security architecture guide

About the Author - Mat Keep

Mat is a director within the MongoDB product marketing team, responsible for building the vision, positioning and content for MongoDB’s products and services, including the analysis of market trends and customer requirements. Prior to MongoDB, Mat was director of product management at Oracle Corp. with responsibility for the MySQL database in web, telecoms, cloud and big data workloads. This followed a series of sales, business development and analyst / programmer positions with both technology vendors and end-user companies.

← Previous

What’s New In Cloud Manager?

We update MongoDB Cloud Manager regularly so that we can make it better for our customers. The latest version of Cloud Manager that was released on 2/22/16 introduced some significant changes and improvements. Continue reading below to learn more about the changes: Release of optimized navigation structure UI, including simplified Servers & Processes view. Take a look at the new Deployment tab to see the re-styled Servers and Processes tabs. Completely retooled user and roles management, giving users more flexibility over what is managed and what is not managed. You can find the users and roles under the “More” menu on the Deployment tab. Ability to convert a replica set to a sharded cluster If you have any feedback, feel free to send us an e-mail at beta-team@mongodb.com. Thanks for using Cloud Manager!

February 23, 2016
Next →

Being Latine in Tech: Two MongoDB Employees Share Their Advice on Building Careers in Engineering

Ashley Naranjo and Martin Bajana, members of MongoDB’s employee resource group QueLatine, share their career journeys and offer insight into how other members of the Latine community can build careers in tech. Jackie Denner: How did you make your way into the tech industry? Ashley Naranjo: I am a first-generation Latina with a passion for Information Technology and a knack for problem-solving. After graduating early from high school, I embarked on a career in Nursing. I chose Nursing initially because I wanted to make a difference and help others, but my path took an unexpected turn when COVID-19 reshaped our world. In light of the circumstances, I reevaluated my options and decided to seize an opportunity with a program called Year Up . During the intensive six-month training and deployment phase, I not only completed rigorous coursework but also obtained IT Google Coursera certifications and actively pursued CompTIA certifications. This experience allowed me to secure an internship at Meta (Facebook) as an Enterprise Operation IT Support Tech, where my love for technology blossomed. During my time at Meta, I had the privilege of assisting diverse Meta users worldwide with a wide range of technical issues, including troubleshooting, software and hardware support, internal access permissions, and more. The exposure to a global tech environment further fueled my passion for the field. When my internship concluded, I was offered a 1-year contract role with Meta to continue my work as a support tech for the same team. Throughout that year, I immersed myself in all aspects of technology, maximizing my learning opportunities and applying my networking skills. As time went on, I knew I needed a new challenge. This led me to embark on a search for an exciting role, which eventually brought me to MongoDB. I am passionate about driving technological innovation, and MongoDB is a place where I can make an impact. Martin Bajana: My interest in technology stems from a variety of sources. From a young age, I developed a strong passion for video games and exploring new technologies. Whether it was experimenting with the latest gaming consoles or delving into computer hardware, I relished the opportunity to learn and understand the inner workings of these technologies. In school, I discovered my affinity for mathematics, which further solidified my decision to pursue a career in the tech industry. Choosing to study computer science in college was a natural progression for me, as it allowed me to combine my love for technology with my aptitude for problem-solving. After completing my education, I was recruited by Verizon, where I worked on front-end applications and Android development. Although the transition was initially challenging, I persevered and regained my confidence. It was during this period that I realized a career in technology was my long-term aspiration. Throughout my tenure at Verizon, I embraced opportunities to work across various teams, acquiring valuable experience and honing my skills. Eventually, I made the decision to join MongoDB, which has provided me with an enriching journey and the chance to shape my career in the tech industry. JD: Have there been any challenges you've faced throughout your career? AN: Imposter syndrome has been a significant challenge for me throughout my career, and it's something I still deal with to this day. When surrounded by my talented colleagues, I would often compare myself to them and focus on my perceived weaknesses and flaws, leading to a lack of self-confidence. However, I tackled this issue by addressing my feelings with my manager. Her support and guidance helped me realize my own potential and acknowledge my accomplishments. Maintaining a positive mindset has enabled me to view myself as a competent engineer and recognize the value I bring to my team. I have learned to take ownership of my successes and embrace opportunities for growth. Stepping out of my comfort zone has become a regular practice, as personal and professional development often stems from embracing challenges and discomfort. By giving myself permission to take up space and be confident in my abilities, I have been able to overcome imposter syndrome and continue to thrive in my role. MB: I have been fortunate enough to work for companies and teams that value and respect me for the work I deliver. Being in the tech industry and growing up in a culturally diverse region of the country, I have had exposure to individuals from various backgrounds and identities, which has made me more comfortable as a Latinx individual in the industry. My personal goal is to promote a work environment where everyone is judged based on the contributions they bring to the team, rather than their identity. I believe in supporting and respecting the identities of my peers and coworkers while fostering a culture of inclusivity and equality. JD: How has MongoDB supported your career growth and development? AN: In my time working at MongoDB, I have experienced exceptional support that has greatly contributed to my professional development and growth. As an engineer at MongoDB, I have been provided with numerous opportunities to expand my knowledge and skills through participation in tech talks, hackathons, and continuous learning about emerging technologies. I am grateful for the proactive approach taken by my manager and team leaders in fostering my growth as an engineer. Additionally, MongoDB's commitment to diversity and inclusion is evident through the company's DEI initiatives. Platforms like our employee resource group “QueLatine” have made me feel a stronger sense of connection and belonging, particularly among my Latinx peers. By recognizing the power of our diverse backgrounds and experiences, MongoDB empowers us to have a meaningful impact in the industry. MB: I have experienced full support from my leader since day one. They have proactively sought to understand my career goals and have helped me create a clear career path to achieve those goals. This level of support has enabled me to take on challenging projects and initiatives within the company, allowing me to grow and develop in my career. Furthermore, MongoDB offers a wealth of learning and development resources to its employees, which I have fully utilized to continue learning and growing my skill set. JD: What is your advice for other Latines who want to begin careers in tech? AN: Having made a significant career change myself, I can empathize with the challenges that come with exploring new paths, particularly in the tech industry. As a Latina in tech, I feel a strong desire to encourage and raise awareness within our community about the incredible resources and opportunities that are available to us. My advice to others who may be considering a similar journey is to prioritize the continuous development of your technical skills, actively seek out mentoring opportunities, push yourself beyond your comfort zone by honing your networking abilities, and most importantly, believe in yourself and your ability to achieve great things! MB: Navigating the vast world of technology can certainly be overwhelming, but it's important not to fear feeling lost. Even after 12 years in this career, there are still days where I come across something I've never heard of before. Fortunately, we live in a world abundant with resources for continuous learning. My advice is to take the time to explore and ask questions. Seek out open-source projects that you can contribute to, and connect with other professionals in the tech industry who can share their experiences and provide guidance. Additionally, taking advantage of hackathons and other tech events can expose you to new technologies and ideas. Don't be afraid to make mistakes, and most importantly, don't give up! Join us in transforming the way developers work with data. Build your tech career at MongoDB .

September 20, 2023