Security Best Practices Revisited

Andrew Racine


According to the just released 2016 Verizon Data Breach Investigations Report, 2015 saw 2,260 confirmed data breaches as well as over 100,000 reported security incidents. These are the highest numbers since the report began analyzing such incidents back in 2008.

The report does a fantastic job of describing the types of attacks organizations should be prepared to face in the coming year. While the sophistication level of each threat varies, the report points out that 63% of confirmed data breaches were very simple - they used weak, default, or stolen passwords. This is a strong reminder that even basic defenses are still lacking in many organizations.

At MongoDB, we take security very seriously. Our team is constantly working to deliver a world class database experience that addresses today’s ever-evolving security requirements.

As a reminder, here are some resources MongoDB customers can use to help ensure the security of their systems:

  • The most popular installer for MongoDB (RPM) limits network access to localhost by default.
  • Security is addressed in detail in our Security Manual. The Security Checklist discusses limiting network exposure. Note that the method to do this will vary significantly depending on where the service is hosted (AWS, Azure, locally, etc.).
  • MongoDB Atlas security features include TLS/SSL encryption; authentication and authorization via SCRAM-SHA-1; IP whitelists enforced with AWS Security Groups; optionally encrypted storage volumes; and the MongoDB Atlas console to manage database users.
  • Additionally, users of MongoDB Cloud Manager can enable alerts to detect if their deployment is internet exposed.
  • A discussion on security is provided in two parts. Part 1 covers design and configuration. Part 2 covers 10 mistakes that can compromise your database.
  • We encourage users who have experienced a security incident with MongoDB to create a vulnerability report.
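As an added example (not MongoDB's own tooling or code from this post), here is a small audit script that checks a mongod.conf for the two controls the list above points at: network exposure via net.bindIp and access control via security.authorization. The two configuration texts are constructed samples, one weak and one hardened.

```python
"""Audit a mongod.conf for network exposure and access control.
Added example; the configuration texts below are constructed samples."""

# Constructed sample: listens on every interface, no access control.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongo
"""

# Constructed sample: loopback only (as the RPM package sets it) plus authorization.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongo
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' subset of mongod.conf YAML.
    Kept minimal on purpose so the example runs without PyYAML."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw.startswith(" "):
            conf.setdefault(section, {})[key] = value.strip()
        else:
            section = key
            conf.setdefault(section, {})
    return conf


def audit(conf_text):
    """Return a list of findings; an empty list means both controls are in place."""
    conf = parse_conf(conf_text)
    findings = []
    bind = conf.get("net", {}).get("bindIp")
    if bind is None:
        findings.append("net.bindIp is not set: pin it to 127.0.0.1 unless remote clients are required")
    elif any(addr.strip() not in LOOPBACK for addr in bind.split(",")):
        findings.append(f"net.bindIp={bind} listens on a non-loopback interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: any client that can connect has full access")
    return findings
```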

If you are interested in learning more about security best practices, watch our on-demand webinar, Securing your MongoDB deployment.

About the Author - Andrew Racine

Andrew is Director, Demand Generation at MongoDB where he helps customers learn how to turn their giant ideas into reality. Prior to joining MongoDB, Andrew was the Director of Marketing at Conjur, an infrastructure security startup. Before Conjur, Andrew spent nearly 5 years at HubSpot in a variety of customer-focused roles.