MongoDB Europe 2016 - Who's Helping Themselves To Your Data? Demystifying MongoDB's Security Features

Uploaded by: mongodb, 07-Jan-2017

TRANSCRIPT

Who’s Helping Themselves To Your Data? Demystifying MongoDB’s Security Features

@TheDonester

#MDBE16

Complexity is the Enemy of Security

Security holes resulting from misconfiguration? Under ‘time-to-market’ pressures, neglecting to apply a security layer due to complexity?


Need Clearer Path To [Secure] Success

•  Technologies need to keep things simple

•  Especially around Security

•  MongoDB's security features are orthogonal yet complementary

•  Using one feature doesn’t require learning and configuring all other features


MongoDB DB-level Security

Standards-based, with minimal inter-dependencies:

•  Authorization mandates Authentication (roles can only be applied to an identified user)
•  Certificate-based Authentication mandates In-Flight Encryption (TLS)
•  Client Authentication mandates Internal Authentication (replica set / cluster members must authenticate to each other)

Feature areas: Authentication, Authorization, In-Flight Encryption, At-Rest Encryption, Auditing
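The dependency rules above, as an added example that is not part of the talk or of MongoDB itself: a small Node.js checker over a mongod configuration expressed with the same nested keys as the YAML config file (security.*, net.ssl.*, setParameter.*, replication.*). The rule set, the messages and the two sample configurations (one deliberately weak, one hardened) are assumptions for illustration.

```javascript
// Added example (not from the talk or MongoDB's code): checks the slide's
// dependency rules against a mongod config given as nested objects that mirror
// the YAML config file keys. Rules, messages and sample configs are assumptions.

function get(cfg, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), cfg);
}

// Returns the list of violated rules; an empty list means the config is consistent.
function checkSecurityConfig(cfg) {
  const problems = [];
  const authz = get(cfg, "security.authorization") === "enabled";
  const replSet = get(cfg, "replication.replSetName") !== undefined;
  // Internal authentication is either a shared keyfile or member x.509 certificates.
  const clusterAuth = get(cfg, "security.clusterAuthMode") ||
    (get(cfg, "security.keyFile") ? "keyFile" : undefined);
  const sslMode = get(cfg, "net.ssl.mode") || "disabled";
  const tlsOn = sslMode !== "disabled";
  const mechanisms = String(get(cfg, "setParameter.authenticationMechanisms") || "")
    .split(",").map(s => s.trim()).filter(Boolean);

  // Client authentication mandates internal authentication: a replica set member
  // that enforces auth must itself be able to authenticate to its peers.
  if (authz && replSet && !clusterAuth) {
    problems.push("authorization enabled on a replica set member without security.keyFile or security.clusterAuthMode");
  }
  // Certificate-based authentication (client MONGODB-X509 or member x509) mandates TLS.
  const usesX509 = mechanisms.includes("MONGODB-X509") || clusterAuth === "x509" || clusterAuth === "sendX509";
  if (usesX509 && !tlsOn) problems.push("x.509 authentication configured but net.ssl.mode is disabled");
  if (usesX509 && !get(cfg, "net.ssl.CAFile")) problems.push("x.509 authentication needs net.ssl.CAFile to validate presented certificates");
  if (tlsOn && !get(cfg, "net.ssl.PEMKeyFile")) problems.push("net.ssl.mode is " + sslMode + " but net.ssl.PEMKeyFile is not set");
  if (tlsOn && sslMode !== "requireSSL") problems.push("net.ssl.mode " + sslMode + " still accepts cleartext connections");
  // At-rest encryption: a master key in a local keyfile is for testing only.
  if (get(cfg, "security.enableEncryption") === true) {
    if (get(cfg, "security.encryptionKeyFile")) {
      problems.push("master key in security.encryptionKeyFile on the local file system; use security.kmip.* in production");
    } else if (!get(cfg, "security.kmip.serverName")) {
      problems.push("security.enableEncryption is true but no master key source is configured");
    }
  }
  return problems;
}

// Constructed sample configs (assumed values): the weak one fails four rules, the hardened one none.
const weakConfig = {
  replication: { replSetName: "rs0" },
  security: { authorization: "enabled", enableEncryption: true, encryptionKeyFile: "/etc/mongodb-keyfile" },
  setParameter: { authenticationMechanisms: "SCRAM-SHA-1,MONGODB-X509" },
  net: { ssl: { mode: "disabled" } },
};
const hardenedConfig = {
  replication: { replSetName: "rs0" },
  security: { authorization: "enabled", clusterAuthMode: "x509", enableEncryption: true,
              kmip: { serverName: "kmip.example.internal" } },
  setParameter: { authenticationMechanisms: "SCRAM-SHA-1,MONGODB-X509" },
  net: { ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/mongod.pem", CAFile: "/etc/ssl/ca.pem" } },
};

for (const [name, cfg] of [["weak", weakConfig], ["hardened", hardenedConfig]]) {
  console.log(name + ": " + (checkSecurityConfig(cfg).join("; ") || "OK"));
}
```

The checker only looks at settings that exist in the config file; whether individual users authenticate with MONGODB-X509 is decided per user in the $external database, so the authenticationMechanisms parameter is used here as the signal that certificate clients are expected.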


Quick reminder....

Ensure you consult MongoDB's Security Checklist: http://docs.mongodb.org/manual/administration/security-checklist/

Remember:
•  Apply security in layers, for defence in depth
•  Many of these layers are not MongoDB specific


MongoSecurityPlaypen Github Project

NOT PRODUCTION SECURE - for learning/demoing purposes only

https://github.com/pkdone/MongoSecurityPlaypen


Authentication


Client Authentication Options

1. Challenge/Response (SCRAM-SHA-1)
2. LDAP (inc. Active Directory)
3. x.509 Certificate
4. Kerberos

[Diagram of the four flows: (1) SCRAM-SHA-1, username/password checked against credentials held on the server; (2) LDAP, username/password forwarded to a remote directory server; (3) x.509, the client presents a certificate that the server validates against its local CA certificates file; (4) Kerberos, the client obtains a service ticket from the Key Distribution Center (KDC), which has pre-established trust with the server.]

#MDBW16

Client Authentication Examples

[Screenshots of a client authenticating with each method: SCRAM-SHA-1, LDAP, x.509 Certificate, and Kerberos (which requires FQDNs for the hosts involved).]


LDAP Authentication Options


LDAP Integration   MongoDB Versions   Operating Systems   External Dependencies
Proxy              2.6+               Linux               Simple Authentication & Security Layer (SASL), via saslauthd
Direct             3.4+               Linux & Windows     n/a

[Diagram: DB host running mongod, directory host running the directory server. Proxy path: mongod -> saslauthd (on the DB host) -> directory server. Direct path: mongod -> directory server.]


Internal Authentication Options

[Diagram 1, Keyfile: each mongod replica reads the same keyfile from its host OS, and members authenticate to each other with a key challenge/response (the keyfile contents act as a shared SCRAM-SHA-1 password).]

[Diagram 2, x.509 Certificates: each mongod replica has its own key + certificate PEM file and a CA certificates file on its host OS, and members authenticate to each other by presenting certificates issued by the shared CA.]

Authorization (Role Based Access Control)


Role Based Access Control

Built-in roles
•  read, readWrite, dbAdmin, clusterAdmin, root, etc.

User-defined roles
•  Based on actions that can be defined for a resource


Defining & Using a Custom Role. Example: "Append-only" role

[Screenshots: define the role & user, then try inserting & querying data (only the insert should be permitted).]


LDAP Authorization* (MongoDB roles mapped to LDAP groups)

* New in 3.4

•  Role membership is fluid & managed dynamically in the LDAP directory (rather than granting roles to users in MongoDB)
•  LDAP Authorization is an optional feature, available when LDAP Direct Authentication is enabled


Read-Only Views* + Roles For Record-level Access Control

* New in 3.4

Define a view (uses the Aggregation Framework), then lock the user down to only the view.
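The append-only role and the view-restricted reader from the two slides above, as an added example (not the talk's own screenshots or MongoDB's code): the createRole/createView documents in mongo-shell form, plus a small offline checker that applies mongod's resource/action matching rules and the view's pipeline to constructed records, so the effect of each definition can be seen without a server. The database, collection and field names, the sample records and the placeholder passwords are assumptions.

```javascript
// Added example (not from the talk or MongoDB): role and view definitions as
// the shell methods take them, with an offline checker. All names are made up.

// Append-only role: may insert into audit.events and do nothing else there.
const appendOnlyRole = {
  role: "appendOnly",
  privileges: [{ resource: { db: "audit", collection: "events" }, actions: ["insert"] }],
  roles: [],
};

// Record-level access control: a view over crm.customers that exposes only EMEA
// customers and drops the nationalId field, and a role that may only read the view.
const emeaCustomersView = {
  name: "emeaCustomers",
  viewOn: "customers",
  pipeline: [{ $match: { region: "EMEA" } }, { $project: { nationalId: 0 } }],
};
const emeaReaderRole = {
  role: "emeaReader",
  privileges: [{ resource: { db: "crm", collection: "emeaCustomers" }, actions: ["find"] }],
  roles: [],
};

// Privilege check with mongod's resource rules: db and collection must match, and an
// empty string in either position is a wildcard.
function resourceMatches(resource, db, collection) {
  return (resource.db === "" || resource.db === db) &&
         (resource.collection === "" || resource.collection === collection);
}
function isAllowed(role, db, collection, action) {
  return role.privileges.some(p => resourceMatches(p.resource, db, collection) && p.actions.includes(action));
}

// Minimal evaluator for the two stages the view uses: $match with field equality
// and $project with field exclusion.
function applyView(view, docs) {
  return view.pipeline.reduce((current, stage) => {
    if (stage.$match) {
      return current.filter(d => Object.entries(stage.$match).every(([k, v]) => d[k] === v));
    }
    if (stage.$project) {
      return current.map(d => Object.fromEntries(Object.entries(d).filter(([k]) => stage.$project[k] !== 0)));
    }
    throw new Error("stage not supported by this evaluator");
  }, docs);
}

// Constructed sample records.
const customers = [
  { _id: 1, name: "Ada", region: "EMEA", nationalId: "AB123" },
  { _id: 2, name: "Bob", region: "AMER", nationalId: "CD456" },
];

function demo() {
  return {
    appendOnlyCanInsert: isAllowed(appendOnlyRole, "audit", "events", "insert"),
    appendOnlyCanFind: isAllowed(appendOnlyRole, "audit", "events", "find"),
    readerSeesBaseCollection: isAllowed(emeaReaderRole, "crm", "customers", "find"),
    readerSeesView: isAllowed(emeaReaderRole, "crm", "emeaCustomers", "find"),
    viewContents: applyView(emeaCustomersView, customers),
  };
}

// In the mongo shell `db` exists and these calls create the objects; under node the
// guard skips them. "changeme" is a placeholder, not a recommended password.
if (typeof db !== "undefined") {
  db.getSiblingDB("audit").createRole(appendOnlyRole);
  db.getSiblingDB("audit").createUser({ user: "logger", pwd: "changeme", roles: ["appendOnly"] });
  db.getSiblingDB("crm").createView(emeaCustomersView.name, emeaCustomersView.viewOn, emeaCustomersView.pipeline);
  db.getSiblingDB("crm").createRole(emeaReaderRole);
  db.getSiblingDB("crm").createUser({ user: "emea_analyst", pwd: "changeme", roles: ["emeaReader"] });
} else {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The reader role names the view, not the base collection, so the $match filter and the $project exclusion are enforced server-side for that user; granting find on crm.customers as well would bypass both.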

In-Flight Encryption


TLS (supersedes SSL)

•  CRUD API calls over TLS
•  Internal traffic over TLS

[Diagram: a client machine running a driver with a CA certificates file; server machines 1, 2 and 3 each with a CA certificates file and a server key & certificate PEM file.]


TLS

•  Can apply to client traffic, internal traffic, or both
•  Supported on all drivers and MongoDB tools
•  Client certificate authentication not mandated
   •  Any client and internal authentication methods can be used
   •  Can even have authentication / authorization completely disabled


At-Rest Encryption


Encrypted Storage Engine

•  Native encryption inside the database
   •  Single-digit % overhead
   •  Based on WiredTiger
•  Two key types for easy key rotation
   •  Master key per replica
   •  Internal key per database
•  Options for sourcing the master key:
   •  Via a 3rd party key management appliance using KMIP (Key Management Interoperability Protocol)
   •  Keyfile on the local file system (not recommended for production)


Encryption-at-Rest with KMIP

[Diagram: a 3rd party key management appliance holds Replica1's, Replica2's and Replica3's master keys. On Replica1's host OS, mongod authenticates to the appliance with Replica1's key & certificate PEM file and a CA certificates file to obtain its master key; the internal key manager's keystore (encrypted by the master key) holds the per-database keys (DBa key, DBb key, DBc key, DBd key) that encrypt & decrypt DBa, DBb, DBc and DBd.]


MongoDB Encryption-at-Rest

Symmetric keys
•  Same key to encrypt & decrypt
•  AES256-CBC (256-bit AES, Cipher Block Chaining mode) - DEFAULT
•  AES256-GCM (256-bit AES, Galois/Counter Mode)
•  FIPS 140-2 encryption option

Encryption alternatives
•  Partner solution for file & OS level encryption (e.g. Vormetric)
•  Application code performs field-level encryption - BUT HOW TO INDEX?


Auditing


Auditing

Audit log of actions taken against the database

Configurable Destination


Auditing Event Types

                          System Events                                     CRUD Events
Default (when enabled)    Yes                                               No
Enabling config           auditLog.destination                              setParameter: auditAuthorizationSuccess
Event types               DDL; auth failures; users & roles config;         Inserts; updates; removes; finds; aggregations
                          replication & sharding config; server lifecycle
                          actions


Auditing Filters Are Key

•  Filter on attributes of captured audit documents
•  In the config file, set auditLog.filter (--auditFilter on the command line) to a query expression
•  Filter on: action (atype), user, role, command, database, collection, etc.
•  Examples:
   filter: '{atype:{$in:["createCollection","dropCollection"]}}'
   filter: '{roles:{role:"readWrite",db:"test"}}'
   filter: '{atype:"authCheck","param.command":{$in:["find","insert"]}}'
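The three filter expressions from the slide above, as an added example that is not from the talk or from MongoDB: a Node.js evaluator for just the query syntax these filters use (equality on dotted paths, $in, and an object criterion matching any element of an array field such as roles), run over constructed audit documents in the shape mongod writes, to show which events each filter keeps. The sample events, users and namespaces are made up. Note that authCheck events for successful operations (what the third filter is after) are only emitted when the auditAuthorizationSuccess parameter is true.

```javascript
// Added example (not from the talk or mongod): the slide's three audit filters
// applied to constructed audit events. Evaluator covers only what they need.

const ddlFilter = { atype: { $in: ["createCollection", "dropCollection"] } };
const readWriteRoleFilter = { roles: { role: "readWrite", db: "test" } };
const crudFilter = { atype: "authCheck", "param.command": { $in: ["find", "insert"] } };

// Constructed audit events in mongod's shape (atype, users, roles, param, result);
// result 18 on the last one is the "AuthenticationFailed" code.
const sampleEvents = [
  { atype: "createCollection", users: [{ user: "alice", db: "admin" }], roles: [{ role: "dbAdmin", db: "test" }],
    param: { ns: "test.orders" }, result: 0 },
  { atype: "authCheck", users: [{ user: "app", db: "test" }], roles: [{ role: "readWrite", db: "test" }],
    param: { command: "find", ns: "test.orders", args: { find: "orders" } }, result: 0 },
  { atype: "authCheck", users: [{ user: "app", db: "test" }], roles: [{ role: "readWrite", db: "test" }],
    param: { command: "update", ns: "test.orders", args: { update: "orders" } }, result: 0 },
  { atype: "authenticate", users: [], roles: [],
    param: { user: "mallory", db: "admin", mechanism: "SCRAM-SHA-1" }, result: 18 },
];

// Dotted-path lookup, e.g. "param.command".
function getPath(doc, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), doc);
}
function deepEqual(a, b) {
  if (a === b) return true;
  if (a === null || b === null || typeof a !== "object" || typeof b !== "object") return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  return ka.length === kb.length && ka.every(k => deepEqual(a[k], b[k]));
}
function valueMatches(actual, expected) {
  if (expected !== null && typeof expected === "object" && !Array.isArray(expected) && "$in" in expected) {
    return expected.$in.some(v => valueMatches(actual, v));
  }
  // As in MongoDB, a criterion against an array field matches if any element equals it.
  if (Array.isArray(actual) && actual.some(el => deepEqual(el, expected))) return true;
  return deepEqual(actual, expected);
}
// Every top-level key of the filter must match (implicit $and).
function matchesFilter(event, filter) {
  return Object.entries(filter).every(([path, expected]) => valueMatches(getPath(event, path), expected));
}
function selectEvents(events, filter) {
  return events.filter(e => matchesFilter(e, filter));
}

for (const [name, filter] of [["ddl", ddlFilter], ["readWrite role", readWriteRoleFilter], ["crud", crudFilter]]) {
  const kept = selectEvents(sampleEvents, filter).map(e => e.atype + "/" + (e.param.command || e.param.ns));
  console.log(name + ": " + kept.join(", "));
}
```

The second filter keeps every event performed by a user holding readWrite on test regardless of what they did, which is a good starting point for watching an application account; the third narrows to specific commands, but it depends on authCheck events being generated for successes, which is off by default because of the volume it produces.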


Atlas Security


Atlas & Security

•  SCRAM-SHA-1 authentication enforced
•  TLS/SSL enforced
•  Pre-defined roles against each database
•  IP white-listing enforced
•  VPC peering option with the application tier
•  2FA authentication for the admin console
•  Option for encrypted data volumes


Summary

•  MongoDB keeps things simple
•  Clearly separates out different security concerns
•  Reduced complexity decreases the risk of security holes
•  Remember to consult the MongoDB Security Checklist!


[email protected]


Appendices


Extended Extras


Client Authentication Comparisons

Authentication Method               Clear Text Password?                                       Identity Location
Challenge/Response (SCRAM-SHA-1)    No (digest)                                                Internal
x.509 Certificate                   No (digital signature)                                     External
LDAP                                Yes *                                                      External
Kerberos                            No (KDC-generated session key encrypted with password)     External

* Can be protected via a transport-level security mechanism (TLS)


Internal Authentication Comparisons

•  x.509 cert auth mandates use of TLS/SSL
•  Keyfile auth can be used with TLS/SSL
•  x.509 cert auth has a smaller attack surface area: no need for a 'shared secret'
•  x.509 cert auth allows for centralized key management


TLS & FIPS 140-2

FIPS 140-2 (Federal Information Processing Standard Publication 140-2): US government security standard to accredit cryptographic modules

•  OpenSSL "FIPS Object Module"
   •  Certified component optionally used via OpenSSL
   •  Ensures source code not tampered with (checks signature against the original certified version)
•  MongoDB configurable option: net.ssl.FIPSMode: true
•  Also applies to Encryption-at-Rest


Log Redaction


Log Redaction* - Redact Client Data Shown in System Log Files (enabled with security.redactClientLogData: true)

* New in 3.4

Trade-off:
•  All potentially sensitive user data omitted from logs
   vs
•  Harder to diagnose system & performance issues

Diagram Source Graphics

[Diagram: lab topology. A Python client application on the "client" VM; a "centralit" VM hosting an OpenLDAP server, a PyKMIP server and an MIT Kerberos KDC; and three VMs (dbnode1, dbnode2, dbnode3) each running a mongod, together forming a MongoDB replica set.]