
Security

 

6.1 Security Introduction

Maintaining a secure MongoDB deployment requires administrators to implement controls to ensure that users and applications have access to only the data that they require. MongoDB provides features that allow administrators to implement these controls and restrictions for any MongoDB deployment.

  • Authentication – MongoDB supports a number of authentication mechanisms that clients can use to verify their identity. MongoDB supports two mechanisms: a password-based challenge and response protocol and x.509 certificates.
  • Role Based Access Control – MongoDB’s role-based access control system allows administrators to control all access and ensure that all granted access applies as narrowly as possible. Access control, i.e. authorization, determines a user’s access to resources and operations.
  • Auditing – Auditing provides administrators with the ability to verify that the implemented security policies are controlling activity in the system. Retaining audit information ensures that administrators have enough information to perform forensic investigations and comply with regulations and policies that require audit data.
  • Encryption – There are two broad classes of approaches to encrypting data at rest with MongoDB: Application Level Encryption and Storage Encryption. You can use these solutions together or independently. Application Level Encryption provides encryption on a per-field or per-document basis within the application layer. To encrypt document or field level data, write custom encryption and decryption routines or use a commercial solution such as the Vormetric Data Security Platform. Storage Encryption encrypts all MongoDB data on the storage or operating system to ensure that only authorized processes can access protected data.

 

6.2 Security Concepts

6.2.1 Network Security

These documents introduce and address concepts and strategies related to authentication, authorization and encryption.

  • Authentication – Mechanisms for verifying user and instance access to MongoDB.
  • Network Exposure and Security – Discusses potential security risks related to the network and strategies for decreasing possible network-based attack vectors for MongoDB.
  • Kerberos Authentication – Kerberos is an industry standard authentication protocol for large client/server systems. Kerberos allows MongoDB and applications to take advantage of existing authentication infrastructure and processes.

 

6.2.2 Access Control

These documents introduce and address concepts and strategies related to Role Based Access Control in MongoDB.

  • Authorization – Introduction to Role Based Access Control used in MongoDB
  • Collection-Level Access Control – Specify collection-level access control.

 

6.2.3 Auditing

MongoDB Enterprise includes an auditing capability for mongod and mongos instances. The auditing facility allows administrators and users to track system activity for deployments with multiple users and applications. The auditing facility can write audit events to the console, the syslog, a JSON file, or a BSON file.

 

6.3 Security Checklist

  • Require Authentication – Enable MongoDB authentication and specify the authentication mechanism. You can use the MongoDB authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can connect to the system.
  • Configure Role-Based Access Control – Create a user administrator first, then create additional users. Create a unique MongoDB user for each person and application that accesses the system. Create roles that define the exact access a set of users needs. Follow a principle of least privilege. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.
  • Encrypt Communication – Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB client as well as between all applications and MongoDB.
  • Limit Network Exposure – Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.
  • Audit System Activity – Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.
  • Encrypt and Protect Data – Encrypt MongoDB data on each host using file-system, device, or physical encryption. Protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.
  • Run MongoDB with a Dedicated User – Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.
  • Run MongoDB with Secure Configuration Options – MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. If you do not use these operations, disable server-side scripting by using the --noscripting option on the command line. Use only the MongoDB wire protocol on production deployments. Do not enable the following, all of which enable the web server interface: net.http.enabled, net.http.JSONPEnabled, and net.http.RESTInterfaceEnabled. Leave these disabled, unless required for backwards compatibility. Keep input validation enabled. MongoDB enables input validation by default through the wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.
  • Request a Security Technical Implementation Guide (where applicable) – The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required.
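
The configuration-related checklist items can be checked mechanically. The following is an added example, not part of the original tutorial or of MongoDB's tooling: it flattens a mongod.conf and reports which checklist items fail. Both configs are constructed samples, the setting names follow the MongoDB 3.x-era YAML config format (newer releases use net.tls.mode instead of net.ssl.mode), and an unset bindIp is assumed to mean all interfaces.

```python
# Added example: audit mongod.conf text against the checklist (constructed sample configs).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
  http:
    enabled: true
  wireObjectCheck: false
security:
  javascriptEnabled: true
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5   # constructed addresses
  ssl:
    mode: requireSSL
security:
  authorization: enabled
  javascriptEnabled: false
"""

def flatten(text):
    """Flatten the nested-mapping YAML subset used by mongod.conf into dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) for each mapping still open
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            out[".".join([k for _, k in stack] + [key])] = value.strip()
        else:
            stack.append((indent, key))
    return out

# (finding, predicate that is True when the config passes). Assumption: unset bindIp = all interfaces.
CHECKS = [
    ("authentication not required", lambda c: c.get("security.authorization") == "enabled"),
    ("TLS/SSL not required", lambda c: c.get("net.ssl.mode") == "requireSSL"),
    ("listens on all interfaces", lambda c: "0.0.0.0" not in c.get("net.bindIp", "0.0.0.0").split(",")),
    ("server-side JavaScript not disabled", lambda c: c.get("security.javascriptEnabled") == "false"),
    ("HTTP/REST interface enabled", lambda c: not any(
        c.get("net.http." + k) == "true" for k in ("enabled", "JSONPEnabled", "RESTInterfaceEnabled"))),
    ("wireObjectCheck disabled", lambda c: c.get("net.wireObjectCheck", "true") == "true"),
]

def audit(text):
    conf = flatten(text)
    return [finding for finding, passes in CHECKS if not passes(conf)]
```

Calling audit(WEAK_CONF) returns one finding per failed item, while audit(HARDENED_CONF) returns an empty list. Auditing is left out of the checks because it is a MongoDB Enterprise feature.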
