6.1 Security Introduction
Maintaining a secure MongoDB deployment requires administrators to implement controls to ensure that users and applications have access to only the data that they require. MongoDB provides features that allow administrators to implement these controls and restrictions for any MongoDB deployment.
- Authentication – MongoDB supports several authentication mechanisms that clients use to prove their identity, so that a deployment can integrate with an existing authentication system. Two are available in every edition: a password-based challenge and response protocol (SCRAM, or the older MONGODB-CR) and x.509 client certificates. MongoDB Enterprise adds Kerberos and LDAP.
- Role Based Access Control – MongoDB's role-based access control system allows administrators to control all access and to grant each user or application only the access it needs. Access control, i.e. authorization, determines a user's access to resources and operations.
- Auditing – Auditing provides administrators with the ability to verify that the implemented security policies are actually controlling activity in the system. Retaining audit information ensures that administrators have enough information to perform forensic investigations and to comply with regulations and policies that require audit data.
- Encryption – There are two broad classes of approaches to encrypting data at rest with MongoDB: Application Level Encryption and Storage Encryption. You can use these solutions together or independently. Application Level Encryption encrypts individual fields or whole documents within the application layer before they reach the database, so the server never sees plaintext. To encrypt document or field level data, write custom encryption and decryption routines or use a commercial solution such as the Vormetric Data Security Platform. Storage Encryption encrypts all MongoDB data at the file-system or block-device layer of the operating system to ensure that only authorized processes can read the protected data.
6.2 Security Concepts
6.2.1 Network Security
These documents introduce and address concepts and strategies related to authentication, authorization and encryption.
- Authentication – Mechanisms for verifying user and instance access to MongoDB.
- Network Exposure and Security – Discusses potential security risks related to the network and strategies for decreasing possible network-based attack vectors for MongoDB.
- Kerberos Authentication – Kerberos is an industry standard authentication protocol for large client/server systems. Kerberos allows MongoDB and applications to take advantage of existing authentication infrastructure and processes.
6.2.2 Access Control
These documents introduce and address concepts and strategies related to Role Based Access Control in MongoDB.
- Authorization – Introduction to Role Based Access Control used in MongoDB
- Collection-Level Access Control – How to define roles whose privileges are scoped to individual collections rather than to a whole database.
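The following is an added example, not code from the MongoDB manual or the MongoDB project: the role and user documents for a collection-scoped, least-privilege setup, written in the JavaScript that the mongo shell's db.createRole() and db.createUser() accept, next to an over-broad role for comparison and a small review function that flags any grant reaching beyond a single collection or able to alter authorization itself. The database "shop", the collections "orders" and "invoices", the role "billingService" and the user "billing-svc" are assumed names.

```javascript
// Added example, not MongoDB's own code.  Database "shop", collections
// "orders"/"invoices", role "billingService" and user "billing-svc" are
// assumed names for illustration.

// Collection-level role: the billing service reads orders and writes
// invoices, nothing else.  Each privilege names exactly one collection.
function billingServiceRole() {
  return {
    role: "billingService",
    privileges: [
      { resource: { db: "shop", collection: "orders" },
        actions: ["find"] },
      { resource: { db: "shop", collection: "invoices" },
        actions: ["find", "insert", "update"] },
    ],
    roles: [],   // inherits no other role
  };
}

// The user that holds only that role.  In the mongo shell, connected as the
// user administrator:
//   use shop
//   db.createRole(billingServiceRole())
//   db.createUser(billingUser("<strong password>"))
function billingUser(password) {
  return {
    user: "billing-svc",
    pwd: password,
    roles: [{ role: "billingService", db: "shop" }],
  };
}

// The kind of grant the checklist warns against: a database-wide resource
// (collection: "" means every collection in "shop"), an action that lets
// the holder create users, and inheritance from the dbOwner built-in role.
function overBroadRole() {
  return {
    role: "billingLegacy",
    privileges: [
      { resource: { db: "shop", collection: "" },
        actions: ["find", "insert", "update", "createUser"] },
    ],
    roles: [{ role: "dbOwner", db: "shop" }],
  };
}

// Built-in roles whose scope is a whole database, every database or the cluster.
const BROAD_BUILTIN_ROLES = new Set([
  "root", "dbOwner", "dbAdmin", "userAdmin", "userAdminAnyDatabase",
  "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
  "clusterAdmin", "clusterManager", "hostManager", "__system",
]);

// Privilege actions that change who may do what.
const AUTHZ_ACTIONS = new Set([
  "createUser", "dropUser", "changePassword", "changeCustomData",
  "createRole", "dropRole", "grantRole", "revokeRole", "anyAction", "internal",
]);

// Review a role document or a user document and return human-readable
// findings.  An empty list means every privilege is collection-scoped and
// no broad built-in role is inherited.
function reviewGrants(doc) {
  const who = doc.role || doc.user;
  const findings = [];
  for (const p of doc.privileges || []) {
    const r = p.resource;
    if (r.anyResource || r.cluster) {
      findings.push(`${who}: cluster-wide resource`);
    } else if (r.collection === "") {
      findings.push(`${who}: database-wide resource on db "${r.db || "<all>"}"`);
    }
    for (const a of p.actions) {
      if (AUTHZ_ACTIONS.has(a)) findings.push(`${who}: authorization-changing action "${a}"`);
    }
  }
  for (const g of doc.roles || []) {
    if (BROAD_BUILTIN_ROLES.has(g.role)) {
      findings.push(`${who}: inherits broad built-in role "${g.role}" on db "${g.db}"`);
    }
  }
  return findings;
}
```

Running reviewGrants over the role and user documents before calling createRole/createUser turns the least-privilege rule into a check: the billing role and user produce no findings, while the legacy role produces three (database-wide resource, the createUser action, and the dbOwner inheritance).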
6.2.3 Auditing
MongoDB Enterprise includes an auditing capability for mongod and mongos instances. The auditing facility allows administrators and users to track system activity for deployments with multiple users and applications. The auditing facility can write audit events to the console, the syslog, a JSON file, or a BSON file.
6.3 Security Checklist
- Require Authentication – Enable MongoDB authentication and specify the authentication mechanism. You can use the MongoDB authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can perform operations on the system.
- Configure Role-Based Access Control – Create a user administrator first, then create additional users. With authorization enabled and no users yet defined, the only way in is a connection from localhost (the localhost exception), which is how the first user administrator is created. Create a unique MongoDB user for each person and application that accesses the system. Create roles that define the exact access a set of users needs. Follow the principle of least privilege. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.
- Encrypt Communication – Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between the mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.
- Limit Network Exposure – Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.
- Audit System Activity – Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.
- Encrypt and Protect Data – Encrypt MongoDB data on each host using file-system, device, or physical encryption. Protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.
- Run MongoDB with a Dedicated User – Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.
- Request a Security Technical Implementation Guide (where applicable) – The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required.
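The following is an added example, not MongoDB's own code or configuration: the configuration-file items of the checklist above, shown as an insecure mongod.conf beside a hardened one, with a checker that reports which items a given configuration misses and a small emitter that writes the object out as YAML. Option names are mongod's own YAML option names (net.tls.* as of MongoDB 4.2; earlier releases use net.ssl.* with mode requireSSL); the paths, addresses and the Enterprise audit filter are assumed values.

```javascript
// Added example, not MongoDB's own code.  Paths, the bind addresses and the
// audit filter are assumed values; option names are mongod's YAML options.

// Out-of-the-box shape many installs run with: no authorization, listening
// on every interface, cleartext connections, no audit log.
function weakConfig() {
  return {
    storage: { dbPath: "/var/lib/mongodb" },
    net: { port: 27017, bindIp: "0.0.0.0" },
  };
}

// Hardened configuration applying the checklist items mongod.conf controls.
function hardenedConfig() {
  return {
    storage: { dbPath: "/var/lib/mongodb" },
    net: {
      port: 27017,
      bindIp: "127.0.0.1,10.0.0.5",          // only trusted interfaces
      tls: {
        mode: "requireTLS",                  // every connection encrypted
        certificateKeyFile: "/etc/ssl/mongod.pem",
        CAFile: "/etc/ssl/ca.pem",           // validate client and peer certificates
      },
    },
    security: {
      authorization: "enabled",              // RBAC on; create the user admin via localhost first
      keyFile: "/var/lib/mongodb/keyfile",   // replica set members authenticate to each other
    },
    auditLog: {                              // MongoDB Enterprise only
      destination: "file",
      format: "JSON",
      path: "/var/log/mongodb/audit.json",
      // Record authentication and every change to users and roles.
      filter: '{ atype: { $in: ["authenticate", "createUser", "dropUser", "createRole", "dropRole", "grantRolesToUser", "revokeRolesFromUser"] } }',
    },
  };
}

// Read a dotted option path such as "net.tls.mode" from a config object.
function get(cfg, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), cfg);
}

// One predicate per checklist item that the configuration file can satisfy.
// Dedicated OS user, file permissions and the STIG are host settings, not
// mongod.conf options, so they are not checked here.
const CHECKLIST = [
  ["Require Authentication",
    (c) => get(c, "security.authorization") === "enabled"],
  ["Encrypt Communication",
    (c) => ["requireTLS", "requireSSL"].includes(get(c, "net.tls.mode") || get(c, "net.ssl.mode"))],
  ["Limit Network Exposure",
    (c) => {
      if (get(c, "net.bindIpAll")) return false;
      // Missing bindIp fails too: the binding must be explicit and never a wildcard.
      const ips = String(get(c, "net.bindIp") || "").split(",").map((s) => s.trim());
      return ips.every((ip) => ip !== "" && ip !== "0.0.0.0" && ip !== "::");
    }],
  ["Audit System Activity",
    (c) => get(c, "auditLog.destination") !== undefined],
];

// Return the checklist items the configuration fails; [] means it passes.
function missingControls(cfg) {
  return CHECKLIST.filter(([, passes]) => !passes(cfg)).map(([name]) => name);
}

// Minimal YAML emitter for the nested maps and scalars mongod.conf uses, so
// the objects above can be written out as a real configuration file.
function toYaml(obj, indent = 0) {
  const pad = " ".repeat(indent);
  return Object.entries(obj).map(([k, v]) => {
    if (v !== null && typeof v === "object") return `${pad}${k}:\n${toYaml(v, indent + 2)}`;
    const s = String(v);
    return `${pad}${k}: ${/[:{#]/.test(s) ? `'${s}'` : s}`;   // quote strings YAML would misparse
  }).join("\n");
}

// Usage: node this_file.js > mongod.conf after uncommenting the next line.
// console.log(toYaml(hardenedConfig()), "\n# missing in weak config:", missingControls(weakConfig()));
```

The checker is deliberately strict about network exposure: an absent bindIp is reported as a failure, because older releases bound to all interfaces by default and the binding should be stated explicitly in every deployment. The key file and the TLS certificate referenced here are exactly the files the "Encrypt and Protect Data" item says to protect with file-system permissions readable only by the dedicated mongod user.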