Spencer Brody
Software Engineer, 10gen
@stbrody
#mongodbdays
Security in MongoDB
Agenda
1. History
2. Authentication
3. Authorization
4. Auditing
5. Transport Encryption – SSL
6. MongoDB Secure Development Lifecycle
7. Documentation and Notifications
8. Future Work
Securing your MongoDB Implementation, Spencer Brody
History
• Security features within MongoDB before 2.4 were limited
• 2.4 offers a much better story around security
• This is something we are investing in very heavily right now.
The Three A's
Authentication – Who are you?
Authorization – What can you do?
Auditing – What have you done?
Authentication
Authentication is about proving "who" you are.
Password Authentication
• This is the only authentication mechanism available in MongoDB version 2.2 and prior
• Still the only mechanism available in the free product
• In 2.4+ this mechanism is called MONGODB-CR
Password Authentication
• Use one-way function F
Client -> mongod: I am "username", let me in
mongod -> Client: Prove it, here is a random # N
Client -> mongod: Here is F(N, hash(<mypwd>))
mongod -> Client: Nobody else could know that, welcome back!
mongod knows only my password hash; the hash is never transmitted over the network!
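The four-step exchange above, written out as an added example for this page (not code from the talk or from 10gen). The two MD5 constructions follow MONGODB-CR's documented derivation (hex MD5 of "user:mongo:password", then hex MD5 of nonce + user + that hash); the username, password and the nonce bookkeeping are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demo (not from the talk).
USERNAME = "username"
PASSWORD = "correct horse battery staple"


def password_hash(username: str, password: str) -> str:
    """The stored secret, hash(<mypwd>) on the slide. MONGODB-CR defines it as the hex MD5
    of "<username>:mongo:<password>"; this is all mongod keeps in system.users."""
    return hashlib.md5(f"{username}:mongo:{password}".encode("utf-8")).hexdigest()


def challenge_response(nonce: str, username: str, pwd_hash: str) -> str:
    """F(N, hash(<mypwd>)) on the slide: MONGODB-CR's key is the hex MD5 of
    nonce || username || pwd_hash. Both sides can compute it; the hash itself never travels."""
    return hashlib.md5(f"{nonce}{username}{pwd_hash}".encode("utf-8")).hexdigest()


class Mongod:
    """Server side of the exchange: holds only password hashes, issues one nonce per attempt."""

    def __init__(self) -> None:
        self.system_users: dict[str, str] = {}    # username -> stored pwd hash
        self.pending_nonces: dict[str, str] = {}  # username -> nonce of the open attempt

    def add_user(self, username: str, password: str) -> None:
        # The cleartext password is hashed at user-creation time and then discarded.
        self.system_users[username] = password_hash(username, password)

    def get_nonce(self, username: str) -> str:
        """Step 2, "Prove it, here is a random # N": 16 random bytes, hex-encoded."""
        nonce = os.urandom(16).hex()
        self.pending_nonces[username] = nonce
        return nonce

    def authenticate(self, username: str, key: str) -> bool:
        """Step 4: recompute F(N, stored hash) and compare in constant time.
        The nonce is consumed whether or not the attempt succeeds, so a key captured
        for one challenge is useless for the next one."""
        nonce = self.pending_nonces.pop(username, None)
        stored = self.system_users.get(username)
        if nonce is None or stored is None:
            return False
        expected = challenge_response(nonce, username, stored)
        return hmac.compare_digest(expected, key)


def login(server: Mongod, username: str, password: str) -> bool:
    """Client side. Only the username, the nonce and the derived key cross the network;
    neither the password nor its hash does."""
    nonce = server.get_nonce(username)                                             # steps 1-2
    key = challenge_response(nonce, username, password_hash(username, password))   # step 3
    return server.authenticate(username, key)                                      # step 4


def replayed_key_accepted(server: Mongod, username: str, password: str) -> bool:
    """Why the random N is there: a key that was valid for one challenge is rejected
    once the server has issued a fresh nonce. Returns False for a correct implementation."""
    nonce = server.get_nonce(username)
    key = challenge_response(nonce, username, password_hash(username, password))
    assert server.authenticate(username, key)   # valid for this challenge
    server.get_nonce(username)                  # next attempt gets a new N
    return server.authenticate(username, key)   # stale key -> False


if __name__ == "__main__":
    mongod = Mongod()
    mongod.add_user(USERNAME, PASSWORD)
    print("correct password:", login(mongod, USERNAME, PASSWORD))                   # True
    print("wrong password:  ", login(mongod, USERNAME, "not-my-password"))          # False
    print("replayed key:    ", replayed_key_accepted(mongod, USERNAME, PASSWORD))   # False
```

Because anyone holding the stored hash can compute the response, the hash is password-equivalent for this protocol, so system.users needs the same protection as any password file.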
External Authentication
Use common / standardized authentication
SASL: Simple Authentication and Security Layer
– Framework for building authentication
– MongoDB uses the Cyrus sasl2 library
Kerberos (available in the Enterprise Edition)
– GSSAPI
– driver support in python, java, C#, Node.js, perl
Authentication with Kerberos
1. Client -> KDC (UDP:88): I am "username@EXAMPLE.COM", help me prove it to mongod
2. KDC -> Client: Here is a TGT
3. Client -> Mongod (TCP:27017): Here is a Kerberos TGT
4. Mongod -> Client: Welcome, here is a Service Ticket!
[Mongod: Keytab]
User document on mongod:
{
  user: "username@EXAMPLE.COM",
  roles: ["readWrite"],
  userSource: "$external"
}
Granting privileges
# mongo mongodb.mycompany.com
> use appDB;
> db.system.users.find();
{
  "_id": ObjectId("519e842804f5f7f7921dbf89"),
  "user": "spencer",
  "userSource": "$external",
  "roles": ["readWrite", "dbAdmin"]
}
Authorization
Once MongoDB has established "who" you are, authorization is about determining "what" you are allowed to do.
Authorization Roles in 2.2 and Prior
– Database level read-only
– Database level read-write
– System-wide read-only
– System-wide read-write
Sample user document:
> db.system.users.find().pretty()
{
  "_id": ObjectId("519e842804f5f7f7921dbf89"),
  "user": "spencer",
  "pwd": "22c83553ed7ce252d8b0c9f716cae4de",
  "readOnly": false
}
Authorization Roles in 2.4
– read
– readWrite
– dbAdmin
– userAdmin
– readAnyDatabase (admin database only)
– readWriteAnyDatabase (admin database only)
– dbAdminAnyDatabase (admin database only)
– userAdminAnyDatabase (admin database only)
– clusterAdmin (admin database only)
The roles marked "admin database only" (shown in bold on the original slide) can only be granted in the admin database.
userAdmin
The userAdmin role on database "foo" lets you grant any db-level role to any user from the "foo" database (including yourself).
The userAdminAnyDatabase role lets you grant any role in the system to any user (including yourself).
This means they can be used to grant yourself roles you didn't previously have!
This makes userAdmin effectively a super-user.
Access to these roles should be carefully controlled!
Example
User       Role(s)                           Database(s)
appUser    readWrite                         app
dba        dbAdmin                           app
seniorDBA  dbAdminAnyDatabase, clusterAdmin  admin
           readWrite                         config
CTO        userAdminAnyDatabase              admin
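A small model of the 2.4 authorization rules described on the last three slides, added here for this page (not 10gen's code). The role names, the admin-only rule and the example users come from the slides; the per-role action names are a constructed simplification, not MongoDB's real privilege list.

```python
# Roles that may be granted in any database's system.users collection.
DB_LEVEL_ROLES = {"read", "readWrite", "dbAdmin", "userAdmin"}
# Roles the slide shows in bold: valid only when granted in the admin database.
ADMIN_ONLY_ROLES = {
    "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
    "userAdminAnyDatabase", "clusterAdmin",
}
# Actions each db-level role permits on its own database (constructed, simplified).
ROLE_ACTIONS = {
    "read": {"find"},
    "readWrite": {"find", "insert", "update", "remove"},
    "dbAdmin": {"createIndex", "dropCollection", "collStats"},
    "userAdmin": {"grantRole"},
}
# The ...AnyDatabase roles apply the corresponding db-level role to every database.
ANY_DB_ROLES = {
    "readAnyDatabase": "read", "readWriteAnyDatabase": "readWrite",
    "dbAdminAnyDatabase": "dbAdmin", "userAdminAnyDatabase": "userAdmin",
}
CLUSTER_ACTIONS = {"addShard", "replSetReconfig"}  # constructed examples of cluster operations

# The slide's example table, as constructed system.users contents keyed by database.
EXAMPLE_USERS = {
    "app": [{"user": "appUser", "roles": ["readWrite"]},
            {"user": "dba", "roles": ["dbAdmin"]}],
    "admin": [{"user": "seniorDBA", "roles": ["dbAdminAnyDatabase", "clusterAdmin"]},
              {"user": "CTO", "roles": ["userAdminAnyDatabase"]}],
    "config": [{"user": "seniorDBA", "roles": ["readWrite"]}],
}


def validate_user_doc(db, doc):
    """Return the problems with a system.users document stored in database `db`:
    unknown roles, and admin-only roles granted outside "admin"."""
    problems = []
    for role in doc.get("roles", []):
        if role not in DB_LEVEL_ROLES | ADMIN_ONLY_ROLES:
            problems.append(f"unknown role {role!r}")
        elif role in ADMIN_ONLY_ROLES and db != "admin":
            problems.append(f"{role} can only be granted in the admin database, not {db!r}")
    return problems


def roles_for(users, user, db):
    """Effective db-level roles of `user` on `db`: roles granted in db itself plus the
    db-level equivalents of any ...AnyDatabase roles granted in admin."""
    effective = set()
    for doc in users.get(db, []):
        if doc["user"] == user:
            effective |= set(doc["roles"]) & DB_LEVEL_ROLES
    for doc in users.get("admin", []):
        if doc["user"] == user:
            effective |= {ANY_DB_ROLES[r] for r in doc["roles"] if r in ANY_DB_ROLES}
    return effective


def is_allowed(users, user, db, action):
    """Authorization check: may `user` perform `action` on `db`? Cluster actions need
    clusterAdmin in admin; everything else needs a matching role on the target database."""
    if action in CLUSTER_ACTIONS:
        return any(doc["user"] == user and "clusterAdmin" in doc["roles"]
                   for doc in users.get("admin", []))
    return any(action in ROLE_ACTIONS[r] for r in roles_for(users, user, db))


def self_escalation_candidates(users):
    """Users the userAdmin slide warns about: userAdmin on a database lets them grant
    themselves any db-level role there; userAdminAnyDatabase lets them grant any role
    anywhere. Returns {user: set of databases they can escalate in, or {"*"}}."""
    result = {}
    for db, docs in users.items():
        for doc in docs:
            if "userAdminAnyDatabase" in doc["roles"]:
                result[doc["user"]] = {"*"}
            elif "userAdmin" in doc["roles"] and result.get(doc["user"]) != {"*"}:
                result.setdefault(doc["user"], set()).add(db)
    return result


if __name__ == "__main__":
    for db, docs in EXAMPLE_USERS.items():
        for doc in docs:
            print(db, doc["user"], validate_user_doc(db, doc) or "ok")
    print("appUser insert on app:", is_allowed(EXAMPLE_USERS, "appUser", "app", "insert"))
    print("dba insert on app:", is_allowed(EXAMPLE_USERS, "dba", "app", "insert"))
    print("review these accounts:", self_escalation_candidates(EXAMPLE_USERS))
```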
Auditing
Monitor user activity:
– userID added to standard output in 2.4
– No separate audit log
– Much more coming in 2.6
Transport Encryption - SSL
http://docs.mongodb.org/manual/administration/ssl/
[Diagram: Application <-> Primary/Secondary: SSL encryption for client connections; Primary <-> Secondary: SSL encryption for inter-server traffic; each server has its own Data Files]
Outside MongoDB
Firewalls
– iptables & netsh
– Ports, Addresses, Times, Throttle etc.
File system
– Encrypt (Gazzang) [HIPAA, PCI, SOX]
Best Practices
– Internal Policies (Password Reuse, Scan etc.)
MongoDB Partners with Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with SSD
[Diagram: File System – All contents encrypted; OS; Gazzang; Gazzang Key Mgmt]
MongoDB Secure Development Lifecycle
• All contributions to the open source project are reviewed and tested by a member of the Core Server team
• Peer code reviews of all commits
• Automated functional and unit tests
• Active monitoring of best practices and advisories for third party code
• Static code analysis with Coverity run nightly against the Core Server and applicable driver projects
Documentation & Notifications
Manual
– http://docs.mongodb.org/manual/security/
• Security Features within MongoDB
• Best Practices & Strategies
• Tutorials
• Vulnerability Notifications
Potential Security Issues
How do YOU find out?
– MongoDBAlerts
– Mongodb-announce Google group
How, What, Where?
– Vulnerability Notification
– Jira (HTTPS) & (Secure) Email
Future work
Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed for a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
Future
• User-defined roles
• Collection level access control
• Field level access control
• Auditing
• X.509 authentication, for both user and intra-cluster authentication.
• External configuration of user's roles (LDAP)
Conclusion
• 2.2 had rudimentary security support
• 2.4 is much better & Enterprise-Level
• Authentication & Authorization
• Within & Outside
Spencer Brody
Software Engineer, 10gen
#mongodbdays
Thanks!
If you liked my talk, please tweet about it!
#MongoDBDays
@stbrody
Next Sessions at 11:00
5th Floor:
West Side Ballroom 3&4: Schema Design
West Side Ballroom 1&2 (this room): Data Processing and Aggregation Options
Juilliard Complex: Business Track: Fireside Chat: IBM and MongoDB Set the Standard for Web and Mobile Development
Lyceum Complex: Ask the Experts
7th Floor:
Empire Complex: Performance Tuning and Monitoring Using MMS
SoHo Complex: 10gen Polyglot Spatial with MongoDB

More Related Content

What's hot

Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1
Hai Dinh Tuan
 
NoSQL - No Security? - The BSides Edition
NoSQL - No Security? - The BSides EditionNoSQL - No Security? - The BSides Edition
NoSQL - No Security? - The BSides Edition
Gavin Holt
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 

What's hot (20)

Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB        Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
 
Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
NoSQL - No Security? - The BSides Edition
NoSQL - No Security? - The BSides EditionNoSQL - No Security? - The BSides Edition
NoSQL - No Security? - The BSides Edition
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
MongoDB Days UK: Securing Your Deployment with MongoDB Enterprise
MongoDB Days UK: Securing Your Deployment with MongoDB EnterpriseMongoDB Days UK: Securing Your Deployment with MongoDB Enterprise
MongoDB Days UK: Securing Your Deployment with MongoDB Enterprise
 
Securing Your Deployment with MongoDB Enterprise
Securing Your Deployment with MongoDB EnterpriseSecuring Your Deployment with MongoDB Enterprise
Securing Your Deployment with MongoDB Enterprise
 
NoSQL, no security?
NoSQL, no security?NoSQL, no security?
NoSQL, no security?
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)
 
NoSQL Exploitation Framework
NoSQL Exploitation FrameworkNoSQL Exploitation Framework
NoSQL Exploitation Framework
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Language
 
Exploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeExploiting NoSQL Like Never Before
Exploiting NoSQL Like Never Before
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Spring Security Patterns
Spring Security PatternsSpring Security Patterns
Spring Security Patterns
 

Similar to Security Features in MongoDB 2.4

MongoDB at Gilt Groupe
MongoDB at Gilt GroupeMongoDB at Gilt Groupe
MongoDB at Gilt Groupe
MongoDB
 
Webinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB DataWebinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB Data
MongoDB
 
Mongodb at-gilt-groupe-seattle-2012-09-14-final
Mongodb at-gilt-groupe-seattle-2012-09-14-finalMongodb at-gilt-groupe-seattle-2012-09-14-final
Mongodb at-gilt-groupe-seattle-2012-09-14-final
MongoDB
 
What's New in MongoDB 2.6
What's New in MongoDB 2.6What's New in MongoDB 2.6
What's New in MongoDB 2.6
MongoDB
 
Mongo db program_installation_guide
Mongo db program_installation_guideMongo db program_installation_guide
Mongo db program_installation_guide
Philip Zhong
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
Sahithi Naraparaju
 

Similar to Security Features in MongoDB 2.4 (20)

MongoDB at Gilt Groupe
MongoDB at Gilt GroupeMongoDB at Gilt Groupe
MongoDB at Gilt Groupe
 
MongoDB World 2019: Modern Data Backup and Recovery from On-premises to the P...
MongoDB World 2019: Modern Data Backup and Recovery from On-premises to the P...MongoDB World 2019: Modern Data Backup and Recovery from On-premises to the P...
MongoDB World 2019: Modern Data Backup and Recovery from On-premises to the P...
 
Webinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB DataWebinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB Data
 
Mongodb at-gilt-groupe-seattle-2012-09-14-final
Mongodb at-gilt-groupe-seattle-2012-09-14-finalMongodb at-gilt-groupe-seattle-2012-09-14-final
Mongodb at-gilt-groupe-seattle-2012-09-14-final
 
Mongo db report
Mongo db reportMongo db report
Mongo db report
 
What's New in MongoDB 2.6
What's New in MongoDB 2.6What's New in MongoDB 2.6
What's New in MongoDB 2.6
 
Conceptos básicos. Seminario web 6: Despliegue de producción
Conceptos básicos. Seminario web 6: Despliegue de producciónConceptos básicos. Seminario web 6: Despliegue de producción
Conceptos básicos. Seminario web 6: Despliegue de producción
 
MongoDB World 2018: Bumps and Breezes: Our Journey from RDBMS to MongoDB
MongoDB World 2018: Bumps and Breezes: Our Journey from RDBMS to MongoDBMongoDB World 2018: Bumps and Breezes: Our Journey from RDBMS to MongoDB
MongoDB World 2018: Bumps and Breezes: Our Journey from RDBMS to MongoDB
 
Content Mangement Systems and MongoDB
Content Mangement Systems and MongoDBContent Mangement Systems and MongoDB
Content Mangement Systems and MongoDB
 
Mongo db program_installation_guide
Mongo db program_installation_guideMongo db program_installation_guide
Mongo db program_installation_guide
 
MongoDB.local Atlanta: Modern Data Backup and Recovery from On-Premises to th...
MongoDB.local Atlanta: Modern Data Backup and Recovery from On-Premises to th...MongoDB.local Atlanta: Modern Data Backup and Recovery from On-Premises to th...
MongoDB.local Atlanta: Modern Data Backup and Recovery from On-Premises to th...
 
An introduction to MongoDB by César Trigo #OpenExpoDay 2014
An introduction to MongoDB by César Trigo #OpenExpoDay 2014An introduction to MongoDB by César Trigo #OpenExpoDay 2014
An introduction to MongoDB by César Trigo #OpenExpoDay 2014
 
An introduction to MongoDB
An introduction to MongoDBAn introduction to MongoDB
An introduction to MongoDB
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
 
MongoDB Developer's Notebook, March 2016 -- MongoDB Connector for Business In...
MongoDB Developer's Notebook, March 2016 -- MongoDB Connector for Business In...MongoDB Developer's Notebook, March 2016 -- MongoDB Connector for Business In...
MongoDB Developer's Notebook, March 2016 -- MongoDB Connector for Business In...
 
Pandora FMS: MongoDB plugin
Pandora FMS: MongoDB pluginPandora FMS: MongoDB plugin
Pandora FMS: MongoDB plugin
 
Techorama - Evolvable Application Development with MongoDB
Techorama  - Evolvable Application Development with MongoDBTechorama  - Evolvable Application Development with MongoDB
Techorama - Evolvable Application Development with MongoDB
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
Expanding XPages with Bootstrap Plugins for Ultimate Usability
Expanding XPages with Bootstrap Plugins for Ultimate UsabilityExpanding XPages with Bootstrap Plugins for Ultimate Usability
Expanding XPages with Bootstrap Plugins for Ultimate Usability
 
Philadelphia MongoDB User Group - Your First MongoDB Application
Philadelphia MongoDB User Group - Your First MongoDB ApplicationPhiladelphia MongoDB User Group - Your First MongoDB Application
Philadelphia MongoDB User Group - Your First MongoDB Application
 

More from MongoDB

More from MongoDB (20)

MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB SoCal 2020: Migrate Anything* to MongoDB AtlasMongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
 
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
 
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
 
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDBMongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
 
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
 
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series DataMongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
 
MongoDB SoCal 2020: MongoDB Atlas Jump Start
 MongoDB SoCal 2020: MongoDB Atlas Jump Start MongoDB SoCal 2020: MongoDB Atlas Jump Start
MongoDB SoCal 2020: MongoDB Atlas Jump Start
 
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
 
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
 
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
 
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
 
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your MindsetMongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
 
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB .local San Francisco 2020: MongoDB Atlas JumpstartMongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
 
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
 
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
 
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
 
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep DiveMongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
 
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & GolangMongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
 
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
 
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Security Features in MongoDB 2.4

  • 1. Spencer Brody Software Engineer, 10gen @stbrody #mongodbdays Security in MongoDB
  • 2. Agenda 1. History 2. Authentication 3. Authorization 4. Auditing 5. Transport Encryption – SSL 6. MongoDB Secure Development Lifecycle 7. Documentation and Notifications 8. Future Work Securing your MongoDB Implementation, Spencer Brody
  • 4. History • Security features within mongoDB before 2.4 were limited • 2.4 offers a much better story around security • This is something we are investing in very heavily right now. Securing your MongoDB Implementation, Spencer Brody
  • 5. The Three A’s Authentication – Who are you? Authorization – What can you do? Auditing – What have you done? Securing your MongoDB Implementation, Spencer Brody
  • 7. Authentication Authentication is about proving “who” you are. Securing your MongoDB Implementation, Spencer Brody
  • 8. Password Authentication • This is the only authentication mechanism available in MongoDB version 2.2 and prior • Still the only version available in the free product • In 2.4+ this mechanism is called MONGODB- CR Securing your MongoDB Implementation, Spencer Brody
  • 9. Password Authentication • Use one-way function F mongod I am “username”, let me in Prove it, here is a random # N Here is F(N, hash(<mypwd>)) Nobody else could know that, welcome back! Knows only my passwor d hash Hash never transmitted over the network! Securing your MongoDB Implementation, Spencer Brody
  • 10. External Authentication Use common / standardized authentication SASL: Simple Authentication and Security Layer – Framework for building authentication – MongoDB uses the Cyrus sasl2 library Kerberos (available in the Enterprise Edition) – GSSAPI – driver support in python, java, C#, Node.js, perl Securing your MongoDB Implementation, Spencer Brody
  • 11. Authentication with Kerberos KDC 1. I am “username@EXAMPLE.COM”, help me prove it to mongod (UDP:88) 2. Here is a TGT Mongod 3. TCP:27017 Here is a Kerberos TGT 4. Welcome, he re is a Service Ticket! { user: ”username@EXAMPLE.COM", roles: ["readWrite"], userSource: "$external" } Securing your MongoDB Implementation, Spencer Brody Keytab
  • 12. Granting privileges Securing your MongoDB Implementation, Spencer Brody # mongo mongodb.mycompany.com > use appDB; > db.system.users.find(); { "_id": ObjectId("519e842804f5f7f7921dbf89"), "user": "spencer" "userSource": "$external", "roles": ["readWrite", "dbAdmin”] }
  • 14. Authorization Once MongoDB has established “who” you are, authorization is about determining “what” you are allowed to do. Securing your MongoDB Implementation, Spencer Brody
  • 15. Authorization Roles in 2.2 and Prior – Database level read-only – Database level read-write – System-wide read-only – System-wide read-write Sample user document: > db.system.users.find().pretty() { "_id": ObjectId("519e842804f5f7f7921dbf89"), "user": "spencer" "pwd": "22c83553ed7ce252d8b0c9f716cae4de", "readOnly":false } Securing your MongoDB Implementation, Spencer Brody
  • 16. Authorization Roles in 2.4 – read – readWrite – dbAdmin – userAdmin – readAnyDatabase – readWriteAnyDatabase – dbAdminAnyDatabase – userAdminAnyDatabase – clusterAdmin The roles that are bold can only be granted in the admin database. Securing your MongoDB Implementation, Spencer Brody
  • 17. userAdmin The userAdmin role on database “foo” lets you grant any db-level role to any user from the “foo” database (including yourself). The userAdminAnyDatabase role lets you grant any role in the system to any user (including yourself). This means they can be used to grant yourself roles you didn’t previously have! This makes userAdmin effectively a super-user Access to these roles should be carefully controlled! Securing your MongoDB Implementation, Spencer Brody
  • 18. Example Securing your MongoDB Implementation, Spencer Brody User Role Database(s) appUser readWrite app dba dbAdmin app seniorDBA dbAdminAnyDatabase, clusterAdmin admin readWrite config CTO userAdminAnyDatabas e admin
  • 20. Securing your MongoDB Implementation, Spencer Brody Auditing Monitor user activity: – userID added to standard output in 2.4 – No separate audit log – Much more coming in 2.6
  • 22. Transport Encryption - SSL
    http://docs.mongodb.org/manual/administration/ssl/
    Diagram: SSL encryption for the client connection (application to primary) and SSL encryption for inter-server traffic (primary to secondary).
  • 24. Outside MongoDB
    Firewalls
    – iptables & netsh
    – Ports, addresses, times, throttling etc.
    File system
    – Encrypt (Gazzang) [HIPAA, PCI, SOX]
    Best practices
    – Internal policies (password reuse, scans etc.)
  • 25. MongoDB Partners with Gazzang
    • File system encryption
    • 5% performance hit with HDD, 10-15% with SSD
    Diagram: OS and file system (all contents encrypted), with Gazzang and Gazzang key management.
  • 27. MongoDB Secure Development Lifecycle
    • All contributions to the open source project are reviewed and tested by a member of the Core Server team
    • Peer code reviews of all commits
    • Automated functional and unit tests
    • Active monitoring of best practices and advisories for third party code
    • Static code analysis with Coverity run nightly against the Core Server and applicable driver projects
  • 29. Documentation
    Manual – http://docs.mongodb.org/manual/security/
    • Security features within MongoDB
    • Best practices & strategies
    • Tutorials
    • Vulnerability notifications
  • 30. Potential Security Issues
    How do YOU find out?
    – MongoDB Alerts
    – mongodb-announce Google group
    How, what, where?
    – Vulnerability notification
    – Jira (HTTPS) & (secure) email
  • 32. Disclaimer
    Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
  • 33. Future
    • User-defined roles
    • Collection level access control
    • Field level access control
    • Auditing
    • X.509 authentication, for both user and intra-cluster authentication
    • External configuration of users’ roles (LDAP)
  • 35. Conclusion
    • 2.2 had rudimentary security support
    • 2.4 is much better & enterprise-level
    • Authentication & authorization
    • Within & outside
  • 36. Software Engineer, 10gen Spencer Brody #mongodbdays Thanks! If you liked my talk, please tweet about it! #MongoDBDays @stbrody
  • 37. Next Sessions at 11:00
    5th Floor:
    – West Side Ballroom 3&4: Schema Design
    – West Side Ballroom 1&2 (this room): Data Processing and Aggregation Options
    – Juilliard Complex: Business Track: Fireside Chat: IBM and MongoDB Set the Standard for Web and Mobile Development
    – Lyceum Complex: Ask the Experts
    7th Floor:
    – Empire Complex: Performance Tuning and Monitoring Using MMS
    – SoHo Complex: 10gen Polyglot Spatial with MongoDB

Editor's Notes

  1. I assume you have some security background, are familiar with industry standard security tech like SSL and Kerberos, are familiar with access control in RDBMS
  2. SDL = Secure Development Lifecycle
  3. Security before 2.4 was weak. Most of our customers were small startups, we didn’t have much demand for security features. Once we got bigger customers who cared about security, we delivered.
  4. In 2.2 security was handled outside MongoDB. We want to enable anyone to build apps on MongoDB, even if they have strict security guidelines. We were finding that big orgs couldn’t use it b/c of their internal policies.
  5. GSSAPI = Generic Security Services Application Program Interface. Meta protocol for negotiating authentication protocol.
  6. MongoD never sees your password or even password hash. You can centralize your authentication service. KDC = Key Distribution Center. Intra-cluster auth still uses MONGODB-CR!!!
  7. No separation of administrative operations. Use case: performance tuning dba who can profile, build indexes, dbStats, but not read data.
  8. dbAdmin = build indexes, compact, dbStats, profiling
  9. Best practice is to have 1 user with userAdminAnyDatabase and no other roles, and use it for all user administration. userAdmin is *effectively* (but not actually) a super-user.
  10. readWrite on configdb necessary for some sharding admin tasks (like stopping/starting the balancer). This is only one example – different companies will do this differently.
  11. New in 2.4 – certificate validation, windows support. 2.2 was a partial implementation, 2.4 is now fully implemented. Provided encryption but not authentication. Keyfile still used for intra-cluster authentication. SSL (with CA validation) ensures that the hosts are who they say they are, but that’s separate from user authentication within MongoDB.
  12. Defense in Depth
  13. Netsh = network configuration tool for windows. Defense in Depth.
  14. With SSD, as the time spent processing data between OS and disk gets proportionally larger since SSDs are so much faster, it means the perf hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.