Securing Data in MongoDB with Gazzang and Chef

Robert Linden, Sr. Solutions Architect at Gazzang, 6/20/22

description

For the first time this year, 10gen will be offering a track completely dedicated to Operations at MongoSV, 10gen's annual MongoDB user conference on December 4. Learn more at MongoSV.com

Transcript of Securing Data in MongoDB with Gazzang and Chef

Page 1: Securing Data in MongoDB with Gazzang and Chef

Securing Data in MongoDB with Gazzang and Chef. Robert Linden, Sr. Solutions Architect at Gazzang

April 12, 2023

Page 2: Securing Data in MongoDB with Gazzang and Chef

What’s in your Cloud?

Gazzang - All rights reserved 2012 04/12/2023

What data are you storing?

Page 3: Securing Data in MongoDB with Gazzang and Chef

What’s in your Cloud?


How are you protecting that data?

Page 4: Securing Data in MongoDB with Gazzang and Chef

What’s in your Cloud?


How are you managing the keys?

Page 5: Securing Data in MongoDB with Gazzang and Chef

Student Record Breaches

• Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files.

• This year alone…

– 23,000 SSNs breached at the University of North Florida

– 16,000 SSNs, birth dates and student IDs breached from the Eugene, Oregon school district

– 650,000 records breached from the University of Nebraska

– 350,000 records from UNC Charlotte

– and more….

Page 6: Securing Data in MongoDB with Gazzang and Chef


Breaches Hit Every Industry

Page 7: Securing Data in MongoDB with Gazzang and Chef


Data Security For MongoDB

Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB

• Pre-built integration requires no changes to your application or database

• Leverages automation tools for distributed deployment

• World-class support available through Gazzang, 10gen and Opscode


Page 8: Securing Data in MongoDB with Gazzang and Chef

MongoDB Native Security

Diagram: a client connects to a replica set made up of a Primary and a Secondary, each with its own Data Files. Labels on the diagram: SSL encryption for the client connection; SSL encryption for inter-server traffic; user authentication, with Admin Users and Regular Users (user1, user2, user3).

Page 9: Securing Data in MongoDB with Gazzang and Chef

Education Use Case on MongoDB

Diagram: two MongoDB nodes (Node 1, Node 2), each with its own Data Files, holding records such as the following.

Teacher
– First Name: Bob
– Last Name: Jones
– Email: [email protected]
– Phone: 555-5555
– SSN: XXX-XX-XXXX

Student
– First Name: Alice
– Last Name: Smith
– Email: [email protected]
– Grade: 5th
– Address: 804 Congress
– City: Austin
– State: TX

Page 10: Securing Data in MongoDB with Gazzang and Chef

Cloud Security Challenges

• Protect Sensitive Data in the Cloud

– Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly

– Maintain control of your encryption keys and your proprietary data

• Ensure Big Data Security

– Harden Big Data infrastructures that have relatively weak security and no encryption protection

– Maintain Big Data performance and availability

• Enable Compliance

– Encrypt data at rest and enforce tight access control policies

– Protect your regulated data in the event of a breach

Page 11: Securing Data in MongoDB with Gazzang and Chef

Gazzang zNcrypt™

zNcrypt sits between the file system and any database, application or service running on Linux and encrypts data before it is written to disk.

• AES-256 encryption

• Process-based ACLs

• Maximum performance

• Transparent data encryption

• Enterprise scalability

• Packaged support for MongoDB

Page 12: Securing Data in MongoDB with Gazzang and Chef

zNcrypt Architecture

• Encryption

– Data at rest / AES-256

– File-level encryption

– Excellent performance

• Access Control

– Process-based ACL rules

– Transparent data encryption

– Separate from users & groups

• Key Management

– Off-site key storage

– In the cloud / on premises

– Hardened & highly available

Page 13: Securing Data in MongoDB with Gazzang and Chef

ACL Rules and Encryption

• MongoDB ACL Rule

“ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod”

This says that mongod is a trusted application, using the category @mongodata, and has access to the KSS where the Master Encryption Key is stored.

• MongoDB data node directory encryption

“ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/”

This says that the /var/lib/mongodb/data/db/ directory is encrypted, along with any new file or data saved to it. Only the MongoDB process will be able to "see" the data, because the encryption is linked to the ACL through the @mongodata category. Note that the rule names the absolute path of the mongod binary, so it must match the path where the Chef cookbook actually installs mongod.

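The two commands above tie an ACL rule and an encrypted directory together through the @mongodata category. The following Python model, added here as an illustration and not Gazzang's code, parses rules in the slide's ALLOW/DENY format and evaluates access the way the slide describes it: the category of a file comes from the encrypted directory it sits under, and the decision depends on the requesting process's executable path rather than on the user or group. Treating the middle `*` field as a file glob, evaluating rules first-match-wins, and denying by default are assumptions of this model, not documented zNcrypt behaviour. The sample paths are constructed; the last case shows the deployment caveat that a rule pointing at the wrong mongod path locks mongod itself out.

```python
"""Toy model of process-based ACLs bound to encrypted directories.

Added example, not part of the slides or of Gazzang's product. Rule grammar
follows the slide:  ACTION @category <file-glob> </abs/path/to/executable>
Assumed semantics: first matching rule wins, anything unmatched is denied.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import posixpath


@dataclass
class Rule:
    action: str     # "ALLOW" or "DENY"
    category: str   # e.g. "@mongodata"
    file_glob: str  # assumed: glob over the file path, "*" matches everything
    process: str    # absolute path of the trusted executable


def parse_rule(text: str) -> Rule:
    """Parse one ALLOW/DENY rule line; reject anything malformed."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {text!r}")
    action, category, file_glob, process = parts
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"action must be ALLOW or DENY: {action!r}")
    if not category.startswith("@"):
        raise ValueError(f"category must start with '@': {category!r}")
    if not posixpath.isabs(process):
        raise ValueError(f"process must be an absolute path: {process!r}")
    return Rule(action, category, file_glob, posixpath.normpath(process))


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    encrypted: dict = field(default_factory=dict)  # normalized dir -> category

    def add_rule(self, text: str) -> None:
        self.rules.append(parse_rule(text))

    def encrypt(self, category: str, directory: str) -> None:
        """Models 'ezncrypt --encrypt @category /dir/': tag the tree."""
        self.encrypted[posixpath.normpath(directory)] = category

    def category_of(self, path: str):
        """Longest encrypted-directory prefix decides the file's category."""
        p = posixpath.normpath(path)
        best = None
        for d, cat in self.encrypted.items():
            if p == d or p.startswith(d + "/"):
                if best is None or len(d) > len(best[0]):
                    best = (d, cat)
        return best[1] if best else None

    def check(self, path: str, exe: str) -> str:
        """Decide for a process (by executable path, NOT uid) reading a file.

        Returns "PLAINTEXT" when the file is outside every encrypted tree,
        otherwise the first matching rule's action, defaulting to "DENY".
        """
        cat = self.category_of(path)
        if cat is None:
            return "PLAINTEXT"
        p, e = posixpath.normpath(path), posixpath.normpath(exe)
        for r in self.rules:
            if r.category == cat and fnmatchcase(p, r.file_glob) and r.process == e:
                return r.action
        return "DENY"


def demo() -> dict:
    """Apply the slide's rule and encrypt command, then probe a few accesses."""
    pol = Policy()
    pol.add_rule("ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod")
    pol.encrypt("@mongodata", "/var/lib/mongodb/data/db/")
    data_file = "/var/lib/mongodb/data/db/test.0"  # constructed sample path
    return {
        # the trusted mongod binary reads its own data files
        "mongod": pol.check(data_file, "/home/mymongo/mongodb-linux/bin/mongod"),
        # root running cat is still denied: the ACL is process-based, not user-based
        "root_cat": pol.check(data_file, "/bin/cat"),
        # a packaged mongod at a different path does not match the rule
        "wrong_path_mongod": pol.check(data_file, "/usr/bin/mongod"),
        # files outside the encrypted tree are never protected by this policy
        "outside": pol.check("/var/log/mongodb/mongod.log", "/bin/cat"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {verdict}")
```

The "wrong_path_mongod" case is the one to watch in a Chef-driven rollout: whichever path the cookbook installs mongod to is the path the ACL rule has to name.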

Page 14: Securing Data in MongoDB with Gazzang and Chef

Key Management

• zNcrypt KSS (Key Storage System)

– Hardened SaaS offering (or within enterprise / private cloud)

– Secure access from the zNcrypt client, multiple layers of security

– SaaS KSS configured with high availability / failover

Page 15: Securing Data in MongoDB with Gazzang and Chef

Ease of Deployment

• Install zNcrypt

– Package managers (yum, apt-get), Chef, Puppet, Juju, etc.

• Create master encryption key

– Passphrase method (optional "split security")

– RSA key file method

• Create ACLs

– Simple command lines (ALLOW/DENY style)

– Virtually any application, process or script can be allowed: MongoDB, MySQL, Apache, Tomcat, backup software, document management, etc.

• Encrypt data

– Simple command-line calls, down to the file level

Page 16: Securing Data in MongoDB with Gazzang and Chef

Chef – Opscode Community


Page 17: Securing Data in MongoDB with Gazzang and Chef

Chef - GitHub


Page 18: Securing Data in MongoDB with Gazzang and Chef

Live Demonstration: Chef Using zNcrypt Cookbook

Page 19: Securing Data in MongoDB with Gazzang and Chef

Install MongoDB and zNcrypt with #chef-client (screenshot)

Page 20: Securing Data in MongoDB with Gazzang and Chef

Install MongoDB and zNcrypt with #chef-client (screenshot, continued)

Page 21: Securing Data in MongoDB with Gazzang and Chef

Install MongoDB and zNcrypt with #chef-client (screenshot, continued)

Page 22: Securing Data in MongoDB with Gazzang and Chef

Gazzang Overview

Gazzang provides big data security and diagnostics solutions that help enterprises protect sensitive information and maintain performance in cloud environments.

– Based in Austin, Texas

– Funded by Austin Ventures and Silver Creek Ventures

– 225+ customers

– SaaS, Healthcare, Financial Services, Government, Technology

Page 23: Securing Data in MongoDB with Gazzang and Chef


Thank You

Q&A


Page 24: Securing Data in MongoDB with Gazzang and Chef


Protect Your MongoDB Data

For more information contact us: [email protected]

Robert Linden

[email protected]
