Securing Data in MongoDB with Gazzang and Chef
Transcript of Securing Data in MongoDB with Gazzang and Chef
Robert Linden, Sr. Solutions Architect at Gazzang
April 12, 2023
What’s in your Cloud?
• What data are you storing?
• How are you protecting that data?
• How are you managing the keys?
Gazzang - All rights reserved 2012
Student Record Breaches
• Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files.
• This year alone…
– 23,000 SSNs breached at the University of North Florida
– 16,000 SSNs, birth dates and student IDs breached from Eugene, Oregon school district
– 650,000 records breached from University of Nebraska
– 350,000 records from UNC Charlotte
– and more….
Breaches Hit Every Industry
Data Security For MongoDB
Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB
• Pre-built integration requires no changes to your application or database
• Leverages automation tools for distributed deployment
• World-class support available through Gazzang, 10gen and Opscode
MongoDB Native Security
[Diagram: a Client connects to the Primary over an SSL-encrypted client connection; inter-server traffic between Primary and Secondary (each holding Data Files) is SSL-encrypted; user authentication covers Admin Users and Regular Users (user1, user2, user3).]
Education Use Case on MongoDB
[Diagram: Node 1 and Node 2, each with Data Files, holding records such as the following.]
Teacher: First Name Bob; Last Name Jones; Email [email protected]; Phone 555-5555; SSN XXX-XX-XXXX
Student: First Name Alice; Last Name Smith; Email [email protected]; Grade 5th; Address 804 Congress; City Austin; State TX
Cloud Security Challenges
• Protect Sensitive Data in the Cloud
– Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
– Maintain control of your encryption keys and your proprietary data
• Ensure Big Data Security
– Harden Big Data infrastructures that have relatively weak security and no encryption protection
– Maintain Big Data performance and availability
• Enable Compliance
– Encrypt data at rest and enforce tight access control policies
– Protect your regulated data in the event of a breach
Gazzang zNcrypt™
zNcrypt sits between the file system and ANY database, application or service running on Linux to encrypt data before it writes to the disk.
• AES 256 encryption
• Process-based ACLs
• Maximum performance
• Transparent data encryption
• Enterprise scalability
• Packaged support for MongoDB
zNcrypt Architecture
• Encryption
– Data at rest / AES-256
– File level encryption
– Excellent performance
• Access Control
– Process-based ACL rules
– Transparent data encryption
– Separate from users & groups
• Key Management
– Off-site key storage
– In the cloud / on premises
– Hardened & highly available
ACL Rules and Encryption
• MongoDB ACL Rule
“ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod”
This says that mongod is a trusted application, using the category @mongodata, and has access to the KSS where the Master Encryption Key is stored.
• MongoDB data node directory encryption
“ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/”
This says that the /data/db directory is encrypted, along with any new file or data saved to it. Only the MongoDB process will be able to “see” the data, because encryption is linked to the ACL through @mongodata.
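As an added illustration (not Gazzang's code; the rule matching, the longest-prefix directory lookup and the first-match rule order are assumptions), this Python model shows how the two commands above fit together: a process binary, not a Unix user or group, is what an ACL trusts to see plaintext under an encrypted directory.

```python
"""Toy model of a zNcrypt-style process-based ACL (added illustration, not
Gazzang's code; matching semantics are assumed from the slide's two commands).
Plaintext access is granted to a trusted process binary, never to a user or group."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AclRule:
    action: str        # "ALLOW" or "DENY"
    category: str      # "@mongodata" on the slide
    file_pattern: str  # glob over the file name; "*" means any file
    process: str       # absolute path of the binary trusted to see plaintext

def parse_rule(line: str) -> AclRule:
    """Parse 'ALLOW @mongodata * /path/to/mongod' (slide quotes tolerated)."""
    parts = line.strip().strip('"\u201c\u201d').split()
    if (len(parts) != 4 or parts[0] not in ("ALLOW", "DENY")
            or not parts[1].startswith("@") or not parts[3].startswith("/")):
        raise ValueError(f"malformed ACL rule: {line!r}")
    return AclRule(*parts)

def encrypt_dir(mounts: Dict[str, str], category: str, directory: str) -> None:
    """Model 'ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/':
    everything under the directory now belongs to the category."""
    mounts[directory.rstrip("/") + "/"] = category

def category_of(mounts: Dict[str, str], path: str) -> Optional[str]:
    """Longest-prefix match, so a nested encrypted directory wins."""
    best = max((d for d in mounts if path.startswith(d)), key=len, default=None)
    return mounts[best] if best else None

def may_read_plaintext(rules: List[AclRule], mounts: Dict[str, str],
                       path: str, process: str) -> bool:
    """First matching rule wins; no match means ciphertext only. Note the
    absence of a uid argument: root running /bin/cat is refused too."""
    category = category_of(mounts, path)
    if category is None:
        return True  # not inside an encrypted directory
    name = path.rsplit("/", 1)[-1]
    for r in rules:
        if r.category == category and r.process == process and fnmatch(name, r.file_pattern):
            return r.action == "ALLOW"
    return False

# Constructed sample: the rule and directory shown on the slide.
RULES = [parse_rule('"ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod"')]
MOUNTS: Dict[str, str] = {}
encrypt_dir(MOUNTS, "@mongodata", "/var/lib/mongodb/data/db/")
```

With the sample rule loaded, mongod gets plaintext for files under the encrypted directory while any other binary (even run as root) sees ciphertext only.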
Key Management
• zNcrypt KSS (Key Storage System)
– Hardened SaaS offering (or within enterprise / private cloud)
– Secure access from zNcrypt client, multiple layers of security
– SaaS KSS configured with high availability / failover
Ease of Deployment
• Install zNcrypt
– Package managers (yum, apt-get), Chef, Puppet, JuJu, etc
• Create master encryption key
– Passphrase method (optional “split security”)
– RSA Key file method
• Create ACLs
– Simple command-lines (ALLOW/DENY style)
– Almost any process or script allowed: virtually any application, process or script such as MongoDB, MySQL, Apache, Tomcat, backup software, document management, etc
• Encrypt data
– Simple command line calls, down to the file level
Chef – Opscode Community
Chef - GitHub
Live Demonstration: Chef Using zNcrypt Cookbook
Install MongoDB and zNcrypt with #chef-client
Gazzang Overview
Gazzang provides big data security and diagnostics solutions that help enterprises protect sensitive information and maintain performance in cloud environments.
– Based in Austin, Texas
– Funded by Austin Ventures and Silver Creek Ventures
– 225+ customers
– SaaS, Healthcare, Financial Services, Government, Technology
Thank You
Q&A
Protect Your MongoDB Data
For more information contact us: [email protected]
Robert Linden