#mongodbworld Securing @mongodb

I managed to catch the latter part of the session on securing MongoDB. It was good to see that Gazzang is available to support at-rest encryption.

Vormetric (licensed by IBM) is also an option.

FIPS 140-2 is possible when using SSL Encryption.

Audit Logging.

Audit guarantees: the event is written BEFORE the write goes to the journal.
A write will not complete before being audited.

This is important because otherwise you might miss writes to the database.

Don’t forget to configure your audit logs to write to another machine, preferably not accessible by the same sys admins that manage the MongoDB servers themselves.

CRUD Auditing is coming in Release 2.8. Available as experimental code at the moment.

No IP filtering is done by the database itself. Implement this at the server (host or network) level.

Important Tips from Andreas Nilsson:

Don’t expose database servers to the Internet! No. Never. DON’T DO IT! There is NO GOOD USE CASE.

Design and configure Access Control.
Enable SSL.
Disable any unnecessary interfaces.
Lock down database files and minimize account privileges, i.e. don’t run the DB, web or other services as root!

I would also add: do not use standard or default accounts.
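To turn the checklist above (access control on, SSL required, audit events shipped to another machine, no listening on every interface) into something you can run against a mongod config, here is an added example of mine, not code from the session or from MongoDB. It uses a minimal parser for the flat key/value YAML that mongod.conf uses, so it needs no extra libraries; the option names are real mongod settings (auditLog and FIPSMode need MongoDB Enterprise), and the two sample configs are constructed.

```python
def parse_conf(text):
    """Flatten a 2-space-indented YAML mapping of scalars into dotted keys,
    e.g. 'net.ssl.mode'. Lists and quoted multi-line values are not handled;
    mongod.conf normally does not need them."""
    flat, stack = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        depth = (len(raw) - len(raw.lstrip())) // 2
        key, _, val = raw.strip().partition(":")
        stack = stack[:depth] + [key]
        if val.strip():
            flat[".".join(stack)] = val.strip().strip('"')
    return flat


def check_mongod_conf(text):
    """Return a list of findings; an empty list means the checklist is met."""
    c = parse_conf(text)
    findings = []
    if c.get("security.authorization") != "enabled":
        findings.append("access control off: set security.authorization: enabled")
    if c.get("net.ssl.mode") != "requireSSL":
        findings.append("plaintext clients accepted: set net.ssl.mode: requireSSL")
    dest = c.get("auditLog.destination")
    if dest is None:
        findings.append("auditing not enabled: set auditLog.destination")
    elif dest != "syslog":
        findings.append("audit log stays on this host: use syslog and forward it off-box")
    # older mongod releases bound to all interfaces when bindIp was unset
    if c.get("net.bindIp", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("listening on all interfaces: restrict net.bindIp")
    return findings


# Constructed sample: a typical 'it works' config with every weakness present.
WEAK_CONF = """storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongod.pem
"""

# Constructed sample: the same server after applying the session's advice.
HARDENED_CONF = """security:
  authorization: enabled
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongod.pem
    FIPSMode: true
auditLog:
  destination: syslog
"""

if __name__ == "__main__":
    for finding in check_mongod_conf(WEAK_CONF):
        print("WEAK:", finding)
    print("hardened findings:", check_mongod_conf(HARDENED_CONF))
```

Forwarding the syslog stream to a host the MongoDB administrators cannot log in to is still a separate step in your syslog daemon; the check only confirms the events leave mongod that way.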

The MongoDB Security Manual and Whitepaper are available at mongodb.com.

Lots of questions in this session indicate that this is an area of incredible interest.

See the session details below:

Creating a Single View Part 3: Securing Your Deployment

Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We’ll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Topics will include general security tools and how to configure those for MongoDB, an overview of security features available in MongoDB, including LDAP, SSL, x.509 and Authentication.

Buzz Moschetti

Enterprise Architect, Financial Services at MongoDB

Buzz started his career in software solutions after abandoning the idea of going to medical school. Contrary to popular lore, he does not have the patent on the little light on the CapsLock key. After a very brief stint at Salomon Brothers, he moved to Bear Stearns. As Chief Architect at Bear Stearns and JPMorganChase investment bank, he coded his brains out for 25 years while also keeping about 9000 IT staff moving in roughly the same direction. Buzz enjoys fast cars, cycling, scuba diving, single malts, and writing and recording music in his home studio a.k.a. closet with an outlet and a PC running ProTools.

Brian Goodman

Enterprise Architect at MongoDB

Prior to joining MongoDB, Brian led JPMorgan’s predictive analytics and innovation team. He is an IBM Distinguished Engineer and Master Inventor, having led a variety of teams in advanced and emerging technology. Brian has over 15 years of diverse experiences and client exposure in cloud computing, grassroots collaboration, social software, technology adoption and expertise location. Brian is currently on a hybrid-photo journey mixing analogue and digital photography.

Andreas Nilsson

Software Security Engineer at MongoDB

Andreas is a Software Security Engineer working on the core server team. Prior to joining MongoDB, Andreas was a Security Architect at NASDAQ OMX responsible for the security architecture of the trading systems. Past employment includes Check Point Software Technologies and Certezza. Andreas holds an MS degree in Computer Security from Columbia University and an MS degree in Engineering Physics from KTH Stockholm.

[tag health cloud BigData MongoDB MongoDBWorld NoSQL]

Mark Scrimshire
Health & Cloud Technology Consultant

Mark is available for challenging assignments at the intersection of Health and Technology using Big Data, Mobile and Cloud Technologies. If you need help to move, or create, your health applications in the cloud let’s talk.
Blog: http://blog.ekivemark.com
email: mark@ekivemark.com
Stay up-to-date: Twitter @ekivemark
Disclosure: I began as a Patient Engagement Advisor and am now CTO to Personiform, Inc. and their Medyear.com platform. Medyear is a powerful free tool that helps you collect, organize and securely share health information, however you want. Manage your own health records today. Medyear: The Power Grid for your Health.
