Download MongoDB Security Architecture WP PDF

TitleMongoDB Security Architecture WP
File Size1.8 MB
Total Pages16
Table of Contents
                            Table of Contents
Requirements for Securing Online Big Data1
	User Rights Management - Authentication2
	User Rights Management - Authorization3
	Environmental and Process Control4
MongoDB Security Features5
	MongoDB Enterprise Advanced5
	MongoDB Authentication5
		In Database Authentication5
		LDAP Authentication5
		Kerberos Authentication6
		x.509 Certificate Authentication6
		MongoDB and Red Hat Identity Management6
		MongoDB and Microsoft Active Directory6
		A Note About Passwords6
	MongoDB Authorization6
		User Defined Roles7
		MongoDB Field Level Redaction8
	MongoDB Auditing8
	MongoDB Encryption9
		Network Encryption9
		Disk Encryption10
	Environment & Processes10
		Database Monitoring11
		Disaster Recovery: Backups & Point-in-Time Recovery12
		Database Maintenance12
We Can Help12
Appendix: MongoDB Security Checklist14
Requirements for Securing Online Big Data
	User Rights Management - Authentication
	User Rights Management - Authorization
	Environmental and Process Control
MongoDB Security Features
	MongoDB Enterprise Advanced
	MongoDB Authentication
		In Database Authentication
		LDAP Authentication
		Kerberos Authentication
		x.509 Certificate Authentication
		MongoDB and Red Hat Identity Management
		MongoDB and Microsoft Active Directory
	MongoDB Authorization
		User Defined Roles
		MongoDB Field Level Redaction
	MongoDB Auditing
	MongoDB Encryption
		Network Encryption
		Disk Encryption
	Environment & Processes
		Database Monitoring
		Disaster Recovery: Backups & Point-in-Time Recovery
		Database Maintenance
We Can Help
MongoDB Security Checklist
Document Text Contents
Page 8

across internal systems and applications. In many cases,

LDAP is also used as the centralized authority for user

access control to ensure that internal security policies are

compliant with corporate and regulatory guidelines.

With LDAP integration, MongoDB can authenticate users

directly against corporate LDAP infrastructure, eliminating

the need to duplicate password management between

LDAP directories and MongoDB’s internal authentication

controls. Note that MongoDB currently supports LDAP

authentication, and not authorization. See the following

section of the whitepaper to learn more about the

authorization controls available in MongoDB.

Administrators can conSgure MongoDB to authenticate

users via Linux PAM or by proxying authentication requests

to a speciSed LDAP service. LDAP integration is available

in MongoDB.

Kerberos Authentication

With MongoDB Enterprise Advanced, authentication using

a Kerberos service is supported. Kerberos is an industry

standard authentication protocol for large client/server

systems, allowing both the client and server to verify each

others' identity. With Kerberos support, MongoDB can take

advantage of existing authentication infrastructure and

processes, including Microsoft Windows Active Directory .

As with LDAP and x.509 certiScates, before users can

authenticate to MongoDB using Kerberos, they must Srst

be created and granted privileges within MongoDB. The

process for doing this, along with a full conSguration

checklist is described in the MongoDB and Kerberos


x.509 CertiScate Authentication

With support for x.509 certiScates MongoDB can be

integrated with existing information security infrastructure

and certiScate authorities, supporting both user and

inter-node authentication.

Users can be authenticated to MongoDB using client

certiScates rather than self-maintained and potentially

vulnerable passwords.

Inter-cluster authentication and communication between

MongoDB nodes can be secured with x.509 member

certiScates rather than keySles, ensuring stricter

membership controls with less administrative overhead, i.e.

by eliminating the shared password used by keySles. x.509

certiScates can be used by nodes to verify their

membership of MongoDB replica sets and sharded

clusters. A single CertiScate Authority (CA) should issue all

the x.509 certiScates for the members of a sharded cluster

or a replica set.

Instructions for conSguration are described in the

MongoDB and x.509 certiScates tutorial.

MongoDB and Red Hat Identity Management

Red Hat Enterprise Linux (RHEL) is a popular environment

for MongoDB deployments. Providing ease of use to

administrators and security professionals working in these

environments, the MongoDB enterprise security features

are integrated with the Identity Management (IdM) features

of RHEL. This integration provides central management of

individual entities and their authentication, authorization

and privileges.

Review the Red Hat Linux Identity Management tutorial for

instruction on conSguration with MongoDB.

Red Hat IdM integration is available with MongoDB and

requires the database to be conSgured for Kerberos


MongoDB and Microsoft Active Directory

MongoDB Enterprise Advanced provides support for

authentication using Microsoft Active Directory and

Kerberos. The Active Directory domain controller

authenticates the MongoDB users and servers running in a

Windows network.

MongoDB Authorization

MongoDB allows administrators to deSne the permissions

an application or user has, and what data they can see

when querying the database.


Page 15

MongoDB Training helps you become a MongoDB expert,

from design to operating mission-critical systems at scale.

Whether you’re a developer, DBA, or architect, we can

make you better at MongoDB.


For more information, please visit or contact

us at [email protected]

Case Studies (

Presentations (

Free Online Training (

Webinars and Events (

Documentation (

MongoDB Enterprise Download (

New York • Palo Alto • Washington, D.C. • London • Dublin • Barcelona • Sydney • Tel Aviv
US 866-237-8815 • INTL +1-650-440-4474 • [email protected]
© 2015 MongoDB, Inc. All rights reserved.

mailto:[email protected]

Page 16

MongoDB Security Checklist

The checklist deSnes the steps, along with key resources, to creating a secure MongoDB deployment.

PrPreparepare Secure Secure Operating Envire Operating Environmentonment

Download MongoDB Enterprise Production release

ConSgure network (Srewall, bind IP
addresses, VPN, etc.)

Review platform-speciSc documentation
MongoDB network documentation

Create MongoDB user account &

Review platform-speciSc and Slesystem documentation for creating OS
logins and permissions

ConSgure encrypted Sle system Linux: LUKS Cross-Platform: Vormetric Data Security Platform Windows:
BitLocker Drive Encryption

PrPreparepare MongoDB Deploymente MongoDB Deployment

ConSgure preferred external

LDAP documentation
Kerberos documentation
Red Hat IdM documentation

ConSgure inter-cluster authentication x.509 CertiScate documentation

Setup SSL certiScates SSL documentation

Enable FIPS Mode FIPS mode documentation

ConSgure auditing Auditing of administrative actions (MongoDB)

De7ne Users and RolesDe7ne Users and Roles

Document roles that will access the

Project team process

Create MongoDB admin account Add User to MongoDB

ConSgure permissions for each role Built-in (standard) MongoDB roles
User deSned roles

Optional Advanced ConSguration:
Implement Seld level redaction

Redaction documentation

Monitor the DeploymentMonitor the Deployment

ConSgure MMS MMS documentation

Monitor and apply latest patches Subscribe to the MongoDB Announcements Google Group for availability of
the latest releases and patches
Monitor patch alerts and updates for infrastructure (server, network and
storage components, OS, middleware, etc.)


Similer Documents