Securing Data in MongoDB with Gazzang

mongodb
July 10, 2012

If data security is important to you, don't miss this webinar with our newest technology partner, Gazzang. 10gen is working with Gazzang to ensure your sensitive data is encrypted as it's written to MongoDB and your cryptographic keys remain safe and in full compliance with HIPAA, PCI-DSS, FISMA and other data security regulations. In this webinar, we'll share some real-life use cases of customers securing data in MongoDB, and we'll show you how to quickly install enterprise-class data protection in your environment.

Transcript

  1. MongoDB Use Cases (7/10/12, Gazzang - All rights reserved 2011)

    • User Data Management
    • High Volume Data Feeds
    • Content Management
    • Operational Intelligence
    • E-Commerce
  2. MongoDB Security

    [Diagram. Labels: Client; SSL encryption for client connection; SSL encryption for inter-server traffic; Admin Users; Regular Users; user1, user2, user3; User authentication; Primary; Secondary; Data Files; Data Files]
  3. MongoDB Security

    [Diagram. Labels: Client; Admin Users; Regular Users; user1, user2, user3; User authentication; Primary; Secondary; Data Files; Data Files; SSL encryption for client connection; SSL encryption for inter-server traffic]
  4. Data Security for MongoDB

    • Protect sensitive data
      – What type of data are you storing in MongoDB?
      – Would you consider this data to be toxic to your organization if exposed publicly?
    • Cloud security
      – Who can access your data?
      – Who’s ultimately responsible for its safekeeping?
    • Data breach mitigation
      – If your data were breached, would you lose your job?
    • Compliance
      – Do you encrypt data at rest?
      – Do you enforce tight access control policies?
  5. A Few Compliance Customers

    • HIPAA
    • FERPA
    • PCI-DSS
    • NIST/FIPS
  6. About Gazzang

    Gazzang provides robust data encryption and key management solutions that help enterprises protect sensitive information and maintain performance in the cloud
    • Based in Austin, Texas
    • 200+ customers
    • Healthcare
    • Financial Services
    • SaaS vendors
    • Public Sector
  7. 10gen and Gazzang Partnership

    “10gen and Gazzang Partner to Deliver Enterprise-Class Data Security for MongoDB“
    • Pre-built integration requires no changes to your application or database
    • Leverages automation tools for distributed deployment
    • World-class support available through 10gen and Gazzang
  8. Gazzang Data Security Solution (7/10/12 © Gazzang, Inc. -- CONFIDENTIAL --)

    zNcrypt – Transparent data encryption and advanced key management for MongoDB
    • High performance
    • No complex changes to your database or application
    • Optimized for cloud environments
  9. zNcrypt Architecture

    • Encryption
      – Data at rest / AES-256
      – File level encryption
      – Excellent performance
    • Access Control
      – Process-based ACL rules
      – Transparent data encryption
      – Separate from users & groups
    • Key Management
      – Off-site key storage
      – In the cloud / on premises
      – Hardened & highly available
  10. Ease of Deployment

    • Install zNcrypt
      – Package managers (yum, apt-get), Chef, Puppet, JuJu, etc
    • Create master encryption key
      – Passphrase method (optional “split security”)
      – RSA Key file method
    • Create ACLs
      – Simple command-lines (ALLOW/DENY style)
      – Almost any process or script allowed:
        • Virtually any application, process or script: MongoDB, MySQL, Apache, Tomcat, backup software, document management, etc
    • Encrypt data
      – Simple command line calls, down to the file level
  11. ACL Rules and Encryption

    • MongoDB ACL Rule
      “ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod”
      This says that mongod is a trusted application, using the category @mongodata, and has access to the KSS where the Master Encryption Key is stored.
    • MongoDB data node directory encryption
      “ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/”
      This says that /data/db directory is encrypted, along with any new file or data saved to it. Only the MongoDB process will be able to “see” the data by linking encryption to the ACL w/ @mongodata.
  12. Key Management

    • zNcrypt KSS (Key Storage System)
      – Hardened SaaS offering (or within enterprise / private cloud)
      – Secure access from zNcrypt client, multiple layers of security
      – SaaS KSS configured with high availability / failover
  13. KSS – Key Retrieval Process

    • zNcrypt makes a call to the KSS
      – Restart zNcrypt service
      – Console command
    • Must pass authentication checks
      – Unique client fingerprint
      – Certificate
      – One-time use secret
    • Release key - forward to zNcrypt
      – SSL encrypted communication
      – Generate next one-time use secret
    • Load key into Linux keyring
    • Encrypted MongoDB data available to mongod process
  14. Protect Your MongoDB Data

    For more information or to request a free trial contact us: [email protected]
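
The release checks listed on the "KSS – Key Retrieval Process" slide (client fingerprint, certificate, one-time use secret, then a fresh secret for the next call), modelled as an added Python example. It is not Gazzang's code or protocol: the `KeyServer` class, its record layout and the pinned-certificate-hash check are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

def _digest(value: bytes) -> str:
    return hashlib.sha256(value).hexdigest()

class KeyServer:
    """Hypothetical key server: releases a key only if all three checks pass."""

    def __init__(self):
        self._clients = {}  # fingerprint -> enrolled record (assumed layout)

    def enroll(self, fingerprint: str, cert: bytes, master_key: bytes) -> str:
        secret = secrets.token_hex(16)
        self._clients[fingerprint] = {
            "cert": _digest(cert),               # pinned certificate hash
            "secret": _digest(secret.encode()),  # server stores only a hash
            "key": master_key,
        }
        return secret  # handed to the client once, at registration

    def release(self, fingerprint: str, cert: bytes, secret: str):
        rec = self._clients.get(fingerprint)     # check 1: known fingerprint
        if rec is None:
            return None
        cert_ok = hmac.compare_digest(_digest(cert), rec["cert"])           # check 2
        secret_ok = hmac.compare_digest(_digest(secret.encode()), rec["secret"])  # check 3
        if not (cert_ok and secret_ok):
            return None
        next_secret = secrets.token_hex(16)      # rotate: the used secret is now dead
        rec["secret"] = _digest(next_secret.encode())
        return rec["key"], next_secret           # travels over SSL/TLS in practice

def demo() -> dict:
    server, cert = KeyServer(), b"constructed-client-certificate"
    fp = "constructed-host-fingerprint"
    key = secrets.token_bytes(32)                # stands in for an AES-256 master key
    s1 = server.enroll(fp, cert, key)
    first = server.release(fp, cert, s1)         # e.g. on service restart
    replay = server.release(fp, cert, s1)        # captured secret reused
    bad_cert = server.release(fp, b"other-cert", first[1])
    second = server.release(fp, cert, first[1])  # next legitimate retrieval
    return {"first": first is not None and first[0] == key, "replay": replay,
            "bad_cert": bad_cert, "second": second is not None and second[0] == key}

if __name__ == "__main__":
    print(demo())
```

The replayed secret and the mismatched certificate both return `None`. In this model a failed attempt does not rotate the stored secret, so the legitimate client can still retrieve the key afterwards.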