Slide 1

Slide 1 text

Securing Data in MongoDB with Gazzang and 10gen
July 10, 2012

Slide 2

Slide 2 text

MongoDB Use Cases
•  User Data Management
•  High Volume Data Feeds
•  Content Management
•  Operational Intelligence
•  E-Commerce
7/10/12 Gazzang - All rights reserved 2011

Slide 3

Slide 3 text

MongoDB Security
[Diagram labels: Client; Primary and Secondary, each with Data Files; Admin Users; Regular Users (user1, user2, user3); User authentication; SSL encryption for client connection; SSL encryption for inter-server traffic]

Slide 4

Slide 4 text

MongoDB Security
[Diagram labels: Client; Primary and Secondary, each with Data Files; Admin Users; Regular Users (user1, user2, user3); User authentication; SSL encryption for client connection; SSL encryption for inter-server traffic]

Slide 5

Slide 5 text

Data Security for MongoDB
•  Protect sensitive data
   –  What type of data are you storing in MongoDB?
   –  Would you consider this data to be toxic to your organization if exposed publicly?
•  Cloud security
   –  Who can access your data?
   –  Who’s ultimately responsible for its safekeeping?
•  Data breach mitigation
   –  If your data were breached, would you lose your job?
•  Compliance
   –  Do you encrypt data at rest?
   –  Do you enforce tight access control policies?

Slide 6

Slide 6 text

A Few Compliance Customers
•  HIPAA
•  FERPA
•  PCI-DSS
•  NIST/FIPS

Slide 7

Slide 7 text

About Gazzang
Gazzang provides robust data encryption and key management solutions that help enterprises protect sensitive information and maintain performance in the cloud
•  Based in Austin, Texas
•  200+ customers
   –  Healthcare
   –  Financial Services
   –  SaaS vendors
   –  Public Sector

Slide 8

Slide 8 text

10gen and Gazzang Partnership
“10gen and Gazzang Partner to Deliver Enterprise-Class Data Security for MongoDB”
•  Pre-built integration requires no changes to your application or database
•  Leverages automation tools for distributed deployment
•  World-class support available through 10gen and Gazzang

Slide 9

Slide 9 text

Gazzang Data Security Solution
zNcrypt
–  Transparent data encryption and advanced key management for MongoDB
   •  High performance
   •  No complex changes to your database or application
   •  Optimized for cloud environments
© Gazzang, Inc. -- CONFIDENTIAL --

Slide 10

Slide 10 text

zNcrypt Architecture
•  Encryption
   –  Data at rest / AES-256
   –  File level encryption
   –  Excellent performance
•  Access Control
   –  Process-based ACL rules
   –  Transparent data encryption
   –  Separate from users & groups
•  Key Management
   –  Off-site key storage
   –  In the cloud / on premises
   –  Hardened & highly available

Slide 11

Slide 11 text

Ease of Deployment
•  Install zNcrypt
   –  Package managers (yum, apt-get), Chef, Puppet, JuJu, etc
•  Create master encryption key
   –  Passphrase method (optional “split security”)
   –  RSA Key file method
•  Create ACLs
   –  Simple command-lines (ALLOW/DENY style)
   –  Almost any process or script allowed:
      •  Virtually any application, process or script: MongoDB, MySQL, Apache, Tomcat, backup software, document management, etc
•  Encrypt data
   –  Simple command line calls, down to the file level

Slide 12

Slide 12 text

ACL Rules and Encryption
•  MongoDB ACL Rule
   “ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod”
   This says that mongod is a trusted application, using the category @mongodata, and has access to the KSS where the Master Encryption Key is stored.
•  MongoDB data node directory encryption
   “ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/”
   This says that /data/db directory is encrypted, along with any new file or data saved to it. Only the MongoDB process will be able to “see” the data by linking encryption to the ACL w/ @mongodata.
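The link between an encrypted directory, its category and a trusted executable can be modelled in a few lines. This is an added example, not Gazzang's code: the evaluation order (DENY wins, no matching rule means no access), the helper names and the sample file and process paths other than the slide's rule and directory are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    action: str    # "ALLOW" or "DENY"
    category: str  # e.g. "@mongodata"
    path: str      # glob relative to the encrypted directory
    process: str   # absolute path of the trusted executable

def parse_rule(text):
    """Parse 'ACTION @category path process' as written on the slide."""
    fields = text.split()
    if len(fields) != 4 or fields[0] not in ("ALLOW", "DENY") \
            or not fields[1].startswith("@"):
        raise ValueError(f"malformed rule: {text!r}")
    return Rule(*fields)

def may_read(rules, encrypted_dirs, exe, file_path):
    """True if executable `exe` may see the plaintext of `file_path`."""
    for directory, category in encrypted_dirs.items():
        prefix = directory.rstrip("/") + "/"
        if not file_path.startswith(prefix):
            continue
        rel = file_path[len(prefix):]
        hits = [r for r in rules
                if r.category == category and r.process == exe
                and fnmatchcase(rel, r.path)]
        # Assumed semantics: DENY wins, and no matching rule means no access.
        if any(r.action == "DENY" for r in hits):
            return False
        return any(r.action == "ALLOW" for r in hits)
    return True  # outside every encrypted directory: nothing to gate

# Constructed sample data, using the rule and directory from the slide.
MONGOD = "/home/mymongo/mongodb-linux/bin/mongod"
RULES = [parse_rule(f"ALLOW @mongodata * {MONGOD}")]
ENCRYPTED = {"/var/lib/mongodb/data/db/": "@mongodata"}
DATA_FILE = "/var/lib/mongodb/data/db/customers.0"

def demo():
    return {exe: may_read(RULES, ENCRYPTED, exe, DATA_FILE)
            for exe in (MONGOD, "/bin/cat", "/usr/bin/rsync")}
```

Under this model a backup or copy tool that is not listed in an ALLOW rule cannot read the data files in the clear, which is why backup software appears among the processes that may need their own rule.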

Slide 13

Slide 13 text

Key Management
•  zNcrypt KSS (Key Storage System)
   –  Hardened SaaS offering (or within enterprise / private cloud)
   –  Secure access from zNcrypt client, multiple layers of security
   –  SaaS KSS configured with high availability / failover

Slide 14

Slide 14 text

KSS – Key Retrieval Process
•  zNcrypt makes a call to the KSS
   –  Restart zNcrypt service
   –  Console command
•  Must pass authentication checks
   –  Unique client fingerprint
   –  Certificate
   –  One-time use secret
•  Release key - forward to zNcrypt
   –  SSL encrypted communication
   –  Generate next one-time use secret
•  Load key into Linux keyring
•  Encrypted MongoDB data available to mongod process
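The retrieval steps above, modelled in memory with both sides of the exchange. This is an added example, not Gazzang's protocol or code: the class names, the string stand-ins for the fingerprint and certificate, and the dict standing in for the Linux keyring are assumptions, and the SSL transport is omitted.

```python
import hmac
import secrets

class KSS:
    """Toy key storage server holding one record per enrolled client."""
    def __init__(self):
        self._clients = {}

    def enroll(self, fingerprint, cert_id, master_key):
        ots = secrets.token_hex(16)  # first one-time-use secret
        self._clients[fingerprint] = {"cert": cert_id, "ots": ots,
                                      "key": master_key}
        return ots

    def retrieve(self, fingerprint, cert_id, ots):
        rec = self._clients.get(fingerprint)
        if rec is None:
            return None  # unknown client fingerprint
        cert_ok = hmac.compare_digest(rec["cert"], cert_id)
        ots_ok = hmac.compare_digest(rec["ots"], ots)
        if not (cert_ok and ots_ok):
            return None
        rec["ots"] = secrets.token_hex(16)  # old secret is now dead
        return rec["key"], rec["ots"]

class Client:
    def __init__(self, kss, fingerprint, cert_id, ots):
        self.kss, self.fingerprint = kss, fingerprint
        self.cert_id, self.ots = cert_id, ots
        self.keyring = {}  # stand-in for the Linux keyring

    def start(self):
        reply = self.kss.retrieve(self.fingerprint, self.cert_id, self.ots)
        if reply is None:
            return False
        self.keyring["master"], self.ots = reply
        return True

def demo():
    kss = KSS()
    key = secrets.token_bytes(32)  # constructed AES-256-sized key
    first = kss.enroll("fp-node1", "cert-node1", key)
    node = Client(kss, "fp-node1", "cert-node1", first)
    started = node.start()
    replay = kss.retrieve("fp-node1", "cert-node1", first)  # copied secret
    cloned = kss.retrieve("fp-other", "cert-node1", node.ots)
    restarted = node.start()
    return started, replay, cloned, restarted, node.keyring["master"] == key
```

A secret copied from disk before the service restarts is rejected afterwards, and a request carrying a valid secret from a machine with a different fingerprint is rejected as well.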

Slide 15

Slide 15 text

MongoDB Infrastructure with zNcrypt

Slide 16

Slide 16 text

Protect Your MongoDB Data
For more information or to request a free trial contact us: info@gazzang.com

Slide 17

Slide 17 text

Thank You
Q&A