Automating a Secure MongoDB Deployment with Opscode and Gazzang


1. Automating a Secure MongoDB Deployment
   MongoDB Austin, Feb. 15 2013
   Matt Ray, Senior Technical Evangelist at Opscode
   Eddie Garcia, Vice President of Development at Gazzang

2. What's In Your Cloud?
   What data are you storing?
   3/15/2013 Gazzang - All rights reserved 2012

3. What's In Your Cloud?
   How are you protecting that data?

4. What's In Your Cloud?
   How are you managing the keys?

5. Student Record Breaches
   Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files. This year alone:
   • 23,000 SSNs breached at the University of North Florida
   • 16,000 SSNs, birth dates and student IDs breached from the Eugene, Oregon school district
   • 650,000 records breached from the University of Nebraska
   • 350,000 records from UNC Charlotte
   • and more.

6. Breaches Hit Every Industry (image slide)

7. Data Security For MongoDB
   Gazzang, 10gen and Opscode partner to deliver automated enterprise-class data security for MongoDB.
   • Pre-built integration requires no changes to your application or database
   • Leverages automation tools for distributed deployment
   • World-class support available through Gazzang, 10gen and Opscode

8. MongoDB Use Cases
   • Content Management
   • Operational Intelligence
   • E-Commerce
   • User Data Management
   • High Volume Data Feeds

9. (image slide)

10. (image slide)

11. Documents in MongoDB
   • Model richer objects using documents: arrays, sub-documents; data more closely matches how your apps use it; allows faster data model iteration
   • Rich atomic updates: pushing/popping items from arrays and incrementing fields can replace some transaction operations
   • Index on any field, including compound indexes: know what data your app needs for faster querying
   • Schema-less doesn't mean schema-free: find the right balance of collections and structure for your data

12. Example MongoDB Document

   {
     _id: ObjectId("4c4ba5c0672c685e5e8aabf3"),
     type: "student",
     firstname: "John",
     lastname: "Smith",
     last_updated: ISODate("2012-02-02T11:52:27.442Z"),
     contacts: [
       { parent1: "Dad Smith", phone: "123-456-7890" },
       { parent2: "Mom Smith", phone: "234-567-8901" }
     ],
     classes: ["Biology", "Algebra", "Music"]
   }

13. Operations in MongoDB
   • Replication (App -> Replica 1, Replica 2, Replica 3): redundancy and failover; can be used to scale read throughput
   • Auto-sharding (App -> Shard 1, Shard 2, Shard 3): partitions data based on a defined key (or keys), e.g. lastname; scales write throughput

14. MongoDB Native Security (diagram)
   • Admin users and regular users (user1, user2, user3) with user authentication
   • SSL encryption for client traffic
   • SSL encryption for inter-server connections
   • Client -> Primary and Secondary, each with its own data files

15. Education Use Case on MongoDB (data files on Node 1 and Node 2)
   • Teacher: First Name Bob, Last Name Jones, Email [email protected], Phone 555-5555, SSN XXX-XX-XXXX, Address 804 Congress, City Austin, State TX
   • Student: First Name Alice, Last Name Smith, Email [email protected], Grade 5th

16. Cloud Security Challenges
   • Protect Sensitive Data in the Cloud: ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly; maintain control of your encryption keys and your proprietary data
   • Ensure Big Data Security: harden Big Data infrastructures that have relatively weak security and no encryption protection; maintain Big Data performance and availability
   • Enable Compliance: encrypt data at rest and enforce tight access control policies; protect your regulated data in the event of a breach

17. Gazzang zNcrypt
   zNcrypt sits between the file system and any database, application or service running on Linux to encrypt data before it is written to the disk.
   • AES-256 encryption
   • Process-based ACLs
   • File and block encryption
   • Multiple encrypted mount points
   • Maximum performance
   • Enterprise scalability
   • Packaged support for MongoDB, Cassandra, Hadoop, MySQL, PostgreSQL

18. zNcrypt Architecture
   • Key Management: off-site key storage; in the cloud / on premises; hardened and highly available
   • Access Control: process-based ACL rules; transparent data encryption; separate from users and groups
   • Encryption: data at rest / AES-256; file-level encryption; excellent performance

19. ACL Rules and Encryption
   MongoDB ACL rule:

      ALLOW @mongodb * /usr/bin/mongod

   This defines mongod as a trusted application for the data namespace @mongodb, granting it permission to the cleartext data.

   MongoDB data node directory encryption:

      zncrypt-move encrypt @mongodb /var/lib/mongodb /var/lib/ezncrypt/ezncrypted

   This command encrypts the /var/lib/mongodb directory as well as any new file or data saved to it. Only the MongoDB process will be able to access the data, as permitted by the ACL rule for @mongodb. The last argument is the target mount point for the encrypted data.

20. Gazzang zTrustee: Controlling Authentication Objects
   Securing opaque objects with policy management and adaptive trustee authorization capabilities:
   • Time to live
   • Number of retrievals
   • URL
   • Trustee approval
   • Much more
   Client API library: Java, Python, C library.
   Trustees must approve release of objects in accordance with the deposit policy.

21. Ease of Deployment
   • Install zNcrypt: package managers (yum, apt-get), Chef, Puppet, JuJu, etc.
   • Create master encryption key: passphrase method (optional split security) or RSA key file method
   • Create ACLs: simple command lines (ALLOW/DENY style); virtually any application, process or script: MongoDB, Hadoop, Cassandra, MySQL, Apache, Tomcat, document management, etc.
   • Encrypt data: simple command line calls, down to the file level

22. Chef / Opscode Community (image slide)

23. (image slide)

24. (image slide)

25. (image slide)

26. (image slide)

27. (image slide)

28. Install MongoDB and zNcrypt with #chef-client (screenshot)

29. Install MongoDB and zNcrypt with #chef-client (screenshot)

30. Install MongoDB and zNcrypt with #chef-client (screenshot)

31. zNcrypt Cookbook
   Source on GitHub: https://github.com/gazzang/cookbooks/tree/master/zncrypt

32. Walk Through zNcrypt Cookbook
   Attributes:
   • https://github.com/gazzang/cookbooks/blob/master/zncrypt/attributes/default.rb
   Recipes:
   • https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/zncrypt.rb
   • https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/activate.rb
   • https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/configdirs.rb
   • https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/default.rb
   • https://github.com/gazzang/cookbooks/blob/master/zncrypt/recipes/mongodb.rb
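The two commands on the "ACL Rules and Encryption" slide are the part of the deployment that actually decides which process may read the cleartext, so an automation step should check the rule before applying it. The following POSIX shell helper is an added example, not code from the slides or from the gazzang cookbook: it builds the slide's `ALLOW @mongodb * /usr/bin/mongod` rule, refuses a rule that is not four fields with an ALLOW/DENY verb, an @-namespace and an absolute process path, and then issues the `zncrypt-move encrypt` call exactly as shown on the slide. The `zncrypt acl add --rule` invocation is an assumed form of the product's ACL command (only the rule text is on the slide), so check it against your zNcrypt version; `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the slides or the gazzang cookbook): apply the
# MongoDB ACL rule and directory encryption from the slide, with a syntax
# check so a malformed rule is rejected before anything is mounted.
# From the slides: rule "ALLOW @mongodb * /usr/bin/mongod" and
# "zncrypt-move encrypt <namespace> <dir> <target>".
# ASSUMED: the "zncrypt acl add --rule" CLI form; verify for your version.

NAMESPACE="@mongodb"
MONGOD_BIN="/usr/bin/mongod"
DATA_DIR="/var/lib/mongodb"
TARGET_MOUNT="/var/lib/ezncrypt/ezncrypted"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# validate_acl_rule RULE
# Returns 0 when RULE has the shape "ALLOW|DENY @namespace <path> </abs/process>":
# exactly four fields, a recognised verb, an @-prefixed namespace and an
# absolute process path (a relative process path names no single trusted binary).
validate_acl_rule() {
    set -f                       # no glob expansion: the path field is often "*"
    set -- $1
    set +f
    [ "$#" -eq 4 ] || return 1
    case "$1" in ALLOW|DENY) ;; *) return 1 ;; esac
    case "$2" in @?*) ;; *) return 1 ;; esac
    case "$4" in /*) ;; *) return 1 ;; esac
    return 0
}

# mongod_acl_rule prints the rule that marks mongod as the trusted process
# for the @mongodb namespace, as written on the slide.
mongod_acl_rule() {
    printf 'ALLOW %s * %s' "$NAMESPACE" "$MONGOD_BIN"
}

# run CMD... : execute the command, or only echo it in dry-run mode
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# encrypt_mongodb_data: validate the rule, add it, then move the data
# directory under the encrypted mount point. Returns non-zero without
# touching anything when the rule is malformed.
encrypt_mongodb_data() {
    rule=$(mongod_acl_rule)
    if ! validate_acl_rule "$rule"; then
        printf 'refusing to apply malformed ACL rule: %s\n' "$rule" >&2
        return 1
    fi
    run zncrypt acl add --rule "$rule" || return 1                      # assumed CLI form
    run zncrypt-move encrypt "$NAMESPACE" "$DATA_DIR" "$TARGET_MOUNT"   # from the slide
}

encrypt_mongodb_data
```

In a Chef run the same sequence belongs in an `execute` resource with a guard so it is idempotent; the validation function is the part worth keeping regardless of the tool, because an ACL that names the wrong binary silently grants the cleartext to the wrong process.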
33. Gazzang Overview
   Gazzang provides big data security solutions that help enterprises protect sensitive information and maintain performance in the cloud or on premises.
   150+ direct customers: SaaS, Healthcare, Financial Services, Technology, Government

34. Thank You - Q&A

35. Protect Your MongoDB Data
   For more information contact us: [email protected]
   Eddie Garcia: [email protected]