© 2014 Cisco and/or its affiliates. All rights reserved.
Securing MongoDB to serve an AWS-based multi-tenant security-fanatic SaaS application
Doron Levari, Data Architect, Cisco
About me
[slide graphic: personal timeline with the years 1975, 1997, 2004 and 2010; the other figures on the slide are not recoverable from the extraction]
My project
[slide diagram: a cloud service connected to customer datacenter(s) hosting firewalls FW1, FW2, FW3 and FW4]
Workflow: Onboard Customer → Discover CPE → Normalize configuration and Policy → Add new Device → Orchestrate
Simplify, unify, and orchestrate policy for Cisco security products from the cloud
Birds Eye Architecture
• REST API
• Micro Services
• Device plugins: Configuration, Classification, Normalization
Agenda
• Why MongoDB?
• Why security?
• Security considerations
• Tenant isolation considerations
• Implementation of security with MongoDB
  - Encryption of data at rest and at flight
  - Strong authentication
  - Fine grained authorization
  - Audit trail
Why MongoDB?
• Agile development, agile deployments
• Data requirements are decent
  - 1000s of corporates, 10Ks of registered users, 1M of devices
  - Size ~5 TB
• Store raw config files
  - Tag inside config files
  - Full text search
• JSON is all over the app
  - REST APIs, JavaScript, D3.JS
• Simplicity! MMS is awesome!
Why Data Security?
• Our clients
  - Corporates and their sysadmins, security admins
  - Security experts
• Sell more products, $$$
  - Convince our customers to let us keep the keys to their kingdom
  - Meet security compliance (such as PCI-DSS)
• Stay alive as a business
• Address threats
  - Leaked or hijacked passwords, impersonation
  - Network sniffing
  - Memory or storage dumping
• Isolate, detect, prevent
Security requirements
• Encryption of data at rest and at flight
• Strong authentication
• Fine grained authorization
• Audit trail
• We need all of the above in a multi tenant application
• Tenant isolation
Tenant Isolation Practices
[slide diagram: four deployment options, ordered from Isolated to Shared]
• Cluster per tenant: a separate Mongod Replica Set for each tenant (Acme, Foo, Bar)
• Database per tenant: one Mongod Replica Set, a separate database per tenant (Acme, Foo, Bar)
• Collection(s) per tenant: one Mongod Replica Set, tenants separated by collection (Acme, Foo, Bar)
• Shared collections: one Mongod Replica Set holding All Data in common collections
Tenant Isolation Analysis
(Columns, from Isolated to Shared: Cluster per tenant | Database per tenant | Collections per tenant | Shared collections)
Security:
• Less prone to query injection and bugs
• Disk, memory, CPU isolation
• Data at rest encryption done at storage level, key per tenant
• Per tenant connection with x.509 certificate, key per tenant
• Database level RBAC and audit
• Disk, memory isolation
• No resource isolation
• Application-level encryption would blind the database
• Common database user connection
Operations:
• Tenant portability (carve out a tenant to another stack)
• Scale out by horizontal partitioning by tenant ID
• Sharding by tenant ID
• Sharding big tenants by a secondary key
• Cross-tenant queries: programmatic aggregation or ETL to an analytical platform
Cost ($):
• High constant cost per tenant
• Diminishing low cost per tenant
We went with "Database per tenant"
• It was a happy medium when it came to operations and cost-effectiveness
• We're B2B aiming for customers in the Ks not Ms
• We just care too much about security
  - Need to exceed our customers' expectations
• We don't care much about cross-tenant queries
  - Our customers would see it as a security risk!
• Now, we have to implement these ---->
https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0
Encryption
• At rest: storage.directoryPerDB
  - Stores files of each database in its own folder in the data directory
  - With simple Linux gymnastics we can:
    Create multiple volumes, encrypt each one with a different key
    Mount those volumes as directories under the data root directory
• At flight: net.ssl.mode = requireSSL
  - SSL for Client Server communications
  - SSL for Server Server communications (replica set)
http://docs.mongodb.org/manual/reference/configuration-options/#storage.directoryPerDB
http://docs.mongodb.org/manual/tutorial/configure-ssl/
Authentication
• I need each tenant to authenticate with different credentials to MongoDB
• This means: every working thread connects to MongoDB with different database credentials
• Hmm…
• Will I still be able to leverage connection pools‽
• Will I be able to make it generic in a low-layer app infrastructure?
Standard Connection Pool
[slide diagram: the Browser/Client authenticates against an Authorization Server and gets an OAuth token; each REST call to the App Server (Spring Framework) sends the OAuth token; worker threads borrow connections from a single Connection Pool to one Mongod Replica Set holding All Data]
Authentication in MongoDB
• MongoDB completely separated the actions of "connect" and "authenticate"
  - Connect: heavy operation of creating the channel to the database
  - Authenticate: lightweight operation of creating an authenticated context
• Leverage connection pools
  - Upon appserver startup, a pool of "blank" connections is created
  - A connection borrowed from the pool is authenticated as the current tenant
• Result: each database session is authenticated when needed, and with different credentials
http://docs.mongodb.org/manual/reference/method/db.auth
Benchmarks – Results
• Creating and closing of blank connections to Mongo:
  Repetitions: 10000: Connection avg (ms): 0.580, Close avg (ms): 0.218
  Repetitions: 10000: Connection avg (ms): 0.539, Close avg (ms): 0.196
  Repetitions: 10000: Connection avg (ms): 0.604, Close avg (ms): 0.223
• Authentication (creating MongoTemplate, serial random context switches between 5 tenants):
  Repetitions: 10000: MongoTemplate avg (ms): 0.171, Read avg (ms): 0.309
  Repetitions: 10000: MongoTemplate avg (ms): 0.166, Read avg (ms): 0.306
  Repetitions: 10000: MongoTemplate avg (ms): 0.174, Read avg (ms): 0.309
Tenant Authentication Infrastructure
[slide diagram: the Browser/Client authenticates against an Authorization Server and gets an OAuth token; each REST call to the API Server (Spring Framework) sends the OAuth token; worker threads go through the MT Infrastructure, which uses a KeyManager: "Use OAuth token to retrieve a key to authenticate to the database and encrypt traffic. Connections in the connection pool are unauthenticated. Requires key to access DB."; one Mongod Replica Set holds the Acme, Foo and Bar databases]
Tenant Authentication Infrastructure
• Mongo object holds the pool of blank connections
• A MongoTemplate object is created with the Mongo object and with a database name and UserCredentials
  - MongoTemplate object is used to access the database
  - MongoTemplate object is discarded at the end of use, blank connection is returned to pool
http://docs.spring.io/spring-data/mongodb/docs/current/api/org/springframework/data/mongodb/core/MongoTemplate.html

  <!-- Spring Data MongoDB XML config: one Mongo object, one pool of blank (unauthenticated) connections -->
  <mongo:mongo replica-set="mongo0:27000,mongo1:27000,mongo2:27000">
    <mongo:options connections-per-host="8"
                   threads-allowed-to-block-for-connection-multiplier="4"
                   connect-timeout="1000"
                   max-wait-time="1500"
                   socket-keep-alive="true"
                   slave-ok="true"
                   write-number="1"
                   write-timeout="0"
                   write-fsync="true"/>
  </mongo:mongo>
----
  // The shared Mongo object is injected once; per request a MongoTemplate is
  // built with the current tenant's database name and credentials.
  @Autowired
  private Mongo mongo;

  MongoTemplate mongoTemplate = new MongoTemplate(mongo, tenantDatabase, new UserCredentials(tenantUser, tenantPassword));
Authorization
• Ah with authenticated users – it’s easy!
• MongoDB employs Role-Based Access Control (RBAC)
• A user is granted one or more roles that determine the user’s access to database resources and operations
http://docs.mongodb.org/manual/core/authorization/
db.createRole(
{
role: "accessSomeColls",
privileges: [
{ resource: { db: "acme", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "acme", collection: "orders" }, actions: [ "find" ] }
],
roles: []
}
)
db.grantRolesToUser( "acme", [ "accessSomeColls" ])
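As an added example (not from the deck or from Cisco's project), the following Node.js script builds the per-tenant role document that the createRole call above takes, and checks that every privilege stays inside that tenant's database before the document is handed to db.createRole(). The function names (buildTenantRole, validateTenantRole, buildGrantCommand) and the ALLOWED_ACTIONS list are assumptions for this illustration; the deck's own role only uses find, update and insert.

```javascript
'use strict';

// Added example, not the deck's code. Actions a tenant application role may
// hold: find, update and insert come from the slide's role; "remove" is an
// assumption added here so the list also covers the audit filter shown later.
const ALLOWED_ACTIONS = new Set(['find', 'insert', 'update', 'remove']);

// Build the document for db.createRole() for one tenant database.
// `grants` maps collection name -> list of actions, e.g.
//   { inventory: ['find', 'update', 'insert'], orders: ['find'] }
function buildTenantRole(tenantDb, roleName, grants) {
  const privileges = Object.entries(grants).map(([collection, actions]) => ({
    resource: { db: tenantDb, collection },
    actions: [...actions],
  }));
  return { role: roleName, privileges, roles: [] };
}

// Check that a role document cannot reach outside the tenant's database.
// Returns a list of violations; an empty list means the role is acceptable.
function validateTenantRole(roleDoc, tenantDb) {
  const problems = [];
  if (!Array.isArray(roleDoc.roles) || roleDoc.roles.length > 0) {
    // Inherited roles (e.g. readWriteAnyDatabase) could silently widen access.
    problems.push('role inherits other roles: ' + JSON.stringify(roleDoc.roles));
  }
  (roleDoc.privileges || []).forEach((priv, i) => {
    const res = priv.resource || {};
    if (res.cluster === true || res.anyResource === true) {
      problems.push(`privilege ${i}: cluster-wide or anyResource resource`);
      return;
    }
    // An empty db string means "every database", so it also fails this test.
    if (res.db !== tenantDb) {
      problems.push(`privilege ${i}: resource db "${res.db}" is not the tenant db "${tenantDb}"`);
    }
    for (const action of priv.actions || []) {
      if (!ALLOWED_ACTIONS.has(action)) {
        problems.push(`privilege ${i}: action "${action}" is not allowed for tenant roles`);
      }
    }
  });
  return problems;
}

// Command document equivalent to db.grantRolesToUser(user, [roleName]) run
// against the tenant database.
function buildGrantCommand(user, roleName, tenantDb) {
  return { grantRolesToUser: user, roles: [{ role: roleName, db: tenantDb }] };
}

// Stand-alone demo with the slide's values.
const acmeRole = buildTenantRole('acme', 'accessSomeColls', {
  inventory: ['find', 'update', 'insert'],
  orders: ['find'],
});
console.log(JSON.stringify(acmeRole, null, 2));
console.log('violations:', validateTenantRole(acmeRole, 'acme'));
console.log(JSON.stringify(buildGrantCommand('acme', 'accessSomeColls', 'acme')));
```

Run the validator against every role definition before it is applied to a tenant database; a role that inherits from another role, touches a cluster resource, names a different db (or the empty db that means all databases), or carries an action outside the allowlist is reported rather than created.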
Audit
• Cool important feature in MongoDB Enterprise
• Can audit everything
  - schema (DDL)
  - replica set
  - authentication and authorization
  - general operations
• Audit Guarantee
  - Before adding an operation to the journal, MongoDB writes all audit events on the connection that triggered the operation
• By default, the auditing system records all these operations
  - Filters are set up to restrict events captured
http://docs.mongodb.org/manual/core/auditing/
http://docs.mongodb.org/manual/reference/audit-message/
http://docs.mongodb.org/manual/reference/audit-message/#audit-event-actions-details-and-results
Audit Message Structure:
{
  atype: <String>,
  ts: { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users: [ { user: <String>, db: <String> }, ... ],
  roles: [ { role: <String>, db: <String> }, ... ],
  param: <document>,
  result: <int>
}
Audit
• Sample config
• Additional atype examples:
  - authenticate, authCheck, createCollection, createDatabase, createIndex, renameCollection, createUser, grantRolesToUser, createRole, grantPrivilegesToRole, replSetReconfig, shardCollection, addShard, shutdown
http://docs.mongodb.org/manual/tutorial/configure-auditing/#audit-filter
security:
  authorization: enabled
auditLog:
  destination: file
  format: JSON
  path: data/db/auditLog.json
  filter: '{ atype: "authCheck", "param.command": { $in: [ "insert", "remove" ] }, "param.ns": "acme.devices" }'
setParameter: { auditAuthorizationSuccess: true }
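The audit events the filter above selects still have to be read by someone. As an added example (not part of the deck), here is a Node.js analyzer run over a few constructed audit events in the message structure shown above: it applies the same filter as the sample config (equality and $in on dotted paths only), separates failed authCheck and authenticate events by their non-zero result code, and flags any namespace access by a user whose authentication database is not the database named in the namespace, which under "Database per tenant" is a cross-tenant access whether or not the server allowed it. The event lines, addresses, user names, function names and the cross-tenant rule are constructed for this illustration; the result codes 13 (Unauthorized) and 18 (AuthenticationFailed) are MongoDB's own error codes.

```javascript
'use strict';

// Constructed sample audit events (one JSON document per line, as the
// file/JSON destination writes them). Addresses, users and timestamps are made up.
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authCheck","ts":{"$date":"2014-06-24T10:00:00.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.12","port":51234},"users":[{"user":"acme","db":"acme"}],"roles":[{"role":"accessSomeColls","db":"acme"}],"param":{"command":"insert","ns":"acme.devices","args":{"insert":"devices"}},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2014-06-24T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.12","port":51234},"users":[{"user":"acme","db":"acme"}],"roles":[{"role":"accessSomeColls","db":"acme"}],"param":{"command":"remove","ns":"acme.devices","args":{"delete":"devices"}},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2014-06-24T10:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.12","port":51234},"users":[{"user":"acme","db":"acme"}],"roles":[{"role":"accessSomeColls","db":"acme"}],"param":{"command":"find","ns":"foo.devices","args":{"find":"devices"}},"result":13}',
  '{"atype":"authenticate","ts":{"$date":"2014-06-24T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.40","port":51240},"users":[],"roles":[],"param":{"user":"foo","db":"foo","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"createUser","ts":{"$date":"2014-06-24T10:00:04.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.0.9","port":51300},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"bar","db":"bar","roles":[{"role":"accessSomeColls","db":"bar"}]},"result":0}',
].join('\n');

// The filter from the sample config, as a plain object.
const DECK_FILTER = {
  atype: 'authCheck',
  'param.command': { $in: ['insert', 'remove'] },
  'param.ns': 'acme.devices',
};

function parseAuditLog(text) {
  return text.split('\n').filter((line) => line.trim() !== '').map((line) => JSON.parse(line));
}

// Resolve a dotted path such as "param.ns" against an event.
function getPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Minimal matcher: supports equality and { $in: [...] }, which is all the
// sample filter uses. It is not a full MongoDB query evaluator.
function matchesAuditFilter(event, filter) {
  return Object.entries(filter).every(([path, cond]) => {
    const value = getPath(event, path);
    if (cond !== null && typeof cond === 'object' && Array.isArray(cond.$in)) {
      return cond.$in.includes(value);
    }
    return value === cond;
  });
}

// Under "Database per tenant", a tenant user authenticates against its own
// database, so a namespace in another database is a cross-tenant access
// whether or not the server allowed it. Users from "admin" are exempt.
function isCrossTenant(event) {
  const ns = getPath(event, 'param.ns');
  if (typeof ns !== 'string' || !Array.isArray(event.users) || event.users.length === 0) return false;
  const nsDb = ns.split('.')[0];
  return !event.users.some((u) => u.db === nsDb || u.db === 'admin');
}

function summarizeAuditLog(text) {
  const events = parseAuditLog(text);
  const byType = {};
  for (const e of events) byType[e.atype] = (byType[e.atype] || 0) + 1;
  // Compact description of one event for a report line.
  const describe = (e) => ({
    ts: e.ts.$date,
    remote: `${e.remote.ip}:${e.remote.port}`,
    users: e.users.map((u) => `${u.user}@${u.db}`).join(',') || '(none)',
    ns: getPath(e, 'param.ns'),
    command: getPath(e, 'param.command'),
    result: e.result,
  });
  return {
    total: events.length,
    byType,
    matchedFilter: events.filter((e) => matchesAuditFilter(e, DECK_FILTER)).length,
    authorizationFailures: events.filter((e) => e.atype === 'authCheck' && e.result !== 0).map(describe),
    authenticationFailures: events.filter((e) => e.atype === 'authenticate' && e.result !== 0).map(describe),
    crossTenant: events.filter(isCrossTenant).map(describe),
  };
}

console.log(JSON.stringify(summarizeAuditLog(SAMPLE_AUDIT_LOG), null, 2));
```

Because the sample config sets auditAuthorizationSuccess: true, successful authCheck events are written too, which is what makes the cross-tenant rule useful: a successful access from a tenant user to another tenant's namespace is exactly the case a role or code bug would produce, and it would never show up if only failures were logged.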
Summary
• Why MongoDB?
• Why security?
• Security considerations
• Tenant isolation considerations
• Implementation of security with MongoDB
  - Encryption of data at rest and at flight
  - Strong authentication
  - Fine grained authorization
  - Audit trail
Doron Levari
https://www.linkedin.com/in/doronlevari
@doron_levari