A MongoDB White Paper

MongoDB Security Architecture

July 2017
Table of Contents
Introduction 1

Requirements for Securing Modern Application Data 1

MongoDB Security Features 5

MongoDB Enterprise Advanced 5
MongoDB Authentication 5
MongoDB Authorization 7
MongoDB Auditing 8
MongoDB Encryption 9
Environment & Processes 10

MongoDB Atlas 13

Conclusion 13

We Can Help 13

Resources 14

MongoDB Security Checklist 15

Introduction

The frequency and severity of data breaches continues to

Requirements for Securing
escalate. Industry analysts predict cybercrime will cost the
global economy $6 trillion annually by 2021. Organizations Modern Application Data
face an onslaught of new threat classes and threat actors
with phishing, ransomware and intellectual property theft
In light of increasing threats over the past decade coupled
growing more than 50% year on year, and key
with heightened concern for individual privacy, industries
infrastructure subject to increased disruption. With
and governments around the world have embarked on a
databases storing an organizations most important
series of initiatives designed to increase security, reduce
information assets, securing them is top of mind for
fraud and protect personally identifiable information (PII),
administrators.
including:
Using the advanced security features available in
PCI DSS for managing cardholder information
MongoDB Enterprise Advanced and the MongoDB Atlas
database service in the cloud, organizations have extensive HIPAA standards for managing healthcare information
capabilities to defend, detect, and control access to GDPR for the protection of EU citizen data privacy
valuable data. These features, along with general security
FISMA to ensure the security of data in the federal
requirements, are discussed in this whitepaper and are
government
then summarized as a security configuration checklist in
the Appendix. FERPA to protect the privacy of student education
records

The Asia Pacific Cross-border Privacy Enforcement

Arrangement (CPEA), creating a framework for regional
cooperation in the enforcement of privacy laws

1
In addition to these initiatives, new regulations are being
developed every year to cope with emerging threats and
new demands for tighter controls governing data use.

Each set of regulations defines security and auditing

requirements which are unique to a specific industry or
application, and compliance is assessed on a per-project
basis. It is important to recognize that Compliance can be
achieved only by applying a combination of controls that
we can summarize as People, Processes, and Products:

People defines specific roles, responsibilities, and

accountability.

Processes defines operating principles and business

practices.

Products defines technologies used for data storage

and processing. Figur
Figuree1
1: MongoDB End to End Security Architecture

Despite differences between different regulations, there A holistic security architecture must cover the following:
are common foundational requirements across all of the
directives, including: User access management to restrict access to sensitive
data, implemented through authentication and
Restricting data access, enforced via predefined authorization controls
privileges and roles
Logging operations against the database in an audit
Measures to protect against the accidental or malicious trail for forensic analysis
disclosure, loss, destruction, or damage of personal data
Data protection via encryption of data in-motion over
The separation of duties when accessing and the network and at-rest in persistent storage
processing data
Environmental and process controls
Recording user, administrative staff, and application
activities with a database These requirements inform The requirements for each of these elements are
the security architecture of MongoDB, with best discussed below.
practices for the implementation of a secure, compliant
data management environment.
User Access Management -
Authentication
Authentication is designed to confirm the identity of
entities accessing the database. In this context, entities are
defined as:

Users who need access to the database as part of their

day-to-day business function

Administrators (i.e. sysadmins, DBAs, QA staff) and

developers

Software systems including application servers,

reporting tools, and management and backup suites

2
 Physical and logical nodes that the database runs on. security infrastructure enforces centralized and
Databases can be distributed across multiple nodes standardized control over user access. If, for example, a
both for scaling operations and to ensure continuous users access must be revoked, the update can be made
operation in the event of systems failure or in a single repository and enforced instantly across all
maintenance. systems, including MongoDB.

Best practices for authentication are as follows. Enfor

Enforce
ce Passwor
Password dPPolicies.
olicies. Passwords should adhere
to minimum complexity requirements established by the
Cr
Create
eate Security CrCredentials.
edentials. Create login credentials organization, and they should be reset periodically. Low
for each entity that will need access to the database, entropy passwords can be easy to break, even if they
and avoid creating a single admin login that every user are encrypted. High entropy passwords can be
shares. compromised given sufficient time.

By creating credentials it becomes easier to define,

manage, and track system access for each user. Should User Rights Management - Authorization
a users credentials become compromised, this
approach makes it easier to revoke the user without Once an entity has been authenticated, authorization
disrupting other users who need access to the governs what that entity is entitled to do in the database.
database. Privileges are assigned to user roles that define a specific
set of actions that can be performed against the database.
Developers, Administrators, and DBAs should all have Best practices include:
unique credentials to access the database. When logins
are shared it can be impossible to identify who Grant Minimal Access to Entities. Entities should be
attempted different operations, and it eliminates the provided with the minimal database access they need to
ability to assign fine-grained permissions. With unique perform their function. If an application requires access
logins, staff that move off of the project or leave the to a logical database, it should be restricted to
organization can have their access revoked without operations on that database alone, and prevented from
affecting other user accounts. accessing other logical databases. This helps protect
against both malicious and accidental access or
It is a best practice to create separate login credentials unauthorized modification of data.
for each application that will be accessing the database.
Gr
Group
oup Common Access Privileges into Roles.
As new applications are introduced and old applications
Entities can often be grouped into roles such as
are retired, this approach helps manage access. Some
DBA, Sysadmin, and App server. Permissions for a
MongoDB customers create multiple logins for different
role can be centrally managed and users can be added
services within a single application, which are then
or removed from roles as needed. Using roles helps
recorded in audit trails and query logs.
simplify management of access control by defining a
Authentication should be enforced between nodes. This single set of rules that apply to specific classes of
prevents unauthorized instances from joining a entities, rather than having to define them individually
database cluster, preventing the illicit copying or for each user.
movement of data to insecure nodes. Contr
Controlol W
Whic
hich
h Actions an Entity Can P Perform.
erform. When
Supporting In-Dat
In-Database
abase and Centralized User granting access to a database, consideration should be
made for which specific actions or commands each
Access Management. Databases should provide the
entity should have permission to run. For example, an
ability to manage user authentication either within the
application may need read/write permissions to the
database itself, typically via a Challenge/Response
database, whereas a reporting tool may be restricted to
mechanism, or through integration with
read-only permission. Some users may be granted
organization-wide identity management systems.
privileges that enable them to insert new data to the
Integrating MongoDB within the existing information
database, but not to update or delete existing data.

3
 Care should be taken to ensure that only the minimal Encrypt Connections to the Dat Database.
abase. All user or
set of privileges is provided. Credentials of the most application access to the database should be via
privileged accounts could compromise the entire encrypted channels including connections established
database if they are hacked internally or by an external through the drivers, command line or shell, as well as
intruder. remote access sessions to the database servers
themselves. Internal communications between database
Contr
Controlol Access to Sensitive DatData.
a. To prevent the
nodes should also be encrypted, i.e. traffic replicated
emergence of data silos, it should be possible to restrict
between nodes of a database cluster.
permissions to individual fields, based on security
privileges. For example, some fields of a record may be Encrypt Dat
Dataa at Rest. One of most common threats to
accessible to all users of the database, while others security comes from attacks that bypass the database
containing sensitive information, such as PII, should be itself and target the underlying Operating System and
restricted to users with specific security clearance. physical storage of production servers or backup
devices, in order to access raw data. On-disk encryption
of the databases data files and backups mitigates this
Auditing threat.
By creating audit trails, changes to data and database Sign and Rot
Rotate
ate Encryption K Keys.
eys. Encryption keys
configuration can be captured for each entity accessing for network and disk encryption should be periodically
the database, providing a log for compliance and forensic rotated. TLS encryption channels should use signed
analysis. Auditing can also detect attempts to access certificates to ensure that clients can certify the
unauthorized data. credentials they receive from server components.

Trac
rackk Changes to Dat
Database
abase Configuration. Any time Enfor
Enforce
ce Str
Strong
ong Encryption. The database should
a database configuration is changed, the action should support FIPS (Federal Information Processing
be recorded in an audit log which should include the Standard) 140-2 to ensure the implementation of
change action, the identity of the user and a timestamp. secure encryption algorithms.

Trac
rackk Changes to DatData.a. It should be possible to
configure the audit trail to capture every query or write Environmental and Process Control
operation to the database. Care, however, should be
exercised when configuring this rule for applications. The environment in which the database and underlying
For example, if the application is inserting tens of infrastructure is running should be protected with both
thousands of records per second, writing each physical and logical controls. These are enforced in the
operation to the audit log can impose a performance underlying deployment environment, rather than in the
overhead to the database. The project team should database itself, and include:
determine any tradeoffs between performance and
Installation of firewalls
auditing requirements. It should be possible to filter
events that are captured, for example only specific Network configurations
users, IP addresses or operations. Defining file system permissions

Creation of physical access controls to the IT

Encryption environment

Encryption is the encoding of critical data whenever it is in As configuration errors and unpatched systems are one of
transit or at rest, enabling only authorized entities to read it. the largest causes of attackers bypassing security
Data will be protected in the event that eavesdroppers or mechanisms, there are a series of operational processes
hackers gain access to the server, network, filesystem or that should be adopted to further promote and enforce
database. secure operation, including:

4
 Figur
Figure
e22: Integrating MongoDB with Centralized User Access Controls

DBA and developer training whitepaper to learn more about the specific security
architecture of the Atlas service.
Database provisioning, monitoring and backup

Database maintenance, i.e. applying the latest patches

Enable Access Control and Enforce
Authentication
MongoDB Security Features
The first step in securing your MongoDB database is to
enable access control. As new apps and services are in
With comprehensive controls for user rights management, development, it is typical that access control is not
auditing and encryption, coupled with best practices in enforced. But once these applications are ready for test
environmental protection, MongoDB can meet the best and QA, then it is important to specifically enable it, thus
practice requirements described earlier. requiring all clients and servers provide valid credentials
before they can connect to the database. This ensures that
The following section discusses MongoDBs security
you are not deploying exposed instances when you launch
architecture before presenting a checklist of those
your app into production. MongoDB 3.4 and beyond
capabilities needed to create a secure database
support a rolling transition to internal authentication
environment.
without database downtime.Refer to the documentation for
a tutorial stepping through how to configure authentication.

MongoDB Enterprise Advanced Ensure that MongoDB runs in a trusted network

environment and limit the interfaces on which MongoDB
MongoDB Enterprise Advanced is the certified and
instances listen for incoming connections. Allow only
supported production release of MongoDB, with advanced
trusted clients to access the network interfaces and ports
security features, including LDAP authentication and
on which MongoDB instances are available. See the
authorization, Kerberos support, encryption of data at-rest,
Security Hardening section of the documentation to learn
FIPS-compliance, and maintenance of audit logs. These
more about reducing the risk of exposure.
capabilities extend MongoDBs already comprehensive
security framework, which includes Role-Based Access
Control, PKI certificates, Read-Only views for field-level MongoDB Authentication
security, and TLS data transport encryption. You can get
MongoDB provides multiple authentication methods,
access to all of the features of MongoDB Enterprise free
allowing the approach best suited to meet the
of charge for evaluation and development environments.
requirements of different environments. Authentication can
MongoDB Enterprise Advanced is the focus of this paper.
be managed from the database itself, or through
MongoDB Atlas is a database as a service available on all integration with external authentication mechanisms.
of the major cloud platforms. The key capabilities of
MongoDB Atlas are summarized later in the paper.
Download the MongoDB Atlas Security Controls

5
In Database Authentication Users can be authenticated to MongoDB using client
certificates rather than self-maintained passwords.
MongoDB authenticates entities on a per-database level
using the SCRAM IETF RFC 5802 standard. Users are Inter-cluster authentication and communication between
authenticated via the authentication command, while MongoDB nodes can be secured with x.509 member
database nodes can be authenticated to the MongoDB certificates rather than keyfiles, ensuring stricter
cluster via keyfiles. membership controls with less administrative overhead, i.e.
by eliminating the shared password used by keyfiles. x.509
Review the authentication documentation to learn more.
certificates can be used by nodes to verify their
membership of MongoDB replica sets and sharded
LDAP Authentication clusters. A single Certificate Authority (CA) should issue all
the x.509 certificates for the members of a sharded cluster
LDAP is widely used by many organizations to standardize
or a replica set.
and simplify the way large numbers of users are managed
across internal systems and applications. In many cases, Instructions for configuration are described in the
LDAP is also used as the centralized authority for user MongoDB and x.509 certificates tutorial.
access control to ensure that internal security policies are
compliant with corporate and regulatory guidelines. With
MongoDB and Red Hat Identity Management
LDAP integration, MongoDB Enterprise Advanced can
both authenticate and authorize users directly against Red Hat Enterprise Linux (RHEL) is a popular environment
existing LDAP infrastructure to leverage centralised access for MongoDB deployments. Providing ease of use to
control architectures. administrators and security professionals working in these
environments, the MongoDB security features are
Review the LDAP integration documentation to learn more
integrated with the Identity Management (IdM) features of
about LDAP and MongoDB Enterprise Advanced.
RHEL. This integration provides central management of
individual entities and their authentication, authorization
Kerberos Authentication and privileges.

With MongoDB Enterprise Advanced, authentication using Review the Red Hat Linux Identity Management tutorial for
a Kerberos service is supported. Kerberos is an industry instruction on configuration with MongoDB.
standard authentication protocol for large client/server
Red Hat IdM integration is available with MongoDB
systems, allowing both the client and server to verify each
Enterprise Advanced and requires the database to be
others' identity. With Kerberos support, MongoDB can take
configured for Kerberos authentication.
advantage of existing authentication infrastructure and
processes, including Microsoft Windows Active Directory .
MongoDB and Microsoft Active Directory
Before users can authenticate to MongoDB using
Kerberos, they must first be created and granted privileges MongoDB Enterprise Advanced provides support for
within MongoDB. The process for doing this, along with a authentication using Microsoft Active Directory with both
full configuration checklist is described in the MongoDB Kerberos and LDAP. The Active Directory domain controller
and Kerberos tutorial. authenticates the MongoDB users and servers running in a
Windows network, again to leverage centralised access
control.
x.509 Certificate Authentication
With support for x.509 certificates MongoDB can be
integrated with existing information security infrastructure
and certificate authorities, supporting both user and
inter-node authentication.

6
 Figur
Figure
e33: MongoDB User Defined Roles Permit Separations of Duty

MongoDB Authorization DBAs may be assigned privileges that enable them to

create collections and indexes on the database, while
MongoDB allows administrators to define the specific developers are restricted to CRUD operations
permissions an application or user has, and what data they
Certain administrator roles may have cluster-wide
can see when querying the database.
privileges to build replica sets and configure sharding,
while others are restricted to creating new users or
Role-Based Access Control inspecting logs

Over ten predefined roles supporting common user and Processes for monitoring MongoDB clusters can be
administrator database privileges provide MongoDB's Role restricted to run just those commands that retrieve
Based Access Control (RBAC) capabilities. These can be server status, without having full administrative access
further customised through User Defined Roles, enabling to perform database operations
administrators to assign fine-grained privileges to clients, Within a multi-tenant environment, landlord developers
based on their respective data access and processing and administrators can be assigned permissions across
needs. To simplify account provisioning and maintenance, physical databases, while tenant developers and
roles can be delegated across teams, ensuring the administrators can be granted a more limited set of
enforcement of consistent policies across specific data actions across logical databases or individual
processing functions within the organization. MongoDB collections. This functionality enables a clear separation
provides the ability to specify user privileges with both of duties and control, both between and within
database and collection-level granularity. organizations.

Privileges are assigned to roles, and roles are in turn Review the Authorization section of the documentation to
assigned to users. For example: learn more about roles in MongoDB.

Classes of users and applications can be assigned When combined with the auditing capabilities available with
privileges to insert data, but not to update or delete data MongoDB Enterprise Advanced, customers can define
from the database specific administrative actions per role, and then log all of
those actions. As a result, the organization is able to

7
enforce end-to-end operational control and maintain As views are non-materialized, the view data is generated
insight of actions for compliance and reporting. dynamically by reading from the underlying collections
when a user queries the view. This reduces data duplication
in the database, and eliminates inconsistencies between
LDAP Authorization
the base data and view.
In addition to authentication, MongoDB Enterprise
Views are defined using the standard MongoDB Query
Advanced also support authorization via LDAP. This
Language and aggregation pipeline. They allow the
enables existing user privileges stored in the LDAP server
inclusion or exclusion of fields, masking of field values,
to be mapped to MongoDB roles, without users having to
filtering, schema transformation, grouping, sorting, limiting,
be recreated in MongoDB itself. When configured with an
and joining of data using $lookup and $graphLookup to
LDAP server for authorization, MongoDB will allow user
another collection.
authentication via LDAP, Active Directory, Kerberos, or
X.509 without requiring local user documents in the You can learn more about MongoDB read-only views from
$external database. When a user successfully the documentation.
authenticates, MongoDB will perform a query against the
LDAP server to retrieve all groups the LDAP user is a
member of, and will transform those groups into their
Log Redaction
equivalent MongoDB roles. LDAP authentication and MongoDB Enterprise Advanced can also be configured
authorization can be configured either via the command with log redaction to prevent potentially sensitive
line, or for additional administrative convenience, via the information, such as personal identifiers, from being written
Ops Manager GUI. to the databases diagnostic log. Developers and DBAs
who may need to access the logs for database
Field-Level Security with Read-Only Views performance optimization or maintenance tasks still get
visibility to metadata, such as error or operation codes, line
To enforce field-level security, DBAs can define numbers, and source file names, but are unable to see any
non-materialized views that expose only a subset of data personal data associated with database events.
from an underlying MongoDB collection, i.e. a view that
filters out specific fields, such as Personally Identifiable
Information (PII) from sales data or health records. As a MongoDB Auditing
result, risks of data exposure are dramatically reduced.
The MongoDB Enterprise Advanced auditing framework
DBAs can define a view of a collection that's generated
logs all access and actions executed against the database.
from an aggregation over another collection(s) or view.
The auditing framework captures administrative actions
Permissions granted against the view are specified
(DDL) such as schema operations as well as
separately from permissions granted to the underlying
authentication and authorization activities, along with read
collection(s). This capability allows organizations to more
and write (DML) operations to the database.
easily meet compliance standards in regulated industries
Administrators can construct and filter audit trails for any
by restricting access to sensitive data, without creating the
operation against MongoDB, whether DML, DCL or DDL
silos that emerge when data has to be broken apart to
without having to rely on third party tools. For example, it is
reflect different access privileges.
possible to log and audit the identities of users who
Views can also contain computed fields for example accessed specific documents, and any changes they made
summarizing total and average order value per region, to the database during their session.
without exposing underlying customer data. All of this can
be done without impacting the structure or content of the
original source collections. Developers and DBAs can
modify the underlying collections schema without
impacting applications using the view.

8
 entity capable of connecting to the MongoDB server,
including:

Users and administrators

Applications

MongoDB tools (e.g., mongodump, mongorestore,

mongotop)
Figur
Figuree4
4: MongoDB Maintains an Audit Trail of
Administrative Actions Against the Database Nodes that make up a MongoDB cluster, such as
replica set members, query routers and config servers.
Administrators can configure MongoDB to log all actions
It is possible to mix encrypted with non-encrypted
or apply filters to capture only specific events, users or
connections on the same port, which can be useful when
roles. The audit log can be written to multiple destinations
applying finer grained encryption controls for internal and
in a variety of formats including to the console and syslog
external traffic, as well as avoiding downtime when
(in JSON format), and to a file (JSON or BSON), which
upgrading a MongoDB cluster to support TLS/SSL.
can then be loaded to MongoDB and analyzed to identify
relevant events. Each MongoDB server writes events to its The TLS protocol is also supported with x.509 certificates.
attached storage. The DBA can then use their own tools to
merge these events into a single audit log, enabling a MongoDB Enterprise Advanced supports FIPS 140-2
cluster-wide view of operations that affected multiple encryption if run in FIPS Mode with a FIPS validated
nodes. Cryptographic module. The mongod and mongos
processes should be configured with the "sslFIPSMode"
MongoDB Enterprise Advanced also supports role-based setting. In addition, these processes should be deployed on
auditing. It is possible to log and report activities by specific systems with an OpenSSL library configured with the FIPS
role, such as userAdmin or dbAdmin coupled with any 140-2 module.
inherited roles each user has rather than having to
extract activity for each individual administrator. The MongoDB documentation includes a tutorial for
configuring TLS connections.
Auditing adds performance overhead to a MongoDB
system. The amount is dependent on several factors
including which events are logged and where the audit log
Disk Encryption
is maintained, such as on an external storage device and There are multiple ways to encrypt data at rest with
the audit log format. Users should consider the specific MongoDB. Encryption can implemented at the application
needs of their application for auditing and their level, or via external filesystem and disk encryption
performance goals in order to determine their optimal solutions. By introducing additional technology into the
configuration. stack, both of these approaches can add cost, performance
overhead and operational complexity.
Learn more from the MongoDB auditing documentation.
With the MongoDB Encrypted storage engine, protection
of data at-rest becomes an integral feature of the
MongoDB Encryption
database. By natively encrypting database files on disk,
Administrators can encrypt MongoDB data in transit over administrators eliminate both the management and
the network and at rest in permanent storage and backups. performance overhead of external encryption mechanisms.
This new storage engine provides an additional level of
defense, allowing only those staff with the appropriate
Network Encryption
database credentials access to encrypted data.
Support for TLS allows clients to connect to MongoDB
over an encrypted channel. Clients are defined as any

9
 avoiding the significant performance overhead imposed by
key rotation in other databases. Only the master key is
rotated, and the internal database keystore is re-encrypted.

The Encrypted storage engine is designed for operational

efficiency and performance:

Compatible with WiredTigers document level

concurrency control and compression.

Support for Intels AES-NI equipped CPUs for

acceleration of the encryption/decryption process.

As documents are modified, only updated storage

blocks need to be encrypted, rather than the entire
database.

Based on user testing, the Encrypted storage engine

Figur
Figuree 5: End to End Encryption Data In-Motion and minimizes performance overhead to around 15% (this can
Data At-Rest
vary, based on data types being encrypted), which can be
much less than the observed overhead imposed by some
Using the Encrypted storage engine, the raw database
filesystem encryption solutions.
content, referred to as plaintext, is encrypted using an
algorithm that takes a random encryption key as input and The Encrypted storage engine is based on WiredTiger and
generates ciphertext that can only be read if decrypted available as part of MongoDB Enterprise Advanced. Refer
with the decryption key. The process is entirely transparent to the documentation to learn more, and see a tutorial on
to the application. MongoDB supports a variety of how to configure the storage engine.
encryption schema, with AES-256 (256 bit encryption) in
CBC mode being the default. AES-256 in GCM mode is
also supported. The encryption schema can be configured Environment & Processes
for FIPS 140-2 compliance. Building on the database security controls discussed
The storage engine encrypts each database with a above, running MongoDB in a trusted environment,
separate key. The key-wrapping scheme in MongoDB implementing a secure development lifecycle, and
wraps all of the individual internal database keys with one enforcing deployment best practices further reduces the
external master key for each server. The Encrypted storage risk of security breaches.
engine supports two key management options in both A Defense in Depth approach is recommended to
cases, the only key being managed outside of MongoDB is complement secure MongoDB deployments, addressing a
the master key: number of different methods for managing risk and
Local key management via a keyfile. reducing exposure.

Integration with a third party key management appliance The intention of a Defense in Depth approach is to layer
via the KMIP protocol (recommended). your environment to ensure there are no exploitable single
points of failure that could allow an intruder or untrusted
Most regulatory requirements mandate that the encryption
party to access the data stored in the MongoDB database.
keys must be rotated and replaced with a new key at least
once annually. MongoDB can achieve key rotation without Secure environments use the following strategies to
incurring downtime by performing rolling restarts of the control access, with more detail available in the Network
replica set. When using a KMIP appliance, the database Exposure and Security section of the documentation.
files themselves do not need to be re-encrypted, thereby

10
 Network Filter
Filter.. By using filters such as firewalls and to mix JavaScript and BSON so that user-specified
router ACL rules, connections to MongoDB from values are evaluated as values and not as code.
unknown systems can be blocked.
MongoDB also allows the administrator to configure the
Firewalls should limit both incoming and outgoing traffic MongoDB server to prevent the execution of Javascript
to/from a specific port to trusted and untrusted scripts. This will prevent MapReduce jobs from running,
systems. For best results and to minimize overall but the aggregation pipeline can be used as an
exposure, ensure that only traffic from trusted sources alternative in many use cases.
can reach mongod and mongos instances and that the
Physic
Physical
al Access Contr
Controls.
ols. In addition to the logical
mongod and mongos instances can only connect to
controls discussed above, controlling physical access to
trusted outputs. In addition, unneeded system services
servers, storage and backup media provides critical
should be deactivated.
environmental protection.
Binding IIP
P Addr
Addresses.
esses. The bind_ip setting for mongod
and mongos instances limits the network interfaces on
Database Monitoring & Upgrading
which MongoDB programs will listen for incoming
connections. Proactive monitoring of all components within an IT
environment is always a best practice. System performance
Running in VP VPNs.
Ns. Limit MongoDB programs to
and availability depend on the timely detection and
non-public local networks and virtual private networks.
resolution of potential issues before they present problems
Virtual Private Networks (VPNs) make it possible to link
to users.
two networks over an encrypted and limited-access
trusted network. Typically MongoDB users configure From the perspective of database security, monitoring is
SSL rather than IPSEC protocols for performance critical to identifying potential exploits in real time, thereby
advantages. reducing the impact of any breach. For example, sudden
Dedic
Dedicated
ated OS User Account. A user account peaks in the CPU and memory loads of host systems and
dedicated to MongoDB should be created and used to high operations counters in the database can indicate a
run MongoDB executables. MongoDB should not run as Denial of Service attack. MongoDB ships with a variety of
the root user. tools including mongostat and mongotop that can be used
to monitor your database.
File System P Permissions.
ermissions. The servers running
MongoDB should employ filesystem permissions that The most comprehensive monitoring solution is provided by
prevent users from accessing the data files created by MongoDB Ops Manager, which is the simplest way to run
MongoDB. MongoDB configuration files and the cluster MongoDB on your own infrastructure. Ops Manager makes
keyfile should be protected to disallow access by it easy for operations teams to monitor, secure, back up,
unauthorized users. and scale MongoDB. Ops Manager is available with
MongoDB Enterprise Advanced. MongoDB Cloud Manager
Query Injection. As a client program assembles a
is a hosted management tool for MongoDB providing many
query in MongoDB, it builds a BSON object, not a string.
of the same capabilities as Ops Manager.
Thus traditional SQL injection attacks should not pose a
risk to the system for queries submitted as BSON
objects.

However, several MongoDB operations permit the

evaluation of arbitrary JavaScript expressions and care
should be taken to avoid malicious expressions.
Fortunately, most queries can be expressed in BSON
and for cases where Javascript is required, it is possible

11
 infrastructure, user error, malicious activity, or application
bugs. With a backup and recovery strategy in place,
administrators can restore business operations by quickly
recovering their data, enabling the organization to meet
regulatory and compliance obligations.

Ops Manager backups are maintained continuously, just a

few seconds behind the operational system. If MongoDB
experiences a failure, the most recent backup is only
moments behind, minimizing exposure to data loss. Ops
Manager and Cloud Manager offers point-in-time recovery
of replica sets and cluster-wide snapshots of sharded
Figur
Figuree6
6: Ops Manager Offers Charts, Custom clusters. You can restore to precisely the moment you
Dashboards & Automated Alerting
need, quickly and safely, allowing users to quickly recover
from attacks that corrupt underlying data.
Featuring charts, custom dashboards, and automated
alerting, Ops and Cloud Manager track 100+ key database
and systems health metrics including operations counters, Training & Consulting Services
memory and CPU utilization, replication status, open
MongoDB provides extensive training and consulting
connections, queues and any node status. Cloud Manager
services to help customers apply best security practices:
can also alert you if any host is internet-exposed.
The MongoDB Security course is a no-cost, 3-week
The metrics are securely reported to Ops Manager where
online training program delivered by MongoDB
they are processed, aggregated, alerted and visualized in a
University.
browser, letting administrators easily determine the health
of MongoDB in real time. Views can be based on explicit MongoDB University also offers a range of both public
permissions, so project team visibility can be restricted to and private training for developers and operations
their own applications, while systems administrators can teams, covering best practices in using and
monitor all MongoDB deployments across the organization. administering MongoDB.

MongoDB Global Consulting Services offer a range of

Ops Manager allows administrators to set custom alerts
packages covering Health Checks, Production
when key metrics are out of range. Alerts can be sent via
Readiness Assessments, and access to Dedicated
SMS and email or integrated into existing incident
Consulting Engineers. The MongoDB consulting
management systems such as PagerDuty, Slack, HipChat
engineers work directly with your teams to guide
and others to proactively warn of potential issues before
development and operations, ensuring skills transfer to
they escalate to costly outages.
your staff.
Ops Manager also enables administrators to roll out
upgrades and patches to the database without application
Keep up to Date
downtime. By using either the GUI or API, updated
packages can be pushed and applied to each server Always ensure you are running the latest
through a series of rolling restarts, all without operator production-certified release of both MongoDB and the
intervention. drivers, and have applied the latest set of patches. While
MongoDB Enterprise Advanced customers get access to
emergency patches, fixes for security vulnerabilities are
Disaster Recovery: Backups & Point-in-Time
available to all MongoDB users as soon as they are
Recovery
released.
Data can be compromised by a number of unforeseen
events: failure of the database or its underlying

12
MongoDB Atlas: Database as a Conclusion
Service For MongoDB
With databases storing an organizations most important
information assets, securing them is an essential first step
MongoDB can run the database for you! MongoDB Atlas
in countering new threat classes and actors.
provides all of the features of MongoDB, without the
operational heavy lifting required for any new application. As demonstrated in this white paper, with MongoDB
MongoDB Atlas is available on-demand through a Enterprise Advanced organizations benefit from extensive
pay-as-you-go model and billed on an hourly basis, letting capabilities to defend, detect and control access to
you focus on what you do best. valuable online big data. You can get started by reviewing
the MongoDB Security Documentation, and downloading
Its easy to get started use a simple GUI to select the
MongoDB Enterprise Advanced for evaluation today.
instance size, region, and features you need. MongoDB
Atlas provides:

Security features to protect access to your data We Can Help

Built in replication for always-on availability, tolerating
complete data center failure We are the MongoDB experts. Over 3,000 organizations
Backups and point in time recovery to protect against rely on our commercial products, including startups and
data corruption more than half of the Fortune 100. We offer software and
services to make your life easier:
Fine-grained monitoring to let you know when to scale.
Additional instances can be provisioned with the push MongoDB Enterprise Advanced is the best way to run
of a button MongoDB in your data center. It's a finely-tuned package
of advanced software, support, certifications, and other
Automated patching and one-click upgrades for new
services designed for the way you do business.
major versions of the database, enabling you to take
advantage of the latest and greatest MongoDB features MongoDB Atlas is a database as a service for MongoDB,
A choice of cloud providers, regions, and billing options letting you focus on apps instead of ops. With MongoDB
Atlas, you only pay for what you use with a convenient
MongoDB Atlas is versatile. Its great for everything from a hourly billing model. With the click of a button, you can
quick Proof of Concept, to test/QA environments, to scale up and down when you need to, with no downtime,
complete production clusters. If you decide you want to
full security, and high performance.
bring operations back under your control, it is easy to move
your databases onto your own infrastructure and manage MongoDB Stitch is a backend as a service (BaaS), giving
them using MongoDB Ops Manager or MongoDB Cloud developers full access to MongoDB, declarative read/write
Manager. The user experience across MongoDB Atlas, controls, and integration with their choice of services.
Cloud Manager, and Ops Manager is consistent, ensuring
MongoDB Cloud Manager is a cloud-based tool that helps
that disruption is minimal if you decide to migrate to your
you manage MongoDB on your own infrastructure. With
own infrastructure.
automated provisioning, fine-grained monitoring, and
MongoDB Atlas is automated, its easy, and its from the continuous backups, you get a full management suite that
creators of MongoDB. Learn more and take it for a spin. reduces operational overhead, while maintaining full control
over your databases.
Download the MongoDB Atlas Security Controls
whitepaper to learn more about the specific security MongoDB Professional helps you manage your
architecture of the Atlas service. deployment and keep it running smoothly. It includes
support from MongoDB engineers, as well as access to
MongoDB Cloud Manager.

13
Development Support helps you get up and running quickly.
Resources
It gives you a complete package of software and services
for the early stages of your project.
For more information, please visit mongodb.com or contact
MongoDB Consulting packages get you to production
us at sales@mongodb.com.
faster, help you tune performance in production, help you
scale, and free you up to focus on your next release. Case Studies (mongodb.com/customers)
Presentations (mongodb.com/presentations)
MongoDB Training helps you become a MongoDB expert,
Free Online Training (university.mongodb.com)
from design to operating mission-critical systems at scale.
Webinars and Events (mongodb.com/events)
Whether you're a developer, DBA, or architect, we can
Documentation (docs.mongodb.com)
make you better at MongoDB.
MongoDB Enterprise Download (mongodb.com/download)
MongoDB Atlas database as a service for MongoDB
(mongodb.com/cloud)
MongoDB Stitch backend as a service (mongodb.com/
cloud/stitch)

New York Palo Alto Washington, D.C. London Dublin Barcelona Sydney Tel Aviv
US 866-237-8815 INTL +1-650-440-4474 info@mongodb.com
2017 MongoDB, Inc. All rights reserved.

14
MongoDB Security Checklist

The checklist defines the steps, along with key resources, to creating a secure MongoDB deployment in your own
environment. Alternatively refer to the MongoDB Atlas section of the guide to learn more about using MongoDB as a
service.

Pr
Prepar
epare
e Secur
Secure
e Operating Envir
Environment
onment

Download MongoDB Enterprise Production-Certified release

Advanced

Configure network (firewall, bind IP Review platform-specific documentation

addresses, VPN, etc.) MongoDB network documentation

Create MongoDB user account & Review platform-specific and filesystem documentation for creating OS logins
permissions and permissions

Configure the Encrypted storage Prepare MongoDB Deployment

engine

Configure preferred authentication Kerberos documentation

Red Hat IdM documentation
Challenge / Response documentation

Configure inter-cluster authentication x.509 Certificate documentation

Setup TLS certificates TLS documentation

Enable FIPS Mode FIPS mode documentation

Configure auditing Auditing of DDL & DML operations

Define Users and Roles

Document roles that will access the Project team process

system

Create MongoDB admin account Add User to MongoDB

Configure permissions for each role Role-based access control

User defined roles

Field-Level Security Configure Read-Only Views

Monitor the Deployment

Configure MongoDB Management Ops Manager documentation

Monitor and apply latest patches Subscribe to the MongoDB Announcements Google Group for availability of
the latest releases and patches
Monitor patch alerts and updates for infrastructure (server, network and storage
components, OS, middleware, etc.)

15