Introduction to MongoDB Security and Authentication - Habilelabs

Security is very important for any online database or online business. We will discuss why you need to secure your database and then how you can secure it with MongoDB.

Security Attacks

First of all, let's look at one security incident.

Niall Merrigan, security researcher and Microsoft developer based in Norway, has been tracking the MongoDB ransom incidents, and in one day, he saw the number of attacks more than double from 12,000 to 27,633.

Why you need to secure your database

Data saved in a database is valuable to any organisation. It can be confidential or very sensitive, something you do not want to share, and there are many attackers who constantly try to access it without your permission or knowledge. A MongoDB instance that listens on a public interface without authentication can be found with an internet-wide scan for its default port, 27017, and read or wiped by anyone who finds it.

Attackers have been accessing databases, copying files, deleting everything and leaving a ransom note promising the return of the data for a fee.

How you can secure your MongoDB database

Now let's discuss how to secure MongoDB against attackers. There are four areas to cover, and we take them in turn: authentication, authorization, auditing and encryption.

Authentication

Authentication and authorization are commonly interchanged with one another, but they’re actually two very different things. Authentication is the process by which we verify the identity of a user, whereas authorization is the process by which we verify the privileges of a user. The best way to think about it is that authentication answers the question, “Who are you?” Whereas authorization answers the question, “What do you have access to?” I can be authenticated to a system, but I might not be authorized to control a certain resource.

We can divide authentication mechanisms into two categories. There is client and user authentication, which deals with how clients of the database authenticate to MongoDB, and there is internal authentication, which is how the members of a replica set or sharded cluster authenticate to one another. For clients, MongoDB supports SCRAM (the default, in SHA-1 and SHA-256 variants), x.509 client certificates and, in the Enterprise edition, LDAP and Kerberos; cluster members authenticate to each other with a shared keyfile or with x.509 certificates.

Authorization

MongoDB follows a very straightforward and common authorization model: role-based access control. As the name implies, for any given user we assign one or more roles. Each role is defined on a database, and the privileges it carries apply to namespaces (databases and collections).

Why role-based access control

The best way to describe why MongoDB uses role-based access control is to say that it gives us a high level of responsibility isolation for operational tasks. Across an organization there is a myriad of different people who need access to the database, and each of them has very different needs: an application needs to read and write its own collections, a backup operator needs to read everything, and an administrator needs to manage users and indexes. With roles, each of them gets exactly that and nothing more.

Built-in roles

MongoDB comes with a set of general-purpose built-in roles, roles that experience shows are required by different individuals and therefore different responsibilities within an organization. They fall into the following categories: database user roles (read, readWrite), database administration roles (dbAdmin, userAdmin, dbOwner), cluster administration roles (clusterAdmin, clusterManager, clusterMonitor, hostManager), backup and restore roles (backup, restore), the all-database roles (readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase) and the superuser role root.

User-defined roles

That said, sometimes we have specific requirements that the built-in roles do not exactly fit. Let's talk about the different parts that make up a user-defined role.

When we create a role, we create it on a specific database, so the role name together with the database it was created on define a unique role. After giving the role a name, you specify which other roles you would like to inherit privileges from. It is important to note that a role created on a database other than admin can only include privileges on resources in that same database and can only inherit from roles defined on that same database. For example, if we define a role in the products database, we cannot inherit it in a role on the orders database. Roles created on the admin database are the exception: they may include privileges on any database or on the cluster, and may inherit from roles on any database.

Actions

You can think of actions as verbs, and resources as the subjects of these verbs. MongoDB groups its privilege actions into several types: query and write actions (find, insert, update, remove), database management actions (createCollection, createIndex, dropCollection, dropDatabase), deployment management actions (createUser, createRole, dropUser, dropRole), replication actions (replSetConfigure, replSetGetStatus), sharding actions (enableSharding, moveChunk), server administration actions (shutdown, setParameter) and diagnostic actions (serverStatus, dbStats, collStats).

Resources

Resources are the subjects of our actions; an action changes the state or behaviour of a resource in some form. MongoDB has four kinds of resource: a collection, a database, the cluster and the special anyResource. Each is expressed as a resource document: { db: "products", collection: "inventory" } for one collection; { db: "products", collection: "" } for every non-system collection in the products database; { db: "", collection: "inventory" } for a collection of that name in every database (allowed only in roles on the admin database); { db: "", collection: "" } for every non-system collection in every database; { cluster: true } for cluster-wide operations such as shutdown; and { anyResource: true }, which matches everything including system collections and should be reserved for exceptional cases.

Auditing

Auditing is an Enterprise feature of MongoDB, and for certain organizations and administrators it is a very important part of the security infrastructure. Auditing can be used for a myriad of things, but from a security perspective it is most often used for three: accountability of the users of our database, investigation of suspicious activity, and monitoring and gathering data about specific database activities. The audit log records events such as authentication attempts, user and role changes, schema (DDL) operations and, if enabled, CRUD operations, and can be written in JSON or BSON to a file, to the console or to syslog.

Encryption

Encryption plays an important part in any security infrastructure. In this section we discuss the encryption options that MongoDB supports. There are two discrete categories of encryption with regard to MongoDB: transport encryption and encryption at rest.

Encryption type

These are the two types of encryption:
1. Transport Encryption
2. Encryption at rest

Transport Encryption

Transport encryption, as the name implies, refers to encrypting network traffic between the client and the server, and between the members of a replica set or sharded cluster. MongoDB uses TLS for this (configured under net.tls, or net.ssl in releases before 4.2). With it, credentials and documents cannot be read or altered in transit, and with the mode set to requireTLS the server refuses plaintext connections altogether.
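The settings the sections above call for, collected into one mongod.conf. This is an added example configuration, not from the original article or from MongoDB's documentation; the certificate paths, the audit-log path and the 10.0.0.5 address are placeholders. Binding to every interface with authorization disabled is exactly the state the ransom incidents exploited, so bindIp and security.authorization are the two settings that matter most; the tls block is the transport encryption just described, and auditLog applies only to the Enterprise edition.

```yaml
# Added example mongod.conf (not from the original article). Replace the
# paths and the 10.0.0.5 address with your own.
net:
  bindIp: 127.0.0.1,10.0.0.5        # never 0.0.0.0 on a host reachable from the internet
  port: 27017
  tls:
    mode: requireTLS                # every connection must be TLS; plaintext is refused
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
security:
  authorization: enabled            # require authentication and enforce roles
  clusterAuthMode: x509             # replica-set members authenticate with certificates
# Enterprise only: audit authentication and user/role changes to a JSON file
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "createRole", "dropRole" ] } }'
```

With authorization enabled and no users yet, the localhost exception lets you create the first administrator from a mongosh session on the server itself, for example db.getSiblingDB("admin").createUser({ user: "admin", pwd: passwordPrompt(), roles: ["userAdminAnyDatabase"] }); after that, give each application user the least role it needs rather than reusing the administrator.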

Encryption at Rest

Storage engine encryption (an Enterprise feature of the WiredTiger storage engine) is a four-step process. All the steps are abstracted away from you as a database administrator, but they are important to understand in order to deliver a secure implementation. First, a master key is generated; it is used to encrypt each individual database key. Second, a key is generated for each database. Third, that database's data is encrypted on disk with its database key. Fourth, the database keys are themselves encrypted with the master key and stored with the data, while the master key is kept outside the database, either on a KMIP-compatible key server or in a local keyfile (acceptable for testing, not for production). Because of this layering, rotating the master key only re-encrypts the database keys; the data itself is not rewritten.

Application-level encryption is not a feature of MongoDB. To encrypt a document or a field within our data, we can write custom encryption and decryption routines in our application, or, of course, use a commercial solution for encryption within the application. (MongoDB 4.2 and later add client-side field level encryption in the drivers, which automates the same idea.)

I have explained some common but important factors of database security with MongoDB. Try them out and tell us in the comments what challenges you face with your database security.