As the leading NoSQL database, MongoDB not only provides rich features in terms of data consistency, performance and scalability, but also offers a variety of flexible security configurations to protect user data. In practice, however, data leaks often occur because MongoDB users have configured it improperly. As the National Internet Center reported earlier, some MongoDB deployments are at risk of information leakage due to improper user configuration. How to configure MongoDB correctly to protect enterprise data is therefore particularly important.
So how should it be configured? You can start from the following aspects: user authentication and authorization, encryption of data in transit, encryption of data at rest, network protection, and database auditing:
Enable access control and enforce authentication
When access control is enabled, MongoDB enforces authentication for every connecting user, which prevents anonymous or unauthorized users from accessing data. To reduce configuration effort, many users leave access control disabled. This puts data at great risk and may even lead to data leakage, causing huge losses to the enterprise. MongoDB supports multiple authentication mechanisms for verifying connecting users. MongoDB uses the SCRAM authentication method by default after version 4.0; before 4.0, MongoDB used the MongoDB Challenge-Response (MONGODB-CR) mechanism. Users can also use x.509 certificate authentication. In addition, MongoDB Enterprise Edition supports authentication integrated with LDAP and Kerberos. Users can choose according to their enterprise security requirements.
Configuring role-based access control
MongoDB uses role-based access control, so that users can only perform actions consistent with their roles. A user can be assigned one or more roles, which determine which database resources the user can access and what operations they can perform. MongoDB has a variety of built-in roles and also allows user-defined roles, so access rights can be controlled flexibly. In enterprise deployments, the permissions of MongoDB users should be planned carefully, following least privilege, to prevent data loss and leakage.
Enable TLS/SSL communication encryption
MongoDB supports TLS/SSL to encrypt all MongoDB network traffic and protect data in transit. Encrypted communication is not limited to the link between the application and the database; communication between MongoDB nodes (replica set and sharded cluster members) can also be encrypted. If your database traffic crosses the public network or the corporate external network, it is strongly recommended to enable TLS/SSL to protect data in transmission.
Encrypt data at rest
Encryption of data at rest is only supported in MongoDB Enterprise Edition. MongoDB uses encryption keys to encrypt stored data. Users can also rotate encryption keys periodically to comply with certain security regulations. For information on how to configure encryption, see the manual:
https://docs.mongodb.com/manual/tutorial/configure-encryption/
Restrict access to the network where MongoDB is located
Network security is one of the most important factors affecting MongoDB security. Users should ensure that MongoDB runs in a trusted network environment and set up network firewalls properly to control inbound and outbound traffic, so that only trusted clients can reach the network and port where MongoDB is located.
Starting from version 3.6, MongoDB binds to localhost by default and only allows local access (before version 3.6, only the MongoDB RPM and DEB installation packages bound to localhost by default; with other installation methods, special attention should be paid to MongoDB's network binding configuration). Version 3.6 itself will stop being supported in April 2021, so users are advised to upgrade as soon as possible. For the upgrade steps, please see:
https://docs.mongodb.com/manual/release-notes/4.0-upgrade-replica-set/
The default access port of MongoDB is 27017. Users should pay attention to protecting access to this port; users can of course also change it.
In addition, users should pay special attention to the security of the host where MongoDB runs. Measures such as network firewall protection, operating system user identity management, and disabling root user access help secure the MongoDB operating environment.
Client-side field-level encryption
MongoDB 4.2 and above supports client-side field-level encryption. When it is enabled, only applications with correct access to the encryption keys can decrypt and read the protected fields. In this way, only MongoDB users holding the encryption keys can "correctly" read the protected data, which further protects sensitive data even from parties with access to the server. For a detailed introduction to and usage of client-side field-level encryption, please refer to the manual:
https://docs.mongodb.com/drivers/security/client-side-field-level-encryption-guide/
Database Audit
MongoDB Enterprise Edition provides database auditing. This feature allows administrators to track the activities of users and applications accessing the system. Audit events can be written to the console, syslog, a JSON file or a BSON file so that any suspicious behavior can be traced. Auditing is also a requirement of many regulations. For information on how to configure auditing, see:
https://docs.mongodb.com/manual/tutorial/configure-auditing/
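The configuration points above (access control, network binding, TLS, encryption at rest, auditing) all live in mongod.conf, so one way to verify a deployment is to check that file for weak settings. The following is an added example, not a MongoDB tool: it flattens the simple YAML subset mongod.conf uses and reports each setting that does not match the recommendations, shown on a constructed weak config and a constructed hardened one (file paths and the 10.0.0.5 address are placeholders).

```python
# Added example (not MongoDB tooling): flag weak mongod.conf settings discussed above.
# Both sample configs are constructed; file paths and addresses are placeholders.
def parse_mongod_conf(text):
    flat, stack = {}, [(-1, "")]                   # (indent, dotted key prefix)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:               # dedent closes open sections
            stack.pop()
        dotted = stack[-1][1] + key
        if value.strip():
            flat[dotted] = value.strip().strip("'\"")
        else:
            stack.append((indent, dotted + "."))
    return flat

def audit(conf):
    findings = []  # one entry per weak setting; an empty list means every check passed
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization: anonymous clients get full access")
    if conf.get("net.bindIpAll") == "true" or "0.0.0.0" in conf.get("net.bindIp", "127.0.0.1").split(","):
        findings.append("net.bindIp: mongod listens on every interface")
    if conf.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode: traffic may cross the network in clear text")
    if conf.get("security.enableEncryption") != "true":
        findings.append("security.enableEncryption: data at rest is unencrypted (Enterprise)")
    if "auditLog.destination" not in conf:
        findings.append("auditLog.destination: no audit trail (Enterprise)")
    return findings
WEAK_CONF = """net:
  bindIp: 0.0.0.0          # reachable from anywhere, no auth, no TLS
"""
HARDENED_CONF = """security:
  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: /etc/mongod/keyfile
net:
  bindIp: 127.0.0.1,10.0.0.5                # localhost plus one trusted internal address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
"""
```

Running `audit(parse_mongod_conf(WEAK_CONF))` returns five findings, one per section above, while the hardened config returns none; the last two checks only apply to Enterprise Edition.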
Attachment: MongoDB Statement
MongoDB’s latest statement on security:
Security issues are mostly related to the fact that users of old and free versions of MongoDB have not enabled MongoDB’s extensive security features. Over the past two years, MongoDB Atlas has provided users with secure default configurations, including the latest version of MongoDB Server that enables authentication by default, as well as continuously deployed enhanced security features.
MongoDB has been actively and proactively teaching customers how to use MongoDB better, providing easy-to-understand and detailed documentation, including online training, the MongoDB security manual, and the MongoDB security best practices checklist, which repeatedly emphasize the method and importance of enabling security. Starting with MongoDB version 2.6 five years ago, we have enabled default security settings on all of the most popular download installers. Versions 3.6 and later further enable the default security configuration of all build options.
We sincerely encourage all users to update to the latest version for better security: by default network access is disabled, and SHA-256 is used for TLS 1.1+ encrypted communication and authentication.