Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS Application

Posted on 11-Aug-2015

Page 1: Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS Application

1© 2014 Cisco and/or its affiliates. All rights reserved.

Securing MongoDB to serve an AWS-based, multi-tenant, security-fanatic SaaS application

Doron Levari, Data Architect, Cisco

Page 2

About me

(Slide shows a personal timeline infographic; its figures did not survive extraction.)

Page 3

My project

Diagram: a cloud service orchestrating firewalls (FW1 to FW4) in the customer datacenter(s). Flow: Onboard Customer, Discover CPE, Normalize configuration and policy, Add new device, Orchestrate.

Simplify, unify, and orchestrate policy for Cisco security products from the cloud

Page 4

Birds Eye Architecture

Diagram: a REST API layer on top of micro services (device plugins, configuration, classification, normalization).

Page 5

Agenda

• Why MongoDB?

• Why security?

• Security considerations

• Tenant isolation considerations

• Implementation of security with MongoDB
  - Encryption of data at rest and in flight
  - Strong authentication
  - Fine-grained authorization
  - Audit trail

Page 6

Why MongoDB?

• Agile development, agile deployments

• Data requirements are decent
  - 1000s of corporates, 10Ks of registered users, 1M of devices
  - Size ~5 TB

• Store raw config files
  - Tag inside config files
  - Full text search

• JSON is all over the app
  - REST APIs, JavaScript, D3.JS

• Simplicity! MMS is awesome!

Page 7

Why Data Security?

• Our clients
  - Corporates and their sysadmins, security admins
  - Security experts

• Sell more products, $$$
  - Convince our customers to let us keep the keys to their kingdom
  - Meet security compliance (such as PCI-DSS)

• Stay alive as a business

• Address threats
  - Leaked or hijacked passwords, impersonation
  - Network sniffing
  - Memory or storage dumping

• Isolate, detect, prevent

Page 8

Security requirements

• Encryption of data at rest and in flight

• Strong authentication

• Fine grained authorization

• Audit trail

• We need all of the above in a multi-tenant application

• Tenant isolation

Page 9

Tenant Isolation Practices

Diagram, from isolated to shared:
  - Cluster per tenant: a separate mongod replica set for each of Acme, Foo and Bar
  - Database per tenant: one mongod replica set holding a separate database for Acme, Foo and Bar
  - Collection(s) per tenant: one mongod replica set with separate collections for Acme, Foo and Bar
  - Shared collections: one mongod replica set with all data in the same collections

Page 10

Tenant Isolation Analysis

Comparison matrix. Columns, from isolated to shared: Cluster per tenant, Database per tenant, Collections per tenant, Shared collections. Rows: Security, Operations, $ (cost). The cell text survived extraction but not its row/column placement:
  - Less prone to query injection and bugs
  - Disk, memory, CPU isolation
  - Data at rest encryption done at storage level, key per tenant
  - Tenant portability (carve out a tenant to another stack)
  - Scale out by horizontal partitioning by tenant ID / Sharding by tenant ID
  - Sharding big tenants by a secondary key
  - Cross-tenant queries: programmatic aggregation or ETL to an analytical platform
  - Database-level RBAC and audit
  - No resource isolation / Disk, memory isolation
  - Application-level encryption would blind the database
  - Common database user connection
  - Per-tenant connection with x.509 certificate, key per tenant / Common database user connection
  - Diminishing low cost per tenant / High constant cost per tenant

Page 11

We went with "Database per tenant"

• It was a happy medium when it came to operations and cost-effectiveness

• We're B2B, aiming for customers in the Ks, not Ms

• We just care too much about security
  - Need to exceed our customers' expectations

• We don't care much about cross-tenant queries
  - Our customers would see it as a security risk!

• Now, we have to implement these ---->

https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

Page 12

Encryption

• At rest: storage.directoryPerDB
  - Stores the files of each database in its own folder under the data directory
  - With simple Linux gymnastics we can:
    - Create multiple volumes, encrypt each one with a different key
    - Mount those volumes as directories under the data root directory

• In flight: net.ssl.mode = requireSSL
  - SSL for client-server communications
  - SSL for server-server communications (replica set)

http://docs.mongodb.org/manual/reference/configuration-options/#storage.directoryPerDB
http://docs.mongodb.org/manual/tutorial/configure-ssl/
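Added example, not from the deck: a Python check for the per-tenant volume layout described above. It parses mount-table lines in /proc/mounts format and confirms that each tenant's directory under dbPath is its own mount point, backed by a /dev/mapper device (the dm-crypt naming convention; a mapper device could also be plain LVM, so this is a heuristic) and not shared with another tenant. The dbPath, tenant names and mount lines are constructed for the example.

```python
"""Verify the per-tenant encrypted-volume layout behind storage.directoryPerDB."""
from pathlib import PurePosixPath

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# 'bar' deliberately reuses acme's volume so the check has something to flag.
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/xvdb /data/db ext4 rw,relatime 0 0
/dev/mapper/tenant-acme /data/db/acme xfs rw,relatime 0 0
/dev/mapper/tenant-foo /data/db/foo xfs rw,relatime 0 0
/dev/mapper/tenant-acme /data/db/bar xfs rw,relatime 0 0
"""


def parse_mounts(text):
    """Map each mount point to the device backing it."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts[parts[1]] = parts[0]
    return mounts


def longest_mount_for(path, mounts):
    """Return (mount_point, device) of the deepest mount point containing path."""
    p = PurePosixPath(path)
    for candidate in [p, *p.parents]:
        if str(candidate) in mounts:
            return str(candidate), mounts[str(candidate)]
    return None, None


def check_tenant_volumes(db_path, tenants, mounts_text):
    """Return {tenant: problem} for tenants not on their own dm-crypt volume."""
    mounts = parse_mounts(mounts_text)
    problems, seen = {}, {}
    for tenant in tenants:
        tenant_dir = f"{db_path.rstrip('/')}/{tenant}"
        mount_point, device = longest_mount_for(tenant_dir, mounts)
        if mount_point != tenant_dir:
            # Directory lives on the parent filesystem: no per-tenant key at all.
            problems[tenant] = f"not a dedicated mount (falls under {mount_point})"
        elif not device.startswith("/dev/mapper/"):
            problems[tenant] = f"backed by plain device {device}"
        elif device in seen:
            problems[tenant] = f"shares volume {device} with tenant {seen[device]}"
        else:
            seen[device] = tenant
    return problems
```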

Page 13

Authentication

• I need each tenant to authenticate with different credentials to MongoDB

• This means: every worker thread connects to MongoDB with different database credentials

• Hmm…

• Will I still be able to leverage connection pools‽

• Will I be able to make it generic in a low-layer app infrastructure?

Page 14

Standard Connection Pool

Diagram: the Browser/Client authenticates against an Authorization Server and gets an OAuth token; REST calls carrying the token reach the App Server (Spring Framework), where worker threads borrow connections from a single connection pool to a mongod replica set holding all data.

Page 15

Authentication in MongoDB

• MongoDB completely separates the actions of "connect" and "authenticate"
  - Connect: heavy operation of creating the channel to the database
  - Authenticate: lightweight operation of creating an authenticated context

• Leverage connection pools
  - Upon app server startup, a pool of "blank" connections is created
  - A connection borrowed from the pool is authenticated as the current tenant

• Result: each database session is authenticated when needed, and with different credentials

http://docs.mongodb.org/manual/reference/method/db.auth

Page 16

Benchmarks – Results

• Creating and closing of blank connections to Mongo:

Repetitions: 10000: Connection avg (ms): 0.580, Close avg (ms): 0.218

Repetitions: 10000: Connection avg (ms): 0.539, Close avg (ms): 0.196

Repetitions: 10000: Connection avg (ms): 0.604, Close avg (ms): 0.223

• Authentication (creating MongoTemplate serial random context switches between 5 tenants):

Repetitions: 10000: MongoTemplate avg (ms): 0.171, Read avg (ms): 0.309

Repetitions: 10000: MongoTemplate avg (ms): 0.166, Read avg (ms): 0.306

Repetitions: 10000: MongoTemplate avg (ms): 0.174, Read avg (ms): 0.309

Page 17

Tenant Authentication Infrastructure

Diagram: the Browser/Client authenticates against an Authorization Server and gets an OAuth token; REST calls carrying the token reach the API Server (Spring Framework), whose MT (multi-tenant) infrastructure consults a KeyManager before worker threads use pooled connections to the mongod replica set holding the Acme, Foo and Bar databases.

KeyManager: use the OAuth token to retrieve a key to authenticate to the database and encrypt traffic.

Connection pool: connections in the connection pool are unauthenticated; a key is required to access the DB.

Page 18

Tenant Authentication Infrastructure

• The Mongo object holds the pool of blank connections

• A MongoTemplate object is created with the Mongo object, a database name and UserCredentials
  - The MongoTemplate object is used to access the database
  - The MongoTemplate object is discarded at the end of use; the blank connection is returned to the pool

http://docs.spring.io/spring-data/mongodb/docs/current/api/org/springframework/data/mongodb/core/MongoTemplate.html

<!-- Spring Data MongoDB XML config: one Mongo bean whose pool holds blank connections -->
<mongo:mongo replica-set="mongo0:27000,mongo1:27000,mongo2:27000">
  <mongo:options connections-per-host="8"
                 threads-allowed-to-block-for-connection-multiplier="4"
                 connect-timeout="1000"
                 max-wait-time="1500"
                 socket-keep-alive="true"
                 slave-ok="true"
                 write-number="1"
                 write-timeout="0"
                 write-fsync="true"/>
</mongo:mongo>

----

@Autowired
private Mongo mongo;   // the shared pool of unauthenticated connections

// Per request: bind a borrowed connection to the current tenant's database and credentials
MongoTemplate mongoTemplate = new MongoTemplate(mongo, tenantDatabase, new UserCredentials(tenantUser, tenantPassword));

Page 19

Authorization

• Ah with authenticated users – it’s easy!

• MongoDB employs Role-Based Access Control (RBAC)

• A user is granted one or more roles that determine the user’s access to database resources and operations

http://docs.mongodb.org/manual/core/authorization/

// Run against the tenant database (here "acme") so the role and user are defined there
db.createRole(
  {
    role: "accessSomeColls",
    privileges: [
      { resource: { db: "acme", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
      { resource: { db: "acme", collection: "orders" }, actions: [ "find" ] }
    ],
    roles: []
  }
)

db.grantRolesToUser( "acme", [ "accessSomeColls" ] )
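Added example, not from the deck: Python helpers that build the createRole command for one tenant's database and lint a role document so it cannot reach outside that database (another tenant's db, the empty db name that MongoDB treats as "all databases", cluster or anyResource privileges, or roles inherited from another database). CLUSTER_ACTIONS is an illustrative subset I chose, not MongoDB's full action list.

```python
"""Build and lint per-tenant MongoDB roles for a database-per-tenant deployment."""

# Illustrative subset of actions that affect the whole deployment rather than one
# tenant database; a tenant role must never carry them.
CLUSTER_ACTIONS = {"shutdown", "addShard", "replSetReconfig", "setParameter", "fsync"}


def tenant_role(tenant_db, role, collection_actions):
    """Command document for createRole, scoped to collections of tenant_db only.

    collection_actions maps collection name -> set of actions.
    """
    return {
        "createRole": role,
        "privileges": [
            {"resource": {"db": tenant_db, "collection": coll}, "actions": sorted(actions)}
            for coll, actions in collection_actions.items()
        ],
        "roles": [],
    }


def scope_violations(role_doc, tenant_db):
    """Return human-readable reasons a role document escapes its tenant database."""
    problems = []
    for priv in role_doc.get("privileges", []):
        res = priv.get("resource", {})
        if res.get("anyResource") or res.get("cluster"):
            problems.append(f"deployment-wide resource {res}")
        elif res.get("db", "") != tenant_db:
            # db "" means every database in MongoDB's resource syntax, so it is caught too.
            problems.append(f"resource in db {res.get('db')!r}")
        bad = CLUSTER_ACTIONS & set(priv.get("actions", []))
        if bad:
            problems.append(f"cluster actions {sorted(bad)}")
    for inherited in role_doc.get("roles", []):
        # Inherited roles are either a bare name (current db) or {role, db}.
        db = inherited["db"] if isinstance(inherited, dict) else tenant_db
        if db != tenant_db:
            problems.append(f"inherits role from db {db!r}")
    return problems
```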

Page 20

Audit

• Cool important feature in MongoDB Enterprise

• Can audit everything:
  - schema (DDL)
  - replica set
  - authentication and authorization
  - general operations

• Audit guarantee: before adding an operation to the journal, MongoDB writes all audit events on the connection that triggered the operation

• By default, the auditing system records all these operations; filters are set up to restrict the events captured

http://docs.mongodb.org/manual/core/auditing/
http://docs.mongodb.org/manual/reference/audit-message/
http://docs.mongodb.org/manual/reference/audit-message/#audit-event-actions-details-and-results

Audit Message Structure:
{
  atype: <String>,
  ts: { "$date": <timestamp> },
  local: { ip: <String>, port: <int> },
  remote: { ip: <String>, port: <int> },
  users: [ { user: <String>, db: <String> }, ... ],
  roles: [ { role: <String>, db: <String> }, ... ],
  param: <document>,
  result: <int>
}

Page 21

Audit

• Sample config

• Additional atype examples:authenticate, authCheck, createCollection, createDatabase, createIndex, renameCollection, createUser, grantRolesToUser, createRole, grantPrivilegesToRole, replSetReconfig, shardCollection, addShard, shutdown

http://docs.mongodb.org/manual/tutorial/configure-auditing/#audit-filter

security:
  authorization: enabled
auditLog:
  destination: file
  format: JSON
  path: data/db/auditLog.json
  # Only inserts and removes on acme.devices are captured; quotes must be plain ASCII
  filter: '{ atype: "authCheck", "param.command": { $in: [ "insert", "remove" ] }, "param.ns": "acme.devices" }'
# Without this, authCheck events are logged only for failed authorization checks
setParameter: { auditAuthorizationSuccess: true }
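Added example, not from the deck: a detection pass over audit log lines in the JSON structure shown on the previous slide. It flags every event with a non-zero result (an authorization or authentication failure) and every authCheck in which a tenant principal touches a namespace in a database other than the one it authenticated against, which in a database-per-tenant layout should never succeed. The four events are constructed sample data; result codes 13 (Unauthorized) and 18 (AuthenticationFailed) are standard MongoDB error codes.

```python
"""Scan MongoDB audit log lines for failures and cross-tenant namespace access."""
import json

# Constructed sample events, one JSON document per line as auditLog.format: JSON writes them.
SAMPLE_AUDIT = """\
{"atype":"authCheck","ts":{"$date":"2014-06-24T10:00:00.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.9","port":51234},"users":[{"user":"acme","db":"acme"}],"roles":[{"role":"accessSomeColls","db":"acme"}],"param":{"command":"insert","ns":"acme.devices","args":{}},"result":0}
{"atype":"authCheck","ts":{"$date":"2014-06-24T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.9","port":51234},"users":[{"user":"acme","db":"acme"}],"roles":[{"role":"accessSomeColls","db":"acme"}],"param":{"command":"find","ns":"foo.devices","args":{}},"result":13}
{"atype":"authCheck","ts":{"$date":"2014-06-24T10:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.7","port":51300},"users":[{"user":"foo","db":"foo"}],"roles":[{"role":"readWrite","db":"foo"}],"param":{"command":"find","ns":"bar.orders","args":{}},"result":0}
{"atype":"authenticate","ts":{"$date":"2014-06-24T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27000},"remote":{"ip":"10.0.1.7","port":51300},"users":[],"roles":[],"param":{"user":"foo","db":"foo","mechanism":"MONGODB-CR"},"result":18}
"""


def parse_audit(text):
    """One audit document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tenant_of_ns(ns):
    """'db.collection' -> 'db'; with database-per-tenant the db name is the tenant."""
    return ns.split(".", 1)[0]


def find_suspicious(events):
    """Return (kind, event) pairs worth alerting on, in log order."""
    findings = []
    for ev in events:
        # result 0 is success; anything else is a failure (13 Unauthorized, 18 AuthenticationFailed, ...)
        if ev.get("result", 0) != 0:
            findings.append(("failure", ev))
        if ev.get("atype") != "authCheck":
            continue
        ns = ev.get("param", {}).get("ns", "")
        user_dbs = {u["db"] for u in ev.get("users", [])}
        if ns and user_dbs and tenant_of_ns(ns) not in user_dbs:
            # A tenant principal reaching outside its own database. With result 0 this
            # means the role grants were too broad, which is the more serious finding.
            findings.append(("cross_tenant", ev))
    return findings
```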

Page 22

Summary

• Why MongoDB?

• Why security?

• Security considerations

• Tenant isolation considerations

• Implementation of security with MongoDB
  - Encryption of data at rest and in flight
  - Strong authentication
  - Fine-grained authorization
  - Audit trail

Page 23

Doron Levari
https://www.linkedin.com/in/doronlevari
@doron_levari