How to Ensure MongoDB Security Options Are Enabled

By: Morpheus Data

MongoDB’s recent releases add the authentication, auditing, and other management controls serious business databases require.

TL;DR: Protect against data breaches by ensuring the industrial-strength security features built into the latest releases of MongoDB are configured correctly. These include user authentication, audit trails, encryption, and environment/process controls.

Any commercial database has to have security built in. One of the early knocks on the open-source MongoDB NoSQL database was that it lacked the management and security features of Oracle and other relational DBMSs.

The release of MongoDB 2.6 in 2014 addressed these concerns by upgrading the MongoDB Management Service (MMS). Java World’s Brian Crucitti writes in an April 10, 2014, article that version 2.6 added continuous backup, point-in-time recovery, and monitoring and alerts on more than 100 parameters. Other new security features in version 2.6 included authentication/authorization, field-level security, and encryption.

The new version 3.0 of MongoDB due in March builds on these enhancements by adding a pluggable storage engine API that allows multiple storage engines to coexist within a single replica set, according to the company. The new release’s WiredTiger storage engine features document-level locking, as InfoQ’s Alex Giamas explains in a February 20, 2015, article.

The WiredTiger storage engine is said to be seven to 10 times faster than its predecessor, and it compresses data 80 percent more efficiently than earlier releases, according to MongoDB’s Eliot Horowitz, as quoted by ZDNet’s Toby Wolpe in a February 3, 2015, article.

MongoDB data disclosure highlights built-in security features

In a February 10, 2015, post, Information Age’s Ben Rossi reports that three students at Saarland University in Germany discovered 40,000 unsecured MongoDB databases on commercial servers. MongoDB points out in a February 13, 2015, follow-up post that the breached databases failed to enable the database’s built-in security features, which would have precluded such vulnerabilities.

German university students discovered 40,000 publicly accessible MongoDB databases on commercial servers throughout the world. Source: Jens Heyens, Kai Greshake, and Eric Petryk, via Information Age

It is standard operating procedure to implement access controls whenever a database moves from a closed development environment to the public domain. The four essentials of any commercial database are authentication, operational audit trails, encryption at the communication and storage layers, and environment/process controls.

As part of the security-first mantra, the most popular MongoDB installer, the RPM for the Red Hat and CentOS Linux distributions, creates a process that restricts access to localhost. MongoDB also supports less-restrictive configurations that still prevent unauthorized access of the kind the German students found. (The MongoDB site features a tutorial for installing the database on Red Hat Enterprise, CentOS, Fedora, and Amazon Linux.)

Among the MongoDB security options are to configure a firewall to block client access to shards, and to configure Mongos to capture only local traffic. Source: IBM DeveloperWorks

The MongoDB Manual features a Security Checklist that includes authentication, role-based access control, encrypting data communications and storage, restricting network access, auditing system activity, running MongoDB with a dedicated user, secure configuration options, and security standards compliance. For deployments within the U.S. Department of Defense, you can request a Security Technical Implementation Guide.
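The localhost-only binding described above and the Security Checklist items (authentication, encrypted communications, restricted network access, auditing) all live in the `mongod.conf` file, so a quick way to catch a deployment like the 40,000 exposed ones is to audit that file before the database leaves the development environment. The script below is an added example, not code from Morpheus or from the MongoDB project. It assumes the YAML-style `mongod.conf` layout (two-space indentation, no lists), treats a missing `net.bindIp` as binding to all interfaces (the default in the 2.6/3.0 releases discussed here), and uses two constructed configuration files, one weak and one hardened, as sample input.

```python
"""Audit a mongod.conf (YAML style) against MongoDB Security Checklist items.

Added example; not the page's or MongoDB's own tooling. Both configs below are
constructed samples, not captured from any real host.
"""

# Constructed: a freshly installed server bound to every interface, no auth.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same server after applying the checklist.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
"""


def parse_conf(text):
    """Parse the indentation-based subset of YAML used by mongod.conf.

    Returns a flat dict of dotted keys to string values, e.g.
    {'net.bindIp': '0.0.0.0'}. Assumption: consistent two-space indents,
    no lists, no multi-line values. Comments and blank lines are skipped.
    """
    result = {}
    stack = []  # (indent, key) for the enclosing sections
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        # Leave any section that is at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join(k for _, k in stack)
        full = f"{path}.{key}" if path else key
        if value:
            result[full] = value
        else:
            stack.append((indent, key))  # a section header, descend into it
    return result


def audit(conf):
    """Return (check name, passed, detail) for each checklist item."""
    findings = []

    auth = conf.get("security.authorization", "disabled")
    findings.append(("authentication/authorization enabled",
                     auth == "enabled", f"security.authorization={auth}"))

    # Assumption: absent bindIp means all interfaces, as in MongoDB 2.6/3.0.
    bind = conf.get("net.bindIp", "0.0.0.0")
    public = any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
    findings.append(("network access restricted (bindIp)",
                     not public, f"net.bindIp={bind}"))

    # 3.x uses net.ssl.*; later releases renamed it net.tls.*; accept either.
    mode = conf.get("net.ssl.mode", conf.get("net.tls.mode", "disabled"))
    findings.append(("encrypted communications required",
                     mode in ("requireSSL", "requireTLS"), f"mode={mode}"))

    dest = conf.get("auditLog.destination")
    findings.append(("auditing enabled",
                     dest is not None, f"auditLog.destination={dest}"))
    return findings


def failed_checks(text):
    """Names of the checklist items a config text fails."""
    return [name for name, ok, _ in audit(parse_conf(text)) if not ok]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} config ==")
        for name, ok, detail in audit(parse_conf(text)):
            print(f"  [{'PASS' if ok else 'FAIL'}] {name} ({detail})")
```

Run against a real server's `/etc/mongod.conf` by reading the file into `failed_checks`; an empty list means the four checklist items covered here are set, while anything returned is a finding to fix before the instance is reachable from outside the host.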

When it comes to database security, the new Morpheus Virtual Appliance has you covered front, back, and sideways. With the Morpheus database-as-a-service (DBaaS) you can provision, deploy, and monitor your MongoDB, Redis, MySQL, and ElasticSearch databases from a single point-and-click console. Morpheus lets you work with SQL, NoSQL, and in-memory databases across hybrid clouds in just minutes. Each database instance you create includes a free full replica set for built-in fault tolerance and failover.

In addition, the service allows you to migrate existing databases from a private cloud to the public cloud, or from public to private. A new instance of the same database type is created in the other cloud, and real-time replication keeps the two databases in sync. Visit the Morpheus site for pricing information and to create a free account.