I'm trying to encrypt the data of my MongoDB database (very sensitive data). MongoDB Enterprise advises using a KMIP server.
What do you advise me to use to manage my keys compatible with the KMIP protocol? I find that installing my own server can be complicated to maintain.
That's why I would be more reassured to go through a company that offers a KMS. AWS and Google offer this kind of service, but they are not compatible with the KMIP protocol.
What do you advise me?
Thank you
How do we create a client certificate to get validated by AWS DocumentDB?
In the AWS docs, https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled, only one-way SSL is mentioned, i.e., clients authenticating the server certificate. I didn't find information regarding two-way SSL supported by AWS DocumentDB. Can anyone help on this?
Amazon DocumentDB does not support using client certificates to connect to your cluster. Are you looking for client-side certificates to be used by the server for authentication? Amazon DocumentDB only supports SCRAM-based authentication.
I'm using CloudFlare to get free SSL coverage for a domain I own on GoDaddy. That's great and if you haven't checked out those services you might find them handy to use. I do have a question though, I'd like to provide HTTPS/SSL encryption for data transmitted from my MongoLab DB to my Heroku App. Both of these are through Heroku. So,
(1) Do I need additional SSL encryption to protect the sensitive data I'll be transmitting between those two endpoints?
(2) How do I go about acquiring that?
(3) If yes to (1) and no good answer for (2), what's an alternative (nearly free) option to accomplish the same thing? I'm not wedded to MongoDB for this project.
Thanks in advance and hope this question helps someone else out as well.
Apparently, Heroku maintains that if you provision a MongoLab DB through them (and not through MongoLab directly) and have your Heroku app in the same AWS region you're fine as no packet sniffing can occur.
Otherwise you can purchase separate SSL encryption.
I've also decided to encrypt the data going into my database as well.
I am trying to set up an enterprise-level Spring Config Server which will be used by multiple config client applications across the company. As the encrypt.key should be common across multiple clients, is it possible to protect sensitive information of a client application from other client applications? Am I missing something? Please help me.
That is one way to set things up. You can also let the config server handle decryption so the clients only get decrypted values, and secure the connection from client to server using Spring Security.
I've been looking at setting up a MongoDB as a Service on Mongo HQ/Compose.io or some other service.
From what I can gather the major security hole is the data in transit. Mongo doesn't support native driver SSL by default, and most DBaaS providers don't offer it standard.
It seems to me that it is a big security risk. Am I wrong here?
thanks.
Yes, that is correct. MongoDB does not support SSL by default, and few DBaaS providers offer it. You might have to manage MongoDB yourself. The easiest way, I guess, is to docker it up.
By the way, did you check out CloudBoost.io (https://www.cloudboost.io)? We have SSL on our APIs and have all the features which MongoDB has and more.
P.S.: I work at CloudBoost.io
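Both MongoDB concerns on this page, the first post's KMIP-managed encryption at rest and the third thread's unencrypted data in transit, come down to mongod configuration. The following mongod.conf is an added illustration, not from any poster or from MongoDB's documentation; every hostname and file path in it is a placeholder, and the `security.enableEncryption` / `security.kmip` keys require MongoDB Enterprise.

```yaml
# mongod.conf (YAML). Added example; all hostnames and paths are placeholders.
# security.enableEncryption and security.kmip exist only in MongoDB Enterprise.

net:
  port: 27017
  bindIp: 10.0.0.5           # placeholder: a private interface, never 0.0.0.0 on a public host
  tls:
    mode: requireTLS         # the weak setting is "disabled" (the default): traffic is cleartext
    certificateKeyFile: /etc/mongodb/tls/server.pem   # placeholder: server certificate + key
    CAFile: /etc/mongodb/tls/ca.pem                   # placeholder: CA that signed client certs
    # With CAFile set, clients must present a certificate unless
    # allowConnectionsWithoutCertificates is set to true.

security:
  authorization: enabled     # TLS alone is not authentication; require users and roles too
  enableEncryption: true     # encrypt WiredTiger data files at rest
  encryptionCipherMode: AES256-CBC
  kmip:
    serverName: kmip.example.net   # placeholder: the KMIP-compatible KMS holding the master key
    port: 5696
    clientCertificateFile: /etc/mongodb/kmip/client.pem   # placeholder: client cert + key for KMIP
    serverCAFile: /etc/mongodb/kmip/kmip-ca.pem           # placeholder: CA of the KMIP server
```

With `mode: requireTLS`, a client must connect with `tls=true` and verify the server against the same CA (for example `tlsCAFile=` in the connection string); a plain `mongodb://host` connection is refused rather than silently downgraded.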
How are Cassandra clusters usually built from a security standpoint? Should they always be kept local, or are there any security functions that make it reasonable to open up for external connections to the cluster? As far as I understand, it seems like Cassandra doesn't have any "inbuilt security engine" for handling these kinds of things. I'm planning on building a service to talk with Cassandra; should that connection be made locally (on the same net as the cluster) or externally using DNS?
Cassandra supports built-in password authentication and authorisation since version 1.2.
User credentials and privileges are kept internally, in system auth tables. This can be viewed as its "inbuilt security engine".
As for protecting connections (encryption), since version 1.2 there's SSL support for both internode and client-to-node communication. The DataStax Enterprise platform additionally extends that with Kerberos/LDAP support to allow single sign-on.
Configure a stateful firewall to allow incoming connections, but allow outgoing only if someone requested something from the server. Also, C* has inbuilt SSL support, but not all APIs can use SSL, so you'll have to pick a compatible one.