MongoDB Atlas Security

A primer on security tools and controls available in MongoDB Atlas

In our modern digital age it’s no secret that security has become a process of perpetual evolution. As much as our security systems have improved, so too have the methods of attack that hackers choose to leverage.

There are two primary threat vectors. One is technical: the actual firewalls, network policies, and access controls put in place to keep potential intruders at bay. The other is human: attempts at fooling or circumventing privileged users via social engineering attacks such as phishing campaigns, SIM swapping, and so on. This article will focus mostly on the former, covering the tools and controls available to you on the Atlas Data Platform.

The MongoDB Atlas Data Platform is set up with security as a core pillar. As such, you can expect Atlas to leverage Enterprise grade security by default. What this entails specifically is:

Encryption at Rest — All data is secured at the volume level using industry standard AES-256 encryption by default, and this cannot be disabled.

Encryption in Transit — TLS (1.2) is enabled by default and cannot be disabled. TLS 1.1 is also supported.

Network Isolation & Dedicated Systems — Each Atlas customer is provisioned in their own dedicated VPC, and (M10 Tiers and above) on dedicated compute instances. By default, these environments are fully locked down, meaning that you will need to create network and database access rules before anything can communicate with your Atlas databases.

High Availability — The Atlas control plane is designed with high availability principles in mind, and as such is fully isolated from the data layer (i.e. the respective cloud providers) where your clusters are hosted. This means that in the rare event that the Atlas platform goes down for any period of time, your clusters remain fully active and performant (so long as your chosen cloud provider and region(s) remain available).

Monitoring & Alerting — Atlas provides a customizable interface for monitoring across over 100 metrics, in addition to integrations with various tools and 3rd party monitoring solutions. A handful of critical alerts are enabled by default, such as a cluster or node failure, with various other alert parameters that can be customized to meet your specific requirements.

Secure Infrastructure — Atlas infrastructure is only accessible by MongoDB’s backend engineers via Bastion hosts that require SSH authentication, and all Atlas clusters are deployed on hardened Linux distros that meet PCI DSS requirements for malware prevention. Furthermore, volume and transport layer encryption in Atlas uses FIPS validated crypto modules, and all systems used by MongoDB personnel run industry leading anti-malware software.

Incident Detection & Response — The Atlas platform is monitored at all times by both in-house as well as third party tooling for intrusion and threat detection. The Atlas Security team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.
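Two of the defaults above (TLS on, network fully locked down) are only as strong as what you later configure around them: an access-list entry for 0.0.0.0/0 or a client connection string that switches off certificate checks quietly undoes them. The audit below is an added example, not MongoDB's or Atlas's own code; the access-list entries and connection strings are constructed samples, and the `cidrBlock`/`comment` field names mirror the shape of the Atlas IP access list.

```python
"""Audit an Atlas-style IP access list and client connection strings for
settings that weaken the platform defaults (TLS in transit, locked-down
network). Added example with constructed input; not Atlas's own tooling."""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Real MongoDB URI options that disable TLS verification on the client side.
WEAK_TLS_OPTIONS = ("tlsInsecure", "tlsAllowInvalidCertificates",
                    "tlsAllowInvalidHostnames")

# Constructed sample: shape mirrors Atlas access-list entries (cidrBlock, comment).
SAMPLE_ACCESS_LIST = [
    {"cidrBlock": "0.0.0.0/0", "comment": "temporary dev access"},
    {"cidrBlock": "203.0.113.10/32", "comment": "app server"},
    {"cidrBlock": "10.0.0.0/8", "comment": "whole corporate range"},
]

def audit_access_list(entries):
    """Return findings for entries that open the cluster far wider than a
    fully locked-down default: any-address (/0) or very broad (< /16) ranges."""
    findings = []
    for entry in entries:
        net = ipaddress.ip_network(entry["cidrBlock"], strict=False)
        note = entry.get("comment", "")
        if net.prefixlen == 0:
            findings.append(f"{entry['cidrBlock']}: allows any address ({note})")
        elif net.prefixlen < 16:
            findings.append(f"{entry['cidrBlock']}: very broad range ({note})")
    return findings

def audit_uri(uri):
    """Return findings for connection-string options that turn TLS off or
    disable certificate/hostname validation. Option names are case-insensitive."""
    findings = []
    query = {k.lower(): v[-1].lower()
             for k, v in parse_qs(urlparse(uri).query).items()}
    # tls= is the current name; ssl= is the legacy alias for the same setting.
    if query.get("tls", query.get("ssl")) == "false":
        findings.append("tls=false: encryption in transit disabled by the client")
    for opt in WEAK_TLS_OPTIONS:
        if query.get(opt.lower()) == "true":
            findings.append(f"{opt}=true: certificate/hostname validation weakened")
    return findings

if __name__ == "__main__":
    for line in audit_access_list(SAMPLE_ACCESS_LIST):
        print("access list:", line)
    for line in audit_uri("mongodb://app:pw@db.example:27017/app?"
                          "tls=true&tlsAllowInvalidCertificates=true"):
        print("connection string:", line)
```

Run this against an access list exported from the Atlas UI or Admin API and the connection strings your applications actually load from configuration, so that a broadened allow-list or a weakened TLS option is caught at review time rather than discovered during an incident.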

In addition to the above items, Atlas offers several security features that can be enabled a-la-carte, or as bundles via premium Atlas support packages. These include:

Customer Key Management — The ability to add and self-custody a second layer of encryption (beyond volume level) for the MongoDB storage engine, commonly referred to as database level encryption. This feature allows for centralized KMS and key-rotation practices.

Database Level Auditing — This feature gives you the ability to delve deeper than the native Atlas activity feeds and audit database CRUD level operations, a function that is commonly required by various compliance frameworks.

LDAP Integration — Atlas provides the ability to manage user authentication and authorization from all MongoDB clients using your own Lightweight Directory Access Protocol (LDAP) server over TLS.

Client-Side Field Level Encryption (FLE) — Atlas offers compatibility with MongoDB’s Client-Side FLE, giving you the ability to automatically encrypt targeted key/value pairs in your dataset that may contain PII or other sensitive information.

You may notice based on the above that the list of default controls and policies is quite robust. As such, I have found that 9 times out of 10 these policies are enough to satisfy most security requirements.

If you’re still reading this and have unanswered questions, please review the resources below for more comprehensive guides and white papers on security features and processes in Atlas.
