MongoDB Monitoring, Auditing & Authentication: 3 Steps to Secure Your Database

Posted on: 17/03/2020 (last updated: 04/08/2021) by Phil Factor

Below is an excerpt from the whitepaper, MongoDB Security Checklist: Essential Tactics Against Data Breaches. Download it here.


See: An avoidable situation

If you are running a database service in a development environment, it pays every which way to aim at a secure installation. When that database system is providing a service for an organisation then it must be made secure.

Any organisation, however small, is required to protect its data from security threats and to mitigate risks that cannot be countered directly. Everyone within the organisation has to be aware of current relevant legislation and understand their personal responsibilities. Everyone has to protect the confidentiality and integrity of the data that they access.

However, security isn’t just about legal obligations and the heavy fines that can be the consequence of a data breach. It is also about safeguarding the reputation of the organisation and protecting its ability to function properly.

In addition, the paperwork and bureaucracy that follows a breach, even one that is relatively harmless, can sap the energy of any organisation. Employees of any business that is being held up for public ridicule feel it personally. Trying to hire in the glare of scandal just adds to the sense of a vicious circle.

We can divide the security task into eight categories. We should then treat them as being of equal importance because, if one fails, then they all fail. By no means do all database people regard every one of them as a strictly security topic, but because of their interdependence, many do.

Here’s the list:

  • Monitoring
  • Auditing
  • Authentication
  • Security of Access
  • Security of Data In Transit
  • Security of Data at Rest
  • Application Security
  • Infrastructure Security

We’ll cover monitoring, auditing, and authentication below.

Monitoring your MongoDB service

Imagine that you are defending a fort. You’d have lookouts, watchmen, early warning from surrounding villages and perhaps a system of beacons. Your last resort may end up being boiling oil, but far better if you can nip the incursion in the bud at the earliest point.

Monitor and defend your database

By analogy, you need to be able to check on the general activity of a MongoDB service, and to archive the values from the logs so that you can compare activity at different times. Monitoring over defined periods of time is even better, so that all potentially suspicious activities, such as login failures, are recorded and can be compared against a known baseline.

Insider threats are surprisingly common. These can be normal users or attackers gaining access to privileged user accounts. You need to know what is normal and what isn’t and the system needs to be able to fire off alerts if anomalies require investigation. Beyond the MongoDB service itself, the server that is hosting it also needs attention, particularly the security events.

Knowing when the server is starting to get massively scanned allows you to prevent subsequent advanced attacks. Everything needs to be visible: the more visible it is, the sooner you can spot when things go wrong.

Auditing your MongoDB system

In our imaginary fort, we have valuables. You have to check you’ve still got them. If you lend them out, you need to know they’re returned. You need to know who has been visiting to take a look or clean them. All visitors to the database must feel that they are being observed. It’s the same with auditing.

There has to be a record of business activities and commercial transactions over and above the basic book-keeping, and in a way that is independent of the system being audited. We can thereby detect attempts at fraud, as well as mistakes, exploits of bugs in the software, or intrusions.


Records must always be in sufficient detail to facilitate forensic analysis and allow administrators to verify proper controls. Unlike monitoring, you are checking definite parts of a mechanism. Only MongoDB Enterprise includes a way of auditing the system that can record system events such as user operations or failed logins on a MongoDB instance.
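As an added illustration of the Enterprise auditing just mentioned (this fragment is not from the article), the `auditLog` section of a `mongod.conf` that writes audit events to a file and filters them to the action types most useful for forensics. The file path is an assumed location.

```yaml
# Added example, not from the Studio 3T article: mongod.conf fragment enabling
# the MongoDB Enterprise audit log. auditLog is only honoured by Enterprise
# builds; the path below is an assumed location.
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/auditLog.json
  # Keep authentication attempts and every change to users and roles.
  # The filter is a query on the audit event and must be a quoted string here.
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "grantRolesToUser", "revokeRolesFromUser", "createRole", "dropRole" ] } }'
```

Each audit event carries the action type, a timestamp, the local and remote addresses, the authenticated users and roles, the parameters, and a `result` code (0 for success). Ship the file to a log store the database administrators cannot edit, so that the record stays independent of the system being audited, as the paragraph above requires.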

Authenticating MongoDB clients, processes & servers

Forts have very few entrances, usually manned by mean-looking suspicious people who, if they don’t recognise you, want proof of identity. They know who is legitimately in the building at any one time. Their modern counterparts don’t give you all the keys to the fort, just the access-restricted swipecard that you need.

Likewise in database security. Authentication requires that every client, process and server presents valid credentials before it can connect to the system, and that each can be uniquely identified. MongoDB authentication must be enabled and used: in clustered deployments, you need to enable authentication for each MongoDB server, using either the default MongoDB authentication mechanism or an existing external framework such as Active Directory.

Authentication that is shared between users is useless. It should be at a level that allows you to identify a named individual or process. If a process needs to interact with MongoDB, it must have its own credentials, and be assigned to a role that gives it only the access it requires and no more.
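The per-process credential rule in the two paragraphs above, as an added example that is not code from the article: one helper builds the `createUser` command for a service account scoped to a single database and role, and another checks a planned set of accounts for sharing and over-broad roles before anything is created. The account, process and database names (`svc_orders_api`, `orders`, `app_user` and so on) are assumed for illustration. In mongosh the returned command would be sent with `db.getSiblingDB(cmd.db).runCommand(cmd.command)`, with the password supplied through `passwordPrompt()` rather than typed inline.

```javascript
// Added example, not code from the Studio 3T article. Builds a least-privilege
// service-account command and checks an account plan for shared or over-broad
// credentials. Names (svc_*, orders, inventory, app_user) are assumed.
// In mongosh: db.getSiblingDB(cmd.db).runCommand(cmd.command)

// Built-in roles that reach across databases or the whole cluster;
// a single application process almost never needs them.
const BROAD_ROLES = new Set(['root', '__system', 'clusterAdmin', 'clusterManager', 'backup', 'restore']);

function isBroadRole(role) {
  return BROAD_ROLES.has(role) || /AnyDatabase$/.test(role);
}

// One account per process, created in the database it actually uses and
// limited to SCRAM-SHA-256 so no weaker SCRAM-SHA-1 credential is stored.
function serviceAccountCommand({ processName, database, role, password }) {
  if (!/^[a-z][a-z0-9_]*$/.test(processName)) {
    throw new Error(`bad process name: ${processName}`);
  }
  if (isBroadRole(role)) {
    throw new Error(`${role} is broader than a single process needs`);
  }
  return {
    db: database,
    command: {
      createUser: `svc_${processName}`,
      pwd: password,
      roles: [{ role, db: database }],
      mechanisms: ['SCRAM-SHA-256'],
    },
  };
}

// plan: [{ processName, account, database, roles: [{ role, db }] }]
// Returns human-readable violations; an empty list means the plan passes.
function leastPrivilegeViolations(plan) {
  const violations = [];
  const ownersOfAccount = new Map();
  for (const entry of plan) {
    if (!ownersOfAccount.has(entry.account)) ownersOfAccount.set(entry.account, []);
    ownersOfAccount.get(entry.account).push(entry.processName);
    if (entry.roles.length === 0) violations.push(`${entry.account}: no role assigned`);
    for (const { role, db } of entry.roles) {
      if (isBroadRole(role)) {
        violations.push(`${entry.account}: role ${role} reaches beyond ${entry.database}`);
      } else if (db !== entry.database) {
        violations.push(`${entry.account}: role ${role} is granted on ${db}, not ${entry.database}`);
      }
    }
  }
  // An account used by more than one process cannot identify who did what.
  for (const [account, owners] of ownersOfAccount) {
    if (owners.length > 1) violations.push(`${account}: shared by ${owners.join(', ')}`);
  }
  return violations;
}

// Constructed plan: two well-scoped service accounts and one legacy account
// shared by two processes with a cross-database role.
const PLAN = [
  { processName: 'orders_api', account: 'svc_orders_api', database: 'orders', roles: [{ role: 'readWrite', db: 'orders' }] },
  { processName: 'reporting', account: 'svc_reporting', database: 'orders', roles: [{ role: 'read', db: 'orders' }] },
  { processName: 'legacy_batch', account: 'app_user', database: 'inventory', roles: [{ role: 'readWriteAnyDatabase', db: 'admin' }] },
  { processName: 'legacy_web', account: 'app_user', database: 'inventory', roles: [{ role: 'readWriteAnyDatabase', db: 'admin' }] },
];

console.log(leastPrivilegeViolations(PLAN));
console.log(serviceAccountCommand({ processName: 'orders_api', database: 'orders', role: 'readWrite', password: '<from passwordPrompt()>' }));
```

The plan check is the part worth wiring into review: run it over the account inventory before credentials are issued, and treat any "shared by" line as the audit gap the paragraph above describes, since a shared login cannot be traced back to a named process.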


Download the whitepaper, MongoDB Security Checklist: Essential Tactics Against Data Breaches, to read more about five other areas of security to consider.



About The Author

Phil Factor

Phil Factor (real name withheld to protect the guilty), aka Database Mole, has 30 years of experience with database-intensive applications. Despite having once been shouted at by a furious Bill Gates at an exhibition in the early 1980s, he has remained resolutely anonymous throughout his career.
