MongoDB World 2019: Securing Application Data from Day One
0 likes320 views
The document discusses key components and structures related to cloud application security, emphasizing the importance of prioritizing security in application development. It outlines features of the Stitch platform, including authentication options, data access, and rules for effective data management. Additionally, it highlights upcoming features, compliance achievements, and resources for getting started with Stitch.
![Rules for Data Access
{
"filters": [{
"name": "ActiveOnly",
"apply_when": {"%%true" : true},
"query": {"empStatus":"active"}
}, … ],
"roles": [{
name: "OwnData"
apply_when: {"userid":"%%user.id"}
"fields": {
"name": {"read": true},
"salary": {"read": true}}
},
"additional fields": {
"read": false,
"write": false
}}, … ],
"schema": {…}
}
Filters
Roles
Rules
Schema](https://image.slidesharecdn.com/applicationsecuritystitch-190717220736/85/MongoDB-World-2019-Securing-Application-Data-from-Day-One-21-320.jpg)
![Finding Data
User
db.collection.find()
(plus user info)
db.collection.find({"empStatus": "active"})
[{
userid: "101"
name: …,
salary: …,
empStatus:"active"
},{
userid: "404"
name: …,
salary: …,
empStatus: "terminated",
}]
Results
{
"name": "ActiveOnly",
"apply_when": {"%%true" : true},
"query": {"empStatus":"active"}
}
Filters contain an apply_when and a
Query which is appended to a request
[{
userid: "101"
name: …,
salary: …,
empStatus:"active"
}]](https://image.slidesharecdn.com/applicationsecuritystitch-190717220736/85/MongoDB-World-2019-Securing-Application-Data-from-Day-One-22-320.jpg)
![Finding Data
[{ userid: "101"
name: …
salary: …
empStatus: "active"}]
Roles are defined by Match statements,
evaluated per document, and assign a set of
Rules per document
User
{name: "OwnData",
apply_when: {"userid":"%%user.id"},
fields: {…}
}
[{ userid: "101"
name: …
salary: …
empStatus: "active"}]
userid: "101"](https://image.slidesharecdn.com/applicationsecuritystitch-190717220736/85/MongoDB-World-2019-Securing-Application-Data-from-Day-One-23-320.jpg)
![Finding Data
User
Each Role has a set of matching Rules that define
read and write access at the field-level
[{ userid: "101"
name: …
salary: …
empStatus: "active"}]
"fields": {
"name" :{ "read": true},
"salary":{"read": true}
},
"additional_fields": {
"read": false,
"write": false
}
userid: "101"
[{ userid: "101"
name: …
salary: …}]](https://image.slidesharecdn.com/applicationsecuritystitch-190717220736/85/MongoDB-World-2019-Securing-Application-Data-from-Day-One-24-320.jpg)
![JSON Schema
schema: {
bsonType: "object",
required: ["userid", "email", "name"],
properties: {
userid: {
bsonType: "objectid",
description: "The ID of the Stitch user"
},
email: {
bsonType: "string",
description: "must be a string and is required"
},
name: {
bsonType: "string",
description: "must be a string and is required"
}
}](https://image.slidesharecdn.com/applicationsecuritystitch-190717220736/85/MongoDB-World-2019-Securing-Application-Data-from-Day-One-26-320.jpg)
![Schema Validation
schema: {
bsonType: "object",
required: ["userid", "email", "name"],
properties: {
userid: {
bsonType: "objectid",
description: "The ID of the Stitch user"
},
email: {
bsonType: "string",
validate: {"%%true": {
"%function": {
"name": "isValid",
"arguments": ["%%user", "%%this"]}
}},
description: "must be a string and is not required"
},
name: {
bsonType: "bool",
description: "True if the data is a secret"
}
[...]](https://image.slidesharecdn.com/applicationsecuritystitch-190717220736/85/MongoDB-World-2019-Securing-Application-Data-from-Day-One-27-320.jpg)
MongoDB World 2019: Securing Application Data from Day One
- 1. Drew DiPalma – Sr. Product Manager, Cloud Application Security from Day 1
- 2. How often do you put the security of your application first?
- 3. Traditional Application Structure Presentation UI Components UI Process Components Business Business Workflow Business Components Business Entities Application Facade Data Data Access Components Data Helper Utilities Server Agents Data Sources Users External Systems Service Interface
- 4. Let’s break down the pieces – Data Users Systems API Hosting Data Access Business Logic / Integrations
- 5. What do we trust? Data Users Systems API Hosting Data Access Data Users Systems API Hosting Data Access Business Logic / Integrations Requests from the browser? Users? Integrity/Security Of upstream services Connection between the browser and app? Endpoints between Services?
- 6. Presentation UI Components UI Process Components Business Business Workflow Business Components Business Entities Application Facade Data Data Access Components Data Helper Utilities Server Agents Data Sources Users External Systems Benefits of a platform Automatic initial configuration of security Regular penetration testing and security audits Streamlined assessment, updates, and patches Strict access and storage policies Data Users Systems API Hosting Data Access Business Logic / Integrations
- 7. QueryAnywhere Simple, streamlined syntax for data access, robust access rules, hosting included Build full apps for iOS, Android, Web, and IoT Functions Integrate server-side logic + microservices + cloud services Power apps with Server-side logic, or enable Data as a Service with custom APIs. Triggers Real-time notifications let your application functions react in response to database changes App responds immediately to change Mobile Sync Automatically synchronizes data between documents held locally in MongoDB Mobile and your backend database (Beta) Stitch provides services to build applications –
- 8. • Write generic requests from applications • Rule-based Access set by Asset/Document SDKs: • JavaScript, Android, and iOS SDKs • Integrated Authentication, Database, and Service requests Stitch Rules: • Fine-grained access rules relating to all aspects of Stitch • Access to context from users, request, external services, functions, etc. Stitch (Authentication & Access rules) Application (Stitch SDK) MongoDB Stitch QueryAnywhere
- 9. Stitch Functions • Stitch is a set of servers that process requests Requests: • Single actions for Database or Services • Or executing a Stitch Function • Integrated with Stitch’s Rules Functions: • Scalable, hosted JavaScript (ES6) Functions • Integrated with application context • User, Request, Services, Values, etc. Stitch Functions addtoCart calcStats … sendMail Application (Stitch SDK) MongoDB
- 11. Authentication Overview Stitch provides built-in Authentication: § Anonymous § Email/Password § API Key § Facebook/Google § Custom Authentication Alternatively, use an auth library like Passport.js, Auth0, or Cognito § Authenication links request to identity § Users want options for authentication § Credential storage introduces risk § Auth frameworks provide choice, stability and scalability
- 12. Authentication with Stitch StitchClientExternal Auth Provider 1 1-2. If using Facebook, Google, or Custom Auth user completes a separate auth flow. 3 2 3. Stitch receives the token/ credential and validates it. 4. Stitch returns an access/ refresh token to the client. Any Auth triggers associated with the provider run. On initial log-in a user may be created. 4
- 13. Data Access
- 14. Authorization Overview Stitch provides Rule-based access for: § Read § Write § Authentication § Function/Service calle Alternatively, use info about the user and authentication context to assign a role for server-side access Alternatives: § RBAC – Create roles that users inherit permissions from § ABAC – Center rules around assets within your application § Rules-based – Create a rules that evaluate It can be easy to start by access choices on a per-call basis, but…
- 15. ELB Stitch Request Processing Atlas Stitch Metadata 1 Services The user requests to run a function and Stitch SDKs check authentication, refreshing if necessary. 1 Authentication Check User Stitch Function Access
- 16. ELB Stitch Request Processing Atlas Stitch Metadata 2 Services Stitch requests hit a load balancer which distributes them across available capacity within a region. 2 Load Balancer User Stitch Function Access
- 17. ELB Stitch Request Processing Atlas Stitch Metadata 3 Services Stitch requests are processed by a set of multi-tenant Go servers. Each request is run within a goroutine. All JavaScript is run by Otto. 3 Request Processor User Stitch Function Access
- 18. ELB Stitch Request Processing Atlas Stitch Metadata 4 Services Stitch coordinates with a metadata instance used for: application definition, authentication, end-user information, and logs. For functions, Stitch will check if the user has the permissions to run it. 3 Stitch Metadata User Stitch Function Access
- 19. ELB Stitch Core Request Processing Atlas Stitch Metadata 4 Services When Stitch works with Atlas it keeps connections alive and pools whenever possible. Service interactions are done over standard HTTPS. All requests are subject to rules and Atlas requests have Read, Write, and Validation rules 4 Service Coordination User Stitch Function Access
- 20. Data Access in Practice { "userid":"101", "name": "Bernice Herrera", "employeeId": 53164957, "zip": 2082, "position": "IT Manager", "manager": "Ralph McBride", "hiringDate": ISODate("2017-05-02"), "employeeSource": "website ads", "salary": 205000, "gender": "female", "dob": ISODate("1972-10-02"), "citizenship": "Australia", "email": "[email protected]", "empStatus": "active" } Sensitive Information
- 21. Rules for Data Access { "filters": [{ "name": "ActiveOnly", "apply_when": {"%%true" : true}, "query": {"empStatus":"active"} }, … ], "roles": [{ name: "OwnData" apply_when: {"userid":"%%user.id"} "fields": { "name": {"read": true}, "salary": {"read": true}} }, "additional fields": { "read": false, "write": false }}, … ], "schema": {…} } Filters Roles Rules Schema
- 22. Finding Data User db.collection.find() (plus user info) db.collection.find({"empStatus": "active"}) [{ userid: "101" name: …, salary: …, empStatus:"active" },{ userid: "404" name: …, salary: …, empStatus: "terminated", }] Results { "name": "ActiveOnly", "apply_when": {"%%true" : true}, "query": {"empStatus":"active"} } Filters contain an apply_when and a Query which is appended to a request [{ userid: "101" name: …, salary: …, empStatus:"active" }]
- 23. Finding Data [{ userid: "101" name: … salary: … empStatus: "active"}] Roles are defined by Match statements, evaluated per document, and assign a set of Rules per document User {name: "OwnData", apply_when: {"userid":"%%user.id"}, fields: {…} } [{ userid: "101" name: … salary: … empStatus: "active"}] userid: "101"
- 24. Finding Data User Each Role has a set of matching Rules that define read and write access at the field-level [{ userid: "101" name: … salary: … empStatus: "active"}] "fields": { "name" :{ "read": true}, "salary":{"read": true} }, "additional_fields": { "read": false, "write": false } userid: "101" [{ userid: "101" name: … salary: …}]
- 25. Updating Data
- 26. JSON Schema schema: { bsonType: "object", required: ["userid", "email", "name"], properties: { userid: { bsonType: "objectid", description: "The ID of the Stitch user" }, email: { bsonType: "string", description: "must be a string and is required" }, name: { bsonType: "string", description: "must be a string and is required" } }
- 27. Schema Validation schema: { bsonType: "object", required: ["userid", "email", "name"], properties: { userid: { bsonType: "objectid", description: "The ID of the Stitch user" }, email: { bsonType: "string", validate: {"%%true": { "%function": { "name": "isValid", "arguments": ["%%user", "%%this"]} }}, description: "must be a string and is not required" }, name: { bsonType: "bool", description: "True if the data is a secret" } [...]
- 28. Streamlining Performance Performance hinges on assets evaluated in a request. § Use Filters to limit the data sent to the server and checked § Project out unnecessary fields to skip their evaluation § Use Functions run as System to avoid rules when appropriate
- 29. Demo
- 30. Stitch Roadmap Rules • Additional Rules Context • Function-enhanced Rules • Caching for Rules evaluation • Alerts on permissive Rules Authentication • UI Elements for Auth • Function-based Authentication • Configurable email/password confirmation flows • Apple Sign-in support Development • Automatic Github Deployment • Draft deploys for Stitch UI • Better API Creation Support • Static Hosting GA • Additional Watch() support Stitch has recently announced HIPAA and ISO compliance
- 31. What’s Next? Get started at stitch.mongodb.com Stitch § Tutorial: Modern Web Dev with MongoDB Stitch – 12:45pm Tuesday – Naussau § Check out the Stitch POD on Wednesday! Realm § REST-less Mobile Apps – 9:00am Tuesday – Rhinelander South § Realm: The Secret Sauce for Better Mobile Apps – 3:00pm Tuesday – Murray Hill § Check out the Realm Mobile POD on Wednesday
- 33. Titles on one line looks so much better First line of copy is not bulleted. Use bold or green font treatment to place emphasize on content. § Bullet one - use Paragraph > Increase List Level to add bullet § Bullet two – click Increase List Level again for next level bullet § Bullet three – click Increase List Level again for next level bullet