When data is stored anywhere, the question of security is bound to come up. How do you secure the users and the data, and make sure only valid queries reach the database? MongoDB, like most database management systems, has recommendations for this, and so does its community.

Authentication is verifying that a client is who it claims to be. Authorization is giving each authenticated user only the rights it needs and nothing more. For example, most users of an eCommerce site just want to buy things: the application reads the catalogue from the database on their behalf, but the account it connects with should not be able to edit or delete products. Note that a fresh mongod enforces neither: access control is off until security.authorization is set to enabled in the config file (or mongod is started with --auth), so a server with no authentication configured accepts any client that can reach its port. Once it is on, MongoDB provides a few different ways to authenticate.

SCRAM, the Salted Challenge Response Authentication Mechanism, is the default. The server presents the client with a challenge (a salt, an iteration count and a nonce) and the client has to answer with a proof computed from the password and that challenge. The password itself never crosses the wire and the server stores only keys derived from it, but it is still password security, so it is only as strong as the password; I'll come back to that later. MongoDB supports SCRAM-SHA-1 and, since 4.0, SCRAM-SHA-256; prefer the latter. X.509 authentication is also available in the community edition: over a TLS connection each client presents a certificate issued by a CA the server trusts (what most people recognise as SSL certificates), and the certificate's subject name is the username. Because the secret is a private key rather than a memorised password, it is much harder to guess or phish. Both of these are client authentication. Cluster (internal) authentication is separate: members of a replica set or sharded cluster must prove membership before they are allowed to join and replicate the data, either with a shared keyfile (the secret handshake, configured with security.keyFile) or with X.509 certificates (security.clusterAuthMode set to x509).

Authorization in MongoDB is role based. Each user is assigned one or more roles, and each role is a set of privileges: a resource (a database, a collection, or the whole cluster) paired with the actions allowed on it, such as find, insert, update, remove or createIndex. Roles can also inherit other roles. MongoDB ships with built-in roles per database (read, readWrite, dbAdmin, userAdmin, and cluster-wide ones such as clusterAdmin and root), and you can define your own with createRole when none of those fits. Not everyone accessing your database needs write access, and not everyone needs read access to every collection either. Give each application its own user, limit what rights each role has, and assign them accordingly: the user that serves the storefront should have read on the catalogue and nothing at all on the collection that holds customer accounts.

Encryption can happen at different points: in transit, while data moves between client and server, and at rest, on disk. In transit that means TLS (net.tls.mode set to requireTLS, with a certificate and a CA file), which also stops the SCRAM exchange and any password in a connection string from being sniffed. At rest, MongoDB Enterprise ships an encrypted storage engine; on the community edition you rely on disk or volume encryption from the operating system or cloud provider. Either way, if someone made a copy of the database files, they would still need the encryption key to read the data. For the most sensitive fields there is also client-side field level encryption, where the driver encrypts a field before it ever reaches the server, so a dump of the database, or a compromised server, exposes only ciphertext for those fields. These are complementary ways of securing your data, not alternatives.

MongoDB has no built-in account lockout after repeated failed logins. That is great for anyone trying to brute force their way into your data, so you have to compensate: keep the server off the public internet (net.bindIp and a firewall), watch the log for bursts of authentication failures, and above all use passwords that cannot be guessed. The usual advice is at least one capital letter, a number and a special character (!@#$%&*). Substituting numbers for letters, 3s for Es and the like, adds almost nothing against dictionary attacks, because cracking tools apply exactly those substitutions as rules. What does help is length: a passphrase of several randomly chosen words, the approach of the well-known XKCD "Password Strength" comic, has far more entropy than an eight-character "complex" password, and with SCRAM-SHA-256 every guess costs the attacker a full PBKDF2 derivation. No password is unbeatable, but a long random one, combined with the tips above and a database that is not reachable from the internet, is not where the attacker will get in.

© 2022 RS ITHub
