
Introduction to MongoDB Security and Authentication

October 12th, 2017

Security is very important for any online database or online business. We will first discuss why you need to secure your database, and then how to secure it with MongoDB.

First of all, let's look at one real security incident:

Niall Merrigan, a security researcher and Microsoft developer based in Norway, tracked the MongoDB ransom incidents of early 2017, and in a single day he saw the number of compromised instances more than double, from 12,000 to 27,633.

Why Do You Need to Secure Your Database?

Data saved in the database is really important for any organization. It can be confidential or very sensitive, something you do not want to share with outsiders, but there are many attackers constantly trying to access your data without your permission or knowledge.

In the incidents above, attackers connected to databases, copied or simply deleted everything, and left a ransom note promising the return of the data for a fee. No exploit was involved: the affected instances were reachable from the internet with authentication disabled, so anyone who could open a connection could read and drop the data.

How Can You Secure a MongoDB Database?

Now, let's discuss how to secure MongoDB against attackers. There are four areas to cover: authentication, authorization, auditing and encryption. Before any of them, make sure the server is not listening on a public interface without credentials: set security.authorization to enabled in mongod.conf (or start mongod with --auth) and restrict net.bindIp to the addresses that actually need to reach it. The ransom incidents above hit instances that were missing exactly that.


Authentication


Authorization and authentication are often used interchangeably, but they are two very different things. Authentication is the process by which we verify the identity of a user, whereas authorization is the process by which we determine the privileges of a user.

The best way to think about it is that authentication answers the question, “Who are you?” Whereas authorization answers the question, “What do you have access to?” I can be authenticated to a system, but I might not be authorized to control a certain resource.


We can divide authentication mechanisms into two categories. There is client and user authentication, which deals with how clients of the database authenticate to MongoDB. Then there is internal authentication, which is how the members of a replica set or sharded cluster authenticate to one another. These are the mechanisms MongoDB supports (as of the version current when this post was written):

Client and user authentication:
  • SCRAM-SHA-1, the default since MongoDB 3.0: a salted challenge-response in which the password itself never crosses the wire (SCRAM-SHA-256 was added later, in 4.0)
  • MONGODB-CR, the legacy challenge-response mechanism, deprecated since 3.0 and removed in 4.0
  • x.509 client certificates
  • LDAP proxy authentication (MongoDB Enterprise)
  • Kerberos (MongoDB Enterprise)

Internal authentication:
  • Keyfile, a shared secret that each member uses as its SCRAM password
  • x.509 member certificates

When authorization is first enabled there are no users yet, so MongoDB allows one connection from localhost without credentials (the localhost exception) to create the first user administrator; after that user exists the exception closes.

Authorization


MongoDB follows a straightforward and common authorization model, role-based access control (RBAC). As the name implies, for any given user we assign one or more roles, and each role grants privileges over a given namespace: a database, a collection, or the whole cluster.

Why Role-Based Access Control?

The best way to describe why MongoDB uses role-based access control is that it gives us a high level of responsibility isolation for operational tasks. Across an organization there will be many different people who need access to the database, and each of them has very different needs: a reporting job needs read access to one database, an application needs read and write access to its own collections, a DBA needs to manage indexes and users, and an operator needs to monitor the cluster but should not be able to read application data. Roles let each of them receive exactly that and nothing more.


Built-in Roles

MongoDB comes with a set of general-purpose built-in roles that match the responsibilities commonly found within an organization. They fall into the following categories:

  • Database user roles: read, readWrite
  • Database administration roles: dbAdmin, userAdmin, dbOwner
  • Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
  • Backup and restore roles: backup, restore
  • All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
  • Superuser role: root

Built-in roles other than the all-database and cluster roles are granted on a specific database; for example, readWrite on products grants nothing on orders.

User-Defined Roles

That said, sometimes we have specific requirements that no built-in role fits exactly. Let's look at the different parts that make up a user-defined role.

When we create a role, we create it on a specific database, so the role name together with the database it was created on identifies the role uniquely. After giving the role a name, you specify which other roles it should inherit privileges from. It is important to note that a role created on any database other than admin can only include privileges on resources in that same database and can only inherit roles defined on that same database. For example, a role defined in the products database cannot inherit a role from the orders database, nor grant access to collections in orders. Roles created on the admin database are the exception: they can hold privileges on any database, on the cluster, and inherit roles from any database.


Actions

You can think of actions as verbs and resources as the subjects of those verbs. MongoDB defines many actions, for example find, insert, update and remove for reading and writing data; createCollection, dropCollection, createIndex and dropDatabase for managing a database; createUser and grantRole for managing users and roles; and shutdown, serverStatus and listDatabases for administering and diagnosing the server. A privilege pairs a list of actions with one resource.


Resources

Resources are the subjects of our actions; their state or behaviour is what an action changes. MongoDB has four kinds of resource: a collection, a database, the cluster, and the special anyResource. Each is written as a resource document inside a privilege: { db: "products", collection: "catalog" } names one collection, { db: "products", collection: "" } every collection in a database, { db: "", collection: "catalog" } the collections of that name in every database, { db: "", collection: "" } every ordinary collection in every database, { cluster: true } the whole deployment, and { anyResource: true } every resource including system collections, which is intended for internal use rather than for ordinary roles.
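The following is an added example, not MongoDB's own code, that ties the user-defined role, actions and resources sections together: it builds the createRole command document a client would send and checks it against the scoping rules described above before anything reaches the server. The products database is the one from the text; the catalogEditor role and the catalog collection are constructed for the example.

```javascript
// Added example (not MongoDB's code): build a createRole command document and
// check it against the scoping rules from the MongoDB documentation before it
// is sent, so a mistake is caught by the application instead of by mongod.

// Classifies a privilege's resource document, or throws if it is not one of
// the three forms MongoDB accepts.
function resourceKind(resource) {
  const keys = Object.keys(resource).sort().join(",");
  if (keys === "collection,db" && typeof resource.db === "string" && typeof resource.collection === "string") {
    return "namespace"; // db: "" means every database, collection: "" every collection
  }
  if (keys === "cluster" && resource.cluster === true) return "cluster";
  if (keys === "anyResource" && resource.anyResource === true) return "anyResource";
  throw new Error(`malformed resource document: ${JSON.stringify(resource)}`);
}

// privileges: [{ resource, actions }], inheritedRoles: [{ role, db }].
// Returns the document for db.runCommand(); db.createRole() takes the same
// fields with "createRole" renamed to "role".
function buildCreateRole(dbName, roleName, privileges, inheritedRoles = []) {
  const isAdmin = dbName === "admin";
  for (const { resource, actions } of privileges) {
    if (!Array.isArray(actions) || actions.length === 0) {
      throw new Error(`privilege on ${JSON.stringify(resource)} lists no actions`);
    }
    const kind = resourceKind(resource);
    // Cluster-wide and anyResource privileges may only live in roles on admin.
    if (!isAdmin && kind !== "namespace") {
      throw new Error(`${kind} privileges are only allowed in roles created on admin`);
    }
    // A role on any other database may only cover that database.
    if (!isAdmin && resource.db !== dbName) {
      throw new Error(`role ${dbName}.${roleName} cannot grant privileges on database "${resource.db}"`);
    }
  }
  for (const r of inheritedRoles) {
    if (!isAdmin && r.db !== dbName) {
      throw new Error(`role ${dbName}.${roleName} cannot inherit ${r.db}.${r.role}`);
    }
  }
  return { createRole: roleName, privileges, roles: inheritedRoles };
}

// A role on the products database that may read and modify one collection
// and inherits read on the same database (role and collection names are
// constructed for this example).
function catalogEditorRole() {
  return buildCreateRole(
    "products",
    "catalogEditor",
    [{ resource: { db: "products", collection: "catalog" }, actions: ["find", "insert", "update"] }],
    [{ role: "read", db: "products" }]
  );
}

console.log(JSON.stringify(catalogEditorRole(), null, 2));
```

Feeding the returned document to db.runCommand() in the mongo shell while connected to the products database creates the role; the thrown errors correspond to the cases mongod itself would reject, such as a products role that tries to cover orders or to include a cluster privilege.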


Auditing

Auditing is an enterprise feature of MongoDB, and for certain organizations and administrators it is a very important part of the security infrastructure. There are three main use cases: accountability of the users of the database, investigation of suspicious activity, and monitoring and gathering data about specific database activities. The audit log records events such as authentication attempts, user and role changes, schema changes, and replica set and sharding operations; the auditLog.destination setting sends it to the console, to syslog, or to a file in JSON or BSON format, and auditLog.filter restricts which events are written so the log stays useful rather than noisy.
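As an added example of the second use case, investigating suspicious activity, here is detection logic in Node.js run over audit log lines in MongoDB's JSON format. The lines are constructed for this example in the shape of MongoDB audit events (they are not from a real deployment), and the sample reproduces the pattern of the ransom incidents: a burst of failed logins from one address followed by a dropDatabase with no authenticated user. This is not part of the original post.

```javascript
// Added example: detection logic over MongoDB audit log lines (JSON format,
// auditLog.destination: file, auditLog.format: JSON). The sample lines below
// are constructed for this example in the shape of MongoDB audit events; they
// are not from a real deployment. Result code 18 is MongoDB's
// AuthenticationFailed error code; result 0 means success.
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2017-10-12T09:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51234},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-10-12T09:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51235},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-10-12T09:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51236},"users":[],"roles":[],"param":{"user":"mongo","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-10-12T09:00:04.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51237},"users":[],"roles":[],"param":{"user":"test","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-10-12T09:05:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":40010},"users":[{"user":"app","db":"products"}],"roles":[{"role":"readWrite","db":"products"}],"param":{"user":"app","db":"products","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"authenticate","ts":{"$date":"2017-10-12T09:06:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.21","port":40011},"users":[],"roles":[],"param":{"user":"app","db":"products","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"dropDatabase","ts":{"$date":"2017-10-12T09:07:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51240},"users":[],"roles":[],"param":{"ns":"products"},"result":0}',
  '{"atype":"dropCollection","ts":{"$date":"2017-10-12T10:00:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40500},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"dbAdminAnyDatabase","db":"admin"}],"param":{"ns":"orders.tmp_import"},"result":0}',
].join("\n");

// One JSON document per line; blank lines are skipped.
function parseAuditLog(text) {
  return text.split("\n").filter((l) => l.trim() !== "").map((line) => JSON.parse(line));
}

// Failed authentications grouped by source address, reported once a source
// reaches the threshold (a crude but effective brute-force / scanner signal).
function failedAuthBySource(events, threshold = 3) {
  const counts = new Map();
  for (const e of events) {
    if (e.atype === "authenticate" && e.result === 18) {
      counts.set(e.remote.ip, (counts.get(e.remote.ip) || 0) + 1);
    }
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([ip, n]) => ({ ip, failures: n }));
}

// Successful destructive operations with the principal that ran them; an empty
// users array means the connection was never authenticated.
function destructiveOps(events) {
  return events
    .filter((e) => (e.atype === "dropDatabase" || e.atype === "dropCollection") && e.result === 0)
    .map((e) => ({
      atype: e.atype,
      ns: e.param.ns,
      by: e.users.map((u) => `${u.user}@${u.db}`).join(",") || "(unauthenticated)",
      from: e.remote.ip,
    }));
}

function report(text) {
  const events = parseAuditLog(text);
  return { bruteForce: failedAuthBySource(events), destructive: destructiveOps(events) };
}

console.log(JSON.stringify(report(SAMPLE_AUDIT_LOG), null, 2));
```

The same two queries can be expressed as an auditLog.filter on the server side (for example a filter on atype and result) if you only want these events written in the first place; the advantage of doing it in a separate tool is that the audit file remains a complete record for the first use case, accountability.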


Encryption


Encryption plays an important part in any security infrastructure. Here we discuss the different encryption options that MongoDB supports.

There are two discrete categories of encryption with regard to MongoDB:

  • Transport encryption 
  • Encryption at rest

Transport encryption, as the name implies, refers to encrypting information over network traffic between the client and the server. Encryption at rest concerns actually encrypting the data that we store on disk.


Transport Encryption

Transport encryption refers to encrypting the traffic between client and server, and between the members of a replica set or sharded cluster, with TLS/SSL. In mongod.conf this is the net.ssl section (renamed net.tls in MongoDB 4.2): net.ssl.mode set to requireSSL makes the server accept only encrypted connections, net.ssl.PEMKeyFile points to the server's certificate and private key, and net.ssl.CAFile to the CA used to validate peer certificates. Drivers connect with ssl=true in the connection string and should verify the server certificate rather than disabling validation, otherwise the encryption protects against passive eavesdropping only, not against a man in the middle.


Encryption at Rest

Storage engine encryption, available in MongoDB Enterprise with the WiredTiger storage engine, is a four-step process. As a database administrator, all of the steps are abstracted away from you, but they are important to understand in order to deliver a secure implementation. First, a master key is obtained, either from an external KMIP key management server or from a local keyfile (the latter is meant for testing, since a key stored next to the data it protects adds little). Second, a separate key is generated for each database. Third, the master key is used to encrypt each of those database keys. Fourth, each database key encrypts that database's data on disk, with AES256-CBC by default or AES256-GCM if configured. Because the master key is never written to disk in the clear alongside the data, rotating it only requires re-encrypting the database keys, not the data itself.

Application-level encryption was not a feature of MongoDB at the time of writing (client-side field level encryption was added later, in version 4.2). To encrypt a document or a field within our data, we write custom encryption and decryption routines in our application, or use a commercial solution for encryption within the application. The benefit is that the database server never sees the plaintext, so a compromised server or a leaked backup exposes only ciphertext; the cost is that an encrypted field can at best be matched by exact equality and cannot be range-queried or usefully indexed.


I have explained some common but important aspects of database security with MongoDB. Try them out and tell us in the comments what challenges you face with your database security.


Author: ahir