Secure Sharding in Mongo DB KTH Applied Information

Secure Sharding in Mongo. DB KTH Applied Information Security Lab Presented By: Anam Zahid Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Agenda n n n Scaling Mongo. DB’s Approach Architecture Mechanism Proposed Architecture KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Scaling n Scaling UP (Vertical Scaling) – Addition of more CPUs and Storage Capacity 64 MB KTH Applied Information Security Lab 64 MB 64 MB Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Scaling n Scaling OUT (Horizontal Scaling) – Distribution of data across multiple servers KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Mongo. DB’s Approach n Sharding (horizontal scalability) – A method to store data across multiple machines/shards – Supports deployments with very large datasets – Maintains high throughput operations KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Mongo. DB’s Approach n KTH Applied Information Security Lab Sharding Advantages – Reduces the number of operations each shard handles – Reduces the Amount of data that each server stores – Make the Cluster invisible for Clients – Ensures Cluster availability for reads and writes – Easy scaling out Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Sharding Architecture KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Sharding with Replica Set KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Mechanism Shards – Master slave , Replica Sets or Mongod instances n Configuration Servers – Exactly 3 for production – Contains meta-data n Routing Instances – Direct interface with client application – Can be many in number – Also act as a balancer for chunk migration n KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Mechanism Sharding on per collection basis n Based on shard keys n Default chunk size is 64 MB n KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Mechanism n Two basic operations – Chunk Splitting – Chunk Migration KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Proposed Architecture Encryption/Decryption Layer Key Distribution Store KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Shard C Shard B Shard A 9 Encryption/Decryption Engine Config. Server 8 7 6 5 Key Distribution Store Query Router 4 Authorization Authentication KTH Applied Information Security Lab 10 2 1 3 Client Application Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Proposed Architecture 1. 2. 3. 4. Client Application sends Login Request to authentication Module Authentication Module authenticates it on the basis of certificate and sends reply back to client application Client application sends query to authorization server. The Authorization server generates policies and maps user policies with user profile. Then it verifies user query against user policy. In case of successful authorization, authorization server sends the query to Query Router KTH Applied Information Security Lab Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Proposed Architecture 5. 6. 7. 8. 9. KTH Applied Information Security Lab 10. Query router get meta-data information about shards from the configuration server/s It then looks for appropriate shard/s on the basis of query parameters Query router sends query request to encryption/decryption Engine The encryption/Decryption Engine requests key distribution store for encryption key The Engine requests data from appropriate shards, decrypt it and sends the response back to query router. Query router forwards this data to Client Application Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

KTH Applied Information Security Lab Thank You Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad