MongoDB Certified: Best Practices for At-Rest Encryption Tools
At-Rest Encryption tools that provide support for MongoDB should conform to the following Best
Practices for certification against MongoDB Enterprise.
● MongoDB Enterprise: https://www.mongodb.com/products/downloads/mongodb-enterprise
Deployment
Tools should support MongoDB deployments that are hosted on Windows or Linux platforms.
Encryption
Tools should support advanced encryption capabilities that are supported by broad industry
standards bodies.
Tools should provide encryption capabilities that are transparent to MongoDB and do not interfere
with standard database operation.
Tools should provide encryption capabilities that offer compliance with PCI-DSS, HIPAA HITECH,
FERPA, Sarbanes-Oxley (SOX), UK Data Protection.
Management
Tools should provide a centralized mechanism or infrastructure to create and deploy encryption keys,
policies, and controls.
Tools should store encryption keys separate from encrypted data to minimize security risks in case of
data breach.
Access Control
Tools should provide the ability to design and implement access control policies with individual user-level granularity.
Tools should support access control mechanisms that prevent accessing data within and outside of
MongoDB.
Auditing
Tools should audit and log actions that are monitored by policy controls for unauthorized access.
Performance
Tools should not significantly impact the performance of a MongoDB deployment, and a performance
profile or metrics must be submitted with the certification application. The performance test should
consist of a simple client-server test using the instructions found in the appendix below. Note:
measurements are for internal validation only and will not be shared externally.
Appendix
Performance Testing
To measure performance, please conduct the following tests in an environment of your choice (bare
metal, virtualized, cloud). The tests consist of ascertaining an initial baseline given the testing
environment and then conducting the same tests with your software enabled.
● 2 nodes will be required - one running MongoDB, the other to generate the workload
● The MongoDB setup should be very minimal, simply download and run it with the default
settings. Or you can use our packaging for yum or apt based distros. See here for complete
instructions: http://docs.mongodb.org/manual/administration/install-on-linux/.
● For load generation, use the MongoDB fork of YCSB: http://github.com/achille/YCSB
● Create a new workload file and incorporate the following parameters (those not noted can
remain at their defaults):
  ○ readproportion=0.5
  ○ updateproportion=0.5
  ○ scanproportion=0
  ○ insertproportion=0
  ○ requestdistribution=zipfian
  ○ recordcount=[ greater than system memory assuming 1KB records ]
  ○ operationcount = [ half of system memory assuming 1KB records ]
● Execute the workload first with the “load” phase and next with the “run” phase:
  ○ Load:
    $ bin/ycsb load mongodb -s -P yourWorkloadFile -p mongodb.url=mongodb://hostname:port -threads [two per core]
  ○ Run:
    $ bin/ycsb run mongodb -s -P yourWorkloadFile -p mongodb.url=mongodb://hostname:port -threads [two per core]
● Capture the output of both phases for each test, baseline and with your software and include
with certification application.
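
An added example (not part of the MongoDB document): shell helpers that derive the workload parameters above from the MongoDB node's memory and core count, and compute the throughput lost between the baseline run and the run with encryption enabled. The function names, the 125% recordcount factor, and the assumption that the captured output contains YCSB's usual "[OVERALL], Throughput(ops/sec), N" summary line are choices made for this example.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling. Function names are hypothetical.

# workload_params MEM_KB [FACTOR_PCT]
# Prints the parameters the appendix lists. With 1KB records, one record
# corresponds to one KB of RAM, so MEM_KB doubles as "records that fit in memory".
# FACTOR_PCT (assumed default 125) is how far recordcount exceeds system memory.
workload_params() {
  local mem_kb="$1" factor="${2:-125}"
  cat <<EOF
readproportion=0.5
updateproportion=0.5
scanproportion=0
insertproportion=0
requestdistribution=zipfian
recordcount=$(( mem_kb * factor / 100 ))
operationcount=$(( mem_kb / 2 ))
EOF
}

# threads_for CORES -> value for -threads (two per core)
threads_for() { echo $(( $1 * 2 )); }

# ycsb_throughput FILE -> ops/sec taken from the [OVERALL] summary line
ycsb_throughput() {
  awk -F', *' '$1 == "[OVERALL]" && $2 ~ /^Throughput/ { print $3; exit }' "$1"
}

# overhead_pct BASELINE_OUT ENCRYPTED_OUT -> percent of baseline throughput lost
overhead_pct() {
  local b e
  b=$(ycsb_throughput "$1"); e=$(ycsb_throughput "$2")
  [ -n "$b" ] && [ -n "$e" ] || { echo "no throughput line found" >&2; return 1; }
  awk -v b="$b" -v e="$e" 'BEGIN { printf "%.1f\n", (b - e) / b * 100 }'
}

# Typical use; read MemTotal on the MongoDB node, since that is the memory
# the data set has to exceed:
#   workload_params "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" >> yourWorkloadFile
#   overhead_pct baseline-run.out encrypted-run.out
```

Compare the "run" phase outputs of the two tests; the "load" phase outputs can be compared the same way to see the write-path cost of encryption.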