
Dear #MongoDB users, we welcome you in #Azure #DocumentDB

[Category: Databases (General) | Posted by: 店小二03 | Date: 2017 | Author: 红领巾]

First and foremost, security is our priority

Microsoft makes security a priority at every step, from code development to incident response. Azure code development adheres to Microsoft’s Security Development Lifecycle (SDL) - a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring. Azure is ubiquitous, with a global footprint approaching nearly 40 geographical regions and continuously expanding. With its worldwide presence, one of the differentiated capabilities Azure offers is the ability to easily build, deploy, and manage globally distributed data-driven applications that are secure.

Azure DocumentDB is Microsoft's multi-tenant, globally distributed database system designed to enable developers to build planet-scale applications. DocumentDB allows you to elastically scale both throughput and storage across any number of geographical regions. The service offers guaranteed low latency at P99, 99.99% high availability, predictable throughput, and multiple well-defined consistency models, all backed by comprehensive enterprise-level SLAs. By virtue of its schema-agnostic and write-optimized database engine, by default DocumentDB is capable of automatically indexing all the data it ingests and serving SQL, MongoDB, and JavaScript language-integrated queries in a scale-independent manner.

DocumentDB has a number of powerful security features built in. To secure data stored in an Azure DocumentDB database account, DocumentDB supports a secret-based authorization model that uses a strong hash-based message authentication code (HMAC). In addition to the secret-based authorization model, DocumentDB also supports policy-driven, IP-based access controls for inbound firewall support. This model is very similar to the firewall rules of a traditional database system and provides an additional level of security for the DocumentDB database account. With this model, you can configure a DocumentDB database account to be accessible only from an approved set of machines and/or cloud services. Once this configuration is applied, all requests originating from machines outside this allowed list are blocked by the server. Access to DocumentDB resources from these approved machines and services still requires the caller to present a valid authorization token. All communication inside the cluster in DocumentDB (e.g., replication traffic) uses SSL. All communication from Mongo (or any other client) to the DocumentDB service always uses SSL. To learn more about securing access to your data in DocumentDB, see Securing Access to DocumentDB Data.
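The two layers described above (IP allow list first, then an HMAC-based token that an approved machine must still present) can be modelled as a small request gate. This is an added example, not code from the original post or from DocumentDB; the string-to-sign layout, function names, networks and key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample values: documentation-range networks and a made-up key.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()


def sign_request(key_b64, verb, resource_type, resource_link, date):
    """Client side: base64 HMAC-SHA256 over the request fields (layout assumed here)."""
    payload = "\n".join([verb.lower(), resource_type.lower(), resource_link, date.lower()]) + "\n"
    mac = hmac.new(base64.b64decode(key_b64), payload.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorize(source_ip, token, verb, resource_type, resource_link, date):
    """Server side: IP filter first, then the token check. Returns (allowed, reason)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "blocked by IP filter"  # unparseable source address: fail closed
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "blocked by IP filter"
    # Being on the allow list is not enough: the caller must also hold the key.
    expected = sign_request(ACCOUNT_KEY, verb, resource_type, resource_link, date)
    # compare_digest runs in constant time, so the comparison leaks no prefix match.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "invalid authorization token"
    return True, "ok"


def demo():
    """Run four constructed requests through the gate and return the decisions."""
    req = ("GET", "docs", "dbs/demo/colls/orders", "Tue, 01 Nov 2016 10:00:00 GMT")
    good = sign_request(ACCOUNT_KEY, *req)
    return [
        authorize("203.0.113.10", good, *req),              # allowed IP, valid token
        authorize("192.0.2.55", good, *req),                # valid token, IP not listed
        authorize("203.0.113.10", "A" * len(good), *req),   # allowed IP, forged token
        authorize("203.0.113.10", good, "POST", *req[1:]),  # token reused on another verb
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the verb and resource are part of the signed payload, a token captured for one request does not authorize a different one.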

The table below maps current DocumentDB features to the security checklist that MongoDB recommends.

| Checklist Item | Status |
| --- | --- |
| Enable Access Control and Enforce Authentication | Enabled by default. Only discovery/authentication commands like IsMaster/GetLastError/WhatsMyUri are supported before authentication. |
| Configure Role-Based Access Control | Each DatabaseAccount has its own key. Support for ReadOnly keys to limit access. No default user/account present. |
| Encrypt Communication | We do not allow non-SSL communication; all communication to the service is always over SSL. DocumentDB requires TLS 1.2, which is more secure than TLS 1, SSL 3. |
| Encrypt and Protect Data | Encryption at rest |
| Limit Network Exposure | IP Filtering |
| Audit System Activity | We audit all APIs and all system activities, and plan to expose it to customers using Portal shortly (today we already expose it to customers when they ask for it). |
| Run MongoDB with a Dedicated User | DocumentDB is a multi-tenant service, so no account has direct access to the core operating system resources. |
| Run MongoDB with Secure Configuration Options | DocumentDB only supports the MongoDB wire protocol and does not enable HTTP/JSONP endpoints. |



The capabilities offered by DocumentDB span beyond that of traditional geographical disaster recovery (Geo-DR) offered by "single-site" databases. Single-site databases offering Geo-DR capability are a strict subset of globally distributed databases. With DocumentDB's turnkey global distribution, developers do not have to build their own replication scaffolding by employing either the Lambda pattern (for example, AWS DynamoDB replication) over the database log or by doing "double writes" across multiple regions. We do not recommend these approaches since it is impossible to ensure correctness of such approaches and provide sound SLAs.

DocumentDB enables you to have policy-based geo-fencing capabilities. Geo-fencing is an important capability that ensures data governance and compliance restrictions and may prevent associating a specific region with your account. Examples of geo-fencing include (but are not restricted to) scoping global distribution to the regions within a sovereign cloud (for example, China and Germany), or within a government taxation boundary (for example, Australia). The policies are controlled using the metadata of your Azure subscription.

For failover, you can specify an exact sequence of regional failovers if there is a multi-regional outage and you can associate the priority to various regions associated with the database account. DocumentDB will ensure that the automatic failover sequence occurs in the priority order you specified.

We are also working on encryption-at-rest and in-motion. Customers will be able to encrypt data in DocumentDB to align with best practices for protecting confidentiality and data integrity. Stay tuned for that.

Second, you don’t have to rewrite your Apps

Moving to DocumentDB doesn’t require
