Data security is a top priority. Almost every week, news articles about new data breaches hit the front pages, describing vulnerabilities that affect thousands of individuals.

The good news is that MongoDB has everything you need to ensure best practices in security, including encryption, authentication, access control, and auditing.

To go deeper into all of the best practices listed here, extensive documentation and detailed resources such as white papers are available. This page includes a quick summary of best practices for MongoDB security, as well as links to additional resources.

Now, let's go over several methods for keeping your MongoDB database secure.

1. Create Separate Security Credentials

Create login credentials for each user or process that accesses MongoDB to enable authentication.

Assume that numerous users require administrator access to the database. Instead of sharing credentials, which increases the possibility of account breach, give each person their own credentials and allocate them rights based on their duties, as explained below.

2. Use Role-Based Access Control

Instead of assigning permissions to individual users, assign them to roles such as application server, database administrator, developer, BI tool, and others. Predefined roles such as dbAdmin, dbOwner, clusterAdmin, and others are available right away. These roles can be further customised to match the demands of certain teams and functional areas while ensuring that policies are uniform across the organisation.
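Putting sections 1 and 2 together, here is a mongosh-style provisioning script (an added example, not code from the original page or from MongoDB): one login per actor, permissions granted only through roles, and a least-privilege gate run before a custom role is created. The database `shop`, its collections, the user names and the role name are constructed for illustration; `passwordPrompt()` is the mongosh helper for entering passwords interactively.

```javascript
// Added example: separate credentials plus role-based access for a "shop" database.
// Database, collection, user and role names are constructed for illustration.

// A custom role for the application server: scoped to one database and limited
// to the actions the application needs (no dropCollection, no user administration).
const appRole = {
  role: "shopAppRW",
  privileges: [
    { resource: { db: "shop", collection: "orders" },    actions: ["find", "insert", "update"] },
    { resource: { db: "shop", collection: "customers" }, actions: ["find"] },
  ],
  roles: [],
};

// One user per principal; roles carry the permissions, users carry none directly.
// The predefined roles read, dbAdmin and userAdmin are referenced by name.
const users = [
  { user: "shop-app",  roles: [{ role: "shopAppRW", db: "shop" }] },
  { user: "bi-tool",   roles: [{ role: "read",      db: "shop" }] },
  { user: "dba-alice", roles: [{ role: "dbAdmin", db: "shop" }, { role: "userAdmin", db: "shop" }] },
];

// Rejects a custom role that reaches outside its database or grants everything:
// cluster-wide resources, anyResource, db: "" (every database) or the anyAction action.
function violatesLeastPrivilege(role) {
  return role.privileges.some(p =>
    p.resource.cluster === true ||
    p.resource.anyResource === true ||
    p.resource.db === "" ||
    p.actions.includes("anyAction"));
}

// Applies the model against a db handle (the real `db` in mongosh, or a stub in
// tests). promptPassword is passwordPrompt in mongosh. Returns the number of users created.
function applyAccessModel(db, promptPassword) {
  if (violatesLeastPrivilege(appRole)) throw new Error(`role ${appRole.role} is too broad`);
  db.createRole(appRole);
  for (const u of users) db.createUser({ ...u, pwd: promptPassword(u.user) });
  return users.length;
}

// In mongosh:  use shop;  applyAccessModel(db, () => passwordPrompt());
```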

3. Limit Connections to the Database

An intruder gaining remote access to the database is one way for data leaks to occur. This risk is reduced by restricting remote connections to the database. The optimum practice is to accept connections exclusively from specific IP addresses, a technique known as whitelisting.

With MongoDB Atlas, the fully managed service for MongoDB, each Atlas project gets its own VPC. For further security, customers can enable VPC peering to the private networks that house their applications, blocking access over the public internet.

4. Encrypt Your Data

The data in most data leaks is readable by unauthorised users. When data is encrypted, it becomes unreadable to people who do not have the keys to decrypt it.

Encryption can be used in a variety of ways, including:

Encrypting data at rest. Encrypt the data wherever it is stored. MongoDB Community Edition does not support at-rest encryption; it is only available in MongoDB Enterprise or MongoDB Atlas.

Encrypting data in transit. By default, MongoDB encrypts all data in transit using TLS.

Add Extra Encryption for Sensitive Data

Client-side field-level encryption is one of MongoDB's most important security features. Most encryption is done on the server, which means that anyone with access to the server may be able to read that data. Client-side field-level encryption ensures that only the relevant parties, using their own decryption key, can read their data, and that the decryption happens on the client side.

This effectively means that only the user can read the encrypted data:

Assume Ralph's retirement account record contains his social security number. That field is encrypted and can only be viewed by Ralph; no database administrator, developer, or analyst can read it.

Enabling client-side field-level encryption requires only a change to the database driver configuration, not to the application code.
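The "driver change" for the Ralph scenario, as an added example that is not code from the original page or from MongoDB: the function below builds the `autoEncryption` options passed to the Node.js driver's `MongoClient`, marking the `ssn` field of a constructed `bank.accounts` collection for client-side encryption. The key-vault namespace, the data-key id and the local master key are assumptions; in production the data-key id comes from `ClientEncryption.createDataKey()` and a cloud KMS replaces the local provider.

```javascript
// Added example: driver-side options for automatic client-side field-level encryption.
// Namespace, field name, key-vault name and key material are constructed for illustration.

// Automatic-encryption JSON schema: only "ssn" is encrypted on the client;
// every other field of the document stays plaintext.
function buildEncryptedSchema(dataKeyId) {
  return {
    bsonType: "object",
    properties: {
      ssn: {
        encrypt: {
          keyId: [dataKeyId],                 // the data key (a UUID Binary in production)
          bsonType: "string",
          // Random is the stronger choice but the field cannot be queried by equality;
          // use "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" only where equality lookups are required.
          algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
        },
      },
    },
  };
}

// MongoClient options: new MongoClient(uri, buildClientOptions(keyId, masterKey)).
// The application's insert/find code is unchanged; the driver encrypts and
// decrypts "ssn" transparently, so the server only ever stores ciphertext.
function buildClientOptions(dataKeyId, localMasterKey) {
  if (!(localMasterKey instanceof Uint8Array) || localMasterKey.length !== 96)
    throw new Error("the local KMS master key must be exactly 96 bytes");
  return {
    autoEncryption: {
      keyVaultNamespace: "encryption.__keyVault",        // where wrapped data keys are stored
      kmsProviders: { local: { key: localMasterKey } },  // local provider: testing only
      schemaMap: { "bank.accounts": buildEncryptedSchema(dataKeyId) },
    },
  };
}
```

The same options object, minus the `local` provider, is what an AWS, Azure or GCP KMS configuration replaces; nothing else in the application changes.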

Auditing and Logs

Audit trails should record who made modifications to the database setup, what those changes were, and when they were made. MongoDB Enterprise's audit framework provides a complete audit record of administrative actions.
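For a self-managed mongod, the controls from sections 3 and 4 and the audit trail described above are settings in mongod.conf. The check below is an added example (not code from the original page or from MongoDB) that takes the parsed configuration as a plain object and reports which of those settings are missing; the weak and hardened configurations are constructed inline, and the file paths are placeholders.

```javascript
// Added example: hardening check for a self-managed mongod configuration.
// `cfg` is mongod.conf parsed from YAML into a plain object; both configurations
// below are constructed for illustration and the file paths are placeholders.

const weak = {                         // opened to every interface, no authentication
  net: { bindIp: "0.0.0.0", port: 27017 },
  security: { authorization: "disabled" },
};

const hardened = {
  net: {
    bindIp: "127.0.0.1,10.20.0.5",     // loopback plus the application-subnet interface only
    port: 27017,
    tls: { mode: "requireTLS", certificateKeyFile: "/etc/ssl/mongod.pem", CAFile: "/etc/ssl/ca.pem" },
  },
  security: {
    authorization: "enabled",          // every client must authenticate
    enableEncryption: true,            // at-rest encryption: Enterprise Server / Atlas only
    encryptionKeyFile: "/etc/mongod/keyfile",   // key file for illustration; use KMIP/cloud KMS in production
  },
  auditLog: { destination: "file", format: "JSON", path: "/var/log/mongodb/audit.json" },
};

// Walks a dotted path such as "net.tls.mode" into the config object.
function lookup(cfg, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), cfg);
}

// Returns a list of findings; an empty list means the configuration passes.
// An unset net.bindIp is not flagged: mongod then listens on localhost only.
function auditMongodConfig(cfg) {
  const findings = [];
  if (lookup(cfg, "security.authorization") !== "enabled")
    findings.push("security.authorization is not 'enabled': clients can connect without credentials");
  const bindIps = String(lookup(cfg, "net.bindIp") ?? "").split(",").map(s => s.trim());
  if (lookup(cfg, "net.bindIpAll") === true || bindIps.some(ip => ip === "0.0.0.0" || ip === "::"))
    findings.push("net.bindIp listens on all interfaces: restrict it to specific addresses");
  if (lookup(cfg, "net.tls.mode") !== "requireTLS")
    findings.push("net.tls.mode is not 'requireTLS': connections may be made in cleartext");
  if (lookup(cfg, "security.enableEncryption") !== true)
    findings.push("security.enableEncryption is off: data at rest is not encrypted (Enterprise/Atlas feature)");
  if (!lookup(cfg, "auditLog.destination"))
    findings.push("auditLog is not configured: administrative actions leave no audit trail (Enterprise feature)");
  return findings;
}
```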

Community Edition or Enterprise Server

MongoDB Community Edition is MongoDB's free and open source version. MongoDB Enterprise Server provides enhanced security and performance for enterprise use cases at scale. Here is a comparison of the two editions, as well as procedures for upgrading from Community Edition to Enterprise Server.

But if you're contemplating Enterprise Server for features like LDAP connectivity and encryption at rest, why not check out MongoDB Atlas, the fully managed database as a service that includes all of the benefits of MongoDB Enterprise Server as well as security best practices out of the box? MongoDB Atlas is available and secure by default on all three main public clouds: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

The Bottom Line: Secure Deployment with Confidence

MongoDB is on the cutting edge of security. Security professionals will enjoy MongoDB's breadth and depth of encryption options, as well as the engineering work put into features like client-side field-level encryption.

Consider learning more about MongoDB's security architecture by downloading a white paper.

Explore the Trust Centre and download a paper on MongoDB Atlas Security Controls to learn more about MongoDB Atlas and its security setup on the major public clouds.

Learn how MongoDB helps you comply with rules like GDPR and CCPA.

View a webinar about a novel approach to data privacy using MongoDB client-side field-level encryption.