
Securing MongoDB Transport in the cloud [closed]

Are there any service providers offering hosted MongoDB with secure transport? I know that native TLS support for MongoDB isn't quite OOB yet, but I'm looking for a provider that can encrypt the transport using SSH, VPN or perhaps IPSEC?

I know that the MongoDB connection password handshake itself is secure but I need to secure the data from prying eyes. I can of course encrypt fields directly in my app layer, but I can't do that for fields I'll want to search.

From what I can tell, the only transport security we have relies on the VLAN/Switch routing. In other words, I should assume (according to providers like MongoHQ and MongoLab) that my packets are secure as long as I'm running in the same data centre provider, e.g. Amazon. But what if I'm not? Unfortunately, for instance, it looks like there are no commercial providers running on Azure yet so it would mean building our own cluster.

Obviously, it probably makes sense to be close to my data in any case, but currently we need some flexibility in mixing and matching providers without compromising security.

Even so, in the same hosting provider, is MAC address routing really the best transport security on offer?

cirrus asked Jul 03 '12 11:07



1 Answer

I think the answer depends on whether you are evaluating providers solely on the basis of providing SSL over the Mongo Wire protocol (choices are likely limited at the moment) or if you are fine to use their APIs (most will support https).

MongoDB's SSL support (as at 2.0.6) requires a separate build due to some licensing/export complications, and is "all or nothing" (i.e. all of your mongo processes and client drivers will need to use SSL). There is some ongoing discussion on the Jira issue for this feature request: SERVER-524: encryption of wire protocol with SSL.

Based on a quick search, the providers you mentioned do not currently appear to offer secure transport on top of the wire protocol (and have caveats on same), but they do have HTTPS endpoints for their REST APIs:

  • MongoHQ's REST API - The MongoHQ REST API allows you to create and interact with MongoDB databases created on the MongoHQ platform with an easy to use JSON API over HTTPS.

  • MongoLab's REST API - With MongoLab's REST API you can access any database linked to your account. The API exposes most the operations you would find in the MongoDB driver, but offers them as a RESTful interface over HTTPS.

Stennie answered Sep 27 '22 18:09

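Because SSL is described above as "all or nothing", one client-side check is to audit every connection string in a deployment for clients that reach a remote host in plaintext, or that disagree about TLS for the same host. This is an added example, not code from the original post or from MongoDB; it assumes the `ssl`/`tls` connection-string options and the `mongodb+srv` TLS default of current drivers, and the inventory, hostnames and function names are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample inventory: client name -> connection string from its config.
SAMPLE_URIS = {
    "web": "mongodb://app:pw@db1.example.net:27017,db2.example.net/shop?replicaSet=rs0&ssl=true",
    "worker": "mongodb://app:pw@db1.example.net:27017/shop?replicaSet=rs0",
    "report": "mongodb+srv://ro:pw@cluster.example.net/shop",
    "local": "mongodb://[::1]:27017/test",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_mongo_uri(uri):
    """Return (hostnames, tls_enabled) for a mongodb:// or mongodb+srv:// URI."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB URI: %r" % uri)
    rest, _, query = rest.partition("?")
    seeds = rest.partition("/")[0].rpartition("@")[2].split(",")
    # Strip the port; IPv6 literals are written in brackets.
    hosts = [s[1:s.index("]")] if s.startswith("[") else s.partition(":")[0]
             for s in seeds if s]
    # Option names are case-insensitive; "ssl" is the older spelling of "tls".
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(query).items()}
    flag = opts.get("tls", opts.get("ssl"))
    # mongodb+srv enables TLS unless the URI turns it off explicitly.
    tls = (scheme == "mongodb+srv") if flag is None else flag == "true"
    return [h.lower() for h in hosts], tls

def plaintext_clients(uris):
    """Map each client to the non-loopback hosts it reaches without TLS."""
    findings = {}
    for name, uri in uris.items():
        hosts, tls = parse_mongo_uri(uri)
        remote = [h for h in hosts if h not in LOOPBACK]
        if remote and not tls:
            findings[name] = remote
    return findings

def mixed_hosts(uris):
    """Hosts addressed both with and without TLS (an all-or-nothing conflict)."""
    seen = {}
    for uri in uris.values():
        hosts, tls = parse_mongo_uri(uri)
        for h in hosts:
            seen.setdefault(h, set()).add(tls)
    return sorted(h for h, flags in seen.items() if len(flags) == 2)

if __name__ == "__main__":
    print(plaintext_clients(SAMPLE_URIS), mixed_hosts(SAMPLE_URIS))
```

On the constructed inventory, `worker` is reported as reaching `db1.example.net` in plaintext, and `db1.example.net` is reported as a mixed host because `web` addresses it with `ssl=true`.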