4.5 Ensure Encryption of Data at Rest

Information

Encryption of data at rest must be enabled to ensure compliance with security and privacy standards including HIPAA, PCI-DSS, and FERPA.

Encryption at rest, when used in conjunction with transport encryption and good security policies that protect relevant accounts, passwords, and encryption keys.

Unauthorized users, such as intruders who are attempting security attacks, cannot read the data from storage and back up media unless they have the master encryption key to decrypt it.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

It is recommended to enable the data at rest encryption to protect the data.Protecting Data at Rest Including following steps.

- Generating a master key.
- Generating keys for each database.
- Encrypting data with the database keys.
- Encrypting the database keys with the master key.

Only the master key is external to the server and requires external management. To manage the master key, MongoDB's encrypted storage engine supports two key management options:

- Integration with a third-party key management appliance via the Key Management Interoperability Protocol (KMIP). Recommended
- Use of local key management via a keyfile.

The encryption occurs transparently in the storage layer; i.e. all data files are fully encrypted from a filesystem perspective, and data only exists in an unencrypted state in memory and during transmission.

To enable Encryption on Database follow below step mentioned in below Link

https://docs.mongodb.com/manual/tutorial/configure-encryption/

Rotation of Key is also important. This can be enabled by following mentioned steps in below link.

https://docs.mongodb.com/manual/tutorial/rotate-encryption-key/

See Also

https://workbench.cisecurity.org/benchmarks/15858

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: Windows

Control ID: 9aeb66c70557148fcdc1ae67fa229140e35b24820dcbbba54aaf3f07ec0cd5f3