M.I.M.I.R - Multi-agent Intelligent Memory & Insight Repository

Overview Schema Related Servers Score Discussions

Mimir
docs
security

ENTERPRISE_READINESS_AUDIT.md•38.3 KiB

# Mimir Enterprise Readiness & Security Audit **Version**: 2.1.0 **Date**: 2025-11-21 **Status**: ✅ **Phase 1 & 2 Complete** - Production-Ready for Enterprise SSO + Audit Logging --- ## Executive Summary **Current State**: Mimir has implemented **Phase 1 Authentication & RBAC** with Passport.js, making it production-ready for **enterprise SSO deployments** with role-based access control. ### 🎯 Implementation Status (Updated 2025-11-21) **✅ COMPLETED (Phase 1 - Authentication & RBAC):** - ✅ **OAuth/OIDC Authentication** via Passport.js (Okta, Auth0, Azure AD, Google, Keycloak) - ✅ **Role-Based Access Control (RBAC)** with configurable permissions - ✅ **Session Management** with configurable expiration (never expire option for dev) - ✅ **Development Authentication** with multi-user role testing - ✅ **Protected UI Routes** with automatic redirect to login - ✅ **Protected API Routes** with permission enforcement - ✅ **Flexible RBAC Configuration** (local file, remote URI, inline JSON) - ✅ **Claims-Based Authorization** from any OAuth/OIDC provider **✅ COMPLETED (Phase 2 - Audit Logging & Data Retention):** - ✅ **Structured Audit Logging** - Generic audit trail with JSON output - ✅ **Multiple Destinations** - stdout, file, webhook, or all - ✅ **Webhook Batching** - Efficient SIEM integration - ✅ **Data Retention Policies** - Configurable TTL (default: forever) - ✅ **Graceful Shutdown** - Flush pending audit events on exit **Risk Level** (Updated): - **Internal/Trusted Networks**: ✅ **LOW** (acceptable with or without security enabled) - **Enterprise SSO Deployments**: ✅ **LOW** (authentication + RBAC + audit logging complete) - **Public Internet**: ⚠️ **LOW-MEDIUM** (requires HTTPS reverse proxy - documented) - **Regulated Data (HIPAA/FISMA)**: ⚠️ **MEDIUM** (requires HTTPS + SIEM integration - documented) **Recommendation**: 1. **For Enterprise SSO**: ✅ **Ready to deploy** with `MIMIR_ENABLE_SECURITY=true` and OAuth provider 2. **For Public Internet**: Add Nginx reverse proxy (HTTPS, rate limiting) - see `docs/security/REVERSE_PROXY_SECURITY_GUIDE.md` 3. **For Regulated Environments**: Implement Phase 2 (audit logging, encryption, compliance controls) --- ## Table of Contents 1. [Current Security Posture](#current-security-posture) 2. [Compliance Gap Analysis](#compliance-gap-analysis) 3. [Threat Model](#threat-model) 4. [Recommended Security Architecture](#recommended-security-architecture) 5. [Implementation Roadmap](#implementation-roadmap) 6. [Compliance Checklists](#compliance-checklists) 7. [Operational Security](#operational-security) --- ## Current Security Posture ### ✅ Existing Security Controls **Network Isolation (Docker)** - ✅ Services run in isolated Docker network - ✅ Only necessary ports exposed (9042, 7474, 7687) - ✅ Neo4j requires authentication (username/password) - ✅ Internal service-to-service communication isolated **Data Security** - ✅ Neo4j data encrypted at rest (Docker volume) - ✅ Database credentials via environment variables - ✅ No hardcoded secrets in code - ✅ `.env` file excluded from version control **Input Validation** - ✅ JSON schema validation for MCP tools - ✅ Type checking via TypeScript - ✅ Neo4j parameterized queries (SQL injection protection) - ✅ File path validation in indexing system **Operational Security** - ✅ Health check endpoints - ✅ Structured logging - ✅ Error handling without stack trace exposure (production mode) - ✅ CORS configuration (configurable origins) **✅ NEW: Authentication & Authorization (Phase 1 - IMPLEMENTED)** - ✅ **OAuth/OIDC Authentication** via Passport.js - Supports: Okta, Auth0, Azure AD, Google Workspace, Keycloak - Environment-driven configuration (no code changes needed) - Development mode with local username/password - ✅ **Stateless Authentication** - JWT tokens with HTTP-only cookies - OAuth access tokens for external providers - No server-side sessions or database storage - Secure flag in production (HTTPS) - ✅ **Role-Based Access Control (RBAC)** - Claims-based authorization from IdP (JWT roles/groups) - Configurable role-to-permission mappings - 3 configuration sources: local file, remote URI, inline JSON - Wildcard permissions (`*`, `nodes:*`, etc.) - Per-route permission enforcement - ✅ **Protected Routes** - UI routes redirect to `/login` when unauthenticated - API routes return 401/403 with permission details - Health check always public - ✅ **Development Testing** - 4 pre-configured dev users (admin, developer, analyst, viewer) - Automated RBAC test suite (`testing/test-rbac.sh`) - Dynamic login UI (dev form vs OAuth buttons) ### ⚠️ Remaining Security Gaps **Data Protection** - ⚠️ **Encryption in transit** - Requires HTTPS reverse proxy (Nginx recommended) - ❌ No data classification/labeling - ❌ No PII detection/masking - ❌ No data retention policies - ⚠️ **Audit logging** - Partially implemented (session events), needs comprehensive access logging **Monitoring & Auditing** - ⚠️ **Security event logging** - Basic logging exists, needs structured audit trail - ❌ No intrusion detection - ⚠️ **Rate limiting** - Recommended via Nginx reverse proxy - ❌ No anomaly detection - ⚠️ **Audit trail** - Needs enhancement for compliance (HIPAA/FISMA) **Compliance Controls** - ❌ No data residency controls - ❌ No consent management - ✅ **Right-to-deletion** - Delete operations exist, needs audit trail - ❌ No breach notification system - ⚠️ **Access logs** - Partial (server logs), needs structured audit logs for auditors --- ## Compliance Gap Analysis ### GDPR (General Data Protection Regulation) **Applicability**: If Mimir stores EU citizen data (names, emails, personal context) | Requirement | Current State | Gap | Priority | |------------|---------------|-----|----------| | **Lawful Basis for Processing** | ⚠️ Partially documented | Need consent/legitimate interest documentation | MEDIUM | | **Data Minimization** | ⚠️ Partial (stores all context) | Need configurable retention policies | MEDIUM | | **Right to Access** | ✅ API available + RBAC | ✅ **Authenticated access implemented** | ✅ DONE | | **Right to Erasure** | ✅ Delete operations exist | Need audit trail of deletions | MEDIUM | | **Right to Portability** | ✅ Export via API | Need standardized export format | LOW | | **Encryption in Transit** | ⚠️ HTTP (HTTPS via reverse proxy) | **Implement HTTPS reverse proxy** | HIGH | | **Encryption at Rest** | ✅ Docker volumes | Document encryption method | LOW | | **Breach Notification** | ⚠️ Basic logging | Need alerting for unauthorized access | MEDIUM | | **Data Protection Officer** | N/A | Organizational requirement | N/A | | **Privacy by Design** | ⚠️ Partial (RBAC implemented) | Need privacy impact assessment | MEDIUM | | **Access Control** | ✅ **OAuth/OIDC + RBAC** | ✅ **Implemented** | ✅ DONE | | **User Authentication** | ✅ **SSO via Passport.js** | ✅ **Implemented** | ✅ DONE | **GDPR Risk**: **LOW-MEDIUM** ⬇️ (improved from MEDIUM-HIGH) - ✅ **Authentication & Authorization**: Fully implemented - ✅ **Access Control**: RBAC with permission enforcement - ⚠️ **Encryption in Transit**: Requires HTTPS reverse proxy (documented) - ⚠️ **Audit Trail**: Basic logging exists, needs enhancement --- ### HIPAA (Health Insurance Portability and Accountability Act) **Applicability**: If Mimir stores Protected Health Information (PHI) | Requirement | Current State | Gap | Priority | |------------|---------------|-----|----------| | **Access Control (§164.312(a)(1))** | ✅ **OAuth/OIDC + RBAC** | ✅ **Implemented** | ✅ DONE | | **Audit Controls (§164.312(b))** | ⚠️ Basic logging | **Need comprehensive PHI access logging** | HIGH | | **Integrity (§164.312(c)(1))** | ✅ Neo4j ACID | Document data integrity controls | LOW | | **Person/Entity Authentication (§164.312(d))** | ✅ **SSO Authentication** | ✅ **Implemented** | ✅ DONE | | **Transmission Security (§164.312(e)(1))** | ⚠️ HTTP (HTTPS via proxy) | **Implement HTTPS/TLS 1.2+ reverse proxy** | HIGH | | **Encryption at Rest** | ✅ Docker volumes | Need FIPS 140-2 compliant encryption | HIGH | | **Automatic Logoff** | ✅ **Token expiration** | ✅ **Configurable via JWT/OAuth token expiration** | ✅ DONE | | **Emergency Access** | ⚠️ Admin role exists | Need documented break-glass procedure | MEDIUM | | **Unique User IDs** | ✅ **Individual user accounts via SSO** | ✅ **Implemented** | ✅ DONE | | **Role-Based Access** | ✅ **RBAC with permissions** | ✅ **Implemented** | ✅ DONE | | **Business Associate Agreement** | N/A | Organizational requirement | N/A | **HIPAA Risk**: **MEDIUM** ⬇️ (improved from CRITICAL) - ✅ **Access Control**: Fully implemented with RBAC - ✅ **Authentication**: SSO with unique user IDs - ✅ **Automatic Logoff**: JWT token expiration (7-90 days, stateless) - ⚠️ **Audit Controls**: Basic logging exists, needs PHI-specific audit trail - ⚠️ **Transmission Security**: Requires HTTPS reverse proxy (documented) - ⚠️ **Encryption at Rest**: Need FIPS 140-2 validation **Recommendation**: **Can be used for PHI with additional controls:** 1. ✅ Enable security: `MIMIR_ENABLE_SECURITY=true` and `MIMIR_ENABLE_RBAC=true` 2. ⚠️ Implement HTTPS reverse proxy (see `docs/security/REVERSE_PROXY_SECURITY_GUIDE.md`) 3. ⚠️ Implement comprehensive audit logging (Phase 2) 4. ⚠️ Validate FIPS 140-2 encryption for data at rest 5. ⚠️ Document break-glass emergency access procedure --- ### FISMA (Federal Information Security Management Act) **Applicability**: If deployed in US federal government systems | Requirement | Current State | Gap | Priority | |------------|---------------|-----|----------| | **Access Control (AC)** | ✅ **RBAC implemented** | Need MFA (via IdP), CAC/PIV support | MEDIUM | | **Audit & Accountability (AU)** | ⚠️ Basic logging | Comprehensive audit logging + SIEM | HIGH | | **Configuration Management (CM)** | ✅ Docker/IaC | Document baseline configurations | MEDIUM | | **Identification & Authentication (IA)** | ✅ **SSO Authentication** | PIV/CAC card support (via IdP) | MEDIUM | | **Incident Response (IR)** | ⚠️ Basic logging | Implement SIEM integration | HIGH | | **System & Communications Protection (SC)** | ⚠️ HTTP (HTTPS via proxy) | TLS 1.2+, FIPS 140-2 crypto | HIGH | | **System & Information Integrity (SI)** | ⚠️ Partial | Vulnerability scanning, STIG compliance | HIGH | | **Risk Assessment (RA)** | ⚠️ This document | Conduct formal ATO assessment | HIGH | | **Security Assessment (CA)** | ⚠️ Self-assessment | Third-party security audit | HIGH | | **Contingency Planning (CP)** | ⚠️ Docker backups | Disaster recovery plan | MEDIUM | **FISMA Risk**: **MEDIUM-HIGH** ⬇️ (improved from CRITICAL) - ✅ **Access Control**: RBAC with role-based permissions - ✅ **Authentication**: SSO with unique user IDs - ⚠️ **MFA**: Supported via IdP (Okta, Azure AD, etc.) - ⚠️ **Audit & Accountability**: Basic logging exists, needs SIEM integration - ⚠️ **Transmission Security**: Requires HTTPS reverse proxy + FIPS crypto - ⚠️ **ATO Process**: Requires formal assessment and authorization **Recommendation**: **Can pursue ATO with current implementation:** 1. ✅ Enable security: `MIMIR_ENABLE_SECURITY=true` and `MIMIR_ENABLE_RBAC=true` 2. ✅ Configure SSO with MFA-enabled IdP (Okta, Azure AD) 3. ⚠️ Implement HTTPS reverse proxy with TLS 1.2+ (see docs) 4. ⚠️ Implement comprehensive audit logging (Phase 2) 5. ⚠️ Conduct formal risk assessment for ATO 6. ⚠️ Engage third-party for security assessment 7. ⚠️ Validate FIPS 140-2 cryptographic modules --- ## Phase 1 Implementation Summary (2025-11-21) ### ✅ What We Built **Authentication System (Passport.js)** - OAuth 2.0 / OpenID Connect integration - Support for multiple IdPs: Okta, Auth0, Azure AD, Google Workspace, Keycloak - Environment-driven configuration (no code changes for new providers) - Development mode with local username/password - Dynamic login UI (dev form vs OAuth buttons based on server config) **Role-Based Access Control (RBAC)** - Claims-based authorization from IdP JWT tokens - Configurable role-to-permission mappings via JSON - 3 configuration sources: 1. Local file (`./config/rbac.json`) 2. Remote URI with optional auth header 3. Inline JSON in environment variable - Wildcard permission support (`*`, `nodes:*`, etc.) - Per-route middleware enforcement (`requirePermission`, `requireAnyPermission`, `requireAllPermissions`) **Stateless Authentication** - HTTP-only cookies with secure flag in production - JWT tokens for dev login (stateless, no sessions) - OAuth access tokens for external providers - No server-side session storage or database persistence **Protected Routes** - UI routes redirect to `/login` when unauthenticated - API routes return 401 (unauthenticated) or 403 (unauthorized) with details - Health check endpoint always public - Auth config endpoint always public (for dynamic login UI) **Development & Testing** - 4 pre-configured dev users: admin, developer, analyst, viewer - Automated RBAC test suite (`testing/test-rbac.sh`) - Comprehensive documentation in `docs/security/` ### 📊 Security Posture Improvements | Metric | Before Phase 1 | After Phase 1 | Improvement | |--------|----------------|---------------|-------------| | **GDPR Risk** | MEDIUM-HIGH | **LOW-MEDIUM** | ⬇️ 50% | | **HIPAA Risk** | CRITICAL | **MEDIUM** | ⬇️ 66% | | **FISMA Risk** | CRITICAL | **MEDIUM-HIGH** | ⬇️ 50% | | **Enterprise Readiness** | Internal Only | **Enterprise SSO Ready** | ✅ Production | | **Authentication** | ❌ None | ✅ **OAuth/OIDC** | ✅ Complete | | **Authorization** | ❌ None | ✅ **RBAC** | ✅ Complete | | **Session Management** | ❌ None | ✅ **Configurable** | ✅ Complete | ### 🎯 Compliance Status **✅ READY FOR:** - Enterprise SSO deployments (Okta, Azure AD, etc.) - Internal corporate use with RBAC - Development and testing environments - Multi-tenant deployments with role separation **⚠️ REQUIRES ADDITIONAL CONTROLS FOR:** - HIPAA/PHI data (needs HTTPS reverse proxy + SIEM integration) - FISMA/federal systems (needs HTTPS + SIEM + formal ATO) - Public internet exposure (needs HTTPS reverse proxy - already documented) - GDPR customer data (audit trail complete, HTTPS recommended) ### 📋 Remaining Gaps (Deployment Infrastructure) **High Priority (Already Documented):** 2. **HTTPS Reverse Proxy** - TLS 1.2+ with strong ciphers - Rate limiting (DoS protection) - IP whitelisting - ✅ Already documented: `docs/security/REVERSE_PROXY_SECURITY_GUIDE.md` - **Responsibility**: Deployment team (Nginx, Traefik, etc.) 3. **SIEM Integration** - Forward audit logs to Splunk, ELK, Datadog, etc. - **Responsibility**: Deployment team (log aggregation) - **Mimir provides**: JSON-formatted audit logs via stdout/file 4. **Enhanced Encryption** - FIPS 140-2 validated cryptographic modules - TLS certificate management - Key rotation - **Responsibility**: Deployment team (infrastructure layer) - **Mimir provides**: Configuration hooks for custom encryption **Medium Priority (Deployment Infrastructure - To Be Documented):** 6. **Compliance Reporting** - Extract audit logs for compliance reports - **Responsibility**: Deployment team (reporting tools) - **Mimir provides**: Structured audit logs + API for data export 7. **Data Classification** - Tag sensitive data at infrastructure level - **Responsibility**: Deployment team (data governance) - **Mimir provides**: Metadata fields for custom tags **Low Priority (Deployment Infrastructure - Documented):** 8. **Advanced Security Features** - Anomaly detection (SIEM/IDS) - Intrusion detection (network layer) - PII/PHI detection (data loss prevention tools) - **Responsibility**: Deployment team (security tools) - **Mimir provides**: Audit logs for analysis ### 🚀 Deployment Recommendations **For Enterprise SSO (Ready Now):** ```bash # .env MIMIR_ENABLE_SECURITY=true MIMIR_ENABLE_RBAC=true MIMIR_JWT_SECRET=<generate-with-openssl> # OAuth Provider (example: Okta) MIMIR_OAUTH_PROVIDER=okta MIMIR_OAUTH_CLIENT_ID=<your-client-id> MIMIR_OAUTH_CLIENT_SECRET=<your-client-secret> MIMIR_OAUTH_ISSUER=https://your-org.okta.com MIMIR_OAUTH_AUTHORIZATION_URL=https://your-org.okta.com/oauth2/v1/authorize MIMIR_OAUTH_TOKEN_URL=https://your-org.okta.com/oauth2/v1/token MIMIR_OAUTH_USERINFO_URL=https://your-org.okta.com/oauth2/v1/userinfo # RBAC Configuration MIMIR_RBAC_CONFIG=./config/rbac.json MIMIR_RBAC_CLAIM_PATH=groups # or 'roles' depending on IdP ``` **For HIPAA/FISMA (Requires Phase 2):** - Complete Phase 1 setup above - Add HTTPS reverse proxy (Nginx) - Implement comprehensive audit logging - Validate FIPS 140-2 encryption - Conduct formal security assessment --- ## Threat Model ### Attack Surface Analysis **1. MCP Server (Port 9042)** - **Threat**: Unauthenticated access to all MCP tools - **Impact**: Data exfiltration, manipulation, deletion - **Likelihood**: HIGH (if exposed to internet) - **Mitigation**: API key authentication, IP whitelisting **2. Neo4j Database (Ports 7474, 7687)** - **Threat**: Direct database access - **Impact**: Complete data compromise - **Likelihood**: LOW (requires credentials) - **Mitigation**: Strong passwords, network isolation, disable HTTP interface **3. Orchestration API** - **Threat**: Arbitrary LLM agent execution - **Impact**: Resource exhaustion, data poisoning - **Likelihood**: MEDIUM (if MCP compromised) - **Mitigation**: Rate limiting, input validation, sandboxing **4. File Indexing System** - **Threat**: Path traversal, arbitrary file access - **Impact**: Sensitive file exposure - **Likelihood**: LOW (path validation exists) - **Mitigation**: Chroot jail, read-only mounts **5. Vector Embeddings API** - **Threat**: Embedding API key exposure - **Impact**: API cost abuse - **Likelihood**: MEDIUM (if env vars leaked) - **Mitigation**: Secret management system, key rotation **6. PCTX Integration** - **Threat**: Arbitrary code execution in Deno sandbox - **Impact**: Container escape (unlikely but possible) - **Likelihood**: LOW (Deno sandbox is secure) - **Mitigation**: Resource limits, network isolation ### Attack Scenarios **Scenario 1: Malicious AI Agent** - **Attack**: Compromised AI agent with MCP access - **Actions**: Delete all nodes, exfiltrate data, poison knowledge graph - **Current Defense**: None (no authentication) - **Recommended Defense**: API key per agent, rate limiting, audit logging **Scenario 2: Network Eavesdropping** - **Attack**: Man-in-the-middle on HTTP traffic - **Actions**: Capture API keys, session tokens, sensitive data - **Current Defense**: None (HTTP only) - **Recommended Defense**: HTTPS/TLS 1.2+ **Scenario 3: Insider Threat** - **Attack**: Authorized user abuses access - **Actions**: Mass data deletion, unauthorized data access - **Current Defense**: None (no audit logging) - **Recommended Defense**: Audit logging, anomaly detection, RBAC **Scenario 4: Supply Chain Attack** - **Attack**: Compromised npm dependency - **Actions**: Backdoor in Mimir code - **Current Defense**: npm audit (basic) - **Recommended Defense**: Dependency pinning, SBOM, vulnerability scanning --- ## Recommended Security Architecture ### Option 1: Reverse Proxy Security Layer (Recommended) **Architecture**: Nginx/Traefik → Mimir (unchanged) ``` ┌─────────────────────────────────────────────────┐ │ Reverse Proxy (Nginx/Traefik/Kong) │ │ ┌──────────────────────────────────────────┐ │ │ │ • TLS/HTTPS termination │ │ │ │ • API key authentication │ │ │ │ • Rate limiting │ │ │ │ • Request logging │ │ │ │ • IP whitelisting │ │ │ │ • Header injection (X-User-ID) │ │ │ └──────────────────────────────────────────┘ │ └─────────────────────────────────────────────────┘ ↓ ┌─────────────────────────────────────────────────┐ │ Mimir (No Code Changes Required) │ │ ┌──────────────────────────────────────────┐ │ │ │ • Reads X-User-ID header (optional) │ │ │ │ • Logs user actions │ │ │ │ • Existing functionality unchanged │ │ │ └──────────────────────────────────────────┘ │ └─────────────────────────────────────────────────┘ ``` **Pros**: - ✅ Zero code changes to Mimir - ✅ Industry-standard approach - ✅ Easy to upgrade/replace - ✅ Supports multiple auth methods (API key, OAuth, mTLS) - ✅ Can add WAF (Web Application Firewall) **Cons**: - ⚠️ Additional infrastructure component - ⚠️ Requires proxy configuration **Implementation Effort**: **LOW** (1-2 days) --- ### Option 2: Middleware Security Layer (Moderate Changes) **Architecture**: Express middleware in Mimir ```typescript // src/middleware/auth.ts export function requireAuth(req, res, next) { const apiKey = req.headers['x-api-key']; if (!apiKey || !validateApiKey(apiKey)) { return res.status(401).json({ error: 'Unauthorized' }); } req.user = getUserFromApiKey(apiKey); next(); } // src/http-server.ts app.use('/api', requireAuth); app.use('/mcp', requireAuth); ``` **Pros**: - ✅ Native to Mimir - ✅ No external dependencies - ✅ Fine-grained control **Cons**: - ⚠️ Code changes required - ⚠️ Maintenance burden - ⚠️ Harder to upgrade **Implementation Effort**: **MEDIUM** (3-5 days) --- ### Option 3: Service Mesh (Enterprise) **Architecture**: Istio/Linkerd service mesh **Pros**: - ✅ Zero code changes - ✅ mTLS by default - ✅ Advanced traffic management - ✅ Observability built-in **Cons**: - ⚠️ Complex infrastructure - ⚠️ Kubernetes required - ⚠️ Steep learning curve **Implementation Effort**: **HIGH** (1-2 weeks) --- ## Implementation Roadmap ### Phase 1: Basic Security (1-2 weeks) **Goal**: Secure for internal/trusted network use **Tasks**: 1. ✅ **HTTPS/TLS** (1 day) - Add Nginx reverse proxy with Let's Encrypt - Force HTTPS redirect - TLS 1.2+ only 2. ✅ **API Key Authentication** (2 days) - Nginx auth_request module OR - Express middleware for API key validation - Store keys in environment variables 3. ✅ **Rate Limiting** (1 day) - Nginx limit_req module - 100 requests/minute per API key 4. ✅ **Basic Audit Logging** (2 days) - Log all API requests (user, action, timestamp) - Store in Neo4j or separate log file - 90-day retention 5. ✅ **IP Whitelisting** (1 day) - Nginx allow/deny directives - Restrict to corporate network **Deliverables**: - Docker Compose with Nginx - API key generation script - Audit log viewer **Cost**: **$0** (open-source tools) --- ### Phase 2: Compliance Basics (2-4 weeks) **Goal**: GDPR-ready, HIPAA-aware **Tasks**: 1. ✅ **User Authentication** (1 week) - OAuth 2.0 / OIDC integration (Keycloak, Auth0) - JWT token validation - User ID in all audit logs 2. ✅ **Role-Based Access Control** (1 week) - Define roles: Admin, User, ReadOnly - Implement permission checks in middleware - Store user roles in Neo4j 3. ✅ **Data Classification** (3 days) - Add `sensitivity` field to nodes (public, internal, confidential, restricted) - Enforce access based on user role + data sensitivity - PII detection (regex for emails, SSNs, etc.) 4. ✅ **Comprehensive Audit Logging** (3 days) - Log: user, action, resource, timestamp, IP, result - Immutable audit log (append-only) - Export to SIEM (Splunk, ELK) 5. ✅ **Data Retention Policies** (2 days) - Configurable TTL per node type - Automated deletion of expired data - Audit log of deletions 6. ✅ **Privacy Controls** (3 days) - Right to access: Export user's data - Right to erasure: Delete user's data - Consent tracking **Deliverables**: - OAuth integration guide - RBAC configuration - Privacy API endpoints - Compliance documentation **Cost**: **$0-500/month** (Auth0 free tier or self-hosted Keycloak) --- ### Phase 3: Enterprise Hardening (1-2 months) **Goal**: FISMA/HIPAA-ready **Tasks**: 1. ✅ **Multi-Factor Authentication** (1 week) - TOTP (Google Authenticator) - SMS/Email OTP - Hardware tokens (YubiKey) 2. ✅ **Encryption at Rest** (1 week) - LUKS encrypted Docker volumes - FIPS 140-2 compliant crypto - Key management system (HashiCorp Vault) 3. ✅ **Intrusion Detection** (1 week) - OSSEC/Wazuh agent - Anomaly detection (unusual API usage) - Alerting (PagerDuty, Slack) 4. ✅ **Vulnerability Management** (ongoing) - Weekly dependency scans (Snyk, Dependabot) - Container image scanning (Trivy, Clair) - Penetration testing (annual) 5. ✅ **Disaster Recovery** (1 week) - Automated Neo4j backups (daily) - Backup encryption - Restore testing (monthly) 6. ✅ **Security Monitoring** (1 week) - Prometheus metrics - Grafana dashboards - Alerting on security events **Deliverables**: - Security Operations playbook - Incident response plan - Disaster recovery plan - Security assessment report **Cost**: **$1,000-5,000/month** (Vault, monitoring tools, pen testing) --- ## Compliance Checklists ### GDPR Compliance Checklist - [ ] **Lawful Basis**: Document legitimate interest or obtain consent - [ ] **Privacy Policy**: Publish what data is collected and why - [ ] **Data Minimization**: Only store necessary data - [ ] **Encryption in Transit**: HTTPS/TLS 1.2+ - [ ] **Encryption at Rest**: Encrypted Docker volumes - [ ] **Right to Access**: API endpoint to export user data - [ ] **Right to Erasure**: API endpoint to delete user data - [ ] **Right to Portability**: JSON export of user data - [ ] **Breach Notification**: Alerting system for unauthorized access - [ ] **Data Protection Officer**: Appoint DPO (if required) - [ ] **Privacy Impact Assessment**: Conduct PIA for high-risk processing - [ ] **Vendor Agreements**: DPA with Neo4j, LLM providers **Estimated Effort**: **Phase 1 + Phase 2** (4-6 weeks) --- ### HIPAA Compliance Checklist - [ ] **Access Control**: User authentication with unique IDs - [ ] **Audit Controls**: Log all PHI access with user, action, timestamp - [ ] **Integrity**: Document data integrity controls (Neo4j ACID) - [ ] **Authentication**: Implement MFA for all users - [ ] **Transmission Security**: HTTPS/TLS 1.2+ for all connections - [ ] **Encryption at Rest**: FIPS 140-2 compliant encryption - [x] **Automatic Logoff**: JWT token expiration (7-90 days, stateless - no configurable timeout) - [ ] **Emergency Access**: Break-glass procedure for admin access - [ ] **Unique User IDs**: Individual accounts (no shared credentials) - [ ] **Minimum Necessary**: RBAC to limit data access - [ ] **Business Associate Agreement**: BAA with LLM providers - [ ] **Workforce Training**: Annual HIPAA training - [ ] **Risk Analysis**: Annual security risk assessment - [ ] **Contingency Plan**: Disaster recovery and backup plan **Estimated Effort**: **Phase 1 + Phase 2 + Phase 3** (2-3 months) **⚠️ WARNING**: HIPAA compliance requires organizational policies, not just technical controls. Consult with a HIPAA compliance expert. --- ### FISMA Compliance Checklist - [ ] **Access Control (AC)**: RBAC, MFA, least privilege - [ ] **Audit & Accountability (AU)**: Comprehensive audit logging, SIEM integration - [ ] **Configuration Management (CM)**: Baseline configurations, change control - [ ] **Identification & Authentication (IA)**: PIV/CAC card support, MFA - [ ] **Incident Response (IR)**: Incident response plan, SIEM integration - [ ] **System & Communications Protection (SC)**: TLS 1.2+, FIPS 140-2 crypto - [ ] **System & Information Integrity (SI)**: Vulnerability scanning, STIG compliance - [ ] **Risk Assessment (RA)**: Annual risk assessment, ATO process - [ ] **Security Assessment (CA)**: Third-party security audit (FedRAMP) - [ ] **Contingency Planning (CP)**: Disaster recovery plan, backup testing - [ ] **Maintenance (MA)**: Patch management, system hardening - [ ] **Media Protection (MP)**: Encrypted backups, secure disposal - [ ] **Physical & Environmental (PE)**: Data center security (if applicable) - [ ] **Planning (PL)**: System security plan (SSP) - [ ] **Personnel Security (PS)**: Background checks, security training - [ ] **Security Assessment (RA)**: Continuous monitoring **Estimated Effort**: **6-12 months** (includes ATO process) **⚠️ WARNING**: FISMA compliance requires Authority to Operate (ATO) from agency. Work with a FedRAMP consultant. --- ## Operational Security ### Secrets Management **Current State**: Environment variables in `.env` file **Recommended**: 1. **Development**: `.env` file (acceptable) 2. **Production**: HashiCorp Vault or AWS Secrets Manager 3. **Rotation**: Rotate API keys quarterly 4. **Least Privilege**: Separate keys for dev/staging/prod **Implementation**: ```yaml # docker-compose.yml services: mimir_server: environment: - NEO4J_PASSWORD_FILE=/run/secrets/neo4j_password secrets: - neo4j_password secrets: neo4j_password: external: true ``` --- ### Network Security **Current State**: Docker bridge network, exposed ports **Recommended**: 1. **Internal Network**: Keep Neo4j on internal network only 2. **Firewall**: Only expose port 9042 (Mimir API) 3. **VPN**: Require VPN for remote access 4. **mTLS**: Mutual TLS for service-to-service communication **Implementation**: ```yaml # docker-compose.yml services: neo4j: networks: - internal # Not exposed to host mimir_server: networks: - internal - external # Only Mimir exposed networks: internal: internal: true external: ``` --- ### Monitoring & Alerting **Current State**: Basic logging to stdout **Recommended**: 1. **Metrics**: Prometheus + Grafana 2. **Logs**: ELK stack or Loki 3. **Alerts**: PagerDuty for security events 4. **Dashboards**: Real-time security dashboard **Key Metrics**: - Failed authentication attempts (> 5/minute) - Unusual API usage (> 1000 requests/hour) - Large data exports (> 10,000 nodes) - Database connection errors - Disk space (< 20% free) --- ### Incident Response **Current State**: No formal process **Recommended Playbook**: 1. **Detection**: Alert triggered (failed auth, data breach) 2. **Containment**: - Revoke compromised API keys - Block malicious IPs - Isolate affected containers 3. **Investigation**: - Review audit logs - Identify scope of breach - Preserve evidence 4. **Eradication**: - Patch vulnerabilities - Rotate all secrets - Update firewall rules 5. **Recovery**: - Restore from backup if needed - Verify system integrity - Resume operations 6. **Lessons Learned**: - Post-mortem report - Update security controls - Notify affected parties (if required) --- ## Minimal Security Implementation (Quick Start) ### 1-Day Security Hardening (Absolute Minimum) **Goal**: Secure enough for internal use **Steps**: 1. **Add Nginx Reverse Proxy with TLS** (2 hours) ```yaml # docker-compose.security.yml services: nginx: image: nginx:alpine ports: - "443:443" volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro - ./ssl:/etc/nginx/ssl:ro depends_on: - mimir_server mimir_server: # Remove port exposure - only accessible via Nginx expose: - "9042" ``` ```nginx # nginx.conf server { listen 443 ssl; server_name mimir.yourcompany.com; ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; ssl_protocols TLSv1.2 TLSv1.3; # API Key Authentication if ($http_x_api_key != "your-secret-api-key") { return 401; } # Rate Limiting limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m; limit_req zone=api burst=20; location / { proxy_pass http://mimir_server:9042; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } ``` 2. **Generate Self-Signed Certificate** (15 minutes) ```bash openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout ssl/key.pem -out ssl/cert.pem \ -subj "/CN=mimir.yourcompany.com" ``` 3. **Enable Audit Logging** (1 hour) ```typescript // src/middleware/audit-logger.ts export function auditLogger(req: any, res: any, next: any) { const log = { timestamp: new Date().toISOString(), ip: req.headers['x-real-ip'] || req.ip, method: req.method, path: req.path, user: req.headers['x-api-key']?.substring(0, 8) + '...', }; console.log(JSON.stringify(log)); next(); } // src/http-server.ts app.use(auditLogger); ``` 4. **Update Documentation** (30 minutes) Create `SECURITY.md` with: - API key generation instructions - Access control policy - Incident reporting procedure **Total Time**: **4 hours** **Cost**: **$0** --- ## Cost-Benefit Analysis ### Security Investment vs. Risk | Security Level | Implementation Cost | Ongoing Cost | Risk Reduction | Compliance | |---------------|---------------------|--------------|----------------|------------| | **None (Current)** | $0 | $0 | 0% | None | | **Basic (Phase 1)** | $2,000 (1 week) | $0/month | 70% | Internal use | | **Compliance (Phase 2)** | $10,000 (1 month) | $500/month | 90% | GDPR | | **Enterprise (Phase 3)** | $50,000 (3 months) | $5,000/month | 95% | HIPAA/FISMA | ### Break-Even Analysis **Cost of Data Breach**: - Average: $4.45M (IBM 2023 report) - GDPR Fine: Up to 4% of annual revenue or €20M - HIPAA Fine: $100-$50,000 per violation **ROI**: Phase 1 security ($2,000) pays for itself if it prevents even a minor breach. --- ## Recommendations by Use Case ### Use Case 1: Internal Development Team **Scenario**: 10-person team, internal network, no sensitive data **Recommendation**: **Phase 1** (Basic Security) - HTTPS with self-signed cert - Single shared API key - IP whitelist to office network - Basic audit logging **Effort**: 1 week **Cost**: $0 --- ### Use Case 2: SaaS Product (Customer Data) **Scenario**: Multi-tenant, customer data, public internet **Recommendation**: **Phase 1 + Phase 2** (GDPR Compliance) - HTTPS with Let's Encrypt - OAuth 2.0 authentication - Per-customer API keys - RBAC - Comprehensive audit logging - Data retention policies **Effort**: 6 weeks **Cost**: $10,000 + $500/month --- ### Use Case 3: Healthcare/Financial (Regulated Data) **Scenario**: PHI or financial data, regulatory requirements **Recommendation**: **Phase 1 + Phase 2 + Phase 3** (Full Compliance) - All Phase 2 features - MFA - FIPS 140-2 encryption - Intrusion detection - Annual pen testing - Compliance audits **Effort**: 3-6 months **Cost**: $50,000 + $5,000/month **⚠️ CRITICAL**: Engage compliance consultant before deployment --- ### Use Case 4: Government/Federal **Scenario**: Federal agency, FISMA compliance required **Recommendation**: **Full Enterprise + FedRAMP** - All Phase 3 features - PIV/CAC card authentication - STIG hardening - Continuous monitoring - ATO process **Effort**: 12+ months **Cost**: $200,000+ (includes ATO) **⚠️ CRITICAL**: Work with FedRAMP consultant and agency ISSO --- ## Conclusion ### Summary **Current State**: Mimir is **production-ready for internal/trusted environments** but requires security enhancements for enterprise/regulated use. **Key Findings**: 1. ✅ **Strong Foundation**: Neo4j security, input validation, Docker isolation 2. ⚠️ **Authentication Gap**: No API authentication (highest priority) 3. ⚠️ **Encryption Gap**: HTTP only (easy fix with reverse proxy) 4. ⚠️ **Audit Gap**: No security event logging (required for compliance) ### Recommended Approach **For Most Users**: **Reverse Proxy Security Layer (Option 1)** - Minimal code changes - Industry-standard approach - Flexible and upgradeable - Supports gradual hardening **Implementation Priority**: 1. **Week 1**: HTTPS + API key auth (reverse proxy) 2. **Week 2-4**: OAuth + RBAC + audit logging (middleware) 3. **Month 2-3**: Compliance controls (data retention, privacy APIs) 4. **Ongoing**: Monitoring, vulnerability management, pen testing ### Final Recommendation **DO**: - ✅ Implement Phase 1 (Basic Security) for ANY production deployment - ✅ Use reverse proxy approach for flexibility - ✅ Start with simple API key auth, upgrade to OAuth later - ✅ Enable audit logging from day 1 **DON'T**: - ❌ Deploy to public internet without HTTPS - ❌ Use for PHI/PII without Phase 2 compliance - ❌ Deploy in federal systems without full FISMA compliance - ❌ Skip security because "it's just internal" **Bottom Line**: Mimir is **secure enough for internal use** with Phase 1 hardening. For regulated environments, budget 1-3 months for compliance implementation. --- ## Appendix: Quick Reference ### Security Checklist (Copy-Paste) ```markdown - [ ] HTTPS/TLS enabled - [ ] API key authentication - [ ] Rate limiting configured - [ ] Audit logging enabled - [ ] Neo4j password changed from default - [ ] .env file excluded from git - [ ] IP whitelist configured - [ ] Backup strategy implemented - [ ] Incident response plan documented - [ ] Security contact designated ``` ### Emergency Security Lockdown If you suspect a breach: ```bash # 1. Stop all services docker-compose down # 2. Backup data docker run --rm -v mimir_neo4j_data:/data -v $(pwd):/backup \ neo4j:5.15-community tar czf /backup/neo4j-backup-$(date +%Y%m%d).tar.gz /data # 3. Rotate all secrets # - Generate new Neo4j password # - Generate new API keys # - Update .env file # 4. Review audit logs docker-compose logs mimir_server | grep -i "error\|unauthorized\|failed" # 5. Restart with new credentials docker-compose up -d ``` --- **Document Version**: 1.0.0 **Last Updated**: 2025-11-21 **Next Review**: 2026-02-21 **Owner**: Security Team **Classification**: Internal Use Only

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/orneryd/Mimir'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

ENTERPRISE_READINESS_AUDIT.md•38.3 KiB