Mobile // Mobile Devices
News
3/28/2012
12:15 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Why NoSQL Equals NoSecurity

If it seems security is an afterthought in the big data ecosystem, you’re right. Here’s what to do about it.

If it seems that security is an afterthought in the big data ecosystem, you're right. And that's unfortunate, because attackers go where the data is. Our security surveys consistently show that even conventional structured databases aren't protected as well as they should be. And now we're piling up unstructured data.

We understand how this state of affairs came about. The whole point of NoSQL databases and superfast key-value stores like Redis is to provide rapid, unfettered access to data. The mission statement says nothing about protecting all that data.

This isn't a news flash to security pros, but those charged with managing big data seem unfazed. In our InformationWeek 2012 Big Data Survey of business technology professionals managing a minimum of 10 TB of data, we asked about a dozen management priorities. Robust security came in eighth, selected by just 17% of respondents.

That would be less scary if the No. 1 application driving big data needs at respondents' companies weren't financial transactions.

Clearly, the developers driving the NoSQL bus just don't get it. The only thing we've gotten from years of pushing to secure Hadoop and other big data technologies is integration with authentication frameworks such as Kerberos. Excuse us if we don't swoon with gratitude.

As technologies like Hadoop and NoSQL go mainstream, this situation must be addressed. In 2010, only a handful of companies, notably Foursquare and Craigslist, were heavily into unstructured data, and they didn't deal with sensitive information. But 2011 was a turning point, says Max Schireson, president of 10gen, developer of the NoSQL database MongoDB. "We went from a handful of [employees] to over 100," says Schireson. "We can barely keep up with demand."

10gen's customer list has expanded to include financial services companies such as Intuit, big consumer brands like Disney, and the U.S. intelligence community. InformationWeek's 2012 State of Database Technology Survey (conducted in November) confirms the upward trend. Among 760 respondents, the number with Hadoop in production, running pilots, or investigating it jumped 17 points from August 2010, to 39%. Use of MapReduce and BigTable also rose significantly. The industry most represented in our State of Database Technology poll was government, with healthcare, financial services, and education not far behind--even JPMorgan Chase is using NoSQL technologies to improve fraud detection.

And yet, the NoSQL ecosystem is woefully behind in incorporating even basic security. MongoDB, for example, includes Secure Sockets Layer support only in the commercial offering. There's an outstanding request from January 2010 to add SSL to the open version.

You're thinking, "OK, they must provide good guidance on how to harden the system, right?" Here's what MongoDB's documentation has to say: "The current version of Mongo supports only basic security." What's basic? "It is often valid to run the database in a trusted environment with no in-database security and authentication (much like how one would use, say, memcached)," MongoDB says. "Of course, in such a configuration, one must be sure only trusted machines can access database TCP ports."

So firewalls are now considered sufficient protection for financial data? And it's not just MongoDB. The security page for Redis states that untrusted access to the key-value store should be mediated by a layer implementing access controls lists, validating user input, and deciding what operations to perform against the Redis instance.

We asked a financial services firm that leverages a NoSQL database for trading information where it would put security controls. At the database or application, perhaps? Its answer: the operating system.

So, yes, the NoSQL world has gone mad, and that's because the big data show is being run by developers, not architects or even system administrators. These developers clearly don't realize that 14% of all breaches last year were caused by compromised database servers. That's second only to point-of-sale servers in terms of a single point of weakness and well above the 9% of breaches that involved Web application servers, according to Verizon's Data Breach Incident Report. It seems developers are stuck in 1998, when perimeter security was state of the art.

So do security teams need to go on a (probably doomed) mission to outlaw use of Hadoop, MongoDB, and other NoSQL technologies, at least until they mature? That depends on how willing you are to get your hands dirty.

Our full report on NoSQL database security is available free with registration.

This report includes 14 pages of analysis along with best practices and hardening tips. What you'll find:
  • Discussion of database and date encryption
  • How to do security logging the right way
Get This And All Our Reports


Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Oracle66
50%
50%
Oracle66,
User Rank: Apprentice
4/21/2012 | 12:07:49 PM
re: Why NoSQL Equals NoSecurity
First of all, I wanted to say that I really enjoyed the article GǣWhy NoSQL Equals NoSecurityGǥ in the Information Week magazine, 4/9/12 issue, and I have never before seen such a thorough analysis of this issue. I am a Sr. Oracle DBA working in New York City with more than eleven years of experience in this field.

I believe that in the case of MongoDB you are wrong: there is a security architecture in this product. When I became aware of the new popularity of NoSQL databases, I took a class given by 10Gen, the creator of MongoDB software, called GǣMongoDB for DBAsGǥ. This class covered many aspects of this document data-store database, including its architecture and security aspects.

During this class I asked many question since I noticed that many of the features of a RDBMS are in MongoDB. One question that I asked on the second day was GǣIs there security and users?Gǥ since up to that point we had not covered security and user management. The response I received from the class instructor is that there is security but it is not enabled as a default. Unless security is enabled there are no user accounts and the database is wide open as you indicated in your article. The process on how to enable security is detailed in the following URL: http://www.mongodb.org/display...

The security model in MongoDB is not as robust as those found in Oracle or MS SQL Server, but it is present. It is a simple authentication model where the administrator account has control of everything and regular users can have full access to a collection (RDBMS table) or read-only access.

Again I would like to thank you for your very thorough treatment of the new and developing area of the database space.

Regards,

Joseph DeArce
Senior Database Administrator
http://www.linkedin.com/in/sro...
datatree2@yahoo.com

RGONZALEZ000
50%
50%
RGONZALEZ000,
User Rank: Apprentice
4/10/2012 | 5:14:13 PM
re: Why NoSQL Equals NoSecurity
Nice piece, Mike. I completely agree that NoSQL databases are not perfect fits for many enterprise apps, and not just for security. I've written a longer response here:
http://www.cambridgesemantics....
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/4/2012 | 8:15:52 PM
re: Why NoSQL Equals NoSecurity
Shouldn't security be designed into a product during the development stage, as opposed to being tacked onto it at the end?

That's how my thought process works - secure from the beginning to the end, but it appears that idea has been lost on the developers putting together these new database technologies. Wonder how many breaches directly attributable to the lack of security on these databases it will take before things change?

Andrew Hornback
InformationWeek Contributor
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.