
Why NoSQL Equals NoSecurity

If it seems security is an afterthought in the big data ecosystem, you’re right. Here’s what to do about it.

What About The OS?

The operating system on which any database runs should be hardened and locked down. Most NoSQL technologies leverage Linux, so there are a variety of options to choose from. When hardening an OS, focus on four areas: users, permissions, services, and logging. Mechanisms such as Bastille Linux or SELinux can help automate Linux hardening, but we recommend you follow a more structured approach, such as those from the Center for Internet Security or the Defense Information Systems Agency's Security Technical Implementation Guide for Linux. These guidelines have been reviewed and tested by thousands of people and are unlikely to cause problems like incompatibility.

With Hadoop and MongoDB in particular, properly configuring file system permissions is vital. The Hadoop Distributed File System can be securely configured to give only appropriate permissions to the users running various jobs. For example, we recommend splitting MapReduce jobs and HDFS users into two groups, so that you have separation of access. HDFS needs to run the NameNode, DataNode, and Secondary NameNode, but MapReduce users need to run only the JobTracker and TaskTracker applications. Creating Hadoop groups allows you to set up permissions, a critical part of any system-hardening process. Without the proper permissions, a user could potentially copy the entire Hadoop or MongoDB instance, load it on a new server, and bypass all of your authentication controls; this is also an argument in favor of encryption, as we discuss in our full report.

Finally, don't run these databases as root. We have seen too many instances of this. Create a separate user, and lock down that user so the database has access to only those directories and executables it needs.
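The two checks below audit the points just made (no data-store daemon running as root; data directories owned by a dedicated account and closed to "other"). This is an added example, not code from the article; the daemon names, the hdfs and mapred accounts and the directory paths in the stand-alone section are assumptions for a typical Linux deployment, and the directory check needs GNU stat.

```shell
#!/bin/sh
# Added audit helpers for the hardening guidance above (not from the article).

# Report data-store daemons that run as root.
# $1: "USER COMMAND" text, one process per line, e.g. from: ps -eo user:32,comm --no-headers
# $2: optional ERE for the daemon names to check (Hadoop daemons show up as "java").
# Returns 1 if any matching daemon runs as root, 0 otherwise.
daemons_running_as_root() {
    default_pat='^(mongod|mongos|java)$'   # assumed daemon set; adjust per deployment
    pattern=${2:-$default_pat}
    printf '%s\n' "$1" | awk -v pat="$pattern" '
        $2 ~ pat && $1 == "root" { print "root-owned daemon: " $0; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Check that a data directory belongs to the dedicated service account and grants
# nothing to "other": a world-readable data directory is what lets a local user copy
# the whole instance elsewhere and bypass the database's own authentication.
# $1: directory, $2: expected owner, $3: expected group. Returns 1 on any mismatch.
datadir_locked_down() {
    dir=$1 want_user=$2 want_group=$3
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    info=$(stat -c '%U %G %a' "$dir") || return 1   # GNU coreutils stat
    set -- $info
    owner=$1 group=$2 mode=$3
    rc=0
    [ "$owner" = "$want_user" ]  || { echo "$dir: owner $owner, expected $want_user"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$dir: group $group, expected $want_group"; rc=1; }
    # Last octal digit is the "other" class; anything non-zero is world access.
    [ $((mode % 10)) -eq 0 ] || { echo "$dir: mode $mode grants access to other"; rc=1; }
    return $rc
}

# Stand-alone run (RUN_AUDIT=1 ./audit.sh): live process table plus assumed paths.
if [ -n "${RUN_AUDIT:-}" ]; then
    status=0
    daemons_running_as_root "$(ps -eo user:32,comm --no-headers)" || status=1
    datadir_locked_down /var/lib/mongodb mongodb mongodb || status=1   # assumed path/account
    datadir_locked_down /var/lib/hadoop-hdfs hdfs hadoop   || status=1   # assumed path/account
    exit $status
fi
```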

Right now, open source NoSQL technologies just aren't ready for the enterprise when it comes to security. Can you make them ready? Sure, but it comes down to resources--do you have people with the right skills? If so and if you're willing to work closely with developers and analyze your organization's risk, you can implement NoSQL technologies securely. Otherwise, there are commercial NoSQL databases such as Vertica and eXist-db that have security controls built in. Just because some well-known Web 2.0 company uses an open source database doesn't mean you should. Their risks, data, and expertise are likely very different from yours.

We're not trying to paint the future of big data and NoSQL as that of a security wasteland. There's precedent for a free-for-all market getting serious under pressure. We saw this happen in the public cloud, as enterprises forced providers to start caring about security controls and privacy. But the fact is that NoSQL technology is by developers, for developers. Unless companies make data protection a priority--and vote with their budget dollars--we don't foresee the NoSQL community suddenly getting security religion.

[Chart: Have you implemented database encryption?]

3 of 3
User Rank: Apprentice
4/21/2012 | 12:07:49 PM
re: Why NoSQL Equals NoSecurity
First of all, I wanted to say that I really enjoyed the article "Why NoSQL Equals NoSecurity" in the Information Week magazine, 4/9/12 issue, and I have never before seen such a thorough analysis of this issue. I am a Sr. Oracle DBA working in New York City with more than eleven years of experience in this field.

I believe that in the case of MongoDB you are wrong: there is a security architecture in this product. When I became aware of the new popularity of NoSQL databases, I took a class given by 10Gen, the creator of MongoDB software, called "MongoDB for DBAs". This class covered many aspects of this document data-store database, including its architecture and security aspects.

During this class I asked many questions since I noticed that many of the features of an RDBMS are in MongoDB. One question that I asked on the second day was "Is there security and users?" since up to that point we had not covered security and user management. The response I received from the class instructor is that there is security but it is not enabled as a default. Unless security is enabled there are no user accounts and the database is wide open as you indicated in your article. The process on how to enable security is detailed in the following URL:

The security model in MongoDB is not as robust as those found in Oracle or MS SQL Server, but it is present. It is a simple authentication model where the administrator account has control of everything and regular users can have full access to a collection (RDBMS table) or read-only access.

Again I would like to thank you for your very thorough treatment of the new and developing area of the database space.


Joseph DeArce
Senior Database Administrator

User Rank: Apprentice
4/10/2012 | 5:14:13 PM
re: Why NoSQL Equals NoSecurity
Nice piece, Mike. I completely agree that NoSQL databases are not perfect fits for many enterprise apps, and not just for security. I've written a longer response here:
Andrew Hornback
User Rank: Apprentice
4/4/2012 | 8:15:52 PM
re: Why NoSQL Equals NoSecurity
Shouldn't security be designed into a product during the development stage, as opposed to being tacked onto it at the end?

That's how my thought process works - secure from the beginning to the end, but it appears that idea has been lost on the developers putting together these new database technologies. Wonder how many breaches directly attributable to the lack of security on these databases it will take before things change?

Andrew Hornback
InformationWeek Contributor