Why NoSQL Equals NoSecurity - InformationWeek
3/28/2012
12:15 PM
Why NoSQL Equals NoSecurity

If it seems security is an afterthought in the big data ecosystem, you’re right. Here’s what to do about it.

What About The OS?

The operating system on which any database runs should be hardened and locked down. Most NoSQL technologies leverage Linux, so there are a variety of options to choose from. When hardening an OS, focus on four areas: users, permissions, services, and logging. Mechanisms such as Bastille Linux or SELinux can help automate Linux hardening, but we recommend you follow a more structured approach, such as those from the Center for Internet Security or the Defense Information Systems Agency's Security Technical Implementation Guide for Linux. These guidelines have been reviewed and tested by thousands of people and are unlikely to cause problems like incompatibility.

For Hadoop and MongoDB in particular, properly configuring file system permissions is vital. The Hadoop Distributed File System can be securely configured to give only appropriate permissions to the users running various jobs. For example, we recommend splitting MapReduce users and HDFS users into two groups, so that you have separation of access. The HDFS user needs to run the NameNode, DataNode, and Secondary NameNode, but MapReduce users need to run only the JobTracker and TaskTracker applications. Creating Hadoop groups allows you to set up permissions, a critical part of any system-hardening process. Without proper permissions, a user could potentially copy the entire Hadoop or MongoDB instance, load it on a new server, and bypass all of your authentication controls; this is also an argument in favor of encryption, as we discuss in our full report.

Finally, don't run these databases as root. We have seen too many instances of this. Create a separate user, and lock down that user so the database has access to only those directories and executables it needs.
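The three hardening points above (separate service accounts, locked-down data directories, nothing running as root) are easy to state and easy to drift away from, so here is an added audit script, not from the article, that checks them on a Linux host. The account names (hdfs, mapred, mongodb), the daemon match strings and the data directory paths are hypothetical assumptions for illustration, not Hadoop or MongoDB defaults; adjust them to your own layout.

```shell
#!/bin/sh
# Added example, not from the article. Audits the hardening points above on a
# Linux host: each daemon runs under a dedicated service account (never root)
# and each data directory is owned by that account with no "other" permission
# bits. Account names, daemon match strings and directory paths are
# hypothetical assumptions for illustration, not Hadoop or MongoDB defaults.

# Read `ps -eo user:32,args` output on stdin and print the user running the
# first process whose command line contains $1 (Hadoop daemons show up as java
# processes, so match on the daemon class name). Prints nothing if not found.
owner_of() {
    awk -v n="$1" 'NR > 1 && $2 != "awk" && index($0, n) { print $1; exit }'
}

# Return 0 when a process matching $1 is running as user $2 and $2 is not root.
service_user_ok() {
    u=$(ps -eo user:32,args | owner_of "$1")
    [ -n "$u" ] && [ "$u" = "$2" ] && [ "$u" != root ]
}

# Return 0 when directory $1 exists, is owned by $2, and grants nothing to
# "other" (last octal digit of the mode is 0); otherwise return 1.
dir_perms_ok() {
    [ -d "$1" ] || return 1
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")   # GNU stat, else BSD
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print one PASS/FAIL line per check; return the number of failures.
audit() {
    fails=0
    # daemon match string : expected account (assumed HDFS vs MapReduce split)
    for spec in "namenode.NameNode:hdfs" "datanode.DataNode:hdfs" \
                "SecondaryNameNode:hdfs" "JobTracker:mapred" \
                "TaskTracker:mapred" "mongod:mongodb"; do
        if service_user_ok "${spec%:*}" "${spec#*:}"; then
            echo "PASS process ${spec%:*} runs as ${spec#*:}"
        else
            echo "FAIL process ${spec%:*} missing or not running as ${spec#*:}"
            fails=$((fails + 1))
        fi
    done
    # data directory : expected owner (assumed paths)
    for spec in "/var/lib/hadoop-hdfs:hdfs" "/var/lib/hadoop-mapreduce:mapred" \
                "/var/lib/mongodb:mongodb"; do
        if dir_perms_ok "${spec%:*}" "${spec#*:}"; then
            echo "PASS dir ${spec%:*} owned by ${spec#*:}, no access for other"
        else
            echo "FAIL dir ${spec%:*} missing, wrong owner, or accessible by other"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Run the audit only when invoked as `sh audit.sh run`, so the functions can
# also be sourced and used individually.
case "${1:-}" in
    run) audit; exit $? ;;
esac
```

Run it as `sh audit.sh run`; the exit status is the number of failed checks, which makes it easy to wire into a configuration-compliance job. The directory check deliberately looks only at the owner and the "other" bits, because the group bits are where the HDFS/MapReduce split described above is expressed and will legitimately differ between deployments.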

Right now, open source NoSQL technologies just aren't ready for the enterprise when it comes to security. Can you make them ready? Sure, but it comes down to resources--do you have people with the right skills? If so and if you're willing to work closely with developers and analyze your organization's risk, you can implement NoSQL technologies securely. Otherwise, there are commercial NoSQL databases such as Vertica and eXist-db that have security controls built in. Just because some well-known Web 2.0 company uses an open source database doesn't mean you should. Their risks, data, and expertise are likely very different from yours.

We're not trying to paint the future of big data and NoSQL as that of a security wasteland. There's precedent for a free-for-all market getting serious under pressure. We saw this happen in the public cloud, as enterprises forced providers to start caring about security controls and privacy. But the fact is that NoSQL technology is by developers, for developers. Unless companies make data protection a priority--and vote with their budget dollars--we don't foresee the NoSQL community suddenly getting security religion.

chart: have you implemented database encryption?

Comments
Oracle66 (User Rank: Apprentice), 4/21/2012 | 12:07:49 PM
re: Why NoSQL Equals NoSecurity
First of all, I wanted to say that I really enjoyed the article "Why NoSQL Equals NoSecurity" in the Information Week magazine, 4/9/12 issue, and I have never before seen such a thorough analysis of this issue. I am a Sr. Oracle DBA working in New York City with more than eleven years of experience in this field.

I believe that in the case of MongoDB you are wrong: there is a security architecture in this product. When I became aware of the new popularity of NoSQL databases, I took a class given by 10Gen, the creator of MongoDB software, called "MongoDB for DBAs". This class covered many aspects of this document data-store database, including its architecture and security aspects.

During this class I asked many questions since I noticed that many of the features of an RDBMS are in MongoDB. One question that I asked on the second day was "Is there security and users?" since up to that point we had not covered security and user management. The response I received from the class instructor was that there is security but it is not enabled as a default. Unless security is enabled there are no user accounts and the database is wide open, as you indicated in your article. The process on how to enable security is detailed in the following URL: http://www.mongodb.org/display...

The security model in MongoDB is not as robust as those found in Oracle or MS SQL Server, but it is present. It is a simple authentication model where the administrator account has control of everything and regular users can have full access to a collection (RDBMS table) or read-only access.

Again I would like to thank you for your very thorough treatment of the new and developing area of the database space.

Regards,

Joseph DeArce
Senior Database Administrator
http://www.linkedin.com/in/sro...
datatree2@yahoo.com

RGONZALEZ000 (User Rank: Apprentice), 4/10/2012 | 5:14:13 PM
re: Why NoSQL Equals NoSecurity
Nice piece, Mike. I completely agree that NoSQL databases are not perfect fits for many enterprise apps, and not just for security. I've written a longer response here:
http://www.cambridgesemantics....

Andrew Hornback (User Rank: Apprentice), 4/4/2012 | 8:15:52 PM
re: Why NoSQL Equals NoSecurity
Shouldn't security be designed into a product during the development stage, as opposed to being tacked onto it at the end?

That's how my thought process works - secure from the beginning to the end, but it appears that idea has been lost on the developers putting together these new database technologies. Wonder how many breaches directly attributable to the lack of security on these databases it will take before things change?

Andrew Hornback
InformationWeek Contributor