If it seems security is an afterthought in the big data ecosystem, you’re right. Here’s what to do about it.
If Developers Ran The World
Steve Ballmer had it right: It's all about the developers, and that's the first place to focus efforts to secure unstructured data environments.
Schireson made it clear that security just wasn't part of the MongoDB thought process until recently, when 10gen's customer base expanded from Web 2.0 companies that generally don't store sensitive information to large financial service firms using NoSQL to mine customer data and patterns. Shireson's recommended approach to securing MongoDB installations is to implement an audit system, use SSL, and perform a system architecture review.
That's not bad advice, but the first two points require custom coding, and the third might not help at all, depending on who's doing the review.
Hint: It better not be a developer.
We believe a much more tactical approach must be taken to hardening your NoSQL database infrastructure. First, as an authentication mechanism, most NoSQL systems support Kerberos, which is better than nothing because it lets you use Active Directory or a specially configured MIT Kerberos server for authentication.
Unfortunately, in our experience working with clients that have NoSQL deployments, we've never seen Active Directory in use. We discuss how to do authentication, logging, and encryption right in our full report. For now, let's focus on the difficult job of securing these databases.
Frameworks To The Rescue
If there's one thing coders love it's rapid application development, and that quest for ease of use just might be the savior of big data security.
As discussed, there aren't many security features built into NoSQL databases, so developers are left to write their own. Rapid application development frameworks such as Spring, Lithium, and Ruby On Rails enable developers to quickly interface with NoSQL technologies without having to worry about the complicated installation and database schema configurations that are part and parcel of conventional SQL databases like Oracle and Microsoft SQL.
These frameworks implement the security features we wish were built into NoSQL databases, including authentication, role-based access control, and encryption. For example, the Spring security framework makes more than 20 capabilities available to developers. These frameworks provide a quick, reliable, and usually well-tested set of security features. Best of all, your developers don't need to reinvent the wheel.
Here are the top security controls we recommend developers implement when using a NoSQL back end:
>> Authentication. Unfortunately, even in 2012, most of the NoSQL installations we see have no passwords and allow anyone to access the database. At best, passwords are user-defined. If you can't use a built-in authentication capability within the NoSQL database, make sure you at least use authentication within the framework.
>> Data validation. Most NoSQL databases store documents or other objects that can contain dynamic structures. Leveraging the framework to validate data being written to and read from the database can prevent problems, such as when the system converts from one data type to another without the developer realizing it. Data-type conversions can trigger denial-of-service attacks.
>> Role-based access. Store information on which users have access to what data outside the NoSQL database and have the application enforce these roles.
Many developers argue that adding security decreases performance; that's the most common excuse we hear for why NoSQL deployments use no authentication or encryption. However, Owen O'Malley, a Hadoop engineer at Yahoo, says he saw less than a 3% performance hit in Hadoop when additional security features, such as ACLs and authentication, were enabled. That's well worth it, especially compared with the alternative of cleaning up after a successful attack.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.