Why NoSQL Equals NoSecurity - InformationWeek

If it seems security is an afterthought in the big data ecosystem, you’re right. Here’s what to do about it.

If Developers Ran The World

Steve Ballmer had it right: It's all about the developers, and that's the first place to focus efforts to secure unstructured data environments.

Schireson made it clear that security just wasn't part of the MongoDB thought process until recently, when 10gen's customer base expanded from Web 2.0 companies that generally don't store sensitive information to large financial services firms using NoSQL to mine customer data and patterns. Schireson's recommended approach to securing MongoDB installations is to implement an audit system, use SSL, and perform a system architecture review.

That's not bad advice, but the first two points require custom coding, and the third might not help at all, depending on who's doing the review.

Hint: It better not be a developer.

We believe a much more tactical approach must be taken to hardening your NoSQL database infrastructure. First, as an authentication mechanism, a number of NoSQL systems support Kerberos, which is better than nothing because it lets you use Active Directory or a specially configured MIT Kerberos server for authentication instead of the database's own (often absent) account store.

Unfortunately, in our experience working with clients that have NoSQL deployments, we've never seen Active Directory in use. We discuss how to do authentication, logging, and encryption right in our full report. For now, let's focus on the difficult job of securing these databases.

Frameworks To The Rescue

If there's one thing coders love it's rapid application development, and that quest for ease of use just might be the savior of big data security.

As discussed, there aren't many security features built into NoSQL databases, so developers are left to write their own. Rapid application development frameworks such as Spring, Lithium, and Ruby on Rails enable developers to quickly interface with NoSQL technologies without having to worry about the complicated installation and database schema configurations that are part and parcel of conventional SQL databases like Oracle and Microsoft SQL Server.

These frameworks implement the security features we wish were built into NoSQL databases, including authentication, role-based access control, and encryption. For example, the Spring security framework makes more than 20 capabilities available to developers. These frameworks provide a quick, reliable, and usually well-tested set of security features. Best of all, your developers don't need to reinvent the wheel.

Here are the top security controls we recommend developers implement when using a NoSQL back end:

>> Authentication. Unfortunately, even in 2012, most of the NoSQL installations we see have no passwords and allow anyone who can reach the port to access the database. At best, password authentication is switched on and the passwords are whatever the users chose. If you can't use a built-in authentication capability within the NoSQL database, make sure you at least use authentication within the framework, so that no request reaches the database without an authenticated application session behind it.

>> Input validation. While NoSQL databases don't suffer from the SQL injection issues found in a conventional relational database management system, they can still be injected: either the application assembles a query by string concatenation, or the store evaluates JavaScript supplied in the query (MongoDB's $where clause, for example), and in both cases attacker-controlled input is executed as code rather than compared as data. Filtering JavaScript out of input, or configuring the database to not execute server-side JavaScript at all, closes the JavaScript vector; query filters built from unvalidated input still have to be validated as data, because a query object taken straight from a request can carry comparison operators in place of the expected value.

>> Data validation. Most NoSQL databases store documents or other objects that can contain dynamic structures, so the store itself won't reject a field of the wrong type or an unexpected extra field. Leveraging the framework to validate data being written to and read from the database prevents problems such as the system silently converting from one data type to another without the developer realizing it; unexpected type conversions can also be abused to trigger denial-of-service conditions.

>> Role-based access. Store information on which users have access to what data outside the NoSQL database and have the application enforce these roles.
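
The three application-side controls above (input validation, data validation, and role-based access) in one added Python example. This code is not from the article and is not 10gen's or MongoDB's own; it assumes a pymongo-style driver in which a query filter is a plain dict, a hypothetical user collection with username, email, and balance fields, and made-up role names. No database is needed: the functions only construct and check the filter and document dicts a driver would send.

```python
import re
from typing import Any

# Assumed (not from the article): a pymongo-style driver where a query filter
# is a plain dict and user records carry username (str), email (str), balance (int).
USER_SCHEMA = {"username": str, "email": str, "balance": int}

# Role table kept in the application, outside the database (hypothetical roles).
ROLES = {"analyst": {"read"}, "teller": {"read", "write"}}

# Operators that make the server evaluate JavaScript. $where is the classic one;
# $function / $accumulator are aggregation-stage equivalents in newer releases.
JS_OPERATORS = ("$where", "$function", "$accumulator")


def vulnerable_where_filter(username: str) -> dict:
    """Constructed 'before' case: the filter is JavaScript source assembled by
    string concatenation, so the caller's input is executed as code.
    A username of  ' || true || '  turns the clause into
    this.username == '' || true || ''  and matches every document."""
    return {"$where": "this.username == '" + username + "'"}


def safe_equality_filter(username: Any) -> dict:
    """Hardened form: the value travels as data in an equality match.
    Insisting on a plain string also blocks operator injection, where a JSON
    body supplies {"username": {"$gt": ""}} and the comparison matches all rows."""
    if not isinstance(username, str):
        raise TypeError("username must be a string, got " + type(username).__name__)
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", username):
        raise ValueError("username contains characters outside the allowed set")
    return {"username": username}


def contains_js(filter_doc: Any) -> bool:
    """Walk a filter (including $and/$or lists) and report any JS-evaluating
    operator. Useful as a last check when the filter was built by another layer."""
    if isinstance(filter_doc, dict):
        return any(key in JS_OPERATORS or contains_js(value)
                   for key, value in filter_doc.items())
    if isinstance(filter_doc, list):
        return any(contains_js(item) for item in filter_doc)
    return False


def validate_user_document(doc: Any) -> dict:
    """Data validation on the write path: every schema field must be present with
    exactly the declared type. type() rather than isinstance() is deliberate:
    bool is a subclass of int in Python, so True would otherwise be accepted as a
    balance. Fields outside the schema are dropped rather than stored."""
    if not isinstance(doc, dict):
        raise TypeError("document must be an object")
    clean = {}
    for field, expected in USER_SCHEMA.items():
        if field not in doc:
            raise ValueError("missing field: " + field)
        value = doc[field]
        if type(value) is not expected:
            raise TypeError("field %s must be %s, got %s"
                            % (field, expected.__name__, type(value).__name__))
        clean[field] = value
    return clean


def build_user_lookup(role: str, username: Any) -> dict:
    """Role-based access enforced by the application before any query is built:
    the database never sees a request the role is not allowed to make."""
    if "read" not in ROLES.get(role, set()):
        raise PermissionError("role %r may not read user records" % role)
    query = safe_equality_filter(username)
    if contains_js(query):  # cannot happen for an equality filter; defence in depth
        raise ValueError("query would execute server-side JavaScript")
    return query


if __name__ == "__main__":
    # Constructed sample inputs: a normal lookup and two attacks.
    print(vulnerable_where_filter("' || true || '"))   # injected $where clause
    print(build_user_lookup("analyst", "alice"))        # {'username': 'alice'}
    for bad in ({"$gt": ""}, "' || true || '"):
        try:
            safe_equality_filter(bad)
        except (TypeError, ValueError) as exc:
            print("rejected:", exc)
    print(validate_user_document(
        {"username": "alice", "email": "alice@example.com", "balance": 100, "role": "admin"}))
```

The point of the split is that the vulnerable and safe filters look almost identical on the wire; what differs is whether the user's input ends up inside a string the server interprets or inside a value the server compares. The role check sits in front of query construction on purpose, so an authorization failure never even produces a filter.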

Many developers argue that adding security decreases performance; that's the most common excuse we hear for why NoSQL deployments use no authentication or encryption. However, Owen O'Malley, a Hadoop engineer at Yahoo, says he saw less than a 3% performance hit in Hadoop when additional security features, such as ACLs and authentication, were enabled. That's well worth it, especially compared with the alternative of cleaning up after a successful attack.

[Chart: Which of these analytic applications and databases are you using or investigating?]

Page 2 of 3
Andrew Hornback, User Rank: Apprentice
4/4/2012 | 8:15:52 PM
re: Why NoSQL Equals NoSecurity
Shouldn't security be designed into a product during the development stage, as opposed to being tacked onto it at the end?

That's how my thought process works - secure from the beginning to the end, but it appears that idea has been lost on the developers putting together these new database technologies. Wonder how many breaches directly attributable to the lack of security on these databases it will take before things change?

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
4/10/2012 | 5:14:13 PM
re: Why NoSQL Equals NoSecurity
Nice piece, Mike. I completely agree that NoSQL databases are not perfect fits for many enterprise apps, and not just for security. I've written a longer response here:
User Rank: Apprentice
4/21/2012 | 12:07:49 PM
re: Why NoSQL Equals NoSecurity
First of all, I wanted to say that I really enjoyed the article "Why NoSQL Equals NoSecurity" in the Information Week magazine, 4/9/12 issue, and I have never before seen such a thorough analysis of this issue. I am a Sr. Oracle DBA working in New York City with more than eleven years of experience in this field.

I believe that in the case of MongoDB you are wrong: there is a security architecture in this product. When I became aware of the new popularity of NoSQL databases, I took a class given by 10Gen, the creator of MongoDB software, called "MongoDB for DBAs". This class covered many aspects of this document data-store database, including its architecture and security aspects.

During this class I asked many questions since I noticed that many of the features of a RDBMS are in MongoDB. One question that I asked on the second day was "Is there security and users?" since up to that point we had not covered security and user management. The response I received from the class instructor is that there is security but it is not enabled as a default. Unless security is enabled there are no user accounts and the database is wide open as you indicated in your article. The process on how to enable security is detailed in the following URL: http://www.mongodb.org/display...

The security model in MongoDB is not as robust as those found in Oracle or MS SQL Server, but it is present. It is a simple authentication model where the administrator account has control of everything and regular users can have full access to a collection (RDBMS table) or read-only access.

Again I would like to thank you for your very thorough treatment of the new and developing area of the database space.


Joseph DeArce
Senior Database Administrator
