Tip

Securing NoSQL applications: Best practises for big data security

NoSQL database systems are designed to provide real-time performance while managing large volumes of data.  This performance, coupled with the no-cost philosophy behind many NoSQL products, has led many companies to take a look at NoSQL.

Requires Free Membership to View

It is quite likely that new attack vectors will emerge that will target NoSQL data stores in new ways.

However, companies should not rush to implement NoSQL without first evaluating the security implications of switching from a relational database management system (RDBMS) model to a NoSQL model. This tip will consider the security implications for any company thinking of deploying a NoSQL database.

Who uses NoSQL?
NoSQL can be an important tool for any company, large or small, that has big data. Big data is simply any data set that has grown too big to be efficiently worked on in real-time with traditional database tools.

NoSQL is a broad class of database management systems that are not traditional relational database management systems. They do not use SQL as the primary query language, nor do they typically require fixed table schemas. Also, NoSQL is not a single-vendor product (many NoSQL implementations are open source), but rather an umbrella term that can be applied to any of the non-RDBMS big data alternative systems.

Currently, NoSQL databases are in the evolutionary stage of their lifecycle and, unlike their RDBMS counterparts, such as DB2, MySQL, Oracle and SQL Server, the attack vectors for NoSQL databases aren’t well mapped out. And it’s likely new attack vectors will emerge that will target NoSQL data stores in new ways.

More specifically, data breaches caused by a NoSQL injection are probably not far away. With some NoSQL implementations being, essentially, authentication-free JavaScript processing engines, this is inevitable. Indeed, the basics of just such a vulnerability were exposed at Black Hat USA last year when Bryan Sullivan demonstrated a server-side JavaScript injection attack against one NoSQL implementation that could discover database contents and run basic commands.

Is NoSQL secure?
The truth is that NoSQL has not been designed with security as a priority, so developers or security teams must add a security layer to their organisations' NoSQL applications.

During the last couple years, many small businesses have been moving into big data territory, struggling to manage ever-increasing volumes of business data. So it should come as no surprise to learn that threat-tracking firms have reported increased security researcher and hacker activity targeting the NoSQL database sector. Some of this is driven by confusion amongst small businesses about how NoSQL databases can be securely implemented. Too often, these companies ignore NoSQL security measures -- measures that would have been implemented by default with traditional RDBMS installations.

About Kerberos and NTLM

Kerberos is a method for authenticating a request for a service in a network.

Microsoft developed the NTLM authentication method for Exchange Server.

For example, many NoSQL products allow and even recommend the use of a “trusted environment” with no additional security or authentication measures in place. These modes assume that only trusted machines can access the database's TCP ports. But relying on the network to protect data in an Internet-enabled world is a sure-fire way of inviting a breach of any sensitive information held there.

Fortunately, as the NoSQL market matures, security will mature with it. Kerberos authentication modules are now becoming available, which should provide access control capabilities equivalent to the current Kerberos or NTLM (Microsoft Windows NT LAN Manager) approaches to user authentication.

Securing NoSQL databases
Because most of the popular NoSQL databases are open source, IT staff would be wise to devote some time to contributing stronger authentication and encryption systems to their NoSQL implementations, rather than waiting for the publisher of a proprietary database to make changes.

NoSQL data stores are basically vulnerable to the same security risks as traditional RDBMS data stores, so the usual best practises for storing sensitive data should be applied when developing a NoSQL-based application. These include:

  • Encrypting sensitive database fields;
  • Keeping unencrypted values in a sandboxed environment;
  • Using sufficient input validation;
  • Applying strong user authentication policies.

Of course, it would be ideal if there were an accepted standard for authentication, authorisation and encryption in the yet-to-mature NoSQL space. Until such a standardised consensus can be reached, the best approach is to look at security in the middleware layer, rather than on the cluster level, as most middleware software comes with ready-made support for authentication, authorisation and access control. For example, if Java is being used, then the JAAS, Oracle Corp. J2EE or SpringSource (a division of VMware) Spring Security frameworks are available for the authentication, authorisation and access control for noSQL database implementations.

In closing, the most important tip to take from this brief exploration of NoSQL security is this: Beware of jumping on the NoSQL bandwagon until you have made sure the wheels won't fall off. Recognise that NoSQL databases are inherently insecure. If you decide to proceed, apply your own encryption and authentication controls to safeguard the big data in your NoSQL databases.

About the author:
Davey Winder is a UK-based freelance writer and former 'Technology Journalist of the Year' who has spent the best part of two decades writing about IT security issues. A three time winner of the 'Information Security Journalist of the Year' title, in 2011 Davey was honoured to receive the Enigma Award from BT in recognition of his lifetime contribution to information security journalism.

This was first published in June 2012

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.