NoSQL, or Not Only SQL, is an approach to data storage and retrieval that is very fashionable with startups developing interactive Web applications and enterprises dealing with huge quantities of data. The main reason for its popularity is that it provides better scalability and availability, as well as faster access to data, than traditional relational database management systems (RDBMS), including Oracle's MySQL and Microsoft's SQL Server.
Data held in an RDBMS has to be predictable so it can be stored in organized tables and rows, with relationships defined between different elements. Data in a NoSQL database, on the other hand, doesn't need to be so structured or follow a fixed schema. When performance and real-time access are more important than consistency, such as when indexing and retrieving a large number of records, NoSQL is a better fit than a relational database. Data can also be more easily held across multiple servers, providing improved fault tolerance and scalability. Companies like Google and Amazon use their own cloud-friendly NoSQL database technologies, and there are a number of commercial and open source NoSQL databases available, such as Couchbase, MongoDB, Cassandra and Riak.
For all the advantages of storing data in a NoSQL database, NoSQL security is adversely impacted by the need to access data quickly and easily. To store information securely, a database needs to provide confidentiality, integrity and availability (CIA). Enterprise RDBMS databases provide CIA through integrated security features such as role-based security, encrypted communications, support for row and field access control, as well as access control through user-level permissions on stored procedures. RDBMS databases also have ACID (atomicity, consistency, isolation, durability) properties that guarantee database transactions are processed reliably; data replication and logging ensure durability and data integrity. These features increase the time it takes to retrieve large amounts of data, so they are not implemented in NoSQL databases.
In order to maintain fast access to data, NoSQL databases come with little built-in security. They have what's called BASE (basically available, soft state, eventually consistent) properties; rather than requiring consistency after every transaction, the database just needs to eventually reach a consistent state. For example, when users view data, such as the number of items in stock, they may see the last snapshot taken of the data rather than a current view. Because transactions aren't written to the database immediately, there is a possibility that simultaneous transactions could interfere with each other. This inherent race condition, in which users do not necessarily see the same data at the same time, means a NoSQL database could never be used for handling financial transactions.
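The race condition described above can be made concrete with a small simulation. This is an added illustration, not code from the article: an in-memory map stands in for a document store (no real NoSQL product or driver is involved), and two writers each sell one unit of stock after reading the same snapshot. The first routine writes back unconditionally and silently loses one update; the second carries a document version number and refuses a write whose snapshot is stale, which is the check-and-set pattern many document stores offer and that the application must actually use.

```javascript
// Added illustration (not from the article): lost update on a stock counter
// when two writers do read-modify-write without any atomicity guarantee,
// versus the same workload guarded by a version (compare-and-swap) check.
// DocumentStore is a constructed in-memory stand-in for a NoSQL document store.

class DocumentStore {
  constructor() { this.docs = new Map(); }

  put(key, doc) {
    this.docs.set(key, { ...doc, version: 0 });
  }

  // Returns a copy, like a snapshot read: later writes are not reflected in it.
  get(key) {
    const doc = this.docs.get(key);
    return doc ? { ...doc } : undefined;
  }

  // Unconditional write: last writer wins, regardless of what it read earlier.
  replace(key, doc) {
    const current = this.docs.get(key);
    this.docs.set(key, { ...doc, version: current.version + 1 });
    return true;
  }

  // Conditional write: succeeds only if nobody has written since the caller's read.
  replaceIfVersion(key, doc, expectedVersion) {
    const current = this.docs.get(key);
    if (current.version !== expectedVersion) return false;
    this.docs.set(key, { ...doc, version: current.version + 1 });
    return true;
  }
}

// Two "simultaneous" sales of one unit each, interleaved so that both
// writers read the same snapshot before either writes.
function sellWithoutCheck(store, key) {
  const a = store.get(key);
  const b = store.get(key);                    // B reads the same snapshot as A
  store.replace(key, { stock: a.stock - 1 });  // A writes stock-1
  store.replace(key, { stock: b.stock - 1 });  // B overwrites A with the same stock-1
  return store.get(key).stock;                 // one sale has been lost
}

// Same interleaving, but every write is conditional on the version it read.
function sellWithVersionCheck(store, key) {
  const a = store.get(key);
  const b = store.get(key);
  const okA = store.replaceIfVersion(key, { stock: a.stock - 1 }, a.version);
  let okB = store.replaceIfVersion(key, { stock: b.stock - 1 }, b.version);
  if (!okB) {
    // B's snapshot is stale: re-read and retry, as a client library would.
    const fresh = store.get(key);
    okB = store.replaceIfVersion(key, { stock: fresh.stock - 1 }, fresh.version);
  }
  return { stock: store.get(key).stock, okA, okB };
}

// Constructed sample run: ten widgets in stock, two concurrent single-unit sales.
function demo() {
  const unguarded = new DocumentStore();
  unguarded.put('widget', { stock: 10 });
  const guarded = new DocumentStore();
  guarded.put('widget', { stock: 10 });
  return {
    withoutCheck: sellWithoutCheck(unguarded, 'widget'),   // 9: one update lost
    withCheck: sellWithVersionCheck(guarded, 'widget').stock, // 8: both sales applied
  };
}

module.exports = { DocumentStore, sellWithoutCheck, sellWithVersionCheck, demo };
```

The version check does not make the store transactional across documents; it only protects one document against a stale write, which is why the article's point about multi-table changes still stands.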
NoSQL databases also lack confidentiality and integrity. As NoSQL databases don't have a schema, permissions on a table, column or row can't be segregated. It can also lead to multiple copies of the same data, which makes it hard to keep data consistent, particularly as changes to multiple tables can't be wrapped in a transaction where a logical unit of insert, update or delete operations is executed as a whole.
With more than 20 different implementations of NoSQL available, a lack of standards also increases the complexities of keeping data secure. Confidentiality and integrity have to be provided entirely by the application accessing the NoSQL data. It is not a sound practice to have the last line of defense for any valuable data at the application level. Application developers are not renowned for implementing security features, and new code usually means new bugs. Any requests sent to a NoSQL database need to be escaped, filtered and validated, while the database itself needs to reside in a hardened environment.
Interestingly, some NoSQL projects are now starting to add back RDBMS-type security features. Oracle, for example, added transactional control over data written to one node. Cassandra supports transaction logging and automatic replication, and MongoDB supports master-slave replication.
If scalability and availability are the key database requirements for an organization, then NoSQL may be the right choice for certain large data sets. However, system architects should take a close look at their requirements for security, privacy and data integrity before choosing a NoSQL database. The lack of NoSQL security features, namely authentication or authorization support, means that sensitive data is best kept in a traditional RDBMS.
About the author
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.
This was first published in April 2013