Abstract
To get the desired benefits for the IT enterprise, NoSQL databases must be combined with proven and reliable SQL features into a single proven infrastructure meeting the manageability and security requirements of cloud computing. Various specifications, including SAML (Security Assertions Markup Language), improved interoperability across organizational boundaries are coming up. This chapter discuses some of the security issues of NoSQL databases. All the related technology used in the chapter are explained either where they appear or at the end of the chapter.
TopIntroduction
Data collected from various sources such as social media, logs, mobile devices and sensor networks has become very sensitive as lots of organization use various cloud based applications for various transactions. Data compromise is caused by:
Data needs security when
- 1.
Data at rest,
- 2.
Data in motion,
- 3.
Data in use.
Data security plays a vital role specifically when the data is remotely accessible in cloud. The cloud computing delivery models i.e. SaaS, PaaS, IaaS are attractive targets for attacker due to the volume of information that can be compromised.
Developed specifically for meeting the requirements of cloud computing NoSQL database also popularly known as “Not only SQL” databases are primarily a non-relational distributed databases. NoSQL databases support massive data storage across multiple storage clusters.
Varieties of NoSQL database having different features are available with open source and proprietary option. The very interesting fact about the NoSQL database is that, no two NoSQL database solutions are same since they are designed to meet the specific requirements of particular cloud based applications. Most NoSQL database does not offer a Data Definition Language (DDL) for specifying a global schema. There is no schema management interface that works across NoSQL systems from different providers, allowing application administrators to manage their data structure systematically (McWilliams & Ivey, 2012).
Since NoSQL has not been designed with security as a priority, protecting data stores has become a concern to organizations using NoSQL databases. For example the MongoDB Developer FAQ says “…with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem” (Sullivan, 2011). The lack of NoSQL security features, namely Authentication and Authorization support, means that sensitive data are safer in traditional RDBMS (Cobb, 2013). It was concluded in the proceedings of “2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11” that “The lack of encryption support for the data files, weak authentication both between the client and the servers and between server members, very simple authorization without support for RBAC or fine-grained authorization, and vulnerability to SQL Injection and Denial of Service attacks” (Factor, 2013).
The NoSQL security concerns are:
This chapter discusses the emerging trends in NoSQL database security. Security mechanisms used by some popular NoSQL will be discussed in brief.
TopNosql Security Threats
Cloud providers offer services through Application Programming Interface (APIs) such as SOAP, REST, or HTTP with XML/JSON. Hence the security of the cloud applications depends upon the security of these application interfaces.
In comparison to SOAP-Based Web services, a REST-based approach to Web services is much easier to implement since REST simply relies on the HTTP protocol. REST uses (Lee & Mehta, 2013):
- 1.
URIs (Uniform Resource Identifiers) to identify resources.
- 2.
GET, PUT, POST and DELETE actions to retrieve, update, create, and delete the resources remotely through Web servers.
Key Terms in this Chapter
MD5: Designed in 1992 as an improvement of MD4 the MD5 is one of the most widely used cryptographic hash functions nowadays. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack.
Fuzz Testing: Originally developed by Barton Miller at the University of Wisconsin in 1989, Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks. Fuzzing software input massive amounts of random data, called fuzz, to the system in an attempt to make it crash.
Dynamo: Dynamo is collection of techniques that collectively forms a highly available Key-Value structured storage system or a distributed data store.
Replication Factor: Represents the number of times a KV-Value pairs is stored in NoSQL database.
Developers Prefer Simple Authentication and Security Layer (SASL): With Kerberos via Generic Security Service Application Program Interface (GSSAPI) to authenticate users for defining the accessible services to a particular user/User group. When a user connects to a Job Tracker, the connection is mutually authenticated using Kerberos. Operating system authentication principles are also matched to a set of user and group access control lists maintained in flat configuration files.
Shard: A set of partitions also referred to as a partition group.
Light Weight Directory Access Protocol (LDAP): An open network protocol standard designed to provide access to distributed directories. LDAP provides a mechanism to query or modify information that exists in a directory information tree (DIT), which may contain a broad range of information about different types of objects such as users, printers, applications, and other network resources. This document presents information on the basic models used to describe LDAP, and describes the APIs used to expose the LDAP protocol.
XML Common Biometric Format Technical Committee (XCBF): An XML-based system for standardising biometric data transmission is being developed by standards organisation the Organization for the Advancement of Structured Information Standards (Oasis).
Port Scan: The port scan is the technique used by hackers on a System or Network to determine which ports is Open or in use. To collect the port status information Hackers use various tools to send data to TCP or UDP ports. Based on the response received from the port scan utility the Hackers can determine whether a port is in use/open. If a security flaw exists, hackers can register as legitimate users to carry out attacks through these ports for gaining unauthorized access of resources.