Perhaps the most compelling argument for the mass adoption of NoSQL is the general lack of buzz. Not that nobody’s writing about it or talking about it, but it’s less prominent at the trade shows and conferences, where the focus is on ‘all things new and shiny’. There, NoSQL is no longer even a big deal, which is a prime indication that it’s been widely accepted, adopted, and is no longer the new kid on the block. That means that there’s a good chance you’ve adopted — or are preparing to — and that you need to know the best practices for security.
The thing is, while NoSQL is a powerful solution and a real redesign for the way databases have always been structured, it was not developed with security in mind. Security was more of an afterthought, and even then, an afterthought by the organizations that adopt NoSQL databases and applications, not the developers themselves. An additional issue that hinders the security of these databases and apps is that most of the really popular NoSQL databases are open source. That naturally complicates the whole security issue. Does that mean that it can’t be made secure? Absolutely not! It simply means that you’ll have to take steps to secure your NoSQL databases and applications. Here’s how to do that the right way.
1. Understand the Risks
While the security climate for NoSQL is different, the threats are essentially the same as for any ordinary RDBMS data storage solution. So all of the best practices that apply to a traditional database also apply to NoSQL. There’s no need to reinvent the wheel. Database administrators have been securing relational databases since mankind first went to the moon, so this is not new territory. Be aware of the threats that are out there, as well as the most effective techniques for closing vulnerabilities and thwarting attacks.
2. Encrypt Sensitive Data
While it may not be necessary to encrypt every little thing, it is essential to encrypt the more sensitive database fields, as well as any information stored there that is subject to compliance regulations. Naturally, the same backup and disaster recovery needs that exist with an RDBMS data storage solution also apply to a NoSQL DB or application.
3. Use Sandbox Environments for Unencrypted Data
Any data that isn’t encrypted should be put in a sandboxed environment where it cannot be accessed by the wrong people. While the prevailing theory these days is to allow all access to all data by all people (and devices) within the organization, that’s a bad philosophy when it comes to securing data. If they don’t need it, hide it.
4. Use Strong Input Validation
Keep your NoSQL database clean and make sure your apps are working with the highest-quality data. You do this with strong input validation, to ensure that whatever goes into the database is worthwhile and valuable. Remember: GIGO. Garbage in, garbage out.
5. Employ Stringent User Authentication Policies
Whenever possible, protect your NoSQL apps and databases with two-factor authentication. If this isn’t possible (or practical), at least make the password requirements a doozie. Require a minimum of 8-10 characters, and a variety of upper and lower case letters, plus a number or two, and even a special character. While this isn’t a 100% guarantee, it can thwart the less serious intruders. The others? Well, they would require more attention, anyway.
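The following is an added example (written for this post, not code from Bigstep or any specific database) that combines points 4 and 5: it validates a user document against a field whitelist before insertion and enforces the password rules just described. The schema, the field names, and the MongoDB-style convention that keys beginning with `$` or containing `.` are reserved for operators and paths are assumptions for the example; the minimum password length is set to 10, the upper end of the range given above.

```javascript
// Added example: validate a user document before it reaches a document store.
// Schema and field names are assumptions for this example; the reserved-key
// rule ($-prefixed or dotted keys) follows MongoDB-style stores.
const USER_SCHEMA = {
  username: { type: 'string', min: 3, max: 32, pattern: /^[a-z0-9_]+$/i },
  email:    { type: 'string', min: 3, max: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { type: 'number', min: 13, max: 150, optional: true },
  password: { type: 'password' },
};

// Password policy from point 5: minimum length, upper and lower case letters,
// a digit and a special character. Returns the list of unmet requirements.
function passwordPolicyErrors(pw, minLength = 10) {
  if (typeof pw !== 'string') return ['to be a string'];
  const errors = [];
  if (pw.length < minLength) errors.push(`at least ${minLength} characters`);
  if (!/[a-z]/.test(pw)) errors.push('a lower-case letter');
  if (!/[A-Z]/.test(pw)) errors.push('an upper-case letter');
  if (!/[0-9]/.test(pw)) errors.push('a digit');
  if (!/[^A-Za-z0-9]/.test(pw)) errors.push('a special character');
  return errors;
}

// Keys the store would read as operators or paths rather than plain data.
// Checked recursively so nested objects and arrays cannot carry them through.
function hasReservedKeys(value) {
  if (Array.isArray(value)) return value.some(hasReservedKeys);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    k => k.startsWith('$') || k.includes('.') || hasReservedKeys(value[k])
  );
}

// Validate against the schema. Returns { ok, errors, doc }; doc holds only
// whitelisted fields, so unexpected fields (e.g. role flags) are dropped.
function validateUserDocument(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['document must be an object'], doc: null };
  }
  const errors = [];
  if (hasReservedKeys(input)) errors.push('document contains reserved keys ($-prefixed or dotted)');
  const doc = {};
  for (const [field, rule] of Object.entries(USER_SCHEMA)) {
    const v = input[field];
    if (v === undefined) {
      if (!rule.optional) errors.push(`${field}: required`);
      continue;
    }
    if (rule.type === 'password') {
      const pwErrors = passwordPolicyErrors(v);
      if (pwErrors.length) errors.push(`password: needs ${pwErrors.join(', ')}`);
      else doc[field] = v;
      continue;
    }
    // Type check first: an object where a string was expected is exactly the
    // shape a query operator would take, so it is rejected outright.
    if (typeof v !== rule.type) { errors.push(`${field}: expected ${rule.type}`); continue; }
    if (rule.type === 'string') {
      if (v.length < rule.min || v.length > rule.max) errors.push(`${field}: length must be ${rule.min}-${rule.max}`);
      if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field}: invalid format`);
    } else if (rule.type === 'number') {
      if (!Number.isFinite(v) || v < rule.min || v > rule.max) errors.push(`${field}: must be ${rule.min}-${rule.max}`);
    }
    doc[field] = v;
  }
  return { ok: errors.length === 0, errors, doc: errors.length === 0 ? doc : null };
}

// Constructed sample inputs: one clean registration (with an extra field that
// must not be persisted) and one with an operator object and a weak password.
const good = { username: 'alice_01', email: 'alice@example.com', age: 30, password: 'Correct-Horse9x', isAdmin: true };
const bad  = { username: { $ne: '' }, email: 'alice@example.com', password: 'password' };
console.log(validateUserDocument(good));
console.log(validateUserDocument(bad));
```

The validator runs on the application side, before the driver builds the query or insert, which is where it has to sit: the database itself will happily store or evaluate whatever shape of object it is handed.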
If you’re utilizing NoSQL apps, that means you are in the market for the products at Bigstep! Come see what your big data specialists have for you. Learn more about us when you visit our website.