NoSQL solutions have recently been gaining significant attention because they address some of the inefficiencies of traditional database management systems. NoSQL databases offer features such as performant distributed architecture, flexibility and horizontal scaling. Despite these advantages, there is a vast quantity of NoSQL systems available, which differ greatly from each other. The resulting lack of standardization of security features leads to a questionable maturity in terms of security. What is therefore much needed is a systematic lab research of the availability and maturity of the implementation of the most common standard database security features in NoSQL systems, resulting in a NoSQL security map. This paper summarizes the first part of our research project trying to outline such a map. It documents the definition of the standard security features to be investigated based on a literature review in the area of standard database security. After selection of OrientDB, Redis, Cassandra and MongoDB as initial representatives of commonly used NoSQL systems, a description of systematic investigation of standard database security features for each of these four systems is given. All findings are summarized in tables for quick and easy comparison. We conclude that systems investigated need better default configurations and should enable their security features per default. Finally, we provide an outlook to the next steps of researching a security map for NoSQL systems.
Published in | American Journal of Information Science and Technology (Volume 3, Issue 2) |
DOI | 10.11648/j.ajist.20190302.12 |
Page(s) | 41-49 |
Creative Commons |
This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited. |
Copyright |
Copyright © The Author(s), 2019. Published by Science Publishing Group |
Database Security, NoSQL Database Systems, NoSQL Security, Database Authentication, Database Authorization, Database Encryption
[1] | Schram, A., Anderson, K., M.: MySQL to NoSQL: data modelling challenges in supporting scalability. In Proc. of the 3rd annual conference on Systems, programming, and applications: software for humanity, 2012, pp. 191-202. |
[2] | Seth, G., Lynch, N.: Brewer's conjecture and the feasibility of consistent, available, partition-tolerant web services. ACM SIGACT News, v. 33 issue 2, 2002, pp. 51–59. |
[3] | Gessert, F., Ritter, N.: Scalable data management: NoSQL data stores in research and practice. In: 2016 IEEE 32nd International Conference on Data Engineering (ICDE) 2016, pp 1420-1423. IEEE, ICDE (2016). |
[4] | Edlich, S.: NoSQL – List of NoSQL databases, http://nosql-database.org. Accessed June 4th 2017 and November 10th 2017 |
[5] | Database-Engines.COM, https://db-engines.com/de/ranking_definition. Accessed June 4th 2017 and December 7th 2017 |
[6] | Natan, R., B.: Implementing Database Security and Auditing. Elsevier Digital Press, Burlington, MA (2005). |
[7] | Knox, D.: Effective Oracle Database 10g Security by Design. McGraw-Hill/Osborne, Emeryville, CA (2004). |
[8] | Afyouni, H. A.: Database security and auditing. Thomson/Course Technology, Boston 2006. |
[9] | Open Web Application Security Project, https://www.owasp.org/index.php/Category: Vulnerability. Accessed January 11, 2018 |
[10] | Becker, M. Y., Sewell, P.: Cassandra: Distributed Access Control Policies with Tuneable Expressiveness. In: Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 159-168. IEEE, POLICY (2004). |
[11] | Tian, X., Huang, B., Wu, M.: A transparent middleware for encrypting data in MongoDB. In: 2014 IEEE Workshop on Electronics, Computer and Applications, pp. 906–909. IEEE (2014). |
[12] | Shetty, R., R., et al.: Secure NoSQL Based Medical Data Processing and Retrieval: The Exposome Project. In: Proceedings of the10th International Conference on Utility and Cloud Computing, pp. 99-105. UCC (2017). |
[13] | Hasija, H., Kumar, D.: Compression & Security in MongoDB without affecting Efficiency. In: Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, Article No 96. ACM, ICTCS (2016). |
[14] | Hou, B., et al.: Towards Analyzing MongoDB NoSQL Security and Designing Injection Defense Solution. In: 2017 IEEE 3rd international conference on big data security on cloud (bigdatasecurity), IEEE international conference on high performance and smart computing (hpsc), and IEEE international conference on intelligent data and security, pp. 90-95. IEEE, IDS (2017). |
[15] | Dissanayaka, A. M. et al.: A Review of MongoDB and Singularity Container Security in regards to HIPAA Regulations. In: Proceedings of the10th International Conference on Utility and Cloud Computing, pp. 91-97. Pages 91-97. ACM, UCC (2017). |
[16] | Srinivas, S., Nair, A.: Security maturity in NoSQL databases - are they secure enough to haul the modern IT applications?. In: 2015 International Conference on Advances in Computing, Communications and Informatics, art. No. 7275699, pp. 739-744. ICACCI (2015). |
[17] | Okman, L., et al.: Security Issues in NoSQL Databases. In: Proceedings of the 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 541-547. IEEE, Changsha (2011). |
[18] | Aniello, L. et al.: Assessing data availability of Cassandra in the presence of non-accurate membership. In: Proceedings of the 2nd International Workshop on Dependability Issues in Cloud Computing, pp. 1-6, September 30-30, 2013, Braga, Portugal. |
[19] | Zaki, A., K., Indiramma, M.: A novel redis security extension for NoSQL database using authentication and encryption. In: Proceedings of the 2015 IEEE International Conference on Electrical, Computer and Communication Technologies (ICECCT), pp. 1-6. IEEE, Coimbatore (2015). |
[20] | Weintraub, G., Gudes, E.; Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud. In: Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 498-503. IEEE, Madrid (2017). |
[21] | Zahid, A., Masood, R., Shibli, M., A.: Security of sharded NoSQL databases: A comparative analysis. In: Proceedings of the 2014 Conference on Information Assurance and Cyber Security, pp. 1-8. IEEE, Rawalpindi (2014). |
[22] | RCP 1 – Multi user AUTH and ACLs for Redis, https://github.com/redis/redis-rcp/blob/master/RCP1.md. Accessed December 10, 2017 |
[23] | Sanfilippo, S.: A few things about Redis security, http://antirez.com/news/96. Accessed June 5, 2017 |
[24] | Redmond, E., Wilson, J., R., Carter, J.: Seven Databases in Seven Weeks: A Guide to Modern Databases and the NoSQL Movement. Pragmatic Bookshelf, Dallas (2012), p. 281. |
[25] | Ming, C.: Abusing NoSQL Databases, https://github.com/mchow01/Security /blob/master/DEFCON21/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf. Accessed December 1, 2017 |
[26] | SCRAM-SHA-1, https://docs.mongodb.com/manual/core/security-scram-sha-1/#authentication-scram-sha-1., Accessed December 7, 2017 |
[27] | Cryptology Group at Centrum Wiskunde & Informatica (CWI), https://shattered.io. Accessed January 15, 2018 |
[28] | Heller, M.: Insecure MongoDB configuration leads to boom in ransom attacks, https://searchsecurity.techtarget.com/news/450410798/Insecure-MongoDB-configuration-leads-to-boom-in-ransom-attacks. Accessed April 21, 2017 |
[29] | McLean, T.: The design flaw in PBKDF2, https://www.chosenplaintext.ca/2015/10/08/ pbkdf2-design-flaw.html. Accessed April 16, 2018 |
[30] | Apache Software Foundation: Apache License, Version 2.0. Wakefield 2004, http://www.apache.org/licenses/LICENSE-2-0.txt. Accessed December 9, 2017. |
APA Style
Wilhelm Zugaj, Anita Stefanie Beichler. (2019). Analysis of Standard Security Features for Selected NoSQL Systems. American Journal of Information Science and Technology, 3(2), 41-49. https://doi.org/10.11648/j.ajist.20190302.12
ACS Style
Wilhelm Zugaj; Anita Stefanie Beichler. Analysis of Standard Security Features for Selected NoSQL Systems. Am. J. Inf. Sci. Technol. 2019, 3(2), 41-49. doi: 10.11648/j.ajist.20190302.12
AMA Style
Wilhelm Zugaj, Anita Stefanie Beichler. Analysis of Standard Security Features for Selected NoSQL Systems. Am J Inf Sci Technol. 2019;3(2):41-49. doi: 10.11648/j.ajist.20190302.12
@article{10.11648/j.ajist.20190302.12, author = {Wilhelm Zugaj and Anita Stefanie Beichler}, title = {Analysis of Standard Security Features for Selected NoSQL Systems}, journal = {American Journal of Information Science and Technology}, volume = {3}, number = {2}, pages = {41-49}, doi = {10.11648/j.ajist.20190302.12}, url = {https://doi.org/10.11648/j.ajist.20190302.12}, eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajist.20190302.12}, abstract = {NoSQL solutions have recently been gaining significant attention because they address some of the inefficiencies of traditional database management systems. NoSQL databases offer features such as performant distributed architecture, flexibility and horizontal scaling. Despite these advantages, there is a vast quantity of NoSQL systems available, which differ greatly from each other. The resulting lack of standardization of security features leads to a questionable maturity in terms of security. What is therefore much needed is a systematic lab research of the availability and maturity of the implementation of the most common standard database security features in NoSQL systems, resulting in a NoSQL security map. This paper summarizes the first part of our research project trying to outline such a map. It documents the definition of the standard security features to be investigated based on a literature review in the area of standard database security. After selection of OrientDB, Redis, Cassandra and MongoDB as initial representatives of commonly used NoSQL systems, a description of systematic investigation of standard database security features for each of these four systems is given. All findings are summarized in tables for quick and easy comparison. We conclude that systems investigated need better default configurations and should enable their security features per default. Finally, we provide an outlook to the next steps of researching a security map for NoSQL systems.}, year = {2019} }
TY - JOUR T1 - Analysis of Standard Security Features for Selected NoSQL Systems AU - Wilhelm Zugaj AU - Anita Stefanie Beichler Y1 - 2019/07/02 PY - 2019 N1 - https://doi.org/10.11648/j.ajist.20190302.12 DO - 10.11648/j.ajist.20190302.12 T2 - American Journal of Information Science and Technology JF - American Journal of Information Science and Technology JO - American Journal of Information Science and Technology SP - 41 EP - 49 PB - Science Publishing Group SN - 2640-0588 UR - https://doi.org/10.11648/j.ajist.20190302.12 AB - NoSQL solutions have recently been gaining significant attention because they address some of the inefficiencies of traditional database management systems. NoSQL databases offer features such as performant distributed architecture, flexibility and horizontal scaling. Despite these advantages, there is a vast quantity of NoSQL systems available, which differ greatly from each other. The resulting lack of standardization of security features leads to a questionable maturity in terms of security. What is therefore much needed is a systematic lab research of the availability and maturity of the implementation of the most common standard database security features in NoSQL systems, resulting in a NoSQL security map. This paper summarizes the first part of our research project trying to outline such a map. It documents the definition of the standard security features to be investigated based on a literature review in the area of standard database security. After selection of OrientDB, Redis, Cassandra and MongoDB as initial representatives of commonly used NoSQL systems, a description of systematic investigation of standard database security features for each of these four systems is given. All findings are summarized in tables for quick and easy comparison. We conclude that systems investigated need better default configurations and should enable their security features per default. Finally, we provide an outlook to the next steps of researching a security map for NoSQL systems. VL - 3 IS - 2 ER -