Volume 3, Issue 2, June 2019, Page: 41-49
Analysis of Standard Security Features for Selected NoSQL Systems
Wilhelm Zugaj, Applied Computer Sciences, FH JOANNEUM University of Applied Sciences, Kapfenberg, Austria
Anita Stefanie Beichler, Applied Computer Sciences, FH JOANNEUM University of Applied Sciences, Kapfenberg, Austria
Received: Apr. 11, 2019;       Accepted: Jun. 5, 2019;       Published: Jul. 2, 2019
DOI: 10.11648/j.ajist.20190302.12      View  515      Downloads  133
NoSQL solutions have recently been gaining significant attention because they address some of the inefficiencies of traditional database management systems. NoSQL databases offer features such as performant distributed architecture, flexibility and horizontal scaling. Despite these advantages, there is a vast quantity of NoSQL systems available, which differ greatly from each other. The resulting lack of standardization of security features leads to a questionable maturity in terms of security. What is therefore much needed is a systematic lab research of the availability and maturity of the implementation of the most common standard database security features in NoSQL systems, resulting in a NoSQL security map. This paper summarizes the first part of our research project trying to outline such a map. It documents the definition of the standard security features to be investigated based on a literature review in the area of standard database security. After selection of OrientDB, Redis, Cassandra and MongoDB as initial representatives of commonly used NoSQL systems, a description of systematic investigation of standard database security features for each of these four systems is given. All findings are summarized in tables for quick and easy comparison. We conclude that systems investigated need better default configurations and should enable their security features per default. Finally, we provide an outlook to the next steps of researching a security map for NoSQL systems.
Database Security, NoSQL Database Systems, NoSQL Security, Database Authentication, Database Authorization, Database Encryption
To cite this article
Wilhelm Zugaj, Anita Stefanie Beichler, Analysis of Standard Security Features for Selected NoSQL Systems, American Journal of Information Science and Technology. Vol. 3, No. 2, 2019, pp. 41-49. doi: 10.11648/j.ajist.20190302.12
Copyright © 2019 Authors retain the copyright of this article.
This article is an open access article distributed under the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/) which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Schram, A., Anderson, K., M.: MySQL to NoSQL: data modelling challenges in supporting scalability. In Proc. of the 3rd annual conference on Systems, programming, and applications: software for humanity, 2012, pp. 191-202.
Seth, G., Lynch, N.: Brewer's conjecture and the feasibility of consistent, available, partition-tolerant web services. ACM SIGACT News, v. 33 issue 2, 2002, pp. 51–59.
Gessert, F., Ritter, N.: Scalable data management: NoSQL data stores in research and practice. In: 2016 IEEE 32nd International Conference on Data Engineering (ICDE) 2016, pp 1420-1423. IEEE, ICDE (2016).
Edlich, S.: NoSQL – List of NoSQL databases, http://nosql-database.org. Accessed June 4th 2017 and November 10th 2017
Database-Engines.COM, https://db-engines.com/de/ranking_definition. Accessed June 4th 2017 and December 7th 2017
Natan, R., B.: Implementing Database Security and Auditing. Elsevier Digital Press, Burlington, MA (2005).
Knox, D.: Effective Oracle Database 10g Security by Design. McGraw-Hill/Osborne, Emeryville, CA (2004).
Afyouni, H. A.: Database security and auditing. Thomson/Course Technology, Boston 2006.
Open Web Application Security Project, https://www.owasp.org/index.php/Category: Vulnerability. Accessed January 11, 2018
Becker, M. Y., Sewell, P.: Cassandra: Distributed Access Control Policies with Tuneable Expressiveness. In: Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 159-168. IEEE, POLICY (2004).
Tian, X., Huang, B., Wu, M.: A transparent middleware for encrypting data in MongoDB. In: 2014 IEEE Workshop on Electronics, Computer and Applications, pp. 906–909. IEEE (2014).
Shetty, R., R., et al.: Secure NoSQL Based Medical Data Processing and Retrieval: The Exposome Project. In: Proceedings of the10th International Conference on Utility and Cloud Computing, pp. 99-105. UCC (2017).
Hasija, H., Kumar, D.: Compression & Security in MongoDB without affecting Efficiency. In: Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, Article No 96. ACM, ICTCS (2016).
Hou, B., et al.: Towards Analyzing MongoDB NoSQL Security and Designing Injection Defense Solution. In: 2017 IEEE 3rd international conference on big data security on cloud (bigdatasecurity), IEEE international conference on high performance and smart computing (hpsc), and IEEE international conference on intelligent data and security, pp. 90-95. IEEE, IDS (2017).
Dissanayaka, A. M. et al.: A Review of MongoDB and Singularity Container Security in regards to HIPAA Regulations. In: Proceedings of the10th International Conference on Utility and Cloud Computing, pp. 91-97. Pages 91-97. ACM, UCC (2017).
Srinivas, S., Nair, A.: Security maturity in NoSQL databases - are they secure enough to haul the modern IT applications?. In: 2015 International Conference on Advances in Computing, Communications and Informatics, art. No. 7275699, pp. 739-744. ICACCI (2015).
Okman, L., et al.: Security Issues in NoSQL Databases. In: Proceedings of the 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 541-547. IEEE, Changsha (2011).
Aniello, L. et al.: Assessing data availability of Cassandra in the presence of non-accurate membership. In: Proceedings of the 2nd International Workshop on Dependability Issues in Cloud Computing, pp. 1-6, September 30-30, 2013, Braga, Portugal.
Zaki, A., K., Indiramma, M.: A novel redis security extension for NoSQL database using authentication and encryption. In: Proceedings of the 2015 IEEE International Conference on Electrical, Computer and Communication Technologies (ICECCT), pp. 1-6. IEEE, Coimbatore (2015).
Weintraub, G., Gudes, E.; Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud. In: Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 498-503. IEEE, Madrid (2017).
Zahid, A., Masood, R., Shibli, M., A.: Security of sharded NoSQL databases: A comparative analysis. In: Proceedings of the 2014 Conference on Information Assurance and Cyber Security, pp. 1-8. IEEE, Rawalpindi (2014).
RCP 1 – Multi user AUTH and ACLs for Redis, https://github.com/redis/redis-rcp/blob/master/RCP1.md. Accessed December 10, 2017
Sanfilippo, S.: A few things about Redis security, http://antirez.com/news/96. Accessed June 5, 2017
Redmond, E., Wilson, J., R., Carter, J.: Seven Databases in Seven Weeks: A Guide to Modern Databases and the NoSQL Movement. Pragmatic Bookshelf, Dallas (2012), p. 281.
Ming, C.: Abusing NoSQL Databases, https://github.com/mchow01/Security /blob/master/DEFCON21/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf. Accessed December 1, 2017
SCRAM-SHA-1, https://docs.mongodb.com/manual/core/security-scram-sha-1/#authentication-scram-sha-1., Accessed December 7, 2017
Cryptology Group at Centrum Wiskunde & Informatica (CWI), https://shattered.io. Accessed January 15, 2018
Heller, M.: Insecure MongoDB configuration leads to boom in ransom attacks, https://searchsecurity.techtarget.com/news/450410798/Insecure-MongoDB-configuration-leads-to-boom-in-ransom-attacks. Accessed April 21, 2017
McLean, T.: The design flaw in PBKDF2, https://www.chosenplaintext.ca/2015/10/08/ pbkdf2-design-flaw.html. Accessed April 16, 2018
Apache Software Foundation: Apache License, Version 2.0. Wakefield 2004, http://www.apache.org/licenses/LICENSE-2-0.txt. Accessed December 9, 2017.
Browse journals by subject