SECURITY CONSIDERATIONS IN NOSQL DATA ACCESS
NoSQL Now 2011 Conference
Srini Penchikala
08.25.11
GOALS AND SCOPE
- Goals:
  - Overview of application security aspects of NoSQL DBs
  - Best practices for implementing security in NoSQL
- Is not:
  - A NoSQL security vulnerabilities talk
- Is:
  - Security best practices in applications that use a NoSQL database as the backend
  - Code examples on security aspects (Java based)
- Format:
  - 45 min presentation + 5 min Q&A
  - Demos (Java)
ABOUT THE SPEAKER
- Security Architect
- Certified Scrum Master
- Author, Editor (InfoQ)
- IASA Austin Chapter Leader
- Detroit Java User Group Leader (past)
- Working with Java since 1996, JEE (2000), SOA (2006), Security (2007) & PPT since 01/2011
- Current: Agile Security Architectures, NoSQL Security, Domain-Driven Design, Architecture Enforcement, MDD
- Future: Role of DSL in Architecture Enforcement, NoSQL Security Tools and Frameworks
BEFORE WE START
- How many are currently using some kind of NoSQL DB to store data?
- How many are currently working as a security architect or in a related position?
- How many are responsible for managing security in the NoSQL DB space?
- Any regulatory compliance (federal, state, local, or finance related)?
BACKGROUND
- Financial services organization
- J2EE security architecture model
- Agile software development
- Regulatory compliance impact on IT
- Architecture
AGENDA
- Introduction
- NoSQL and Security
- Current State of NoSQL Security
- Application Frameworks
- Sample Application
- Authentication and Authorization
- Encryption
- Logging
- Monitoring
- Best Practices
- Conclusions
WHAT'S IN A NAME (NOSQL)?
- Is not:
  - "No SQL"
  - "Never SQL"
  - "No Way SQL"
- Is:
  - "Not Only SQL"
  - "Non-Relational DBMS" (NRDBMS)
NOSQL, CAP THEOREM AND CIA
- CAP Theorem
  - Consistency
  - Availability
  - Partition Tolerance
- NoSQL implementations are based on the "AP" part of CAP.
- The Availability component can also be tied to security (the "A" in CIA).
NOSQL – RELATED TOPICS
- Cloud Computing
  - NoSQL as a Service (NoSQL on the Cloud)
  - NoSQL, Cloud and Security
  - CouchDB Moving Into the Cloud (1)
  - MongoHQ: Hosted (Cloud) database solution for getting applications up and running on MongoDB (2)
- Mobile Computing
  - Mobile Couchbase for iOS and Android
- Social Computing
  - Most social networking apps use some type of NoSQL DB as the backend data store.
  - Some NoSQL DBs were developed by social computing companies (e.g. Cassandra by Facebook?).
(1) http://architects.dzone.com/articles/couchdb-moving-cloud?mz=36885-nosql
(2) https://mongohq.com/home
NOSQL CATEGORIES
- Key Value Stores:
  - Data Model: Collection of K-V Pairs
  - Voldemort, Riak, Redis, Membase
- BigTable Based/Column Stores:
  - Data Model: Column Families
  - Cassandra, HBase, Hypertable
- Document Based:
  - Document is the basic unit of data
  - Data Model: Collection of K-V Collections
  - MongoDB, CouchDB
- Map-Reduce
  - Hadoop
- Graph Based:
  - Data Model: Nodes, Relations, K-V on both elements
  - Neo4J
NOSQL DB'S DISCUSSED IN THIS SESSION
- MongoDB
- Cassandra
- Neo4J
- CouchDB*
- Redis*
- Hadoop/HBase*
*Time permitting
WHICH ONE TO USE?
- MongoDB:
  - Modeling rich domain objects.
- Apache Cassandra:
  - Highly scalable second-generation distributed database
  - Dynamo's fully distributed design and Bigtable's Column Family-based data model.
- Neo4J
  - Fully transactional
- Redis:
  - Open source advanced key/value store
- Riak:
  - Dynamo based key/value store with a distributed database network platform
  - Built-in REST server
  - Extensible
- Hadoop:
  - Distributed data processing, natural language processing, data mining
  - "Cloud Enterprise Data Warehouse (EDW)"*
*Forrester
NOSQL AND SECURITY
- Requirement: Provide the necessary validation and security constraints to prevent bad data from getting into the NoSQL data store
- Usage Growth
- Level of security and privacy of data
- noSQL Database Management Systems (At the Peak) (1)
- Database Platform as a Service (dbPaaS):
  - noSQL DB as a Service
(1) Gartner's Hype Cycle for Data Management, 2011
NOSQL DATA SECURITY
- Data Security: NoSQL v. RDBMS
- NoSQL Data Security Breaches?
  - Growth in research and hacker activity targeting NoSQL databases (1).
  - FourSquare outage (MongoDB) (2)
- Software running behind a firewall with inadequate security
- (In)Secure Design and Coding
(1) Source: TeamSHATTER
(2) http://mashable.com/2010/10/07/mongodb-foursquare/
NOSQL DB SECURITY - CURRENT STATE
- Security Standards:
  - Application Security:
    - Authentication and Authorization
    - Encryption
    - Message Level Security
  - Database Security:
    - Table, Row, Column Level Security
NOSQL, NO SECURITY?
- Authentication
- Role Based Access Control (RBAC)
  - ACLs for transactional as well as batch processes/jobs
- Encryption
- Logging
- Monitoring
- Security Vulnerabilities*
*We will briefly look at this.
NOSQL DATABASES – SUPPORT FOR AUTHN AND AUTHZ
NoSQL DB     Version            Authentication   Authorization
MongoDB      1.9.1              Y                Y
Cassandra    0.8.1              Y                Y
Neo4J        1.4
CouchDB      0.11 (Win 1.0.1)   Y                Y
Hadoop*      0.20.203.0         Y (Kerberos)     Y
*No installation
APPLICATION FRAMEWORKS
- NoSQL Data Access:
  - Spring Data
    - Spring Data Graph for Neo4J (RC status)
    - Spring Redis
    - Spring Data – Riak
  - Spring Security
  - Spring Roo
  - Cloud Foundry
- Persistence Layer:
  - Hibernate Object Mapping (OGM) for NoSQL Datastores:
    - Full-blown JPA engine
  - DataNucleus has persistence (JDO/JPA) to MongoDB, HBase, Cassandra, BigTable etc.
- Polyglot persistence
SAMPLE APPLICATION
- Tools:
  - JDK 1.7
  - Eclipse
  - Neoclipse
  - MongoDB/Cassandra/Neo4J
  - DBExplorer (using MongoDB JDBC Driver?)
  - Security scanner (OWASP LAPSE+)
MONGODB SECURITY
- Listens on all interfaces (by default)
- Authentication:
  - Turned off by default ("trusted environment")
  - User passwords are hashed using MD5
  - Basic authentication (user name + password in a DB context)
  - Per connection authentication
  - User in "admin" database: super user
  - Authentication with sharding (v1.9.1+)
  - Replica Set Authentication
- Authorization:
  - Normal user (full read and write access)
  - Read-only user (read access)
  - No table level access control
- Encryption:
  - No database encryption
  - Communication with database is not encrypted
MONGODB SECURITY (2)
- Enable Security:
  - "--auth" command line option
  - "--keyFile" for replica sets and sharding
  - Pre-requisite: Add a user to the admin db.
- Trusted environment
  - "--bind_ip" option (IP based control)
- Administration Interface Security:
  - "--nohttpinterface" option
- Server-side JavaScript execution
  - "--noscripting" option
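Added example, not from the talk: a JavaScript check that reads a mongod startup line or a legacy "key = value" mongod.conf (the config-file format of the 1.x/2.x mongod generation this talk covers, assumed here) and reports which of the controls on this slide are missing. The option names are the ones on the slide (`--auth`, `--keyFile`, `--bind_ip`, `--nohttpinterface`, `--noscripting`); the sample inputs are constructed.

```javascript
// Added example: audit a mongod startup configuration against the hardening
// options on this slide. Accepts either a command line
// ("mongod --auth --bind_ip 10.0.0.5 ...") or the legacy "key = value"
// config-file format (assumed mongod 1.x/2.x), normalises both into one
// option map and returns the findings as strings.

// Map "--bind_ip", "bind_ip" and "bindip" style spellings onto one key.
function normaliseKey(raw) {
  return raw.replace(/^-+/, "").replace(/_/g, "").toLowerCase();
}

// Parse a mongod command line into {option: value}. Switches without a
// value (--auth, --nohttpinterface, --noscripting) map to true.
function parseCommandLine(cmdline) {
  const opts = {};
  const tokens = cmdline.trim().split(/\s+/);
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (!tok.startsWith("--")) continue;            // skip "mongod" itself
    let key = tok;
    let value = true;
    const eq = tok.indexOf("=");
    if (eq !== -1) {                                 // --bind_ip=10.0.0.5
      key = tok.slice(0, eq);
      value = tok.slice(eq + 1);
    } else if (i + 1 < tokens.length && !tokens[i + 1].startsWith("--")) {
      value = tokens[++i];                           // --bind_ip 10.0.0.5
    }
    opts[normaliseKey(key)] = value;
  }
  return opts;
}

// Parse the legacy config file: one "key = value" per line, "#" comments.
function parseConfigFile(text) {
  const opts = {};
  for (const line of text.split("\n")) {
    const stripped = line.replace(/#.*/, "").trim();
    if (!stripped) continue;
    const m = /^([A-Za-z_]+)\s*=\s*(.*)$/.exec(stripped);
    if (!m) continue;
    const value = m[2].trim();
    opts[normaliseKey(m[1])] = /^(true|yes|on)$/i.test(value) ? true
      : /^(false|no|off)$/i.test(value) ? false : value;
  }
  return opts;
}

// Apply the checks from the slide. An empty array means every listed
// control is present.
function auditMongodOptions(opts) {
  const findings = [];
  if (opts.auth !== true) {
    findings.push("auth: authentication is off (default 'trusted environment')");
  }
  const bind = opts.bindip;
  if (bind === undefined || bind === true || String(bind).split(",").includes("0.0.0.0")) {
    findings.push("bind_ip: mongod listens on all interfaces");
  }
  if (opts.nohttpinterface !== true) {
    findings.push("nohttpinterface: HTTP admin interface is enabled");
  }
  if (opts.noscripting !== true) {
    findings.push("noscripting: server-side JavaScript execution is enabled");
  }
  // keyFile only matters for replica set / sharded members.
  if ((opts.replset !== undefined || opts.shardsvr === true) && opts.keyfile === undefined) {
    findings.push("keyFile: replica set or shard member has no shared key file");
  }
  return findings;
}

// Constructed sample inputs.
const WEAK_CMDLINE = "mongod --dbpath /data/db --replSet rs0";
const HARDENED_CMDLINE =
  "mongod --dbpath /data/db --auth --bind_ip 10.0.0.5 --nohttpinterface --noscripting";
const HARDENED_CONFIG = `
# constructed mongod.conf
dbpath = /data/db
auth = true
bind_ip = 127.0.0.1
nohttpinterface = true
noscripting = true
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditMongodOptions(parseCommandLine(WEAK_CMDLINE)));
  console.log(auditMongodOptions(parseConfigFile(HARDENED_CONFIG)));
}
```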
DEMO 1
CASSANDRA SECURITY
- Package: org.apache.cassandra.auth
- Authentication:
  - IAuthenticator interface
  - AllowAllAuthenticator (default)
  - SimpleAuthenticator (cassandra.yaml)
  - Custom Authentication Provider
  - Login operation (added in v0.7)
- Authorization:
  - IAuthority interface
  - SimpleAuthority
  - AllowAllAuthority
- Encryption:
  - Uses MD5 (password hashing)
DEMO 2
NEO4J SECURITY
- No security at the data level
- No security on the REST access layer
- Run the Neo4J server behind a proxy (mod_proxy)
DEMO 3
DATA PROTECTION
- Data Loss Prevention (DLP):
  - Data at Rest
  - Data in Transit
  - Data in Use
- Cryptography
  - Encryption
  - Decryption
  - Hashing
DATABASE SECURITY
- DB Level Security
- Table Level
- Row Level
COMMUNICATION LAYER SECURITY
- Transport Layer Security
- Message Security
SECURITY LOGGING AND AUDITING
- Logging
  - Log4J
  - Custom Appender for secure logging
- Security Analytics
  - Security BI
  - SIEM
LOGGING BEST PRACTICES
- What data needs to be logged for security analytics purposes?
- What should the log format be for business v. security logs?
- Do we need to store the security logs in a different file (a new log4j appender) so that only authorized users (admin) have access to them?
- How would the logs work with a SIEM tool (if applicable)?
MONITORING
- Standards:
  - JMX - JSR??
  - Remote JMX - JSR??
- Tools:
  - JConsole/VisualVM
MONITORING
- MongoDB
  - MongoDB Data Profiler
- Cassandra
  - JMX
  - Integrating JMX
    - MX4J
- Neo4J
  - JMX support
OTHER SECURITY USE CASES FOR NOSQL
- MongoDB for Logging
  - Capped collections
- Cassandra for Logging
- Neo4J
  - ACL (graph data pattern)
  - Semantic Web for Security
  - Security Ontology
ACLS - THE GRAPH DATABASE WAY
(diagram)
Source: http://wiki.neo4j.org/content/ACL
SECURITY VULNERABILITIES
- Connection Pollution
- JSON Injection
- Key Brute Force
- HTTP/REST based attacks
- Server-side JavaScript (SSJS):
  - Integral to many NoSQL databases such as MongoDB and Neo4j.
NOSQL - POTENTIAL SECURITY VULNERABILITIES
NoSQL DB               Security Vulnerability             Notes
MongoDB                SQL injection                      In PHP
MongoDB                Blind SQL injection
MongoDB                Null Byte Injection
MongoDB/SpiderMonkey   DOS
CouchDB/Futon          XSS                                Admin interface
CouchDB                String comparison, Timing Attack   Authentication
BEST PRACTICES
- Input Validation
- Output Validation (Encoding/Escaping)
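Added example, not from the talk, serving both the "JSON Injection" item on the vulnerabilities slide and the "Input Validation" and "Schema Validator" points: a JavaScript schema check for a request body before it is turned into a MongoDB query filter. The schema, field names and request bodies are constructed for the example; the web tier and the actual database call are assumed to sit around it.

```javascript
// Added example: validate a parsed JSON request body against a schema before
// any MongoDB filter is built from it. A filter that passes client values
// straight through lets a client send an object such as {"$ne": ""} where a
// string is expected, so the value is interpreted as a query operator rather
// than a literal (the "JSON Injection" case on the vulnerabilities slide).

// Constructed schema for a user lookup: every field must be a plain string
// with a bounded length and, where a pattern is given, a restricted alphabet.
const USER_LOOKUP_SCHEMA = {
  username: { type: "string", maxLength: 64, pattern: /^[A-Za-z0-9_.@-]+$/ },
  tenant:   { type: "string", maxLength: 32, pattern: /^[a-z0-9-]+$/ },
};

// True if any key anywhere in the value would be read by MongoDB as an
// operator ("$" prefix) or as a field path ("." inside the key).
function hasOperatorKey(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some(
      (k) => k.startsWith("$") || k.includes(".") || hasOperatorKey(value[k])
    );
  }
  return false;
}

// Check a body against the schema. Returns a list of problems; an empty
// list means every field is a known, well-formed scalar.
function validateAgainstSchema(body, schema) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  const problems = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      problems.push(`unexpected field: ${key}`);
    }
  }
  for (const [field, rule] of Object.entries(schema)) {
    const v = body[field];
    if (v === undefined) { problems.push(`missing field: ${field}`); continue; }
    if (typeof v !== rule.type) {
      problems.push(`${field}: expected ${rule.type}, got ${typeof v}`);
      continue;
    }
    if (rule.maxLength !== undefined && v.length > rule.maxLength) {
      problems.push(`${field}: longer than ${rule.maxLength}`);
    }
    if (rule.pattern && !rule.pattern.test(v)) {
      problems.push(`${field}: contains disallowed characters`);
    }
  }
  if (hasOperatorKey(body)) problems.push("operator or dotted key present");
  return problems;
}

// Unsafe construction: whatever the client sent is copied into the filter,
// so an object value becomes an operator expression in the query.
function unsafeUserFilter(body) {
  return { username: body.username, tenant: body.tenant };
}

// Safe construction: validate first, then copy only the schema's fields as
// strings, so neither a client-supplied object nor an extra field can reach
// the query.
function safeUserFilter(body) {
  const problems = validateAgainstSchema(body, USER_LOOKUP_SCHEMA);
  if (problems.length > 0) {
    throw new Error("rejected request: " + problems.join("; "));
  }
  const filter = {};
  for (const field of Object.keys(USER_LOOKUP_SCHEMA)) filter[field] = String(body[field]);
  return filter;
}

// Constructed request bodies, as the web tier would see them after JSON.parse.
const NORMAL_BODY = { username: "alice", tenant: "acme" };
const INJECTED_BODY = { username: { $ne: "" }, tenant: "acme" };
```

The same validator applies to any document written into the store, which is where the "Schema Validator" from the design considerations sits in front of the persistence layer.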
TOOLS AND TECHNIQUES
- NoSQL Development:
  - Neoclipse
  - Spring Tool Suite (STS) for Spring Data projects
- Security:
  - Static and Dynamic (Blackbox) Scanners for NoSQL
  - LAPSE+: Security scanner for detecting vulnerabilities in Java EE applications.
  - w3af (Web Application Attack and Audit Framework)
  - Fuzzing: hzzp
  - SQL InjectMe
  - ZAP
  - HackBar
  - Test HackBar
  - Burp Suite
  - Tamper Data
  - WATOBO
http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/
DATA ARCHITECTURE CONSIDERATIONS
- Data Security Strategy and Standards
- Data Classification
- Separation of Concerns
- Defense In Depth
DESIGN CONSIDERATIONS
- Separate persistence layer to apply authentication and ACLs in a standard and centralized fashion
- Schema Validator
- Do not store sensitive data in remotely hosted NoSQL storage.
- Build the interface with security from day one
- Account for batch jobs or other utility scripts that access the database outside of the typical application interface (they bypass the checks in the persistence layer)
RECOMMENDED APPROACH
- Define your use cases.
- Categorize use cases to see where NoSQL is a good solution and where it's not
- Separate security requirements out of core business and data requirements
- Review security requirements and assess if NoSQL is still a good solution
- Based on security requirements, decide if you should host your database(s) in your own data center or on the cloud
FUTURE ROAD MAP
- MongoDB:
  - Encryption/compression of wire protocol
  - Stronger password authentication scheme
- Hadoop:
  - Pluggable authentication modules
    - SAML
    - PKI
  - Better authorization for Hive and HBase
CONCLUSIONS
- "One Size Fits All" fits nothing
- Involve security early in the application development process (SDLC or Agile)
- Risk based strategy
- RDBMS is not a four letter word
- Hybrid approach (Polyglot Data Storage)
RESOURCES
- MongoDB: The Definitive Guide
- Cassandra: The Definitive Guide
- CouchDB: http://wiki.apache.org/couchdb/Security_Features_Overview
- Spring Data:
  - http://www.springsource.org/spring-data/mongodb
  - http://static.springsource.org/spring-data/data-document/docs/current/reference/html/
  - http://www.springsource.org/spring-data/neo4j
  - http://static.springsource.org/spring-data/data-graph/docs/current/reference/html/#tutorial_security
  - http://www.springsource.org/spring-data/hadoop
- Redis:
  - https://github.com/dmajkic/redis
- Authentication
  - http://www.mongodb.org/display/DOCS/Security+and+Authentication
- Security Testing Tools:
  - http://w3af.sourceforge.net/
  - http://www.fiddler2.com/Fiddler2/version.asp
  - http://www.sensepost.com/labs/tools/pentest/wikto
  - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
Q&A
THANK YOU
- Thank you for your attention
- Feedback survey
CONTACT ME
- Domain-Driven Design, Security and Enterprise Architecture articles on InfoQ
  - website: http://www.infoq.com
  - srinipenchikala@gmail.com
  - @srinip
  - http://srinip2007.blogspot.com
BONUS SLIDES
COUCHDB SECURITY
- Apache project
- Written in Erlang
- HTTP communication (REST+JSON)
- No SSL support
- Only listens on the 127.0.0.1 IP address (by default)
- Authentication Handlers:
  - OAuth
  - Cookie based
  - Default handler
  - "Admin party" mode startup (by default)
  - Passwords: SHA1 hashing (128-bit UUID salt)
COUCHDB SECURITY (2)
- Authorization:
  - Three types of users:
    - database readers
    - database admins
    - server admins
HADOOP/HBASE SECURITY
- Enabled by default
- Kerberos (v5) based authentication*
- org.apache.hadoop.hbase.security
- Classes:
  - HadoopUser
  - SecureHadoopUser
  - User
- Server authentication is bi-directional
*CDH3b3
HADOOP/HBASE SECURITY (2)
- RPC Connection Security: SASL "GSSAPI"
- HDFS: Permissions Model
- Job Control: ACL based; includes a View ACL
- Web Interfaces: OOTB Kerberos SSL support
- HDFS and MapReduce modules should have their own users.
- Middle Tier: acts as a broker in interacting with the Hadoop server
  - Apache Hive, Oozie etc.
HADOOP/HBASE SECURITY (3)
- No encryption on the wire.
- Protection against DoS attacks
REDIS SECURITY
- Even the security will be handled through Redis rather than the container HttpSession (?)
RIAK SECURITY
- Built-in REST server
- Webmachine pre-commit hooks
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Kürzlich hochgeladen (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Security Considerations in NoSQL Data Access (slide transcript)

1. SECURITY CONSIDERATIONS IN NOSQL DATA ACCESS
NoSQL Now 2011 Conference, Srini Penchikala, 08.25.11
6. AGENDA
- Introduction
- NoSQL and Security
- Current State of NoSQL Security
- Application Frameworks
- Sample Application
- Authentication and Authorization
- Encryption
- Logging
- Monitoring
- Best Practices
- Conclusions

7. AGENDA: Introduction
8. WHAT'S IN A NAME (NOSQL)?
- Is not: "No SQL", "Never SQL", "No Way SQL"
- Is: "Not Only SQL", "Non-Relational DBMS" (NRDBMS)

9. NOSQL, CAP THEOREM AND CIA
- CAP theorem: Consistency, Availability, Partition tolerance
- Most NoSQL implementations favour the "AP" side of CAP (availability and partition tolerance over strong consistency)
- The availability component also maps to security: the "A" in the CIA triad (Confidentiality, Integrity, Availability)

10. NOSQL - RELATED TOPICS
- Cloud computing:
  - NoSQL as a Service (NoSQL on the cloud)
  - NoSQL, cloud and security
  - CouchDB moving into the cloud (1)
  - MongoHQ: hosted (cloud) database solution for getting applications up and running on MongoDB (2)
- Mobile computing: Mobile Couchbase for iOS and Android
- Social computing:
  - Most social networking apps use some type of NoSQL DB as the backend data store
  - Some NoSQL DBs were developed by social computing companies (Cassandra was originally developed at Facebook)
(1) http://architects.dzone.com/articles/couchdb-moving-cloud?mz=36885-nosql
(2) https://mongohq.com/home

11. NOSQL CATEGORIES
- Key-value stores: data model is a collection of K-V pairs (Voldemort, Riak, Redis, Membase)
- BigTable-based/column stores: data model is column families (Cassandra, HBase, Hypertable)
- Document based: the document is the basic unit of data; data model is a collection of K-V collections (MongoDB, CouchDB)
- Map-Reduce: Hadoop
- Graph based: data model is nodes and relations, with K-V properties on both (Neo4J)

12. NOSQL DB'S DISCUSSED IN THIS SESSION
- MongoDB
- Cassandra
- Neo4J
- CouchDB*
- Redis*
- Hadoop/HBase*
*Time permitting

13. WHICH ONE TO USE?
- MongoDB: modeling rich domain objects
- Apache Cassandra: highly scalable second-generation distributed database; Dynamo's fully distributed design and BigTable's column-family data model
- Neo4J: fully transactional
- Redis: open source advanced key/value store
- Riak: Dynamo-based key/value store with a distributed database network platform; built-in REST server; extensible
- Hadoop: distributed data processing, natural language processing, data mining; "Cloud Enterprise Data Warehouse (EDW)" (Forrester)
14. AGENDA: NoSQL and Security

15. NOSQL AND SECURITY
- Requirement: provide the necessary validation and security constraints to prevent bad data from getting into the NoSQL data store (the store itself is schemaless and will accept whatever the application writes)
- Usage growth
- Level of security and privacy of the data stored
- NoSQL database management systems are at the Peak of Inflated Expectations (1)
- Database Platform as a Service (dbPaaS): NoSQL DB as a Service
(1) Gartner's Hype Cycle for Data Management, 2011

16. NOSQL DATA SECURITY
- Data security: NoSQL vs. RDBMS
- NoSQL data security breaches?
  - Growth in research and hacker activity targeting NoSQL databases (1)
  - Foursquare outage (MongoDB, October 2010) (2); note that this was an availability incident (an overloaded shard), not a data breach, which is why availability belongs in the security discussion
- Software running behind a firewall with inadequate security of its own
- (In)secure design and coding
(1) Source: TeamSHATTER
(2) http://mashable.com/2010/10/07/mongodb-foursquare/
17. AGENDA: Current State of NoSQL Security

18. NOSQL DB SECURITY - CURRENT STATE
Security standards to expect from a database platform:
- Application security: authentication and authorization; encryption; message-level security
- Database security: table-, row- and column-level security

19. NOSQL, NO SECURITY?
What to check in each NoSQL product:
- Authentication
- Role Based Access Control (RBAC)
- ACLs for transactional as well as batch processes/jobs
- Encryption
- Logging
- Monitoring
- Security vulnerabilities (covered briefly in slides 45-46)

20. NOSQL DATABASES - SUPPORT FOR AUTHN AND AUTHZ

NoSQL DB    Version              Authentication   Authorization
MongoDB     1.9.1                Y                Y
Cassandra   0.8.1                Y                Y
Neo4J       1.4                  -                -
CouchDB     0.11 (Win 1.0.1)     Y                Y
Hadoop*     0.20.203.0           Y (Kerberos)     Y
*Not installed for the demo
21. AGENDA: Application Frameworks

22. APPLICATION FRAMEWORKS
- NoSQL data access:
  - Spring Data: Spring Data Graph for Neo4J (RC status), Spring Redis, Spring Data Riak
  - Spring Security
  - Spring Roo
  - Cloud Foundry
- Persistence layer:
  - Hibernate Object/Grid Mapper (OGM) for NoSQL datastores: full-blown JPA engine
  - DataNucleus: JDO/JPA persistence to MongoDB, HBase, Cassandra, BigTable etc.
  - Polyglot persistence
23. AGENDA: Sample Application

24. SAMPLE APPLICATION
Tools:
- JDK 1.7
- Eclipse
- Neoclipse
- MongoDB / Cassandra / Neo4J
- DBExplorer (using MongoDB JDBC driver?)
- Security scanner (OWASP LAPSE+)
25. AGENDA: Authentication and Authorization

26. MONGODB SECURITY (v1.9.1 as tested)
- Listens on all interfaces by default
- Authentication:
  - Turned off by default (the server assumes a "trusted environment")
  - User credentials are stored as an MD5 hash of username:mongo:password (the scheme later named MONGODB-CR); there is no random per-user salt and MD5 is fast, so a leaked users collection is cheap to brute-force offline
  - Basic authentication: user name + password, scoped to a database
  - Authentication is per connection
  - A user in the "admin" database is a super user
  - Authentication with sharding (v1.9.1+)
  - Replica set authentication (members authenticate to each other with a shared key file)
- Authorization:
  - Normal user: full read and write access to the database
  - Read-only user: read access
  - No collection (table)-level access control
- Encryption:
  - No encryption of data at rest
  - Client/server traffic is not encrypted by default

27. MONGODB SECURITY (2)
- Enable security:
  - "--auth" command-line option (auth = true in the config file)
  - "--keyFile" for replica sets and sharded clusters
  - Prerequisite: add a user to the admin database before turning authentication on
- Trusted environment:
  - "--bind_ip" option (the deck's "--bindip" is a typo): restrict the interface mongod listens on, and keep the port behind a firewall
- Administration interface security:
  - "--nohttpinterface" option: disables the HTTP status page, which listens on port + 1000 (28017 by default)
- Server-side JavaScript execution:
  - "--noscripting" option: disables $where, server-side eval and map-reduce, which removes the SSJS injection and DoS surface listed in slides 45-46

28. DEMO 1
29. CASSANDRA SECURITY (v0.8.1 as tested)
- Package: org.apache.cassandra.auth
- Authentication:
  - IAuthenticator interface
  - AllowAllAuthenticator (default: no authentication)
  - SimpleAuthenticator (selected in cassandra.yaml; users and passwords come from passwd.properties)
  - Custom authentication provider (implement IAuthenticator)
  - login operation on the Thrift API (added in v0.7)
- Authorization:
  - IAuthority interface
  - SimpleAuthority (keyspace-level permissions from access.properties)
  - AllowAllAuthority (default)
- Passwords: what the deck calls "MD5 encryption" is SimpleAuthenticator storing passwords either in clear text or as MD5 hashes (passwd.mode=MD5). MD5 is a hash, not encryption, and an unsalted MD5 of the password is cheap to brute-force if the file leaks

30. DEMO 2

31. NEO4J SECURITY (v1.4 as tested)
- No security at the data level (no users, roles or ACLs inside the database)
- No authentication on the REST access layer
- Run the Neo4J server behind a reverse proxy (e.g. Apache mod_proxy) that handles authentication, TLS and IP restrictions, and never expose the REST port directly

32. DEMO 3
33. AGENDA: Encryption

34. DATA PROTECTION
- Data Loss Prevention (DLP):
  - Data at rest (files and backups on the database hosts)
  - Data in transit (client-to-server and node-to-node traffic)
  - Data in use (memory, caches, application logs)
- Cryptography:
  - Encryption / decryption (confidentiality of stored and transmitted data)
  - Hashing (passwords and integrity checks)
Where the database offers neither at-rest nor wire encryption (MongoDB 1.9, Neo4J 1.4 above), the application has to encrypt sensitive fields before they are written and hash credentials itself.

35. DATABASE SECURITY
- DB-level security
- Table-level security
- Row-level security

36. COMMUNICATION LAYER SECURITY
- Transport layer security (TLS between client and server, and between cluster nodes)
- Message security (protecting individual messages end to end)
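The hashing item above, together with the MD5 credential scheme noted for MongoDB (slide 26), the SHA-1 scheme for CouchDB (slide 61) and the string-comparison timing attack in slide 46, is the place where application code has to compensate for the database. The following is an added example, not code from the deck (whose demos are Java) and not any database's own implementation: it reproduces the legacy MongoDB key derivation only to show why it is weak, then stores and verifies credentials with PBKDF2-HMAC-SHA256, a random per-user salt and a constant-time comparison, using only the Python standard library. The iteration count and the storage string format are assumptions.

```python
"""Added example: credential hashing the application does itself (standard library only)."""
import hashlib
import hmac
import os
from typing import Optional


def legacy_mongodb_cr_key(username: str, password: str) -> str:
    """The MD5 scheme the deck describes for MongoDB 1.x (later named MONGODB-CR):
    md5(username + ':mongo:' + password), hex encoded. The user name is the only
    'salt', so it is predictable, and MD5 is fast: one leaked users collection can
    be brute-forced offline at millions of guesses per second."""
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms on the real hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt. The result is self-describing
    ("algo$iterations$salt$hash"), so iterations can be raised later without a
    flag day; old records keep verifying with their stored parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored parameters and compare with hmac.compare_digest so
    the time taken does not depend on how many leading bytes already match."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def naive_compare_steps(a: str, b: str) -> int:
    """The comparison the timing attack in slide 46 exploits: a loop that stops at the
    first mismatch. The step count (and so the elapsed time) reveals the length of
    the matching prefix, letting an attacker recover a secret byte by byte."""
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            break
    return steps


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print("legacy key:", legacy_mongodb_cr_key("admin", "secret"))
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password(record, "correct horse battery staple"))
    print("verify bad:", verify_password(record, "Tr0ub4dor&3"))
    print("naive compare leaks prefix length:", naive_compare_steps("abcdef", "abzzzz"))
```

The stored record never contains the password or a reusable key, and verification cost scales with the iteration count rather than with the attacker's hardware. Keep the lookup-by-username and the hash verification in the application, so the password itself never becomes part of a database query.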
37. AGENDA: Logging

38. SECURITY LOGGING AND AUDITING
- Logging:
  - Log4J
  - Custom appender for secure logging
- Security analytics
- Security BI
- SIEM

39. LOGGING BEST PRACTICES
- What data needs to be logged for security analytics purposes?
- What should the log format be for business vs. security logs?
- Do we need to store the security logs in a different file (a new Log4J appender) so that only authorized users (admins) have access to them?
- How would the logs work with a SIEM tool (if applicable)?
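One concrete answer to the four questions above, as an added example that is not part of the deck: a dedicated security logger that does not propagate to the business log (the Python counterpart of the separate Log4J appender the deck proposes), a fixed JSON schema per event so a SIEM can parse every line the same way, and redaction of credential fields so a failed login never writes the attempted password to disk. Standard library only; the logger name, the field names and the redacted-key list are assumptions, and the in-memory handler stands in for a file or syslog appender.

```python
"""Added example: a separate, schema-fixed, redacting security event log."""
import json
import logging
import time
from typing import Any, Dict

SECURITY_LOGGER_NAME = "security"          # assumption: routed to an admin-only file/SIEM feed
REDACTED_KEYS = {"password", "passwd", "pwd", "secret", "token",
                 "authorization", "api_key", "keyfile"}


def _redact(value: Any) -> Any:
    """Replace the value of any credential-like key, at any nesting depth."""
    if isinstance(value, dict):
        return {k: ("***" if k.lower() in REDACTED_KEYS else _redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_redact(v) for v in value]
    return value


def get_security_logger(handler: logging.Handler) -> logging.Logger:
    """A logger that only writes to the handler given here. propagate=False keeps
    security events out of the root/business log and its broader readership."""
    logger = logging.getLogger(SECURITY_LOGGER_NAME)
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    return logger


def security_event(logger: logging.Logger, event: str, principal: str, outcome: str,
                   source_ip: str, resource: str, **details: Any) -> Dict[str, Any]:
    """Emit one JSON object per line with a fixed set of top-level fields. Free-form
    details are kept, but redacted. Failures are logged at WARNING so a SIEM rule
    can alert on them without parsing the body. Returns the record that was logged."""
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "event": event,            # e.g. db.auth, db.query.rejected, user.role.changed
        "principal": principal,    # who (application user or service account)
        "outcome": outcome,        # success | failure
        "src_ip": source_ip,
        "resource": resource,      # database, collection, keyspace, node
        "details": _redact(details),
    }
    level = logging.WARNING if outcome == "failure" else logging.INFO
    logger.log(level, json.dumps(record, sort_keys=True, default=str))
    return record


class ListHandler(logging.Handler):
    """In-memory sink used here instead of a FileHandler (0600, owned by the app user)."""
    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


if __name__ == "__main__":
    sink = ListHandler()
    log = get_security_logger(sink)
    # Constructed sample events, not captured from a real system.
    security_event(log, "db.auth", "app_user", "failure", "10.0.0.5",
                   "mongodb://db1/admin", password="hunter2", mechanism="MONGODB-CR")
    security_event(log, "db.query.rejected", "web", "failure", "10.0.0.9", "users",
                   filter={"username": {"$ne": "x"}}, reason="operator in user input")
    print("\n".join(sink.lines))
```

The rejected-query event shows the other half of the value: when input validation (slide 48) drops a request, the filter it rejected is exactly what an analyst wants to see, while the credential that failed authentication is exactly what they must not.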
40. AGENDA: Monitoring

41. MONITORING
- Standards:
  - JMX (Java Management Extensions, JSR 3)
  - Remote JMX (JMX Remote API, JSR 160)
- Tools: JConsole / VisualVM

42. MONITORING (2)
- MongoDB: database profiler
- Cassandra: JMX; integrating JMX via MX4J
- Neo4J: JMX support
43. OTHER SECURITY USE CASES FOR NOSQL
- MongoDB for logging: capped collections
- Cassandra for logging
- Neo4J: ACL as a graph data pattern
- Semantic Web for security: security ontology

44. ACLS - THE GRAPH DATABASE WAY
Source: http://wiki.neo4j.org/content/ACL
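The slide only carries a pointer to the Neo4J wiki, so here is one concrete rendering of the pattern, as an added example that is neither the deck's code nor the wiki's: principals (users and groups) and resources (folders and files) are nodes, membership, containment and permissions are relationships, and an access check is a traversal rather than a join. The model is assumed: MEMBER_OF is transitive, a permission granted on a folder applies to everything beneath it, and an explicit DENY anywhere on the path wins over any GRANT. The graph is an in-memory adjacency structure so the example runs without a database; in Neo4J the same check would be a traversal or query over the same relationships.

```python
"""Added example: ACL checks as a graph traversal (in-memory stand-in for the graph DB)."""
from collections import deque
from typing import Dict, List, Set, Tuple


class Graph:
    """Directed, labelled edges with properties: node -> [(relationship, target, props)]."""
    def __init__(self) -> None:
        self.edges: Dict[str, List[Tuple[str, str, dict]]] = {}

    def add(self, src: str, rel: str, dst: str, **props) -> None:
        self.edges.setdefault(src, []).append((rel, dst, props))
        self.edges.setdefault(dst, [])

    def out(self, node: str, rel: str) -> List[Tuple[str, dict]]:
        return [(dst, props) for r, dst, props in self.edges.get(node, []) if r == rel]


def principals_of(g: Graph, user: str) -> Set[str]:
    """The user plus every group reachable over MEMBER_OF (groups may nest)."""
    seen, queue = {user}, deque([user])
    while queue:
        node = queue.popleft()
        for group, _ in g.out(node, "MEMBER_OF"):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def ancestors_of(g: Graph, resource: str) -> List[str]:
    """The resource, then its folder, that folder's folder, ... up to the root."""
    path, node = [resource], resource
    while True:
        parents = g.out(node, "CHILD_OF")
        if not parents:
            return path
        node = parents[0][0]
        path.append(node)


def is_allowed(g: Graph, user: str, action: str, resource: str) -> bool:
    """Walk the resource's ancestry; for each node look for HAS_PERMISSION edges
    from any of the user's principals. DENY short-circuits; a GRANT anywhere on the
    path is enough. Unknown users have no principals with edges, so they get nothing."""
    subjects = principals_of(g, user)
    granted = False
    for node in ancestors_of(g, resource):
        for principal in subjects:
            for target, props in g.out(principal, "HAS_PERMISSION"):
                if target == node and props.get("action") == action:
                    if props.get("effect") == "DENY":
                        return False
                    granted = True
    return granted


def build_sample_graph() -> Graph:
    """Constructed sample: two users, nested groups, a small folder tree."""
    g = Graph()
    g.add("alice", "MEMBER_OF", "engineering")
    g.add("bob", "MEMBER_OF", "contractors")
    g.add("engineering", "MEMBER_OF", "staff")
    g.add("contractors", "MEMBER_OF", "staff")
    for child, parent in [("/projects", "/"), ("/projects/secret.txt", "/projects"),
                          ("/public", "/"), ("/public/readme.txt", "/public")]:
        g.add(child, "CHILD_OF", parent)
    g.add("staff", "HAS_PERMISSION", "/", action="read", effect="GRANT")
    g.add("engineering", "HAS_PERMISSION", "/projects", action="write", effect="GRANT")
    g.add("contractors", "HAS_PERMISSION", "/projects", action="read", effect="DENY")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for user, action, res in [("alice", "write", "/projects/secret.txt"),
                              ("bob", "read", "/projects/secret.txt"),
                              ("bob", "read", "/public/readme.txt"),
                              ("mallory", "read", "/public/readme.txt")]:
        print(user, action, res, "->", is_allowed(g, user, action, res))
```

Two properties make this worth a graph: adding a level of nesting (a sub-folder, a sub-group) changes no code, and the decision for any (user, resource) pair is explainable by the path the traversal took, which is what an auditor asks for.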
45. SECURITY VULNERABILITIES
- Connection pollution
- JSON injection
- Key brute force
- HTTP/REST based attacks
- Server-side JavaScript (SSJS): integral to many NoSQL databases such as MongoDB and Neo4J, so JavaScript built from user input runs inside the database process

46. NOSQL - POTENTIAL SECURITY VULNERABILITIES

NoSQL DB                 Vulnerability                      Notes
MongoDB                  Query ("SQL") injection            In PHP: request arrays such as user[$ne]=1 arrive as query operators
MongoDB                  Blind injection                    Answers inferred from match / no-match
MongoDB                  Null byte injection
MongoDB / SpiderMonkey   DoS                                Server-side JavaScript engine
CouchDB / Futon          XSS                                Admin interface
CouchDB                  String comparison timing attack    Authentication
47. AGENDA: Best Practices

48. BEST PRACTICES
- Input validation: whitelist the type, length and format of every value before it reaches the driver; reject query operators and server-side JavaScript assembled from user input
- Output validation (encoding/escaping): data read back from the store is untrusted too; encode it for the context it goes into (HTML, JSON, shell)
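The injection rows in slide 46, the SSJS point in slide 45 and the input-validation item above come down to one thing in application code: what the web layer decodes from a request must not flow into a filter or document as-is. The following is an added example in Python, not code from the deck (whose demos are Java) and not any driver's own API: it builds the filter and document dictionaries an application would hand to a MongoDB-style driver, first the vulnerable way, then with whitelist validation, and runs without a database. The form fields, the user schema and the error type are assumptions; the tampered form is a constructed sample of what a PHP- or Express-style parameter parser produces from user[$ne]=x.

```python
"""Added example: operator/SSJS injection in query construction, and the hardened form."""
import re
from typing import Any, Callable, Dict

# Constructed samples of what a web framework hands the application after decoding.
# ?username[$ne]=x&password[$ne]=x  becomes nested dicts, i.e. query operators.
TAMPERED_LOGIN_FORM = {"username": {"$ne": "x"}, "password": {"$ne": "x"}}
NORMAL_LOGIN_FORM = {"username": "alice", "password": "s3cret"}
WHERE_PAYLOAD = {"username": "' || '1'=='1"}


def vulnerable_login_filter(form: dict) -> dict:
    """Vulnerable: passes decoded values straight into the filter. With the tampered
    form it becomes {username: {$ne: x}, password: {$ne: x}}, which matches the
    first user in the collection, so the attacker is logged in as someone."""
    return {"username": form["username"], "password": form["password"]}


def vulnerable_where_filter(form: dict) -> dict:
    """Vulnerable: concatenates user input into server-side JavaScript ($where).
    The payload closes the string literal and makes the predicate always true;
    a while(true){} payload would instead tie up the JS engine (the DoS row)."""
    return {"$where": "this.username == '%s'" % form["username"]}


class InvalidInput(ValueError):
    pass


def as_scalar(value: Any, field: str, max_len: int = 64) -> str:
    """Accept only a non-empty, bounded, NUL-free string. dicts and lists are how
    operators ({"$ne": ...}, {"$gt": ""}) arrive; an embedded NUL byte is the
    null-byte injection row (string truncation further down the stack)."""
    if not isinstance(value, str):
        raise InvalidInput(f"{field}: expected a string, got {type(value).__name__}")
    if not value or len(value) > max_len or "\x00" in value:
        raise InvalidInput(f"{field}: empty, too long or contains NUL")
    return value


def safe_login_filter(form: dict) -> dict:
    """Hardened: the name is validated as a scalar and the password never enters the
    query at all; look the user up by name, then verify the stored hash in code."""
    return {"username": as_scalar(form.get("username"), "username")}


def safe_search_filter(form: dict) -> dict:
    """Hardened alternative to $where: no server-side JavaScript, an anchored and
    escaped regular expression built from a validated scalar."""
    term = as_scalar(form.get("q"), "q")
    return {"username": {"$regex": "^" + re.escape(term)}}


def contains_operator(doc: Any) -> bool:
    """Defence in depth: True if any key at any depth starts with '$'. Run it on every
    filter or document assembled from request data just before it reaches the driver."""
    if isinstance(doc, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in doc.items())
    if isinstance(doc, list):
        return any(contains_operator(v) for v in doc)
    return False


# Write side: the store is schemaless, so the application enforces the schema (slide 51).
USER_SCHEMA: Dict[str, re.Pattern] = {
    "username": re.compile(r"^[a-z0-9_]{3,32}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
}


def validate_user_document(doc: dict) -> dict:
    """Whitelist validation before insert: only known fields, strings matching their
    pattern, no operator keys. Returns a clean copy; anything else is rejected."""
    if contains_operator(doc):
        raise InvalidInput("operator key in document")
    unknown = set(doc) - set(USER_SCHEMA)
    if unknown:
        raise InvalidInput(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for field, pattern in USER_SCHEMA.items():
        value = doc.get(field)
        if not isinstance(value, str) or not pattern.match(value):
            raise InvalidInput(f"bad value for {field}")
        clean[field] = value
    return clean


def is_rejected(builder: Callable[[dict], dict], form: dict) -> bool:
    """True if the builder refuses the input (used by the demo and the checks)."""
    try:
        builder(form)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login_filter(TAMPERED_LOGIN_FORM))
    print("vulnerable $where:", vulnerable_where_filter(WHERE_PAYLOAD))
    print("safe:", safe_login_filter(NORMAL_LOGIN_FORM))
    print("tampered rejected:", is_rejected(safe_login_filter, TAMPERED_LOGIN_FORM))
    print("clean document:", validate_user_document({"username": "alice", "email": "alice@example.com"}))
```

Note the asymmetry: the hardened read path never puts the password into a filter, and the hardened write path never accepts a field it does not know about, so neither a smuggled operator nor an extra attribute such as an admin flag can reach the database.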
49. TOOLS AND TECHNIQUES
- NoSQL development:
  - Neoclipse
  - Spring Tool Suite (STS) for Spring Data projects
- Security:
  - Static and dynamic (black-box) scanners for NoSQL
  - LAPSE+: static security scanner for detecting vulnerabilities in Java EE applications
  - w3af (Web Application Attack and Audit Framework)
  - Fuzzing: hzzp
  - SQL Inject Me
  - ZAP
  - HackBar / Test HackBar
  - Burp Suite
  - Tamper Data
  - WATOBO
http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

50. DATA ARCHITECTURE CONSIDERATIONS
- Data security strategy and standards
- Data classification
- Separation of concerns
- Defense in depth

51. DESIGN CONSIDERATIONS
- Separate persistence layer, so authentication and ACLs are applied in a standard, centralized fashion rather than in every caller
- Schema validator: the store is schemaless, so the application must enforce the schema
- Do not store sensitive data in remote (hosted) NoSQL storage
- Build the interface with security from day one
- Batch jobs or other utility scripts that access the database outside the typical application interface need the same controls

52. RECOMMENDED APPROACH
- Define your use cases
- Categorize use cases to see where NoSQL is a good solution and where it is not
- Separate security requirements from the core business and data requirements
- Review the security requirements and assess whether NoSQL is still a good solution
- Based on the security requirements, decide whether to host the database(s) in your own data center or in the cloud

53. FUTURE ROAD MAP
- MongoDB:
  - Encryption/compression of the wire protocol
  - Stronger password authentication scheme
- Hadoop:
  - Pluggable authentication modules
  - SAML
  - PKI
  - Better authorization for Hive and HBase
54. AGENDA: Conclusions

55. CONCLUSIONS
- "One size fits all" fits nothing
- Involve security early in the application development process (SDLC or Agile)
- Risk-based strategy
- RDBMS is not a four-letter word
- Hybrid approach (polyglot data storage)
56. RESOURCES
- MongoDB: The Definitive Guide
- Cassandra: The Definitive Guide
- CouchDB: http://wiki.apache.org/couchdb/Security_Features_Overview
- Spring Data:
  - http://www.springsource.org/spring-data/mongodb
  - http://static.springsource.org/spring-data/data-document/docs/current/reference/html/
  - http://www.springsource.org/spring-data/neo4j
  - http://static.springsource.org/spring-data/data-graph/docs/current/reference/html/#tutorial_security
  - http://www.springsource.org/spring-data/hadoop
- Redis: https://github.com/dmajkic/redis
- Authentication: http://www.mongodb.org/display/DOCS/Security+and+Authentication
- Security testing tools:
  - http://w3af.sourceforge.net/
  - http://www.fiddler2.com/Fiddler2/version.asp
  - http://www.sensepost.com/labs/tools/pentest/wikto
  - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
57. Q&A

58. THANK YOU
- Thank you for your attention
- Feedback survey

59. CONTACT ME
- Domain-Driven Design, security and enterprise architecture articles on InfoQ: http://www.infoq.com
- srinipenchikala@gmail.com
- @srinip
- http://srinip2007.blogspot.com
61. COUCHDB SECURITY (v0.11 / 1.0.1 as tested)
- Apache project, written in Erlang
- HTTP communication (REST + JSON)
- No built-in SSL support in these versions (native HTTPS arrived in 1.1); put a TLS-terminating proxy in front
- Listens only on 127.0.0.1 by default
- Authentication handlers: OAuth, cookie based, default (HTTP basic) handler
- Starts in "admin party" mode by default: until a server admin is created, every request has admin rights
- Passwords: SHA-1 hash with a 128-bit UUID salt (salted, but a single round of a fast hash)

62. COUCHDB SECURITY (2)
- Authorization: three types of users
  - Database readers
  - Database admins
  - Server admins
63. HADOOP/HBASE SECURITY (CDH3b3 / Hadoop 0.20.203.0)
- Kerberos (v5) based authentication is available, but contrary to the deck's "enabled by default" it is off unless configured: hadoop.security.authentication defaults to "simple" (the client-supplied user name is trusted) and must be set to "kerberos"
- org.apache.hadoop.hbase.security classes: HadoopUser, SecureHadoopUser, User
- Server authentication is bi-directional (client and server authenticate each other)

64. HADOOP/HBASE SECURITY (2)
- RPC connection security: SASL "GSSAPI" (Kerberos)
- HDFS: POSIX-style permissions model
- Job control: ACL based; includes a view ACL
- Web interfaces: out-of-the-box Kerberos and SSL support
- HDFS and MapReduce daemons should run as their own OS users
- Middle tier acting as a broker in front of the Hadoop cluster: Apache Hive, Oozie etc.

65. HADOOP/HBASE SECURITY (3)
- No encryption on the wire in this version (RPC is authenticated, not encrypted)
- Protection against DoS attacks
66. REDIS SECURITY
- Session state kept in Redis means security would be handled through Redis itself rather than the container HttpSession (left as an open question in the deck)

67. RIAK SECURITY
- Built-in REST server
- Webmachine pre-commit hooks (validate a write before it is accepted)