An assortment of NoSQL databases, Hadoop file systems and cloud-based data stores are enabling organizations to handle more data, both in volume and variety, than was possible with only the relational databases that preceded them. But the expanded data architectures are also expanding the security challenges -- and headaches -- faced by data management teams.
There are multiple threads to that. The plethora of data platforms complicates efforts to secure them. Controlling access to data in cloud systems is another hurdle. And database security issues are stalking some of the new kids on the data block. For example, NoSQL databases MongoDB and Redis have both been targeted by attackers looking to exploit security shortcomings.
Getting a handle on security at the data level is becoming a bigger priority, though. That's because the shift toward distributed data frameworks and cloud deployments is changing the security status quo, according to Garrett Bekker, an analyst at 451 Research.
The old model of building perimeter protections with firewalls and other network security tools is less relevant in the era of cloud computing and increased remote access by employees and outside workers at contractors and business partners, Bekker said. As data moves around more and is made available to broader groups of users, he sees more of a need to focus on securing it in addition to guarding against network intrusions.
"Putting a wall around your organization isn't enough anymore," Bekker explained. "People are coming in and out of your network all the time. So, logically, you try to protect the data itself."
The problem is that doing so isn't simple. Data-level security can require encryption, masking and tokenization as well as authentication policies based on the specific data that individual users need to access, he said. It can also include database activity monitoring, which in turn encompasses data discovery and classification.
With size comes complexity
Those things get even more challenging in distributed architectures with large amounts of data spread across a mix of databases and big data systems. "Discovering and classifying terabytes of data -- that can be time-consuming and require a lot of people to manage," Bekker said. "There are costs, and it adds complexity."
In fact, complexity was the most-often-cited barrier to adoption of data security processes in a survey of senior security executives conducted by 451 Research in the fall of 2016. According to a report released by the research firm together with software and services provider Thales E-Security, 50% of the 1,105 survey respondents said complexity was a roadblock in their organizations. Lack of available workers was next at 36%.
Configuration is another common thread among the database security issues brought to light by the recent exploits against NoSQL systems. Security researchers estimate that up to 99,000 MongoDB configurations are at risk for cyberattacks due to a lack of authentication controls. Others found a flaw in configurations of the Redis database that allowed attackers to gain shell access to Linux servers.
Well-established relational databases, and some of the older ones classified as NoSQL software, have a clear edge on security maturity over newer NoSQL technologies, according to Mike Bowers, principal enterprise information architect at The Church of Jesus Christ of Latter-day Saints in Salt Lake City.
Where data security starts
Bowers leads technology strategy on database platforms at the church, and he has spoken about managing NoSQL systems at various data management conferences. With some NoSQL databases, data architects and IT managers should be alert to the need to enforce proper security principles, Bowers advised. "You may have to compensate for a database's lack of maturity," he said.
That can mean educating developers on how to set up systems to avoid database security issues. For example, some open source NoSQL databases -- MongoDB among them -- don't enable authentication by default. That's helpful to students eager to finish academic projects or database developers intent on getting a prototype system up and running. But it isn't a good security practice in enterprise applications. "A database should not allow the option of using a default password," Bowers said.
Database security processes should begin with encryption of data while it's at rest, and account protections that use multifactor authentication where possible, Bowers recommended. Another step he advocates is to ensure that databases are locked into specific network zones. "The goal is to reduce the surface area for a hacker," he noted.
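The two recommendations above, no default-off authentication and databases locked into their own network zone, can be checked mechanically. The audit below is an added example, not code from the article or from Bowers' team: it flattens the indented key/value subset of a mongod.conf and flags the settings a reviewer would look for. The keys are real MongoDB options (security.authorization, net.bindIp, net.tls.mode on 4.2 or later, and the Enterprise-only security.enableEncryption); both config samples are constructed for the example.

```python
# Constructed sample: an out-of-the-box style mongod.conf with no security section.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
# Same server hardened: authorization on, loopback only, TLS required,
# encryption at rest (security.enableEncryption is an Enterprise-only option).
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
security:
  authorization: enabled
  enableEncryption: true
"""

def parse_conf(text):
    """Flatten the indented key: value subset of mongod.conf into dotted keys (no lists)."""
    flat, path = {}, []  # path holds (indent, key) for the enclosing sections
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while path and indent <= path[-1][0]:  # dedent closes open sections
            path.pop()
        if value.strip():
            flat[".".join([k for _, k in path] + [key])] = value.strip()
        else:
            path.append((indent, key))
    return flat

CHECKS = [  # (dotted key, required value, why it matters)
    ("security.authorization", "enabled", "anonymous clients get full access"),
    ("net.tls.mode", "requireTLS", "credentials and data cross the wire in clear"),
    ("security.enableEncryption", "true", "no encryption at rest"),
]

def audit(text):
    """Return findings for a mongod.conf; an empty list means every checked control is set."""
    conf = parse_conf(text)
    findings = [f"{k} != {v}: {why}" for k, v, why in CHECKS if conf.get(k) != v]
    bind = conf.get("net.bindIp")
    if bind is None or "0.0.0.0" in bind:  # older releases bound all interfaces by default
        findings.append("net.bindIp unset or 0.0.0.0: listener reachable beyond its network zone")
    return findings
```

Run `audit()` over each deployed mongod.conf in a CI job; the hardened sample yields no findings, the weak one yields four.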
At the Church of Jesus Christ, Bowers and his team also use database monitoring software to help highlight patterns of activity and track all SQL statements across the databases in use there. He said the church's data processing work is centered primarily on three database platforms -- Oracle Database, Microsoft SQL Server and MarkLogic. The latter is categorized as a NoSQL database, but it has a few years on most NoSQL offerings from a development standpoint.
Bowers noted that MarkLogic supports daily "under-the-hood" encryption routines that run automatically once they're configured by database administrators or developers. He favors such regular, cell-level encryption processes over less frequent ones that involve larger amounts of data and consume more compute cycles, thus slowing database performance while running.
A matter of trust
Behind all of the security efforts is a mindfulness that the data in the church's databases involves real people who could be affected by a breach. "Our church member data is important to us; it's a sacred trust," Bowers said. His team is working to maintain that trust while also supporting groups that are experimenting with new databases and moving some types of data to cloud platforms.
As more data goes to the cloud, new classification schemes will need to be put in place in cloud databases so that "data controls correspond to the specific values of data," said Daniel Mellen, managing director for cloud data security at consulting and professional services provider Accenture.
That discussion is different from the one in the early days of cloud computing, when security concerns blocked adoption in many enterprises. But cloud systems certainly aren't immune to database security issues. For example, in June 2017, a security researcher uncovered a misconfigured data repository in the cloud-based Amazon Simple Storage Service (S3) that exposed account information on 14 million Verizon customers.
As in the S3 case, many of the mistakes that can lead to cloud data breaches have a familiar ring, according to Mellen. "Looking at the attacks and compromises that have been tied to cloud service providers," he said, "I haven't seen one yet that hasn't been related to customer configurations."