NoSQL equals no security?

Source: Internet
Author: User


The IT world is quickly embracing "big data". Huge data storage will be the next topic of big data analytics as big data keeps getting bigger; for example, startups are using these systems to analyze the history of human evolution with trillions of DNA test strips. While big data (and its underlying technology, NoSQL) is becoming a buzzword in the information systems community, there is not much discussion about the security implications of big data.
Big Data Overview
NoSQL refers to non-relational databases: data stores that contain large amounts of different types of structured and unstructured data. Because of the diversity of the data, these data stores are not accessed through the standard SQL language. Previously, we often divided data storage into two types: relational databases (RDBMS) and file servers. NoSQL broadens that view: unlike the traditional relational model, it does not follow a structured form. The main advantages of the NoSQL approach to data storage are the scalability and availability of data and the flexibility of data storage. In business intelligence systems, each data store is mirrored in different locations to ensure continuous data availability and no data loss. Such storage systems are typically used for trend analysis; they are not suited to financial transactions that require real-time updates, but a financial institution can use such a system to work out which of its branch offices are the most efficient or the busiest.
NoSQL equals no security?
Many people might say that the developers of the various NoSQL systems deliberately left security out of their systems. For example, Cassandra has only basic built-in authentication; the idea is that database administrators should not need to worry about security, and that security issues should be handled by a dedicated team. In our view, NoSQL brings the following security challenges:
★ Model maturity. Current standard SQL technology includes strict access control and privacy management tools, while in the NoSQL model there is no such requirement. In fact, NoSQL cannot follow the SQL model; it needs a new model of its own. For example, in a NoSQL data store, column-level and row-level security are more important than in traditional SQL data stores. In addition, NoSQL allows attributes to be added to data records continually, so forward-looking security becomes very important, and businesses need to define security for these future attributes.
★ Software maturity. Over the years, database and file server systems have matured after being plagued by various security issues. While NoSQL can take some lessons from these systems, and the complexity of NoSQL data storage is reduced, we believe NoSQL will still have a variety of vulnerabilities for at least five years; after all, it uses new code.
★ Employee maturity. Even the most experienced database administrator is a novice when it comes to NoSQL. This means that these people first have to work out how to make it run (which is hard enough) and only later get around to thinking about security. When that happens, they are bound to make a lot of integration mistakes.
★ Client software. Because NoSQL server software does not have enough security built in, security must be built into the applications that access it, which in turn leads to a number of security issues:
☆ Adding authentication and authorization to the application. This requires more security considerations, which only makes the application more complex. For example, an application would need to define users and roles. Based on this data, the application can decide whether to grant a user access to the system.
☆ Input validation. Again, we see the problems that plague relational database applications continuing to plague NoSQL databases. At last year's Black Hat conference, for example, researchers showed how hackers could use "NoSQL injections" to access restricted information. Although the schedule for the 2012 Black Hat conference has not yet been set, we look forward to seeing more NoSQL presentations this year.
☆ Application awareness. Where each application has to manage security itself, the application must be aware of all the other applications. This is what prevents access to data that does not belong to the application.
☆ When new data types are added to the data store, the data storage administrator must figure out which applications cannot access specific data.
☆ Vulnerability-prone code. There are many NoSQL products on the market, but even more applications and application server products. The more applications you have, the more code there is that is prone to vulnerabilities.
★ Data redundancy and dispersion. A basic tenet of relational database security is normalizing data: storing each piece of data in a single location. Big data systems have completely changed this pattern. The inherent pattern of these systems is to replicate data into many tables to optimize query processing. Data is scattered across different data warehouses in different geographic locations, and it is difficult for businesses to locate and protect all confidential information.
★ Privacy issues. The privacy issue is not driven by security problems, but by the use of big data to correlate data from different activities, different applications and different systems. Take Google, for example: they changed their privacy terms a few months ago, and the new terms allow Google to fuse information from all of its services. For us as individuals, this seriously affects our ability to evade corporate tracking, even if we use multiple identities. However, these companies now face risks of their own. On the one hand, they try to keep the data inside their businesses, mainly because of ownership and regulatory needs. Recently, however, scientists have begun to worry about this practice and are calling on companies to disclose the data sets so that their findings can be verified.
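The "forward-looking security" and application-side authorization points in the list above, as an added example that is not part of the original article: a field-level read policy that denies by default, so an attribute added to records later is withheld until someone classifies it. Role names, field names and the sample records are constructed for illustration.

```python
# Added example: default-deny, field-level read policy for schemaless records.
# Roles, fields and SAMPLE_RECORDS are constructed, not taken from any product.

# Each role lists the attributes it may read. Anything not listed,
# including attributes added to records in the future, is denied.
FIELD_POLICY = {
    "analyst": {"branch_id", "region", "monthly_volume"},
    "auditor": {"branch_id", "region", "monthly_volume", "manager_name"},
}

SAMPLE_RECORDS = [
    {"branch_id": 17, "region": "north", "monthly_volume": 4210},
    # A newer record that has picked up two extra attributes.
    {"branch_id": 18, "region": "south", "monthly_volume": 3980,
     "manager_name": "J. Doe", "customer_phone": "555-0100"},
]


class AccessDenied(Exception):
    pass


def readable_view(role, record):
    """Return (view, withheld): fields the role may see, and names withheld."""
    if role not in FIELD_POLICY:
        raise AccessDenied(f"unknown role: {role!r}")
    allowed = FIELD_POLICY[role]
    view = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    return view, withheld


def unclassified_fields(records):
    """Attributes present in the data but named in no role's policy.

    These are the 'future attributes' that still need a security decision.
    """
    known = set().union(*FIELD_POLICY.values())
    seen = set()
    for record in records:
        seen.update(record)
    return sorted(seen - known)


if __name__ == "__main__":
    for role in FIELD_POLICY:
        print(role, readable_view(role, SAMPLE_RECORDS[1]))
    print("needs classification:", unclassified_fields(SAMPLE_RECORDS))
```

Running `unclassified_fields` as a periodic job over a sample of stored records gives the data store administrator a list of attributes that no application policy covers yet.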
Summary
NoSQL is still in its infancy, and we may not see any NoSQL security solution for the next year or so. Companies that want to develop their own NoSQL solutions should first carefully select their development team, which should include industry veterans with a sense of security. In addition, code reviews should be conducted to ensure the security of the software.
Finally, the platform should be exposed to users only behind rigorous input validation and network isolation, to minimize the exposure. Fortunately, we are now in the big data age: the cost of storage is down, and technology allows us to easily access and analyze data.
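One way to do the input validation recommended above, as an added example that is not part of the original article: a client-supplied query filter is accepted only if every field is known and every value is a plain scalar of the expected type, so request data can never become part of the query structure. The schema, field names and sample inputs are constructed.

```python
# Added example: validate a client-supplied filter before it reaches the
# data store. FILTER_SCHEMA and all sample inputs are constructed.

FILTER_SCHEMA = {
    "branch_id": int,
    "region": str,
}
MAX_STR_LEN = 64


class InvalidFilter(ValueError):
    pass


def validate_filter(raw):
    """Return a clean copy of `raw` or raise InvalidFilter.

    Only known fields are accepted, and each value must be a scalar of the
    expected type. Nested objects and lists are refused outright.
    """
    if not isinstance(raw, dict):
        raise InvalidFilter("filter must be an object")
    clean = {}
    for key, value in raw.items():
        if not isinstance(key, str) or key not in FILTER_SCHEMA:
            raise InvalidFilter(f"field not allowed: {key!r}")
        expected = FILTER_SCHEMA[key]
        # bool is a subclass of int in Python, so compare exact types.
        if isinstance(value, bool) or type(value) is not expected:
            raise InvalidFilter(f"{key}: expected {expected.__name__}")
        if expected is str and len(value) > MAX_STR_LEN:
            raise InvalidFilter(f"{key}: value too long")
        clean[key] = value
    return clean


def check(raw):
    """Demo helper: (True, clean_filter) or (False, reason)."""
    try:
        return True, validate_filter(raw)
    except InvalidFilter as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed request bodies, already parsed from JSON.
    print(check({"branch_id": 17, "region": "north"}))
    print(check({"region": {"$op": "x"}}))   # object where a string belongs
    print(check({"is_admin": "true"}))       # field outside the schema
```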