[TechTarget Chinese original] Q: I am studying various types of database architectures. Can you tell me about the security of non-SQL (NoSQL) databases compared with mainstream commercial relational databases?
For a database to store information securely, it must provide confidentiality, integrity, and availability (CIA): data must be available when needed (availability), but only to authorized individuals or systems (confidentiality), and it can be modified only by authorized persons (integrity).
Relational databases include integrated functions such as role-based security, encrypted communication, row- and field-level access control, and user-level access control over stored procedures. Enterprise relational database management systems (RDBMS), such as Oracle and Microsoft SQL Server, also have ACID properties (atomicity, consistency, isolation, durability) to ensure that database transactions are processed reliably; data replication and logging ensure durability and data integrity. However, these functions generally come at a cost, primarily license fees and data access speed.
For social network applications like Facebook and e-commerce sites like Amazon, which need to process massive amounts of data, scalability and availability are the key database requirements. Data may be distributed across hundreds or even thousands of servers. Many companies have therefore switched to non-relational database management systems, or NoSQL databases. However, the security of NoSQL databases is far weaker than that of relational databases.
NoSQL databases have properties called BASE (Basically Available, Soft state, Eventually consistent), so consistency is not required after each transaction; it is sufficient for the database to eventually reach a consistent state. This means that a user may not see the latest data but rather the data from the last snapshot, such as the item count in an inventory. Because transactions are not written to the database immediately, other transactions may interfere before synchronization. This inherent race condition means that not all users see the same data at the same time, which is a real risk for database processing such as shared transactions.
NoSQL databases also lack confidentiality and integrity. For example, NoSQL databases have no schema: you cannot separate permissions at the level of tables, rows, or columns and still maintain quick access to data. They rarely have built-in security mechanisms. The documentation of the popular non-relational database MongoDB states, "One valid way to run the Mongo database is in a trusted environment, with no security and authentication ... Of course, in this configuration, one must be sure that only trusted machines can access the database TCP port." The NoSQL database Riak does not support authentication or authorization.
This means that confidentiality and integrity must be provided entirely by the application that accesses the data. Placing the last line of defense for extremely valuable data at the application level sounds unrealistic: application developers are not focused on implementing security functions, let alone building them in from the start. In that case, only a firewall is protecting your data.
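To make concrete what "confidentiality and integrity provided by the application" means when the store itself has no schema, no row or field permissions and no authentication, here is an added illustration (not code from the article or from any NoSQL product): an in-memory dict stands in for a schemaless collection, and the role and field policy, the sample orders, and the helper names are all assumptions constructed for this example.

```python
"""Application-level row- and field-level access control over a schemaless store.

Constructed example: the store is a plain dict, the policy is invented for
illustration. An RDBMS would enforce this with grants and row/column security;
here the application is the only line of defense, so every read and write
must pass through these checks.
"""
from copy import deepcopy

# Constructed sample "orders" collection: documents with no schema.
ORDERS = {
    "o1": {"owner": "alice", "item": "laptop", "qty": 1, "card_last4": "4242"},
    "o2": {"owner": "bob", "item": "monitor", "qty": 2, "card_last4": "1111"},
}

# Assumed policy: fields each role may read (column-level confidentiality),
# and fields an owner may change (integrity). Customers never see card data.
FIELD_POLICY = {
    "customer": {"owner", "item", "qty"},
    "support": {"owner", "item", "qty", "card_last4"},
}
WRITABLE_BY_OWNER = {"qty"}

class AccessDenied(Exception):
    pass

def fresh_store():
    """Return a private copy so callers (and tests) never mutate ORDERS."""
    return deepcopy(ORDERS)

def read_order(store, user, role, order_id):
    """Row-level check (owner or support role), then field-level redaction."""
    doc = store.get(order_id)
    # Same error for "missing" and "not yours" so ids cannot be enumerated.
    if doc is None or (role != "support" and doc["owner"] != user):
        raise AccessDenied("no such document or not visible to this user")
    allowed = FIELD_POLICY.get(role, set())
    return {k: v for k, v in doc.items() if k in allowed}

def update_order(store, user, order_id, changes):
    """Integrity: only the owner may write, and only whitelisted fields."""
    doc = store.get(order_id)
    if doc is None or doc["owner"] != user:
        raise AccessDenied("no such document or not visible to this user")
    disallowed = set(changes) - WRITABLE_BY_OWNER
    if disallowed:
        raise AccessDenied(f"fields not writable: {sorted(disallowed)}")
    store[order_id] = {**doc, **changes}
    return dict(store[order_id])

def is_denied(fn, *args, **kwargs):
    """True if the call is refused by the access-control layer."""
    try:
        fn(*args, **kwargs)
        return False
    except AccessDenied:
        return True
```

The point is not the policy itself but that nothing below this layer would stop a query that bypasses it, which is exactly the gap the article describes.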