Designing for Security

I just finished reading this article on NoSQL security. It raised a couple of concerns:

1. Systems require security. Hard stop. No ifs, ands, or buts about it. Designing security in from the start is a hard task. At Microsoft there are several practices and resources we use to design and evaluate security. These have been in place for ~10 years and have been refined over that time. My assessment is that it's working. Look at the security track record for SQL2K5 through SQL2K8R2. Pretty darn solid, especially when compared to Oracle. We spent a significant amount of time reviewing existing product functionality and designing and testing new functionality. It's simple ignorance to release new infrastructure software, much less anything else, without designing for security.

2. It's additional ignorance like the following that causes me serious concern; from the same article:

“While [James Phillips, co-founder and senior vice president of products for Couchbase, a NoSQL platform firm] agrees that there is still an experience gap with such a new technology, he believes that some of the security concerns should be at least a little quelled if organizations consider the typical use case for NoSQL. He believes that these data stores usually contain less sensitive information than the typical relational database and that they tend to have limited touch points to other applications within the enterprise network.”

What in the world does “less sensitive information” mean? Phillips goes on to say:

"They're using the technology not as a database per se, like you would consider perhaps an enterprise data store where you're collecting and aggregating lots of the business data of the organization that other apps are going to tie into," he says. "Rather, if I'm building a social network or social game or building a very specific web application that has certain functionality, it tends to sit behind the firewall and it ties to this application and usually isn't available for other parts of the organization to tap."

The belief that security attacks only come from outside the organization is pure ignorance. The belief that security concerns will be quelled if the implementers of the technology consider the typical use case for NoSQL is another example of ignorance. And finally the characterization that only social network and social game companies are going to use NoSQL and that they don’t hold sensitive data is flabbergasting; think of the Sony incident.

My intent isn't to personally attack Mr. Phillips. I'm sure there are many people in the software industry who use the same spin when it suits them or their company's product. Imagine if Microsoft or IBM took the same stance as Couchbase. Couchbase considers itself a platform company. Its lack of outward concern for security is proof it is not a platform company.

I want to state again that I have nothing personal toward Mr. Phillips or his company. I’ve never met him or used his company’s product. But he is simply doing NoSQL and his company a disservice by attempting to downplay the lack of security in NoSQL.

As I said, adding security after the fact is extremely hard. But this doesn't mean we should give up or position the technology as not needing it. As an IT professional it's your responsibility to understand the benefits and limitations of all technology you implement, do a security review, and ensure it meets the business requirements. Hard Stop!

Comments (2)

  1. Brent Ozar says:

    By "less sensitive information" he means things like clickstream data. I'm working with a client today that's putting every mouse movement on their web site into SQL Server – on the same database server that houses their orders, inventory, and credit card data. With your experience, you can guess which kind of data is absolutely dominating the buffer pool, and in order to get increased performance on the transactional data, we need to separate out the clickstream data into another instance, another server, or another platform altogether. With SQL Server 2012's Enterprise Edition licensing running $7k per core, it was a pretty easy decision to move the clickstream data into NoSQL.

    "As I said, adding security after the fact is extremely hard." And Microsoft should know, right? After the default blank SA passwords, the Slammer problems, finally putting TDE in SQL 2008, and still requiring SA access for third party backup software that needs to use the VDI interface, we live in a glass house and we shouldn't be throwing stones.

  2. dtjones says:

    Thanks Brent. Insightful as usual.