Now that you know how a NoSQL system can fit into your enterprise, let's look at how you can qualify a NoSQL database by looking at its ability to handle authentication, authorization, audit, and encryption requirements. Taking a structured approach to comparing NoSQL databases against these components will increase your organization's confidence that a NoSQL database can satisfy security concerns.
11.2 Gathering your security requirements
Selecting the right NoSQL system will depend on how complex your security requirements are and how mature the security model is within your NoSQL database. Before embarking on a NoSQL pilot project, it's a good idea to spend some time understanding your organization's security requirements. We encourage our customers to group security requirements into four areas, as outlined in figure 11.4.
[Figure 11.4: four panels, one per area]
Authentication: Are users and requests from the people they claim to be?
Authorization: Do users have read and/or write access to the appropriate data?
Audit: Can you track who read or updated data and when they did it?
Encryption: Can you convert data to a form that can't be used by unauthorized viewers?
Figure 11.4 The four questions of a secure database. You want to make sure that only the right people have access to the appropriate data in your database. You also want to track their access and transmit data securely in and out of the database.
The remainder of this chapter will focus on a review of authentication, authorization,
audit, and encryption processes followed by three case studies that apply a security
policy to a NoSQL database. Let's begin by looking at the authentication process to
see how it can be structured within your security requirements.
11.2.1 Authentication
Authenticating users is the first step in protecting your data. Authentication is the process of validating the identity of a specific individual or a service request. Figure 11.5 shows a typical authentication process.
As you'll see, there are many ways to verify the identity of users, which is why many
organizations opt to use an external service for the verification process. The good
news is that many modern databases are used for web-only access, which allows them
to use web standards and protocols outside of the database to verify a user. With this
model, only validated users will ever connect with the database and the user's ID can
then be placed directly in an HTTP header. From there the database can look up the
groups and roles for each user from an internal or external source.
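As an added illustration (not code from the book), here is a minimal version of that model in Python: a proxy that has already verified the user sets an identity header, and the database front end trusts that header only when it also carries the proxy's HMAC signature, then looks up the user's roles and decides whether the requested read or write is allowed. The signed header, the shared secret, and the user and role tables are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data (assumptions for this example): a secret shared by the
# authenticating proxy and the database front end, plus an internal role lookup.
PROXY_SECRET = b"replace-with-a-real-secret"
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"analyst", "editor"},
}
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
}

def sign_user_id(user_id: str, secret: bytes = PROXY_SECRET) -> str:
    """Proxy side: signature proving the proxy, not the client, set the user ID."""
    return hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()

def proxy_headers(verified_user_id: str, client_headers: dict) -> dict:
    """Proxy side: strip any identity headers the client sent, then set our own."""
    headers = {k: v for k, v in client_headers.items()
               if not k.lower().startswith("x-auth-")}
    headers["X-Auth-User"] = verified_user_id
    headers["X-Auth-Sig"] = sign_user_id(verified_user_id)
    return headers

def authenticate(headers: dict, secret: bytes = PROXY_SECRET) -> Optional[str]:
    """Database side: accept the user ID only if the proxy's signature verifies."""
    user_id = headers.get("X-Auth-User")
    if not user_id:
        return None
    expected = sign_user_id(user_id, secret)
    # Constant-time comparison so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(expected, headers.get("X-Auth-Sig", "")):
        return None
    return user_id

def authorize(user_id: str, operation: str) -> bool:
    """Database side: union the user's role permissions and check the operation."""
    allowed = set()
    for role in USER_ROLES.get(user_id, ()):
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return operation in allowed

def handle_request(headers: dict, operation: str) -> str:
    """Authentication first, then authorization; unknown users get no access."""
    user_id = authenticate(headers)
    if user_id is None:
        return "401 unauthenticated"
    if not authorize(user_id, operation):
        return "403 forbidden"
    return f"200 {operation} as {user_id}"
```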