Cloud Database Security Issues and Challenges

Ganesh Chandra Deka (Ministry of Labour and Employment, India)
Copyright: © 2019 |Pages: 23
DOI: 10.4018/978-1-5225-8176-5.ch007

Abstract

To deliver the desired benefits to the IT enterprise, NoSQL databases must be combined with proven and reliable SQL features in a single infrastructure that meets the manageability and security requirements of cloud computing. Various specifications for improved interoperability across organizational boundaries, including SAML (Security Assertion Markup Language), are emerging. This chapter discusses some of the security issues of NoSQL databases. All the related technologies used in the chapter are explained either where they appear or at the end of the chapter.

Introduction

Data collected from various sources such as social media, logs, mobile devices and sensor networks has become very sensitive, as many organizations use cloud-based applications for various transactions. Data compromise is caused by:

  • Malicious attack,

  • Web application vulnerabilities,

  • Unauthorized access/change of data.

Data needs security in each of the following states:

  1. Data at rest,

  2. Data in motion,

  3. Data in use.

Data security plays a vital role, specifically when the data is remotely accessible in the cloud. The cloud computing delivery models (SaaS, PaaS and IaaS) are attractive targets for attackers because of the volume of information that can be compromised.

Developed specifically to meet the requirements of cloud computing, NoSQL databases, popularly known as “Not only SQL” databases, are primarily non-relational distributed databases. NoSQL databases support massive data storage across multiple storage clusters.

A variety of NoSQL databases with different features are available as open source and proprietary options. An interesting fact about NoSQL databases is that no two NoSQL database solutions are the same, since each is designed to meet the specific requirements of particular cloud-based applications. Most NoSQL databases do not offer a Data Definition Language (DDL) for specifying a global schema. There is no schema management interface that works across NoSQL systems from different providers and allows application administrators to manage their data structures systematically (McWilliams & Ivey, 2012).

Since NoSQL has not been designed with security as a priority, protecting data stores has become a concern for organizations using NoSQL databases. For example, the MongoDB Developer FAQ says “…with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem” (Sullivan, 2011). The lack of NoSQL security features, namely authentication and authorization support, means that sensitive data are safer in a traditional RDBMS (Cobb, 2013). It was concluded in the proceedings of the “2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11” that “The lack of encryption support for the data files, weak authentication both between the client and the servers and between server members, very simple authorization without support for RBAC or fine-grained authorization, and vulnerability to SQL Injection and Denial of Service attacks” (Factor, 2013).

The NoSQL security concerns are:

  1. Authorization,

  2. Authentication,

  3. Confidentiality,

  4. Injection [schema injection specifically in document databases].

This chapter discusses the emerging trends in NoSQL database security. The security mechanisms used by some popular NoSQL databases are discussed in brief.
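The injection concern listed above, and the FAQ's point that queries are not built from strings, both come down to the shape of the input: a driver that takes a structured filter will accept a request field that deserializes to an object instead of a scalar. The following is an added example, not code from the chapter or from any database project; the schema, function names and sample bodies are hypothetical. It shows allow-list validation of untrusted JSON before it is used as a query filter or stored as a document.

```python
import json

# Hypothetical application schema: the only fields accepted, with their types.
ALLOWED_FIELDS = {"username": str, "age": int}


class RejectedInput(ValueError):
    """Raised when untrusted input does not match the allow-list."""


def _check_scalar(field, value):
    expected = ALLOWED_FIELDS.get(field)
    if expected is None:
        raise RejectedInput(f"unknown field: {field!r}")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, expected):
        raise RejectedInput(
            f"{field!r}: expected {expected.__name__}, got {type(value).__name__}"
        )
    return value


def build_filter(raw_json):
    """Turn an untrusted JSON body into an equality-only query filter."""
    params = json.loads(raw_json)
    if not isinstance(params, dict) or not params:
        raise RejectedInput("body must be a non-empty JSON object")
    return {field: _check_scalar(field, value) for field, value in params.items()}


def validate_document(raw_json):
    """Check a document before insert: every allow-listed field, nothing else."""
    doc = build_filter(raw_json)
    missing = set(ALLOWED_FIELDS) - set(doc)
    if missing:
        raise RejectedInput(f"missing fields: {sorted(missing)}")
    return doc


if __name__ == "__main__":
    # Constructed sample bodies, not taken from any real system.
    samples = [
        '{"username": "alice"}',               # scalar value: accepted
        '{"username": {"$ne": null}}',         # object where a string is expected
        '{"username": "alice", "role": "x"}',  # field outside the schema
    ]
    for body in samples:
        try:
            print(body, "->", build_filter(body))
        except RejectedInput as exc:
            print(body, "-> rejected:", exc)
```
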

NoSQL Security Threats

Cloud providers offer services through Application Programming Interfaces (APIs) such as SOAP, REST, or HTTP with XML/JSON. Hence the security of cloud applications depends on the security of these application interfaces.

In comparison to SOAP-based Web services, a REST-based approach to Web services is much easier to implement, since REST simply relies on the HTTP protocol. REST uses (Lee & Mehta, 2013):

  1. URIs (Uniform Resource Identifiers) to identify resources.

  2. GET, PUT, POST and DELETE actions to retrieve, update, create, and delete the resources remotely through Web servers.
