NoSQL: Are you ready to compromise with security
Posted Saturday, March 30, 2013 11:49 AM


Mr or Mrs. 500


Group: General Forum Members
Last Login: Yesterday @ 11:26 AM
Points: 561, Visits: 2,415
Comments posted to this topic are about the item NoSQL: Are you ready to compromise with security


Best wishes,

Phil Factor
Simple Talk
Post #1437212
Posted Saturday, March 30, 2013 12:06 PM
Forum Newbie


Group: General Forum Members
Last Login: Saturday, June 29, 2013 4:52 PM
Points: 2, Visits: 1
The general conclusion "NoSQL is insecure" which the author is trying to make hardly follows from the mentioned facts.

They say a concrete product, MongoDB, has alarming security flaws? That might be true.
But does it mean EVERY NoSQL database is insecure in principle and by design? No, it doesn't.
Post #1437217
Posted Sunday, March 31, 2013 3:10 AM


Mr or Mrs. 500


Group: General Forum Members
Last Login: Yesterday @ 11:26 AM
Points: 561, Visits: 2,415
I'm sorry if I gave the impression of saying that all NoSQL products are insecure, or even that it is a general case. NoSQL is a very broad marketing category for a diverse range of products. The article I quoted at the start had a rather provocative title, but only evaluated two products, and gave, by implication, the idea that this was a general case. Some 'NoSQL' products have full transactionality and some have a high standard of security.
What I was trying to say was that, if you are having to select a database for a particular use, it would be wise to check that it actually has those features of security and data integrity that are important for the company you work for, or the users of your application. You can't just assume that they are there. There has been no technical breakthrough to doing all that hard, boring stuff.



Best wishes,

Phil Factor
Simple Talk
Post #1437282
Posted Monday, April 01, 2013 7:07 AM


SSC-Enthusiastic


Group: General Forum Members
Last Login: Friday, March 28, 2014 12:21 PM
Points: 148, Visits: 1,018
Interesting editorial.

I recall working someplace where physical security was thought to be an adequate means of hardening our servers to attack. That is, only authorized users could gain entry into a locked Server room. Of course, anyone outside of management knew that this was false because of the fact that the Servers were connected to a network.

That was a VERY long time ago, but does indicate how poor security can be simply by "securing everything around" a Server or Database. Many lessons have been learned since a locked server room was thought to be "enough".

Better to have multiple layers of security that have to be traversed rather than putting all your eggs in a single basket (Happy Easter! No Fooling).


Regards,

Irish
Post #1437426
Posted Wednesday, April 03, 2013 8:29 AM
SSC Veteran


Group: General Forum Members
Last Login: Yesterday @ 3:11 PM
Points: 280, Visits: 1,776
You don't necessarily have to set TCP/UDP ports up to be publicly accessible; for that matter, if you care about your internet'in, you could have a box set to specifically answer clients coming from the public net, and do the heavy lifting elsewhere. Anybody not completely sure of their internet-facing machines and what ports are in use needs to go back and check this aspect of their setup, end of story. The title would be better phrased as "internet server administrators should do their homework."

For your single-box installations, you could possibly do something along these lines, or maybe just rent space on wordpress dot com.

http://stackoverflow.com/questions/4961177/how-to-listen-only-to-localhost-on-mongodb

Post #1438381
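The check the post above is asking administrators to do, as an added example that is not part of the thread or of MongoDB itself: a small POSIX shell function that scans listening-socket lines in the layout printed by `ss -ltn` (or `netstat -ltn`) and flags a MongoDB listener on the default port 27017 that is bound to something other than loopback. The sample lines are constructed, not captured from a real host, and the port number is assumed to be the default.

```shell
#!/bin/sh
# Added example (not from the thread): detect a MongoDB listener that is
# bound to all interfaces instead of loopback, from socket-listing output.
#
# Remediation, for reference (real mongod options):
#   ini-style mongod.conf (2.4 era):  bind_ip = 127.0.0.1
#   YAML mongod.conf (2.6+):          net:
#                                       bindIp: 127.0.0.1
#   or on the command line:           mongod --bind_ip 127.0.0.1

# mongo_exposed TEXT [PORT]
# TEXT holds one listening socket per line, e.g. "LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*".
# Returns 0 (true) if any field ending in ":PORT" has a non-loopback address,
# 1 otherwise. PORT defaults to 27017, the MongoDB default.
mongo_exposed() {
    printf '%s\n' "$1" | awk -v port="${2:-27017}" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    addr = $i
                    sub(":" port "$", "", addr)
                    # Loopback bindings are fine; anything else is reachable from the network.
                    if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") {
                        exposed = 1
                    }
                }
            }
        }
        END { exit (exposed ? 0 : 1) }'
}

# Constructed sample lines in `ss -ltn` layout (not real output).
EXPOSED_SAMPLE='LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*'
SAFE_SAMPLE='LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*'

for s in "$EXPOSED_SAMPLE" "$SAFE_SAMPLE"; do
    if mongo_exposed "$s"; then
        echo "EXPOSED: $s"
    else
        echo "ok:      $s"
    fi
done
```

On a live host, feed the function the real listing, e.g. `mongo_exposed "$(ss -ltn)"`; a non-zero exit means every 27017 listener is loopback-only, which is the state the linked Stack Overflow answer is aiming for.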