NoSQL: Are you ready to compromise with security
Phil Factor
Comments posted to this topic are about the item NoSQL: Are you ready to compromise with security


Best wishes,

Phil Factor
Simple Talk
cryinstone
The general conclusion "NoSQL is insecure" which the author is trying to make hardly follows from the mentioned facts.

They say a concrete product, MongoDB, has alarming security flaws? That might be true.
But does it mean EVERY NoSQL database is insecure in principle and by design? No, it doesn't.
Phil Factor
I'm sorry if I gave the impression of saying that all NoSQL products are insecure, or even that it is a general case. NoSQL is a very broad marketing category for a diverse range of products. The article I quoted at the start had a rather provocative title, but only evaluated two products, and gave, by implication, the idea that this was a general case. Some 'NoSQL' products have full transactionality and some have a high standard of security.
What I was trying to say was that, if you are having to select a database for a particular use, it would be wise to check that it actually has those features of security and data integrity that are important for the company you work for, or the users of your application. You can't just assume that they are there. There has been no technical breakthrough to doing all that hard boring stuff


Best wishes,

Phil Factor
Simple Talk
Jeffrey Irish
Interesting editorial.

I recall working someplace where physical security was thought to be an adequate means of hardening our servers to attack. That is, only authorized users could gain entry into a locked Server room. Of course, anyone outside of management knew that this was false because of the fact that the Servers were connected to a network.

That was a VERY long time ago, but does indicate how poor security can be simply by "securing everything around" a Server or Database. Many lessons have been learned since a locked server room was thought to be "enough".

Better to have multiple layers of security that have to be traversed rather than putting all your eggs in a single basket (Happy Easter! No Fooling).

Regards,

Irish w00t
patrickmcginnis59 10839
You don't necessarily have to set tcp / udp ports up to be publicly accessible, for that matter if you care about your internet'in, you could have a box set to specifically answer clients coming from the public net, and do the heavy lifting elsewhere. Anybody not completely sure of their internet facing machines and what ports are in use needs to go back and check this aspect of their setup, end of story. Title would be better phrased as "internet server administrators should do their homework."

For your single box installations, you could possibly do something along these lines, or maybe just rent space on wordpress dot com ;-)

http://stackoverflow.com/questions/4961177/how-to-listen-only-to-localhost-on-mongodb

to properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
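The "check what ports are in use" homework from the post above, as an added POSIX shell example (not code from the post, from the linked Stack Overflow answer, or from MongoDB): one function flags listening sockets bound to a wildcard address in `ss -ltn` style output, and another reads a legacy key = value mongod.conf and reports whether `bind_ip` restricts it to localhost. The sample listener lines and both config fragments are constructed here; the output format assumed is that of `ss -ltn`.

```shell
# Constructed sample of `ss -ltn` output (listening TCP sockets); the mongod
# line bound to 0.0.0.0 is the exposed case the post warns about.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:27017     0.0.0.0:*
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*'

# Print "address:port" for every listener bound to a wildcard address
# (0.0.0.0, [::] or *), i.e. reachable on every interface including the
# internet-facing one. Reads ss/netstat-style lines on stdin.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        bind = substr(addr, 1, length(addr) - length(port) - 1)
        if (bind == "0.0.0.0" || bind == "[::]" || bind == "*")
            print addr
    }'
}

# Wrapper over the constructed sample; on a live host run: ss -ltn | exposed_listeners
check_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners
}

# Constructed legacy (key = value) mongod.conf fragments: the weak setting
# beside the corrected one from the post's link.
WEAK_CONF='port = 27017
bind_ip = 0.0.0.0'
HARDENED_CONF='port = 27017
bind_ip = 127.0.0.1'

# Read a legacy mongod.conf on stdin; print "exposed" when bind_ip is absent
# (releases of that era then listened on all interfaces) or a wildcard,
# otherwise "local".
conf_bind_check() {
    awk -F'=' '
        $1 ~ /^[ \t]*bind_ip[ \t]*$/ { gsub(/[ \t]/, "", $2); bind = $2 }
        END {
            if (bind == "" || bind == "0.0.0.0" || bind == "::")
                print "exposed"
            else
                print "local"
        }'
}
```

On the sample, `check_sample` reports `0.0.0.0:27017` and `[::]:22` but not the loopback-only sockets, and the two config fragments come back as `exposed` and `local` respectively.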