<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=752538731515435&amp;ev=PageView&amp;noscript=1">

Is MarkLogic a Secure NoSQL Database?

Another data breech.

A billion accounts this time.

If the security of your internal databases wasn't on your mind before, it should be now.

NoSQL = No Injection, Right?

We've written about the benefits of a NoSQL database. Does having a NoSQL database also include the benefit of being safe from SQL injection attacks like Little Bobby Tables?

Little Bobby Tables

 

 

 

 

(courtesy of XKCD.com)

 Yea, no.

If only life were that easy. Turns out NoSQL databases are still vulnerable to injection-based attacks through other technology vectors including Javascript (Source: Adobe.com PDF.)

Using NoSQL Securely

Between data injections and other security issues, NoSQL has a reputation for being less secure than a more traditional SQL database. Some of that is due to NoSQL's open-source heritage. Some of that is due to NoSQL being a younger and less mature technology.

However, we don't believe wanting to use a NoSQL database means you have to give up security. It's just a matter of choosing the right NoSQL product.

One of our requirements while searching for a NoSQL solution to offer clients was that the product have security features equalling traditional SQL options. That search led us to MarkLogic.

Let's look at the security-related features of MarkLogic:

Authentication

Authentication is the starting point for all other security configurations. Authentication validates the identity of a user and consults the database to find out what privileges that user has.

In the traditional SQL server world you'd have a database schema and map user permissions to the table, column or row level.

MarkLogic is less concerned about database schemas, but can still authenticate users either internally through a security database or externally through LDAP or Kerberos.

Encryption

Encryption scrambles data so that it's not readable by someone who gets access to it outside the context of your application. That threat may be from an outsider trying to grab the data while it's being transferred from the database to the application. Or the threat may be internal, with a rogue employee trying to access data sitting on a physical drive.

MarkLogic recently announced a partnership with Cryptsoft to provide encryption for MarkLogic databases.

Auditing

Audits aren't a way to prevent hacker attacks.

Rather, they help you identify suspicious activity quickly. Audits can highlight spikes of traffic from unknown IP addresses. Or they can flag you when highly secure data is accessed more often than normal.

MarkLogic has a robust auditing function designed to keep auditors, regulators, and security professionals happy.

Industry Cred

Have you heard of Common Criteria?

Common Criteria is an internationally recognized standard (ISO/IEC 15408) used by governments and other organizations to assess the security capabilities of technology products. Under Common Criteria, products are evaluated according to strict standards for various features, such as security functionality and the handling of security vulnerabilities.MarkLogic.com

Earlier in 2016 MarkLogic earned the only Common Criteria spot for an Enterprise NoSQL Database.

Datasheet

Need more info to make the MarkLogic sale internally? Here's their Security Datasheet (.pdf)

A Bit Pitchy?

It's true - this has been a bit of a sales pitch. But we read the same news every day as you do. We get frustrated when companies don't take the security of our personal data seriously. As a vendor in the technology space we had to figure out - what could we do to make sure the next news story wasn't about something we built?

We made security a priority. We let that guide the choice of the tools we would use. We evaluated the NoSQL options, and chose MarkLogic. We have other ideas for how to keep your data secure. Give us a call. We'll talk about them.

Share:
Marc Blazich

About Author Marc Blazich

Marc Blazich has seen a lot of during his 25+ years in consulting. While much has changed, the one thing that remains a constant is the excitement of delivering business value through innovative uses of technology. These days, innovation possibilities are seemingly endless! Marc takes a business-first approach to technology, and is privileged to help clients throughout the state. He welcomes the opportunity to have a chat with you at your office or over a cup of coffee. Marc is a former Omni employee



Disclaimer:

Omni’s blog is intended for informational purposes only. Any views or opinions expressed on this site belong to the authors, and do not represent those held by people or organizations with which Omni is affiliated, unless explicitly stated.

Although we try to the best of our ability to make sure the content of this blog is original, accurate and up-to-date, we make no claims of complete accuracy or completeness of the information on this site/s to which we link. Omni is not liable for any unintended errors or omissions, or for any losses, injuries, or damages from the display or use of this information. We encourage readers to conduct additional research before making decisions based on the information in this blog.