There has been a not-so-silent debate going on in the security world about the security profile of NoSQL database products. While no one can argue that NoSQL has seen a dramatic rise over the last few years, there are those who say that in the rush to capture market share, things like security have been neglected. (Of course, there are also those who say that NoSQL is nothing more than a passing fad and will soon be consumed back into the larger database market.)
Any time you have a market growing as fast as the NoSQL space is, you will usually find vendors running as fast as they can to keep up. It is imperative that first-to-market vendors and early movers solidify their positions in order to ensure the greatest return on investment that goes with being a leader in a space, especially in a space as hot as the NoSQL market. Features and functions are driven by the market and customers. If they are paying, you are building. If it is not important to them, it is not important to you. I saw this myself in software companies I have helped start.
Unfortunately, in the security space this is an old story and we know how it ends. Security becomes an afterthought, a bolt-on, usually added when it is too late. It is much like doctors who tell you to go for wellness checkups instead of coming in when you are already sick. Looking for security after something has happened usually means someone paid a price. Accepting that the rest of the world doesn't see this as the major problem the security market does is a bitter pill to swallow for most security folks.
Needless to say, these two realities would make for an interesting discussion. So I have brought together the two sides to see if we can find some common ground, and to see if there is a way to have our NoSQL cake and eat it securely too! Joining me in this podcast are:
Dwight Merriman, CEO and Founder of 10Gen, the makers of MongoDB
James Phillips, Co-Founder and SVP of Products of Couchbase
Rich Mogull, CEO of Securosis
Adrian Lane, CTO of Securosis
You can go to each of their web sites to check out their backgrounds, but I can save you the time. Each of these folks is a leader in their space with a long history of accomplishments. I couldn't think of a better panel to discuss this issue. I should warn you that this discussion runs about 40 minutes. But if you are interested in the NoSQL space and/or security, you should take the time and have a listen to this. I will give you some of the highlights below the media player.
NoSQL has grown so quickly that, as with many technologies, meeting customers' highest priorities has taken precedence. Of course, security would not be as important if your NoSQL database were not part of a public-facing infrastructure. However, in most cases it is. An exception is the new Sourcefire FireAMP cloud-based anti-malware I wrote about yesterday. They use NoSQL, but it is not forward facing, so they don't have that level of security threat to worry about.
If, like most, your NoSQL database is forward facing, you can look to your specific application and other infrastructure to provide additional security. Another factor that came out in our discussion is that not all NoSQL databases are created equal. Some can be more prone to security weakness depending on the coding language you use. With most of these being open source, you can see for yourself where some threats may lie.
What came through loud and clear, though, is that most of the NoSQL vendors are running as fast as they possibly can. They are developing what their customers are asking for. The sad fact is that their customers are not necessarily asking them for security per se. As much as those in the security space don't like it, as I said earlier, it is a familiar story. I am sure that when we see some security incidents take place there will be a call for more security features built into the NoSQL databases themselves. But like other features, security will be real when customers are willing to stand up and pay for it.
You must also remember that NoSQL is still in its relative infancy. A lot of the security and admin features we see in relational databases have been built up over 15 or 20 years or more. It would be unfair to hold the NoSQL products to that same level. But hackers, thieves, criminals and cyber terrorists don't know fair. If they see a way to exploit, they will. So my prediction is we will see security becoming more of a request in the NoSQL market and then we will see the NoSQL vendors respond.
I don't want to give you a false sense here either, though. While security has not been a top feature request, both Merriman and Phillips emphasized that their companies are taking very reasonable steps to ensure that the products are as secure as they can be given the development time cycles involved.
So is NoSQL secure enough for you? Ultimately you will have to decide that for yourself. But your decision will tell the vendors how much emphasis they should put into more security for NoSQL.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.