NoSQL databases can help organizations manage their data in new ways for the digital era and can provide consumers with the types of digital experiences they’ve come to expect. However, last year saw some of the most popular NoSQL databases fall victim to catastrophic ransomware attacks that wiped out tens of thousands of infected databases due to a combination of user error and poor vendor design choices.
While these database breaches have elevated NoSQL security awareness, it would be wrong to assume NoSQL databases are inherently insecure—in fact, that’s far from the truth. NoSQL databases can and should be just as secure as their transactional and analytical counterparts—but users need to follow best practices, and NoSQL vendors need to establish—and refresh—secure-by-default features.
So, what do best practices look like for NoSQL cybersecurity? Largely the same as best practices in other areas of cybersecurity.
First and foremost, better cybersecurity requires a mindset that looks beyond the technology itself and focuses on having the technology, processes, and people working together to ensure a secure infrastructure. NoSQL, however, has a few specifics of its own.
All NoSQL database installations should maintain the following best practices, none of which are overly complex and instead are quick and easy to implement:
NEVER Expose Databases to the Internet
The first cardinal rule of any database security strategy is to never expose your database to the internet. The system should be set up so that it cannot be exposed by accident, and exposing it would take deliberate, technical action.
Keep Firewalls Strong
A strong firewall is an essential tool in any database security strategy. All nodes should sit behind a database firewall to protect access to sensitive information.
Take a Secure-By-Default Approach
While there used to be tension between easy-to-use and secure-by-default solutions, security has again become top of mind for developers due to the need for GDPR compliance and increasing data regulations. As NoSQL gains prominence in the enterprise space and databases are filled with more and more customer data, built-in security will continue to grow in importance.
Secure Data In-Transit
Businesses are continuously transferring data both internally and externally, which exposes that data to outsiders if the channel is not protected. Developers can secure data in transit by using SSL/TLS connections for client/server and server/server communication.
Updates, Updates, Updates!
It’s important to keep server operating systems up-to-date to maintain efficiency. However, it’s also crucial from a security standpoint, because updates can contain valuable security patches that can help avoid potential attacks.
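As an added check for the first two rules above (not code from the original article): a Python script that parses `ss -ltnp` output from a Linux host and reports NoSQL services listening on anything other than loopback. It assumes the services use their well-known default ports; the `ss` output below is constructed.

```python
import ipaddress
import re

# Well-known default ports of popular NoSQL services. Assumption: your
# deployment uses the defaults; add custom ports here if it does not.
NOSQL_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis",
               5984: "CouchDB", 9042: "Cassandra", 8091: "Couchbase"}

# Constructed sample of `ss -Hltnp` output (no header): a mongod on the IPv4
# wildcard, Elasticsearch on the IPv6 wildcard, Redis on loopback, and sshd.
SAMPLE = """\
LISTEN 0 4096 0.0.0.0:27017 0.0.0.0:* users:(("mongod",pid=812,fd=11))
LISTEN 0 4096 [::]:9200 [::]:* users:(("java",pid=955,fd=215))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=610,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=400,fd=3))
"""

# Local address column: "*", "[v6addr]" or "v4addr", followed by ":port".
LOCAL_RE = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[^\s:]+):(?P<port>\d+)$")
PROC_RE = re.compile(r'\("([^"]+)"')

def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; wildcards and interface IPs are not."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:  # "*" and anything unparsable count as exposed
        return False

def exposed_nosql_listeners(ss_output: str) -> list:
    """Return one dict per NoSQL socket bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # also skips the header line if `-H` was not used
        m = LOCAL_RE.match(fields[3])
        if not m:
            continue
        port, addr = int(m.group("port")), m.group("addr")
        service = NOSQL_PORTS.get(port)
        if service and not is_loopback(addr):
            proc = PROC_RE.search(line)
            findings.append({"service": service, "port": port, "bind": addr,
                             "process": proc.group(1) if proc else "?"})
    return findings

if __name__ == "__main__":
    for f in exposed_nosql_listeners(SAMPLE):
        print(f"{f['service']} ({f['process']}) listens on {f['bind']}:{f['port']}"
              " - bind it to a private interface and firewall the port")
```

On a real host, pipe `ss -Hltnp` into the script in place of SAMPLE; a finding means the service is reachable from every interface and needs a bind address and firewall rule.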
New vulnerabilities and holes in security will continue to surface—they tend to appear when products are built with a bad set of assumptions that are then violated by a third party. Getting these assumptions correct 100% of the time from the very start is incredibly difficult. As organizations’ security becomes more sophisticated, so do hacker tactics, techniques, and procedures, and it must be understood and accepted that business disruption is always possible. But while attackers will always lurk in the background, businesses must continually invest in security and emphasize the importance of security education and best practices.
The business mindset must also shift to view security and compliance as a shared responsibility, so that it’s not solely viewed as falling on the shoulders of the CSO or security department. The responsibility includes developers at the intersection of web, mobile, and app design, as well as the CIO and individuals with business tech roles who may have chosen the NoSQL platform for their projects.
NoSQL vendors must recognize that organizations entrust their data to them, and there is a high responsibility to honor this trust. NoSQL vendors must educate users to inspire complete confidence in their ability to protect their organization’s data, and make strong security as easy as possible, with services that are secure-by-default—not set up through additional steps that may be complicated for the user to understand.
Hopefully, the security breaches from 2017 will have triggered a wake-up call. We haven’t seen the last of NoSQL data breaches, but, moving forward, we need to ensure users heed database security best practices and take NoSQL security more seriously. If we can shift more mindsets to be more security-conscious, then the current year should be much brighter than the last.