Advances, Systems and Applications

Table 3 Security features

From: Data management in cloud environments: NoSQL and NewSQL data stores

| Data store type | Data store | Encryption: data at rest | Encryption: client/server | Encryption: server/server | Authentication | Authorization | Auditing |
|---|---|---|---|---|---|---|---|
| Key-value stores | Redis | No | No | No | Admin password sent in clear text for admin functions. Data access does not support authentication. | No | No |
| Key-value stores | Memcached | NA, Memcache does store data on disk. | No | No | Binary protocol supports Simple Authentication and Security Layer (SASL) authentication. | No | No |
| Key-value stores | BerkeleyDB | Yes, the database needs to be created using encryption. | NA, embedded data store. | No | No | No | No |
| Key-value stores | Voldemort | Possibly if BerkeleyDB is used as the storage engine. | No | No | No | No | No |
| Key-value stores | Riak | No | REST interface supports HTTPS. Binary protocol is not encrypted. | Multiple data-centre replication can be done over HTTPS. | No | No | No |
| Column family stores | Cassandra | Enterprise Edition only. Commit log is not encrypted. | Yes, SSL based. | Yes, configurable: all server-to-server communication, only between datacentres or between servers in the same rack. | Yes, store credentials in a system table. Possible to provide pluggable implementations. | Yes, similar to the SQL GRANT/REVOKE approach. Possible to provide pluggable implementations. | Enterprise Edition only. Based on log4j framework. Logging categories include ADMIN, ALL, AUTH, DML, DDL, DCL, and QUERY. Possible to disable logging for specific keyspaces. |
| Column family stores | HBase | No, planned for future release. | Yes | Communication of HBase nodes with the HDFS and Zookeeper clusters can be secured. Not clear whether the HBase nodes communicate via a secure channel. | Yes, RPC API based on SASL, supporting Kerberos. REST API uses an HTTP gateway, which authenticates with the data store as one single user, and executes all operations on his/her behalf. | Yes, permissions include read, write, create and admin. Granularity of table, column family, or column. | No, planned for future release. |
| Column family stores | Amazon DynamoDB | No | Yes, HTTPS | NA | Integration with Identity and Access Management (IAM) services. The requests need to be signed using HMAC-SHA256. | Allow the creation of policies that associate users and operations on domains. Possible to define policies for temporary access. | Integrates with Amazon CloudWatch service. Access to information about latencies for operations, amount of data stored, and request throughput. |
| Column family stores | Amazon SimpleDB | See DynamoDB | See DynamoDB | See DynamoDB | See DynamoDB | See DynamoDB | No |
| Document stores | MongoDB | No, a third-party partner (Gazzang) provides an encryption plug-in. | Yes, SSL-based | Yes | Yes, store credentials in a system collection. REST interface does not support authentication. Enterprise Edition supports Kerberos. | Yes, permissions include read, read/write, dbAdmin, and userAdmin. Granularity of collections. | No |
| Document stores | CouchDB | NA | Yes, SSL-based | Possible using HTTPS connections | Yes, HTTP authentication using cookies or BASIC method. OAuth supported. | Three levels of users: server admin, database admin, and database member. Complex authorization can be done in validation functions. | No |
| Document stores | Couchbase server | No | No | No, planned for future release | Yes, SASL authentication – each bucket is differentiated by its name and password. REST API for administrative function uses HTTP BASIC authentication. | No | No |
| Graph databases | Neo4J | No | Yes, SSL-based | No | No, developers can create a SecurityRule and register with the server. | No | No |
| Graph databases | HyperGraphDB | No | NA, embedded data store | No | No | No | No |
| Graph databases | AllegroGraph | No | Yes, HTTPS | NA | Yes | Yes, permissions include read, write, and delete. Predefined user attributes are used to define special administration capabilities. | A structure audit log can be used to record specific changes. Not clear what types of changes are logged, nor how to customize this process. |
| NewSQL | VoltDB | No | No | No | Yes, users are defined in a deployment file that needs to be copied to each node. | Yes, roles are defined at the schema level, and each stored procedure defines which roles are allowed to execute it. | Yes, logging categories include connections, SQL statements, snapshots, exports, authentication / authorization, and others. |
| NewSQL | Spanner | NA | NA | NA | NA | NA | NA |
| NewSQL | Clustrix | NA | Yes | NA | Yes, SQL-like | Yes, SQL-like | NA |
| NewSQL | NuoDB | Native store does not support it. Theoretically, it could use a pluggable store that supports it. | Yes | Yes | Yes, SQL-like | Yes, SQL-like | Yes, logging categories include SQL statements, security events, general statistics, and others. |