Advances, Systems and Applications

Table 3 Security features

From: Data management in cloud environments: NoSQL and NewSQL data stores

| NoSQL data stores | Encryption: data at rest | Encryption: client/server | Encryption: server/server | Authentication | Authorization | Auditing |
|---|---|---|---|---|---|---|
| **Key-value stores** | | | | | | |
| Redis | No | No | No | Admin password sent in clear text for admin functions. Data access does not support authentication. | No | No |
| Memcached | NA, Memcache does store data on disk. | No | No | Binary protocol supports Simple Authentication and Security Layer (SASL) authentication. | No | No |
| BerkeleyDB | Yes, the database needs to be created using encryption. | NA, embedded data store. | No | No | No | No |
| Voldemort | Possibly if BerkeleyDB is used as the storage engine. | No | No | No | No | No |
| Riak | No | REST interface supports HTTPS. Binary protocol is not encrypted. | Multiple data-centre replication can be done over HTTPS. | No | No | No |
| **Column family stores** | | | | | | |
| Cassandra | Enterprise Edition only. Commit log is not encrypted. | Yes, SSL based. | Yes, configurable: all server-to-server communication, only between datacentres or between servers in the same rack. | Yes, store credentials in a system table. Possible to provide pluggable implementations. | Yes, similar to the SQL GRANT/REVOKE approach. Possible to provide pluggable implementations. | Enterprise Edition only. Based on log4j framework. Logging categories include ADMIN, ALL, AUTH, DML, DDL, DCL, and QUERY. Possible to disable logging for specific keyspaces. |
| HBase | No, planned for future release. | Yes | Communication of HBase nodes with the HDFS and Zookeeper clusters can be secured. Not clear whether the HBase nodes communicate via a secure channel. | Yes, RPC API based on SASL, supporting Kerberos. REST API uses a HTTP gateway, which authenticates with the data store as one single user, and executes all operations on his/her behalf. | Yes, permissions include read, write, create and admin. Granularity of table, column family, or column. | No, planned for future release. |
| Amazon DynamoDB | No | Yes, HTTPS | NA | Integration with Identity and Access Management (IAM) services. The requests need to be signed using HMAC-SHA256. | Allow the creation of policies that associate users and operations on domains. Possible to define policies for temporary access. | Integrates with Amazon Cloud Watch service. Access information about latencies for operations, amount of data stored, and requests throughput. |
| Amazon SimpleDB | See DynamoDB | See DynamoDB | See DynamoDB | See DynamoDB | See DynamoDB | No |
| **Document stores** | | | | | | |
| MongoDB | No, a third-party partner (Gazzang) provides an encryption plug-in. | Yes, SSL-based | Yes | Yes, store credentials in a system collection. REST interface does not support authentication. Enterprise Edition supports Kerberos. | Yes, permissions include read, read/write, dbAdmin, and userAdmin. Granularity of collections. | No |
| CouchDB | NA | Yes, SSL-based | Possible using HTTPS connections | Yes, HTTP authentication using cookies or BASIC method. OAuth supported. | Three levels of users: server admin, database admin, and database member. Complex authorization can be done in validation functions. | No |
| Couchbase server | No | No | No, planned for future release | Yes, SASL authentication – each bucket is differentiated by its name and password. REST API for administrative function uses HTTP BASIC authentication. | No | No |
| **Graph databases** | | | | | | |
| Neo4J | No | Yes, SSL-based | No | No, developers can create a SecurityRule and register with the server. | No | No |
| Hyper graphDB | No | NA, embedded data store | No | No | No | No |
| Allegro graph | No | Yes, HTTPS | NA | Yes | Yes, permissions include read, write, and delete. Predefined user attributes are used to define special administration capabilities. | A structure audit log can be used to record specific changes. Not clear what types of changes are logged, nor how to customize this process. |
| **NewSQL** | | | | | | |
| VoltDB | No | No | No | Yes, users are defined in a deployment file that needs to be copied to each node. | Yes, roles are defined at the schema level, and each stored procedure defines which roles are allowed to execute it. | Yes, logging categories include connections, SQL statements, snapshots, exports, authentication / authorization, and others. |
| Spanner | NA | NA | NA | NA | NA | NA |
| Clustrix | NA | Yes | NA | Yes, SQL-like | Yes, SQL-like | NA |
| NuoDB | Native store does not support it. Theoretically, it could use a pluggable store that supports it. | Yes | Yes | Yes, SQL-like | Yes, SQL-like | Yes, logging categories include SQL statements, security events, general statistics, and others. |