Advances, Systems and Applications
From: Data management in cloud environments: NoSQL and NewSQL data stores
Category | Data store | Encryption: data at rest | Encryption: client/server | Encryption: server/server | Authentication | Authorization | Auditing
---|---|---|---|---|---|---|---
Key-value stores | Redis | No | No | No | Admin password sent in clear text for admin functions. Data access does not support authentication. | No | No
Key-value stores | Memcached | NA, Memcached does not store data on disk. | No | No | Binary protocol supports Simple Authentication and Security Layer (SASL) authentication. | No | No
Key-value stores | BerkeleyDB | Yes, the database needs to be created using encryption. | NA, embedded data store. | No | No | No | No
Key-value stores | Voldemort | Possibly, if BerkeleyDB is used as the storage engine. | No | No | No | No | No
Key-value stores | Riak | No | REST interface supports HTTPS. Binary protocol is not encrypted. | Multiple data-centre replication can be done over HTTPS. | No | No | No
Column family stores | Cassandra | Enterprise Edition only. Commit log is not encrypted. | Yes, SSL-based. | Yes, configurable: all server-to-server communication, only between datacentres, or between servers in the same rack. | Yes, stores credentials in a system table. Possible to provide pluggable implementations. | Yes, similar to the SQL GRANT/REVOKE approach. Possible to provide pluggable implementations. | Enterprise Edition only. Based on the log4j framework. Logging categories include ADMIN, ALL, AUTH, DML, DDL, DCL, and QUERY. Possible to disable logging for specific keyspaces.
Column family stores | HBase | No, planned for a future release. | Yes | Communication of HBase nodes with the HDFS and ZooKeeper clusters can be secured. Not clear whether the HBase nodes communicate with each other via a secure channel. | Yes, RPC API based on SASL, supporting Kerberos. REST API uses an HTTP gateway, which authenticates with the data store as one single user and executes all operations on that user's behalf. | Yes, permissions include read, write, create, and admin. Granularity of table, column family, or column. | No, planned for a future release.
Column family stores | Amazon DynamoDB | No | Yes, HTTPS | NA | Integration with Identity and Access Management (IAM) services. Requests need to be signed using HMAC-SHA256. | Allows the creation of policies that associate users and operations on domains. Possible to define policies for temporary access. | Integrates with the Amazon CloudWatch service. Provides access to information about latencies for operations, amount of data stored, and request throughput.
Column family stores | Amazon SimpleDB | See DynamoDB | See DynamoDB | See DynamoDB | See DynamoDB | See DynamoDB | No
Document stores | MongoDB | No, a third-party partner (Gazzang) provides an encryption plug-in. | Yes, SSL-based | Yes | Yes, stores credentials in a system collection. REST interface does not support authentication. Enterprise Edition supports Kerberos. | Yes, permissions include read, read/write, dbAdmin, and userAdmin. Granularity of collections. | No
Document stores | CouchDB | NA | Yes, SSL-based | Possible using HTTPS connections. | Yes, HTTP authentication using cookies or the BASIC method. OAuth supported. | Three levels of users: server admin, database admin, and database member. Complex authorization can be done in validation functions. | No
Document stores | Couchbase Server | No | No | No, planned for a future release. | Yes, SASL authentication; each bucket is differentiated by its name and password. REST API for administrative functions uses HTTP BASIC authentication. | No | No
Graph databases | Neo4j | No | Yes, SSL-based | No | No, developers can create a SecurityRule and register it with the server. | No | No
Graph databases | HyperGraphDB | No | NA, embedded data store. | No | No | No | No
Graph databases | AllegroGraph | No | Yes, HTTPS | NA | Yes | Yes, permissions include read, write, and delete. Predefined user attributes are used to define special administration capabilities. | A structured audit log can be used to record specific changes. Not clear what types of changes are logged, nor how to customize this process.
NewSQL | VoltDB | No | No | No | Yes, users are defined in a deployment file that needs to be copied to each node. | Yes, roles are defined at the schema level, and each stored procedure defines which roles are allowed to execute it. | Yes, logging categories include connections, SQL statements, snapshots, exports, authentication/authorization, and others.
NewSQL | Spanner | NA | NA | NA | NA | NA | NA
NewSQL | Clustrix | NA | Yes | NA | Yes, SQL-like | Yes, SQL-like | NA
NewSQL | NuoDB | Native store does not support it. Theoretically, it could use a pluggable store that supports it. | Yes | Yes | Yes, SQL-like | Yes, SQL-like | Yes, logging categories include SQL statements, security events, general statistics, and others.