Wikileaks is consistently sharing information with the public that was intended to remain confidential, if not top secret, by organizations thought to have the toughest security in place. Add in the numerous other breaches reported in the past month and the message is clear: securing the perimeter doesn’t always work.
Tom Thomassen, lead security engineer, and Rangan Doreswamy, technical product manager, at enterprise NoSQL database provider MarkLogic, weigh in with these steps enterprises can take to ensure the data itself stays secure within the database.
Standards Focus: Standards-focused security includes features such as Common Criteria certification, compartment security and data auditing, as well as strict access controls and authentication that work with the organization’s existing IT infrastructure. Common Criteria is an internationally recognized standard (ISO/IEC 15408) used by governments and other organizations to assess the security capabilities of technology products. Under Common Criteria, products are evaluated against strict criteria for various features, such as security functionality and the handling of security vulnerabilities. Common Criteria gives businesses more confidence in the security of technology products and helps them make more informed decisions.
Redaction: Redaction is the process of suppressing sensitive data, such as any personally identifiable information (PII). It provides organizations with the ability to safely share the right views of their data with the right audiences by removing, replacing or blocking out sensitive information in order to prevent leakage or the violation of laws or regulations. There are different types of redaction, including full, partial, regular and random.
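The four redaction styles named above, applied per audience so that each group sees only the view of a record it is entitled to, as an added Python illustration (not MarkLogic's own API; field names and the reading of "regular" as regular-expression redaction are assumptions):

```python
import random
import re
# Added illustration (not MarkLogic's own API); "regular" redaction is taken to
# mean regular-expression based, which is an assumption.

def redact_full(value: str) -> str:
    """Full redaction: the value is removed entirely."""
    return "[REDACTED]"

def redact_partial(value: str, keep_last: int = 4) -> str:
    """Partial redaction: mask all digits except the trailing keep_last."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - keep_last, 0) + digits[-keep_last:]

def redact_regex(value: str, pattern: str, replacement: str) -> str:
    """Regular-expression redaction: replace only the substrings that match."""
    return re.sub(pattern, replacement, value)

def redact_random(value: str, seed: int = 0) -> str:
    """Random redaction: swap each digit for a random one, keeping the format."""
    rng = random.Random(seed)  # seeded so the output is reproducible
    return "".join(str(rng.randrange(10)) if c.isdigit() else c for c in value)

EMAIL = r"[\w.+-]+@[\w-]+\.[\w.]+"
# Per-audience rule sets: field name -> redaction function (field names assumed)
AUDIENCE_RULES = {
    "public": {"ssn": redact_full, "card": redact_full,
               "notes": lambda v: redact_regex(v, EMAIL, "[email]")},
    "analyst": {"ssn": redact_random, "card": redact_partial,
                "notes": lambda v: redact_regex(v, EMAIL, "[email]")},
}

def redact_view(record: dict, audience: str) -> dict:
    """Return a redacted copy of record for audience; fail closed if unknown."""
    rules = AUDIENCE_RULES.get(audience)
    if rules is None:
        raise ValueError(f"no redaction rules for audience {audience!r}")
    view = dict(record)
    for field, fn in rules.items():
        if field in view:
            view[field] = fn(view[field])
    return view

# Constructed sample record; not real data
SAMPLE_RECORD = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "card": "4111-1111-1111-1234",
    "notes": "Contact alice@example.com or bob@example.org",
}
```

An audience with no rule set is refused rather than handed the raw record, so a misconfigured caller cannot leak PII by omission.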
Element-level security: Allows specific elements of documents to be hidden from particular users, providing an even more granular level of security than the document-level security that previous generations of databases have had.
Advanced encryption: With automatic and fast granular key rotation, advanced encryption helps to provide separation of duties between the security administrator and any system, network or database administrator – a key security principle.
Principle of least privilege: The requirement that within a particular layer of a computing environment a user, program or process only has access to the information and resources necessary to do the job. This includes app security controls around APIs and security capabilities as provided by the database.
Role-Based Access Controls (RBAC) at scale: RBAC is the method of regulating access within a database based on the roles of users within an organization. In this environment, individual users have the ability to perform a specific task or set of tasks, such as viewing, editing or creating a file. To ensure that performance isn’t degraded by high-speed, high-volume queries or by ingesting large volumes of data, it’s important that RBAC work “at scale”, that is, support very granular roles and access controls. One example is fine-grained authorization, a security feature that enforces data security at the object level (.pdf, .jpg or other file types).
Certificate-Based Strong Authentication (CBA): A method that ensures authentication using a public and private encryption key that is unique to the authentication device and the user possessing it. CBA can also be used to ensure non-repudiation and digitally sign transactions.
Effective data governance policies: It’s important to implement and follow effective data governance policies and best practices, such as maintaining access controls, metadata, data quality and security features. When attributes can travel with the data, as is the case with an operational and transactional enterprise NoSQL database platform, policy enforcement can be more granular and effective.
Separation of duties: Separation of duties is a security method used to manage conflict of interest, the appearance of conflict of interest and fraud. By carefully restricting the types or amount of data (in other words, the amount of power) that any one employee can access, an organization creates a natural barrier that protects it from the fraudulent acts of an individual.
Standards-Based (Encryption) Key Management: The highest encryption standard as defined by the U.S. National Institute of Standards and Technology. It is the most widely adopted security benchmark for cryptographic solutions in government and commercial enterprises.
Use the strongest available authentication: Using the strongest or highest level of authentication ensures the security and quality of the data. Examples of this type of authentication include LDAP, Kerberos and an external Key Management System.
Use SSL/TLS: An essential security feature that encrypts all communications between all the different nodes and hosts.