
Table 4 Comparison of security services provided by some popular document-oriented NoSQL databases with DB-SECaaS

From: DB-SECaaS: a cloud-based protection system for document-oriented NoSQL databases

Columns: Security service | MongoDB security [41] | CouchDB security [40] | RavenDB security [42, 43] | DB-SECaaS

Authentication

MongoDB: Authentication in MongoDB uses a password-based challenge-response protocol (SCRAM, and the older MONGODB-CR) or x.509 client certificates. MongoDB also supports external authentication mechanisms (LDAP and Kerberos in MongoDB Enterprise) for integration with an existing authentication infrastructure.

CouchDB: Apart from basic username/password authentication, CouchDB provides cookie authentication: a successful POST to /_session returns a session cookie (AuthSession) that is presented on subsequent requests in place of the password. By default a session is valid for 10 min.

RavenDB: RavenDB has built-in authentication supporting two mechanisms, Windows authentication and OAuth. The mechanism is selected by examining the headers of the incoming request; by default, all requests except read-only ones must be authenticated.

DB-SECaaS: DB-SECaaS provides strong authentication using the FIPS 196 challenge-response protocol, which is designed to resist attacks such as replay. An additional layer based on Security Assertion Markup Language (SAML) validates the identity of the user and of the services participating in the system. The three modules of the authentication service, IDM, CA and SA, authenticate using standardized technologies and validate the users and modules that interact with the DB-SECaaS system.
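The FIPS 196 challenge-response exchange that the DB-SECaaS cell refers to, shown as an added example in Go; this is not code from the paper, which does not publish its implementation. FIPS 196 specifies unilateral and mutual entity authentication with digital signatures on random challenges; the example shows the unilateral form: the verifier issues a random nonce, the claimant signs it with its private key, and the verifier checks the signature against the public key registered for that user and accepts each nonce only once. The use of Ed25519 (FIPS 196 itself is written around X.509-style keys), the `DB-SECaaS-auth-v1:` context string, the user names and the two-minute challenge lifetime are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Domain-separation prefix (an assumed constant): a signature produced for
// this protocol cannot be passed off as a signature on some other message.
const authContext = "DB-SECaaS-auth-v1:"

// Verifier is the server side. pubKeys stands in for the IDM/CA lookup of a
// user's registered key; challenges holds nonces issued but not yet consumed.
type Verifier struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]time.Time // hex(nonce) -> time issued
	ttl        time.Duration
}

func NewVerifier(ttl time.Duration) *Verifier {
	return &Verifier{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]time.Time{}, ttl: ttl}
}

func (v *Verifier) Register(user string, pk ed25519.PublicKey) { v.pubKeys[user] = pk }

// Challenge issues a fresh 32-byte random nonce and records it as outstanding.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.challenges[hex.EncodeToString(nonce)] = time.Now()
	return nonce, nil
}

// signedMessage binds the response to the claimed identity as well as the nonce.
func signedMessage(user string, challenge []byte) []byte {
	var b bytes.Buffer
	b.WriteString(authContext)
	b.WriteString(user)
	b.WriteByte(0) // separator: the user name cannot run into the nonce
	b.Write(challenge)
	return b.Bytes()
}

// Respond is the claimant side: sign the verifier's challenge with the private key.
func Respond(priv ed25519.PrivateKey, user string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedMessage(user, challenge))
}

// Verify accepts each challenge at most once and only within ttl. That rule,
// not the signature check alone, is what defeats replay of a captured response.
func (v *Verifier) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	issued, ok := v.challenges[key]
	if !ok {
		return errors.New("unknown or already used challenge (replay?)")
	}
	delete(v.challenges, key) // consume first, so a failed attempt cannot be retried
	if time.Since(issued) > v.ttl {
		return errors.New("challenge expired")
	}
	pk, ok := v.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pk, signedMessage(user, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs one honest exchange, replays the captured response, and finally
// presents a response alice signed under a different user name.
func Demo() (honestOK, replayRejected, crossUserRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(2 * time.Minute)
	v.Register("alice", pub)
	c, _ := v.Challenge()
	sig := Respond(priv, "alice", c)
	honestOK = v.Verify("alice", c, sig) == nil
	replayRejected = v.Verify("alice", c, sig) != nil // same (c, sig) sent again
	v.Register("mallory", pub)                        // mallory registers alice's public key as her own
	c2, _ := v.Challenge()
	sig2 := Respond(priv, "alice", c2) // alice's genuine response to c2
	crossUserRejected = v.Verify("mallory", c2, sig2) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Two details carry the security argument: the challenge is deleted from the outstanding set before the signature is checked, so a captured (challenge, signature) pair is worthless a second time, and the signed message includes the claimed user name, so a response one principal produced cannot be submitted under another identity.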

Authorization

MongoDB: MongoDB uses role-based access control: access is granted or denied according to the roles assigned to a user, and each role is defined as a set of permitted actions on resources. Numerous built-in roles are provided, and user-defined roles can be created for clients' specific requirements.

CouchDB: By default, every user has administrative privileges and can do anything with the databases (CouchDB's "admin party" mode). Privileges can be customized to restrict the operations a user is allowed to perform.

RavenDB: Anonymous users can perform read-only operations; all other operations require authentication. The admin has the privilege to carry out all operations.

DB-SECaaS: DB-SECaaS authorizes at the granularity of attributes and documents (fine-grained), based on XACML 3.0. The XACML policies restrict each user's level of access so that a user can perform a given operation on given data if and only if the policy allows it.
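To make the attribute- and document-level granularity of the DB-SECaaS cell concrete, the following is an added example in Go of a deliberately simplified XACML-style policy decision point; it is not the paper's implementation and does not parse XACML XML. It keeps the parts that matter for the comparison: a request split into subject, resource and action categories, rules with a Target and an optional Condition, and the deny-overrides combining algorithm. The "patients" collection, the roles and the individual rules are a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

type Effect string

const (
	Permit        Effect = "Permit"
	Deny          Effect = "Deny"
	NotApplicable Effect = "NotApplicable"
)

// Request mirrors the XACML attribute categories: the subject (who), the
// resource (collection, document owner, attribute) and the action.
type Request struct {
	Subject  map[string]string
	Resource map[string]string
	Action   string
}

// Rule is a simplified XACML rule: a Target of attribute/value pairs that must
// all match (keys look like "subject.role", "resource.attribute", "action"),
// an optional Condition over the whole request, and an Effect.
type Rule struct {
	Name      string
	Effect    Effect
	Target    map[string]string
	Condition func(Request) bool
}

// attr resolves a dotted Target key against the request's categories.
func attr(req Request, key string) string {
	parts := append(strings.SplitN(key, ".", 2), "") // "action" has no second part
	switch parts[0] {
	case "subject":
		return req.Subject[parts[1]]
	case "resource":
		return req.Resource[parts[1]]
	case "action":
		return req.Action
	}
	return ""
}

func (r Rule) applies(req Request) bool {
	for k, want := range r.Target {
		if attr(req, k) != want {
			return false
		}
	}
	return r.Condition == nil || r.Condition(req)
}

type Policy struct{ Rules []Rule }

// Evaluate implements XACML's deny-overrides combining algorithm: one
// applicable Deny rule overrides any number of Permits; when no rule applies
// the answer is NotApplicable, which the enforcement point must treat as a refusal.
func (p Policy) Evaluate(req Request) (Effect, string) {
	decision, why := NotApplicable, "no rule applies"
	for _, r := range p.Rules {
		if !r.applies(req) {
			continue
		}
		if r.Effect == Deny {
			return Deny, r.Name
		}
		decision, why = Permit, r.Name
	}
	return decision, why
}

// PatientRecordsPolicy is a constructed sample policy for a "patients" collection.
func PatientRecordsPolicy() Policy {
	return Policy{Rules: []Rule{
		{Name: "doctors-any-action", Effect: Permit,
			Target: map[string]string{"subject.role": "doctor", "resource.collection": "patients"}},
		{Name: "nurses-read-only", Effect: Permit,
			Target: map[string]string{"subject.role": "nurse", "resource.collection": "patients", "action": "read"}},
		{Name: "ssn-hidden-from-nurses", Effect: Deny, // attribute-level rule
			Target: map[string]string{"subject.role": "nurse", "resource.attribute": "ssn"}},
		{Name: "patient-reads-own-record", Effect: Permit, // document-level rule
			Target:    map[string]string{"subject.role": "patient", "resource.collection": "patients", "action": "read"},
			Condition: func(q Request) bool { return q.Subject["id"] == q.Resource["owner"] }},
	}}
}

func main() {
	p := PatientRecordsPolicy()
	nurse := Request{Subject: map[string]string{"role": "nurse"},
		Resource: map[string]string{"collection": "patients", "owner": "p-1001", "attribute": "ssn"}, Action: "read"}
	patient := Request{Subject: map[string]string{"role": "patient", "id": "p-1001"},
		Resource: map[string]string{"collection": "patients", "owner": "p-2002", "attribute": "diagnosis"}, Action: "read"}
	for _, q := range []Request{nurse, patient} {
		d, why := p.Evaluate(q)
		fmt.Printf("%s reading %s.%s -> %s (%s)\n", q.Subject["role"], q.Resource["collection"], q.Resource["attribute"], d, why)
	}
}
```

The nurse request shows the attribute level: the read of the record is permitted by one rule, but the single Deny on the ssn attribute overrides it. The patient request shows the document level: the Target matches, but the Condition comparing the requester's id with the document owner fails, and NotApplicable must be enforced as a refusal rather than a default allow.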

Encryption (in transit)

MongoDB: MongoDB supports TLS/SSL for connections between clients and the server (and between the members of a deployment), so that data in transit is encrypted and reaches only the intended endpoint.

CouchDB: CouchDB, as of version 1.1.0, comes with built-in SSL support.

RavenDB: RavenDB allows the use of SSL.

DB-SECaaS: Data is wrapped entirely in SAML queries to protect it in transit.

Encryption (at rest)

MongoDB: MongoDB provides encryption of data at rest by incorporating the proprietary data-encryption solution from Gazzang [44], which encrypts data in real time and offers advanced key-management features.

CouchDB: No support for encryption of data at rest.

RavenDB: RavenDB supports data encryption. By default it uses AES-128, which can be changed if needed; encryption applies to all documents and all indexes.

DB-SECaaS: The two major modules, KD and Encryption as a Service, perform the encryption and decryption of data stored in a collection at the request of a privileged user.
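The at-rest encryption row compares whole-store encryption (RavenDB, Gazzang under MongoDB) with DB-SECaaS's encryption of data in a collection on request. As an added example in Go (not the paper's code; the paper does not publish the Encryption-as-a-Service internals), the following encrypts individual attributes of a document with AES-256-GCM, which is the natural shape for the attribute-level model the paper describes. The choice of AES-GCM, the use of the document id plus field name as authenticated additional data, and the sample patient record are assumptions of the example; the key is assumed to be supplied by the KD module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Document is a JSON-like record; this example encrypts string attributes only.
type Document map[string]string

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its document and attribute: GCM authenticates this
// value without encrypting it, so a ciphertext copied into another document or
// another field fails to open even under the right key.
func aad(docID, field string) []byte { return []byte(docID + "/" + field) }

// sealField encrypts one attribute; the stored form is base64(nonce || ciphertext || tag).
func sealField(key []byte, docID, field, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), aad(docID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

func openField(key []byte, docID, field, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], aad(docID, field))
	if err != nil {
		return "", errors.New("wrong key, or ciphertext altered or moved")
	}
	return string(pt), nil
}

// mapFields returns a copy of doc with fn applied to the named attributes; the
// document id (_id) is never transformed, so the record stays addressable.
func mapFields(doc Document, fields []string, fn func(field, value string) (string, error)) (Document, error) {
	out := Document{}
	for k, v := range doc {
		out[k] = v
	}
	for _, f := range fields {
		nv, err := fn(f, doc[f])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f, err)
		}
		out[f] = nv
	}
	return out, nil
}

func EncryptFields(key []byte, doc Document, fields ...string) (Document, error) {
	return mapFields(doc, fields, func(f, v string) (string, error) { return sealField(key, doc["_id"], f, v) })
}

func DecryptFields(key []byte, doc Document, fields ...string) (Document, error) {
	return mapFields(doc, fields, func(f, v string) (string, error) { return openField(key, doc["_id"], f, v) })
}

// Demo encrypts a constructed patient record, decrypts it with the right key, then
// shows that a wrong key and a ciphertext copied into another document both fail.
func Demo() (roundTrip, wrongKeyFails, movedFails bool) {
	key := make([]byte, 32) // in DB-SECaaS this would be supplied by the KD module
	rand.Read(key)
	plain := Document{"_id": "p-1001", "name": "Alice Example", "ssn": "123-45-6789", "diagnosis": "sample text"}
	stored, _ := EncryptFields(key, plain, "ssn", "diagnosis")
	back, err := DecryptFields(key, stored, "ssn", "diagnosis")
	roundTrip = err == nil && back["ssn"] == plain["ssn"] && back["diagnosis"] == plain["diagnosis"]
	other := make([]byte, 32)
	rand.Read(other)
	_, err = DecryptFields(other, stored, "ssn")
	wrongKeyFails = err != nil
	moved := Document{"_id": "p-2002", "ssn": stored["ssn"]} // ciphertext copied to another record
	_, err = DecryptFields(key, moved, "ssn")
	movedFails = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Encrypting only the sensitive attributes leaves the document id and non-sensitive fields queryable, which is what lets the authorization service permit a read of a record while the ssn attribute stays opaque; the authenticated additional data is what stops a database-level attacker from splicing a ciphertext into a record they are allowed to decrypt.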