
For more than a year MongoDB has been in the headlines, and the story continues. Security researchers have discovered more than 40,000 databases accessible from the Internet without authorization, putting millions of identity profiles at risk of theft and misuse. One exposed database containing 93.4 million Mexican voter records was not secured until earlier this week. The incident raises concerns over who may have accessed this valuable identity data during those months. It also raises questions about how widespread the problem of unsecured data may be.

MongoDB, the open source NoSQL company, is at the forefront of the negative attention, but the problem does not rest solely with them. In many of the MongoDB cases, administrators upgrading to a newer version of the database after 2012 failed to change an insecure default configuration or provide a firewall. In some instances, the security settings were adjusted to a less secure option for the sake of convenience.

The alarming truth is that the same failure to secure data from unauthorized access could easily happen with many other NoSQL databases, not just MongoDB products. Some newer NoSQL databases are configured by default to listen for external connections, rather than only on localhost as older systems did by default. The security issue arises when administrators expose these servers to the Internet without the right security measures in place.
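The two conditions described above, a listener reachable beyond localhost and no required authorization, can be checked in a server's configuration file. The following is an added example, not from the original article: it assumes mongod's YAML config-file format with the `net.bindIp`, `net.bindIpAll` and `security.authorization` settings, and both sample configs are constructed.

```python
import ipaddress

# Constructed sample configs in mongod's YAML config-file format (not from the article).
EXPOSED_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = (
    "net:\n  port: 27017\n  bindIp: 127.0.0.1,::1  # loopback only\n"
    "security:\n  authorization: enabled\n"
)

def parse_two_level(text):
    """Flatten 'section:' / '  key: value' lines into {'section.key': value}.
    Only this two-level shape is handled; it covers the settings checked below."""
    flat, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():          # top-level line starts a section
            section = key.strip()
        elif section:
            flat[f"{section}.{key.strip()}"] = value.strip().strip("\"'")
    return flat

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                       # other hostnames: flag for review

def audit(text):
    """Return findings for the two misconfigurations the article describes."""
    conf, findings = parse_two_level(text), []
    binds = [a.strip() for a in conf.get("net.bindIp", "").split(",") if a.strip()]
    exposed = [a for a in binds if not a.startswith("/") and not is_loopback(a)]
    if conf.get("net.bindIpAll", "false").lower() == "true":
        exposed.append("bindIpAll=true")
    if exposed:
        findings.append("listens beyond loopback: " + ", ".join(exposed))
    elif not binds:
        findings.append("net.bindIp not set: bind address falls back to the version default")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A missing `net.bindIp` is reported separately because the effective bind address then depends on the installed version's default, which is the upgrade pitfall described above.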

It’s a sobering reminder that securing data is complex, particularly today as more companies share data with third parties such as partner organizations and service providers. Even if your company or organization is doing everything correctly from a security standpoint, you can’t be sure how third parties are protecting the information.

The challenge underscores that, in addition to configuring security settings correctly and implementing firewalls, managing security centrally and at the data level is increasingly important.

One best practice is end-to-end encryption. It ensures that data is protected while it is stored, when it is in motion and when it arrives at its end-use point.

Another valuable security best practice is policy-based access governance. We typically think of protecting identity data by controlling who or what can access the data. Policy-based access governance enables you to control what data can be shared in addition to defining the people, applications and devices that can access it.

APIs are also a way in which organizations can strengthen security. Application development teams can use identity APIs that include security policies and access governance rules when they launch or upgrade apps. APIs ensure that these important security controls are enforced uniformly anywhere the data is used.

New mobile apps, IoT devices and digital channels are entering the market at a dizzying rate every day, and most need some form of identity data. Databases will continue to grow in size and complexity to meet these demands, and securing the data will continue to be a major issue. By centralizing security management and applying security policies to each identity profile instead of only defining a firewall, IT teams can ensure the data is always protected.
