Another day, another security breach. This time the records of 93 million Mexican voters were exposed through an unsecured, AWS-hosted MongoDB instance. The problem, as MongoDB vice president Kelly Stirman made clear, wasn’t the software (“There is no security issue with MongoDB”) but the people who don’t secure it.
All of which is true, yet perhaps explains why the cloud looks increasingly appealing.
But wait! You complain this MongoDB breach happened on Amazon-hosted servers. True. That’s cloud. But, there’s something else happening in the market, something that Redmonk’s Stephen O’Grady highlights: Amazon and others are removing all this back-end complexity, making security its problem, not IT’s. That’s good news for all.
Servers don’t kill security, people do
I spent two years at MongoDB and loved it, largely because so many other people loved it. Among NoSQL databases, MongoDB isn’t the easiest to cluster (that’s Cassandra), or even necessarily the most scalable. Yet, it’s wildly popular because it’s amazingly easy to use, scales impressively, and can be used for a broad array of workloads.
Unfortunately, I suspect its very ease of use is at fault in the Mexican data breach, as well as other reported breaches. Just as too many developers think MongoDB’s flexible schema means “schema-less” (rarely a good idea in practice), some apparently focus more on building their applications than securing them, forgetting the most basic of rules for operational hygiene.
As Stirman told The Register, “There is no security issue with MongoDB—extensive security capabilities are included with MongoDB.” However, he goes on, some developers clearly have deployed MongoDB without its security features enabled. Why? “I think it really is simply a matter of convenience,” Stirman said.
This convenience—this ease of use—is alluring…and dangerous. Stirman concludes: “We have to expect there’s going to be more of this in the future. People don’t always follow best practices.”
But, what if the software forced them to do so?
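What “deployed without its security features enabled” looks like in practice, as an added illustration that is not part of the article and not the configuration of any real server: a mongod.conf fragment in the exposed shape, followed by the same server with access control, network binding and transport encryption turned on. The keys are standard mongod.conf options; the addresses and file path are constructed placeholders, and the TLS keys assume MongoDB 4.2 or later (earlier releases spell them net.ssl).

```yaml
# Exposed deployment (constructed example): reachable from anywhere, no login required.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including a public one
# No 'security' section: authorization defaults to disabled, so any client
# that can reach the port can read and write every database.

---
# Hardened deployment (constructed example): same server, security features enabled.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5     # loopback plus the private app network only (placeholder address)
  tls:
    mode: requireTLS             # MongoDB 4.2+ key; refuse plaintext connections
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path to the server certificate and key
security:
  authorization: enabled         # every connection must authenticate and is limited to its roles
```

After switching authorization on, the first administrative user is created over the localhost exception (a connection from the server itself before any user exists); from then on every client, including the application, needs credentials and a role. The bindIp line is the cheap, high-value check: an instance that only needs to serve an application tier has no reason to listen on a public address.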
Trust me, I’m cloudy
I’ve talked before about how security is moving to the cloud, along with a rising number of workloads. But there’s a difference between security solutions built to run in the cloud, and security deeply woven into the fabric of an application itself.
It’s this latter approach that characterizes new services from Amazon Web Services, Microsoft Azure, and Google Cloud. These services, like Amazon’s data warehousing service Redshift, take care of all the underlying complexity for the user and, in the process, defuse many potential security landmines.
The alternative, as painted by O’Grady, is ugly:
On a purely technical level, fragmentation is systemic at the moment, the new norm. Pick a technical category, and there are not just multiple technologies to select from, but increasingly multiple technical approaches. Each of these must first be deeply understood, even if they’re entirely new and thus difficult to conceptualize, before a technology choice can be made. And there are many such approaches to be studied and digested, at every level.
Understood, then integrated, and prayed over that no obvious security holes were left. Good luck with that.
Public cloud services, by contrast, are “as much about assuming the burden of someone else’s problem as they are the underlying hardware or software,” O’Grady noted in a separate post, and one of those problems Amazon and others take on for their customers is security. Of public cloud providers, O’Grady said:
What if, in stark contrast to the industry’s history however, a competitive model emerged that abstracted traditional complexity away entirely? What if a growing number of difficult choices between specialized and esoteric software options gave way to a web page and a set of APIs for as-a-service implementations?
In this cloudy world developers will get to enjoy convenience to an even greater degree, without having to worry about securing underlying infrastructure. Amazon will do it for them. That’s cause for concern if you’re a traditional peddler of bits and bytes, but it’s cause for celebration if you’re yet another developer with better things to do than cobble together others’ software and hope it’s secure.