Improving security in NoSQL document databases through model-driven modernization

NoSQL technologies have become a common component in many information systems and software applications. These technologies are focused on performance, enabling scalable processing of large volumes of structured and unstructured data. Unfortunately, most developments over NoSQL technologies consider security as an afterthought, putting at risk personal data of individuals and potentially causing severe economic loses as well as reputation crisis. In order to avoid these situations, companies require an approach that introduces security mechanisms into their systems without scrapping already in-place solutions to restart all over again the design process. Therefore, in this paper we propose the first modernization approach for introducing security in NoSQL databases, focusing on access control and thereby improving the security of their associated information systems and applications. Our approach analyzes the existing NoSQL solution of the organization, using a domain ontology to detect sensitive information and creating a conceptual model of the database. Together with this model, a series of security issues related to access control are listed, allowing database designers to identify the security mechanisms that must be incorporated into their existing solution. For each security issue, our approach automatically generates a proposed solution, consisting of a combination of privilege modifications, new roles and views to improve access control. In order to test our approach, we apply our process to a medical database implemented using the popular document-oriented NoSQL database, MongoDB. The great advantages of our approach are that: (1) it takes into account the context of the system thanks to the introduction of domain ontologies, (2) it helps to avoid missing critical access control issues since the analysis is performed automatically, (3) it reduces the effort and costs of the modernization process thanks to the automated steps in the process, (4) it can be used with different NoSQL document-based technologies in a successful way by adjusting the metamodel, and (5) it is lined up with known standards, hence allowing the application of guidelines and best practices.

[1]  Oscar Pastor,et al.  Comparing traditional conceptual modeling with ontology-driven conceptual modeling: An empirical study , 2019, Inf. Syst..

[2]  Fabio Massacci,et al.  How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns , 2009, Artificial Intelligence and Law.

[3]  Ehud Gudes,et al.  Security Issues in NoSQL Databases , 2011, 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications.

[4]  Keith W. Miller,et al.  Big Data: New Opportunities and New Challenges [Guest editors' introduction] , 2013, Computer.

[5]  N. Kshetri Big data's impact on privacy, security and consumer welfare , 2014 .

[6]  H. Herre General Formal Ontology (GFO): A Foundational Ontology for Conceptual Modelling , 2010 .

[7]  Li Xu,et al.  Universal designated verifier transitive signatures for graph-based big data , 2015, Inf. Sci..

[8]  Rongxing Lu,et al.  Obtain confidentiality or/and authenticity in Big Data by ID-based generalized signcryption , 2015, Inf. Sci..

[9]  Yan Wang,et al.  A graph-based comprehensive reputation model: Exploiting the social context of opinions to enhance trust in social commerce , 2015, Inf. Sci..

[10]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[11]  Reind P. van de Riet Twenty-five years of Mokum: For 25 years of data and knowledge engineering: Correctness by design in relation to MDE1The acronym MDA is a trademark of the OMG; MDE is the alternative.1 and correct protocols in cyberspace , 2008 .

[12]  P. Dhavachelvan,et al.  Big Data and Hadoop-a Study in Security Perspective , 2015 .

[13]  Wolfgang Wahlster,et al.  New Horizons for a Data-Driven Economy , 2016, Springer International Publishing.

[14]  Ron Weber,et al.  Conceptual Modeling and Ontology: Possibilities and Pitfalls , 2003, J. Database Manag..

[15]  Beata Strack,et al.  Impact of HbA1c Measurement on Hospital Readmission Rates: Analysis of 70,000 Clinical Database Patient Records , 2014, BioMed research international.

[16]  Guillermo Lafuente,et al.  The big data security challenge , 2015, Netw. Secur..