About Database Encryption in OrientDB - orientdb

I'm evaluating OrientDB for a SaaS-CRM project and really expect to use it.
Since data security is a key factor, I'd like the OrientDB development team to answer my questions.
In version 2.2, is it possible to encrypt clusters/databases through the orientjs API (and/or SQL API, DB functions), totally independent of the Java API? If so, how can I do it?
Is encrypting fields/attributes of records on your schedule? If so, when will it be released?
If I have not expressed myself clearly, please forgive me :-)
Many thanks.
Hanks

Do you mean encrypt records? OrientDB provides encryption at storage level, but once records are sent to the node.js driver, they are decrypted. If you want such encryption, it's not supported out of the box, sorry. You can still use SSL to encrypt the data on your connection if needed, and this is provided out of the box.
It's a feature request, but it's not on our roadmap for the next year unless we find a sponsor for it.

Related

data-at-rest encryption for NoSQL

Prototyping a project with Mongo & Spring Boot and thinking it does a lot of what I want. However, I really need to have encrypted data-at-rest, which would seem to indicate I have to purchase the enterprise version. Since I don't have a budget yet, I am wondering if there is another alternative that people have found useful? I think DynamoDB can be used in a local & test environment. Or is it viable to encrypt the data at the application level and still have great performance for my CRUD operations?
I've done application level encryption with DynamoDB before with some success. My issues were not really with DynamoDB but with the encryption in the application.
First, encryption/decryption is very expensive. I had to increase the number of servers I was using by over double just to handle the extra CPU load. Your mileage may vary. In my case, I was using Node.js and the servers suddenly switched from being I/O bound to being CPU bound.
Second, doing encryption/decryption application side adds a lot of complexity to your app. You will almost certainly need to parallelize the encryption/decryption to minimize the added latency that it will cause. Also, you will need to figure out a secure way of sharing the keys.
Last, application level encryption will make some DynamoDB operations unavailable to you. For example, conditions probably won't make sense anymore for encrypted values.
Long story short, I wouldn't recommend application level encryption regardless of the database.
DynamoDB now supports what they call Server-Side Encryption at Rest. Personally I think that name is a little confusing but from their perspective, your application is the client and DynamoDB is the server.
Amazon DynamoDB encryption at rest helps you secure your application
data in Amazon DynamoDB tables further using AWS-managed encryption
keys stored in AWS Key Management Service (KMS). Encryption at rest is
fully transparent to the user with all DynamoDB queries working
seamlessly on encrypted data. With this new capability, it has never
been easier to use DynamoDB for security-sensitive applications with
strict encryption compliance and regulatory requirements.
Blog post about DynamoDB encryption at rest
You simply enable encryption when you create a new table and DynamoDB
takes care of the rest. Your data (tables, local secondary indexes,
and global secondary indexes) will be encrypted using AES-256 and a
service-default AWS Key Management Service (KMS) key. The encryption
adds no storage overhead and is completely transparent; you can
insert, query, scan, and delete items as before. The team did not
observe any changes in latency after enabling encryption and running
several different workloads on an encrypted DynamoDB table.
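
The application-level approach discussed in the answers above, sketched for Node.js as an added example (not code from any poster or from the DynamoDB or OrientDB projects): each sensitive field is encrypted with AES-256-GCM, and because a fresh nonce makes equal plaintexts encrypt to different ciphertexts, which is why server-side conditions stop working, a keyed HMAC "blind index" is stored beside it for equality lookups. The key constants, record shape and function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo keys. In a real deployment these come from a KMS or secret
// store, never from source code; encryption and indexing use separate keys.
const ENC_KEY = crypto.randomBytes(32);
const IDX_KEY = crypto.randomBytes(32);

// Encrypt one field. The field name is bound as AAD so a ciphertext cannot be
// moved to a different attribute without failing authentication.
function encryptField(name, plaintext, key = ENC_KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce per value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Layout of the stored blob: 12-byte nonce | 16-byte tag | ciphertext.
function decryptField(name, blob, key = ENC_KEY) {
  const buf = Buffer.from(blob, 'base64');
  if (buf.length < 28) throw new Error('ciphertext too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, buf.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]).toString('utf8');
}

// Deterministic keyed hash of the normalised value. It supports equality
// conditions only (no range, prefix or sort) and reveals which rows share a value.
function blindIndex(name, plaintext, key = IDX_KEY) {
  const normalised = plaintext.trim().toLowerCase();
  return crypto.createHmac('sha256', key).update(name + '\0' + normalised).digest('hex');
}

// Build the item as it would be written to the table (constructed record shape).
function sealRecord(record, sensitiveFields) {
  const out = {};
  for (const [k, v] of Object.entries(record)) {
    if (sensitiveFields.includes(k)) {
      out[k] = encryptField(k, v);
      out[k + '_idx'] = blindIndex(k, v);
    } else {
      out[k] = v;
    }
  }
  return out;
}
```

Queries then match on the `_idx` attribute instead of the ciphertext; decryption stays in the application tier, so the CPU cost and key-distribution concerns raised in the answer still apply.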

MongoDb protect database file from anonymous access

I created a mongodb database with this description
http://docs.mongodb.org/manual/tutorial/enable-authentication-without-bypass/
created database
created admin-user
run mongodb with --auth parameter
that works fine.
but how can I really protect the database files from anonymous access?
When someone would take my database-file and run mongodb without --auth parameter he would have access to the whole database.
Is there a way to protect the database file itself so I can't just run mongodb without --auth?
Best regards
Tobias
Encrypting data files is only part of an overall security strategy - if someone has access to copy any files from your computer or a backup, they may also be able to snag your encryption keys from the same source. The MongoDB manual has a Security section which covers general best practices including access control, network exposure, auditing, and a high level checklist.
If you want to encrypt your MongoDB data files you will need to look into a solution for "encryption at rest".
As at MongoDB 2.6, there is no built-in support for data encryption but there are a number of open source as well as commercial solutions available.
The broad categories of encryption at rest are application level or storage encryption (which can be used independently or together, depending on your requirements). Encryption will add some performance overhead for disk I/O, so you should consider this in your testing & evaluation of a suitable solution for your requirements.
A few examples of encryption at rest solutions are:
LUKS (Linux Unified Key Setup)
Windows Bitlocker Drive Encryption
For more information on supported options, have a read of the Encryption at Rest section of the MongoDB security documentation.

Why does MongoLab not recommend using their REST API?

From MongoLab's documentation, they recommend:
MongoLab databases can be accessed by your application code in two ways.
The first method - the one we strongly recommend - is to connect using one of the MongoDB drivers (as described above). You do not need
to use our API if you use the driver.
The second method, which you should use only if you cannot connect via one of the MongoDB drivers, is via MongoLab’s RESTful data API.
Why do they recommend using the driver rather than their REST API? One reason I can think of is portability across different MongoDB providers. Are there any other reasons? Wouldn't it be more beneficial for MongoLab to "vendor lock-in" customers with their API?
The points that @WiredPrairie and @Stennie brought up around security are correct. When you use our REST API, you expose your API key to the client. Currently, anyone with the API key can modify your database. As a result, we only recommend using the REST API with public data, e.g. all the locations for taco trucks in the country.
By writing your own app tier, you can keep credentials to your database from being exposed to the client.
If you have any more questions, email us at support@mongolab.com. Happy to help!
-Chris@MongoLab
p.s. thanks @WiredPrairie and @Stennie

How to have complete offline functionality in a web app with PostgreSQL database?

I would like to give a web app with a PostgreSQL database 100% offline functionality. In an ideal case the database should be completely replicated in the browser per user, and synchronized when online. So that the same code can be used to talk to both the offline and online database. I know this is possible with PouchDB and CouchDB, but have not found a solution that works with PostgreSQL. Is this at all possible?
Short answer: I don't know of anything like this that currently exists.
However, in theory, this could be made to work...(long answer:)
Write a PostgreSQL backend for levelup (one exists for MySQL: https://github.com/kesla/mysqldown)
Wire up pouch-server to read/write from your PostgreSQL db using pouchdb's existing leveldb adapter (which in turn will have to be configured to use your postgres backend). Congrats, you can now sync data using PouchDB!
Whether an approach like this is practical in reality for your application is a different question you'll have to answer.
You may be wondering, for example, "will I be able to sync an existing complex schema with multiple tables to the client with this approach?" The answer is probably not - the mysqldown implementation of leveldown uses a single MySQL table with three fields: id, key, and value (source), and I imagine any general-purpose PostgreSQL adapter would be similar (nothing says you can't do a special-purpose adapter just for your app though!).
On the other hand, if you were to implement a couchdb-compatible API (or a subset- you may not need attachments, for example) over your existing database schema, there's nothing stopping you from using PouchDB on the client to talk directly to that as if it were an actual CouchDB - just pop in the URL and call replicate()! Implementing the replication protocol might be a fair bit of work, since you'd need to track revisions and so on somewhere - but again, technically not impossible!
There are also implementations of levelup's backend storage that are designed for browsers. See level.js, which could be another way to sync between a server-side Postgres levelup backend and the browser.
TL;DR: There's tons of work being done around Javascript databases right now. Is syncing with Postgres impossible? probably not. Would it be a lot of work? Definitely. Worth it? Who knows, but it would be cool.
Without installing PostgreSQL on the client? No. Obviously you can cache data for offline use, but an entire RDBMS+procedural languages in JavaScript, no.

Is it possible to pair EZ Publish 5 to MongoDB?

We have an EZ Publish 5 already operational with an Oracle 11g database as a persistence backend.
We planned to get rid of Oracle and we know that we could use Postgresql for sure as a new RDBMS, but we also planned to use MongoDB whenever it's possible.
So the question is: Can we pair EZ Publish 5 to a MongoDB NoSQL database ?
Quick answer: You cannot now as there is no MongoDB driver implemented.
There was a NoSQL Driver planned in the 5.x series, but it is not yet implemented in the latest eZ Publish 2013.06.
With the official roadmap not being updated since the 4.6 release, it is hard to guess when the NoSQL driver will be implemented, and if MongoDB will be supported.
Theoretically, as the new persistence API makes it "easier" to add new storage drivers, you could write a custom MongoDB storage driver.
But in practice implementing a storage driver is quite complex and resource consuming.
Contacting the eZ Systems office in your region and asking them directly when a MongoDB driver will be available might be the fastest way to get a clear answer.
I hope it helps.
It is not currently possible as there is no storage engine implemented for MongoDB.
It is indeed planned to implement a NoSQL engine, but there is no version tag on this for now.
However, the new persistence API makes it possible to "easily" implement such a storage engine, but you will be limited by the fact that eZ Publish 5 still uses the legacy back office which runs in the legacy stack (so with 4.x infrastructure which is not compatible with NoSQL).
In short: Implementing a new storage engine will make it only accessible from Public API and REST API.
Since ez5 is a symfony application you can achieve this the symfony way
http://symfony.com/doc/current/bundles/DoctrineMongoDBBundle/index.html
just remember they have renamed the app folder and the appkernel.php.
Haven't tried it yet though