With another database breach in the news, it’s a good time to stop and think about our obligations to our users. Companies are striving to build services that adapt quickly to customer needs, market shifts, and technology innovations. That’s great for customers, and they’ve come to expect it. Customers also expect their information to be kept secure and private. All too often these days, we’re seeing that this second expectation goes unmet. In a number of cases, companies have unwittingly compromised security and privacy in an attempt to increase agility.
Agility and Security: Better Together
The key is that, in 2016, there is no reason to trade off one for the other. Applying proven technologies and well-known best practices can significantly raise the security bar. Unfortunately, what we’re seeing time and time again is that the hackers don’t have to work very hard. They don’t need to create complex malware to break these systems; they look for low-hanging fruit. They find the systems that have been misconfigured, use weak technologies, or violate other well-known security practices.
The notion of a “minimum viable product” is an important and powerful one. It’s a way of zeroing in on what customers do (and don’t) want with minimal time and effort. Ultimately it can lead to better results faster — even though the initial offering may be fairly bare-bones. One thing we have to remember, though, is that protecting customer security and privacy is always a requirement, and nowhere is this truer than at the database level, where all of this information is stored.
When building new features or deploying new services, DevOps teams need to incorporate security best practices and proven technologies into their everyday practices – it can’t be an afterthought. When it is an afterthought, bad things can happen. First of all, afterthoughts sometimes just fall off the list. It’s a shame to see another report of a major breach because of a misconfigured database. The second problem is that when security is bolted on after the fact, it is much more likely that there will be noticeable gaps.
We feel very strongly about this at MarkLogic. Trillions of dollars’ worth of financial information flows through MarkLogic, as does healthcare information, and information relating to the security of individuals and nations. Moreover, MarkLogic is the place where people integrate data from dozens of silos across their organizations. Each of those silos carries sensitive information and MarkLogic is entrusted to hold and protect all of it. We take that responsibility very seriously, which is why we are the only Common Criteria-certified NoSQL database in the market.
Don’t give up on security and privacy in the interests of speed and agility. You can have both.
For More Information
Introduction to Security: An interactive chapter from our User Guide giving an overview of MarkLogic security.
The Security Database: An 8-minute tutorial that lets you learn about the role of the Security database within a MarkLogic cluster.
Security in MarkLogic 9: Announcement on new security features in MarkLogic 9.