Top Data Security Concerns When Integrating Data
MARKLOGIC WHITE PAPER · AUGUST 2018

Data security is a top priority for organizations and there are a plethora of tactical details that
DevOps and security experts need to worry about. But, what should CIOs, architects, and
business leaders focus on at a strategic level? In this white paper, we discuss the top data
security concerns – with a particular focus on data integration – and provide an overview of how
MarkLogic® addresses those concerns as a database.
Contents

Introduction
Concern #1: Traditional Data Integration Creates Security Vulnerabilities
Concern #2: Application Developers Are Burdened With Data Security
Concern #3: Unknown, Unmanaged Risks From Insider Threats
Introduction to MarkLogic Security
    Certified, Granular, Government-Grade, & Comprehensive
    Security Certifications and Standards
How A Secure Database Supports the Data Governance Lifecycle
    Data Quality
    Provenance & Lineage
    Security & Privacy
    Compliance
    Lifecycle
    Availability
Deeper Dive Into MarkLogic Security
Conclusion
    Additional Resources
[Figure: three statistics panels titled "Average cost of cyber incidents on U.S. companies" [1], "Major breaches reported. See the trend?" [2], and "% of companies that say they deploy new IT without appropriate security measures in place" [3]]

Introduction

Headlines reporting cyberattacks, ransomware, and compromises in data security are increasingly common. It makes sense that data security is now a top priority—the risk of not securing data is simply too high. There is no shortage of splashy numbers that highlight the problem:

• Each cyber incident costs U.S. companies a reported $7.1 million on average, or $221 per record [1]
• In 2011, there were 468 major breaches recorded. In 2012, 1,175. In 2013, 1,731. See the trend? [2]
• Two-thirds (63%) of organizations deploy new IT prior to having appropriate data security measures in place [3]

Despite increasing awareness and spending, the problem with data security is getting worse.

In addressing the problem, it is easy to get buried figuring out how to protect against the latest incident patterns and attack vectors. The tactical details are important, and your DevOps and security experts need to be working together to tackle them. But, there are also more strategic concerns to consider.

At a more strategic level, we see three primary concerns that CIOs, architects, and business leaders should consider. These concerns are commonly shared across industries and have particular relevance to data integration:

• Concern #1: How traditional data integration with relational databases creates security vulnerabilities
• Concern #2: How application developers are unduly burdened with data security
• Concern #3: How insider threats create unknown, unmanaged data security risks within the network perimeter

In this white paper, we take a closer look at these concerns, and discuss how MarkLogic helps organizations address them as the most secure NoSQL database available today. It is one of the reasons that large investment banks, major healthcare organizations, and classified government systems around the world run their most demanding, mission-critical systems on MarkLogic.

[1] Survey of 64 U.S. based organizations. IBM and Ponemon Research, 2016 Cost of Data Breach Study: United States, 2016.
[2] For the gory details, check out the VERIS Community Database. This data is summarized in the Verizon Breach Report, also a helpful resource.
[3] 451 Research Data Threat Report, 2016.
[Figure 2 diagram labels: relational source systems, ETL, data warehouse]

Figure 2: The traditional approach to data integration with relational databases and ETL leads to data loss and governance problems.

Concern #1: Traditional Data Integration Creates Security Vulnerabilities

Role- and policy-based access controls are essential to govern, preserve, and audit data and associated entitlements. If these controls are not managed, you introduce unnecessary complexity and risk.

Unfortunately, most organizations have a proliferation of relational database silos. Each one has separate security access controls that make it virtually impossible to adequately track and protect all of the data. Additionally, there are multiple ETL tools with obfuscated code and integration points, not to mention their own access controls that need to be managed. With an increasing number of data silos, there are more opportunities for exploits.

Often, what happens is a team builds a complex ETL process from multiple databases to a centralized analytical data warehouse—all using relational databases. The ETL is done to (a) simply make the system be able to function, and (b) to “cleanse” the data because there is a business process that requires standardization so that the system can be used to count things, do math, or disambiguate the data. But, far from ensuring quality, this cleansing process may actually be reducing quality by removing important data.

To a data analyst, some metadata may seem like “data lint” that needs to be laundered, but to a compliance analyst or data modeler, that same “data lint” may be required for critical business reasons (say, to prove to a regulatory agency that your trades were legal in order to avoid a hefty fine).

Over time, it becomes more and more difficult to maintain data governance. Data governance, which we define simply as the application of policy to data, includes many aspects: Data quality, lineage and provenance, security and privacy, compliance requirements, availability. If an organization fails to pay close attention to each aspect of data governance across the entire lifecycle of data, they open themselves up to additional cyber risk.
[Figure 3 diagram: the DevOps loop (plan, code, build, test, release, deploy, operate, monitor), annotated "When security teams should be involved" and "When security teams are involved"]

Figure 3: There is a disconnect between DevOps and security teams. Security is often only worked on during testing and release rather than through the whole lifecycle.

How MarkLogic Helps

MarkLogic makes data integration a good thing for security and data governance.

First, MarkLogic reduces the burden of traditional ETL. By handling the process of ingesting source data as is and transforming and harmonizing the data inside MarkLogic, the whole process of integrating data becomes faster and more seamless. No data gets discarded during the process.

Second, MarkLogic’s multi-model approach using documents and triples is better for governing data over time. You can manage high level business concepts from multiple silos, materializing them as entities and relationships. Data and metadata stay together and you can track the details across the lifecycle—its provenance, who can see it, how it changed—all in a single system. By taking a more comprehensive approach, MarkLogic reduces opportunities for exploits and provides a more agile platform to handle new and changing regulations.

Concern #2: Application Developers Are Burdened With Data Security

It’s really hard to secure your data up and down the stack and across multiple data silos. Unfortunately, security is often not tested and maintained in a single data layer. Instead, the burden is put on developers to secure data at the application layer for every new application. With regulation around data privacy and security that organizations now have to account for (HIPAA, SEC17a-4, FINRA, GDPR, etc.), the stakes are higher and the burden is growing.

This is problematic because development and security teams are often disconnected. A disconnect has grown because of the move towards DevOps and agile development. Both are positive improvements to software development that enable shorter release cycles. With these approaches, it may be common to commit small batches of code every few days—if not hours.
[Figure 4 diagram: Call Center, OLTP, Reference Data, Dashboard, CRM, Warehouse, Adjudication, Customer Portal, Archives, and Data Marts systems connected by ETL jobs, each carrying its own Security, Audit, and Lineage handling]

Figure 4: Unless security is handled in a more centralized database, what results is a spaghetti architecture that leads to more vulnerabilities. This graphic does not even depict the systems for backup and recovery, development, and testing that also require security monitoring maintenance.

Unfortunately, security teams cannot keep up. Security review cycles are designed to take weeks or months, and security certification and accreditations are bound to waterfall methods, not continuous improvement. Most developers know the OWASP Top Ten, but the real security experts are only brought into the development process to do a final check before go-live.

According to Gartner, 90 percent of companies using DevOps consider security an afterthought. [4] It is no surprise then, that according to the Department of Homeland Security, 90 percent of exploits are due to defective software. [5]

One example showing the disconnect between teams is at Intuit, which adopted an agile, DevOps approach for their 3,000-person team. Shannon Lietz, senior manager for cloud security engineering at Intuit, said in an interview, “We realized that the DevOps teams were throwing [responsibility] over the wall to security, and [security] had all the information; they knew all the attacks that were coming in, and the DevOps people did not have the information to make the decisions.” [6]

While most organizations are not the size of Intuit, the challenge is often similar. A development team is tasked with stitching together multiple technologies with different, usually quite limited security capabilities. The security team is out of sync and cannot keep up.

To solve this problem, organizations should implement many tactical recommendations: Develop closer integration between security and DevOps teams to close the feedback loop, make security checks more automated by performing dynamic code analysis (and perform such checks earlier and more frequently in the sprint lifecycle), design for security, improve Identity and Access Management (IAM) systems, enforce segregation of duties, and conduct risk and threat modeling for applications.

Additionally, it is important to take a broader, more strategic look at how data is managed at the lowest possible level—in the database.

[4] Gartner, DevSecOps: How to Seamlessly Integrate Security Into DevOps. September, 2016.
[5] Department of Homeland Security Infosheet, reporting on research done by the Security Engineering Institute at Carnegie Mellon.
[6] TechTarget. Robert Lemos,
How MarkLogic Helps

The goal is to keep data governance governable across the stack. If you move to using a centralized database to govern and secure the data, securing applications becomes easier and faster. The work of data governance happens in one place so that one change in data policy at the database level can be automatically applied to a hundred applications rather than having developers make a hundred manual changes to application code.

MarkLogic has extensive capabilities to govern and secure data in the database, which in turn helps with many of the aspects of application security.

The SANS Institute, a well-known cybersecurity training organization, provides a SWAT checklist to help development teams. [7]

SWAT Checklist (Securing Web Application Technologies)

1. Error handling and logging
2. Data protection
3. Configuration and operations
4. Authentication
5. Session management
6. Input and output
7. Access control

Of this list, MarkLogic fully addresses numbers 1, 2, and 7 – error handling and logging, data protection, and access control – and also helps address the rest (3, 4, 5, and 6). By addressing many of these concerns in the database, the attack surface is decreased significantly.

One of MarkLogic’s key underlying capabilities that makes data security stronger and easier to implement is Role Based Access Control (RBAC). RBAC governs who can access what data based on their privileges and permissions. These privileges and permissions work to secure data at the document level. MarkLogic also has Element Level Security, which makes it possible to secure pieces of data inside documents (more on this later). Working together, these features make life easier on developers by managing the access controls in the database.

Additionally, MarkLogic has programming APIs so developers can create and execute policies utilizing all of the security and data protection capabilities in MarkLogic (e.g., backup, retention, data access, data lifecycle, and authentication). Policies can be associated with data, metadata, and data attributes so that policies such as those for privacy or compliance can be easily executed. And, the security controls and checks are transparent to developers.

Beyond these features, MarkLogic also has additional out-of-the-box features designed to help organizations with compliance. Bitemporal data management ensures that historical data remains unchanged and that you have a full audit trail of data. Also, Compliance Archive provides a mechanism to protect data from changes, and save the data to WORM (Write Once, Read Many) storage.

All of these features mean smarter data management in the database, less work for developers to do at the application level, reduced time and complexity around security testing, and better security resilience.

[7] Note: This checklist includes references to the common weakness enumerators that map very closely to those referenced by the OWASP Top Ten, which many people are more familiar with.
Concern #3: Unknown, Unmanaged Risks From Insider Threats

Typically, most organizations put an immense focus on implementing endpoint, application, perimeter, and network security—and for good reason. Preventing intrusion into your network is a critical part of securing your infrastructure. Some companies see hundreds of thousands of intrusion attempts against their network—every single day.

But focusing only on network security is like creating a hard shell around a soft, squishy middle. If you can get in, you’re in. The truth is, no network perimeter will ever be impenetrable. There are likely bad actors already in the network.

[Figure 5 diagram labels: "Network security: protect the perimeter, the “crunchy outside”" and "Data security: protect the data in the “squishy middle”"]

Figure 5: Focusing only on network security, the perimeter might be somewhat secure, but the data lives in the “squishy middle” that becomes extremely vulnerable.

Some of the biggest data breaches have occurred because an insider got the keys to the kingdom. And, the number of incidents involving internal actors is increasing.

The numbers vary, but in general, internal actors are involved in 25 percent of all breaches. [8] In the healthcare industry, insiders are responsible for 68 percent of breaches. [9] Unfortunately, many systems are vulnerable to such attacks because they only have all-or-none data access rather than fine-grained security controls.

Complicating the insider threat problem is the fact that modern enterprises have staff, contractors, sub-contractors, trading partners, consultants, auditors, and other people involved. It is very difficult to discern just who is ‘inside’ and who is ‘outside.’

Sometimes, it is relatively innocuous data management decisions that can create the biggest insider threats. For example, many organizations have data lakes that are virtual treasure troves of data with broad access to users. One global bank we work with spent years building a data lake using another technology. But, they shut it down for security and compliance reasons when they realized the new system did not have proper controls and that they were potentially violating certain rules and regulations regarding customer data.

Organizations today need better data security. It is not an option, however, to just lock everything down. While the most secure database in the world might be one that is locked in a safe and dropped in the bottom of the ocean, that data would not be very shareable.

In the quest for data security, it is important to still maintain data sharing. Organizations must have proper security controls to ensure that the right portions of data are accessible and shareable with those in and outside the company who are granted proper access. And, there must be a separation of duties so that administrators granting access do not themselves have access to the crown jewels.

[8] Verizon. 2017 Data Breach Investigations Report: 10th Edition.
[9] IBM. Security trends in the healthcare industry. February, 2017.
How MarkLogic Helps

As discussed in the previous section, MarkLogic has fine-grained access controls designed to provide optimal data security even when sharing data. One additional feature that directly addresses the problem of insider threats is Advanced Encryption.

Without encryption, or even with file system encryption, the system administrator, cloud operator, or hacker could access or modify files—including the files that comprise the database.

MarkLogic’s Advanced Encryption allows data, configuration, and logs to be encrypted on disk (i.e., encrypted at rest). This feature requires no modification to applications developed on MarkLogic. And, the optional use of an External Key Management System (KMS) further ensures separation of duties and integration into existing security infrastructure.

Introduction to MarkLogic Security

With the context of these concerns and a bit about how MarkLogic addresses them, let us now provide a full overview of MarkLogic’s security capabilities.

As a company, we focused on security from the start. Without strong data security, you cannot safely manage enterprise data, and that is what MarkLogic was originally designed for—integrating, storing, searching, and managing enterprise data. Some database vendors forget about the “M” in DBMS, but “management” is central to how MarkLogic is designed.

With fine-grained access controls, separation of duties, data segmentation, advanced encryption, and more, MarkLogic has the features you need to deliver the triad of Confidentiality, Integrity, and Availability (CIA). Whether you’re an IT executive or security manager, performing security audits and reviewing controls, responsible for deploying applications, or for ensuring software supply chain safety—MarkLogic provides the necessary data protection to exceed modern enterprise requirements.

[Figure diagram labels: Confidentiality, Integrity, Authenticity, Availability, Provenance, Certified]

Certified, Granular, Government-Grade, & Comprehensive

Highly Certified & Compliant with Major Systems Security Standards

The Common Criteria for Information Technology Security Evaluation (or “Common Criteria”) is the driving force for the widest available mutual recognition of secure IT products worldwide. It is not easy to meet the requirements to be Common Criteria certified, and the list of vendors is short.

MarkLogic is one of only six vendors that offers a database that is Common Criteria certified, and MarkLogic is the only NoSQL database with the certification.

MarkLogic is also installed and operational on government systems with demanding security policies. These policies include stringent measures for access, authentication, management, audits, role separation, and system assurance. For example:

• NIACAP (National Information Assurance Certification and Accreditation Process) – Developed by the U.S. intelligence community for certification of computer and telecommunications systems that handle U.S. national security information
• NIST Special Publication 800-37 – Guide for applying risk management to federal information systems. It supports the six-step Risk Management Framework (RMF)
Security Certifications and Standards

MarkLogic's Security Certifications

Common Criteria Certification – The driving force for the widest available mutual recognition of secure IT products worldwide. It is not easy to meet the requirements to be Common Criteria certified, and the list of vendors is short. MarkLogic is one of only six vendors that offers a database that is Common Criteria certified, and MarkLogic is the only NoSQL database with the certification.

Additional Security Standards

• NIACAP
• NIST Special Publication 800-37
• NIST 800-53
• ICD 503
• FIPS 140-2
• HIPAA
• SOX 302/404
• FedRAMP
• SSAE 18
• EU 95/46/EC

Customers have also received Authority to Operate (ATO) for information systems utilizing MarkLogic that involve almost all of the major systems security standards. These standards continue to evolve and MarkLogic stays up to date on the latest changes (for example, SSAE 18 replaced SSAE 16).

The system security standards currently in place on systems running MarkLogic include the following:

• NIST 800-53
• ICD 503
• FIPS 140-2
• HIPAA
• SOX 302/404
• FedRAMP
• SSAE 18
• EU 95/46/EC

Granular Security at the Lowest Levels

As mentioned, MarkLogic uses a Role Based Access Control (RBAC) security model by default, in which each user is assigned any number of roles, and these roles are associated with any number of privileges and permissions. Privileges govern the creation of documents and execution of functions (URI and execute privileges) and permissions govern what can be done with a document (read, insert, update, execute). Security checks verify the necessary credentials before granting the requested action, and security information is stored in a specific security database in MarkLogic.

MarkLogic closely monitors database activity and makes it possible to audit document access and updates, configuration changes, administrative actions, code execution, and changes to access controls.

MarkLogic supports external authentication using Lightweight Directory Access Protocol (LDAP) or Kerberos. MarkLogic also supports strong certificate-based authentication with Public Key Infrastructure (PKI) and Certificate Authorities (CAs).

Additionally, beyond RBAC, MarkLogic supports Attribute Based Access Control (ABAC) and Policy Based Access Control (PBAC). These models further restrict access based on attributes (i.e., metadata about the data such as provenance, geo-location, time of day, etc.), policy information stored in document metadata, or simple labels representing “high” or “low” levels of trust.

Beyond just securing data at the level of individual documents, MarkLogic also has even more fine-grained security. Element Level Security provides access control at the level of JSON properties or XML elements within documents, regardless of schema. Specific information inside a document may be hidden from users based on their role, while still providing access to other information in the document. Element Level Security is akin to “cell-level” security in relational databases. But, it is a step above “cell-level,” as it is not restricted to protecting a certain set of cells in a relational database schema.
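As an added illustration (not MarkLogic code and not part of the original paper), the Python model below mimics the checks described in this section: role-based document permissions, Element Level Security hiding a JSON property by role, and the all-roles rule of the Compartment Security option that the paper lists among its advanced security options. The class names, role names, URIs, sample documents, and the exact form of the compartment rule are assumptions made for the example.

```python
"""Simplified model of the access checks the paper describes.
Illustrative only: not MarkLogic code, and it calls no MarkLogic API."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    role: str        # role the permission is granted to
    capability: str  # "read", "insert", "update" or "execute"


@dataclass
class Document:
    uri: str
    content: dict
    permissions: list  # list of Permission


@dataclass
class SecurityModel:
    # role -> compartment name; roles not listed belong to no compartment
    compartments: dict = field(default_factory=dict)
    # protected property path (tuple of keys) -> roles allowed to see it
    protected_paths: dict = field(default_factory=dict)

    def can(self, user_roles, doc, capability):
        """Document-level check for one capability."""
        user_roles = set(user_roles)
        granted = {p.role for p in doc.permissions if p.capability == capability}
        # Default RBAC: holding any one granted role is enough.
        if not granted & user_roles:
            return False
        # Compartment rule (modelling assumption based on the paper's
        # one-sentence description): for every compartment named by the
        # granted roles, the user must hold a granted role in it.
        by_compartment = {}
        for role in granted:
            comp = self.compartments.get(role)
            if comp is not None:
                by_compartment.setdefault(comp, set()).add(role)
        return all(roles & user_roles for roles in by_compartment.values())

    def read(self, user_roles, doc):
        """Return the view of the document this user may see, or None."""
        if not self.can(user_roles, doc, "read"):
            return None
        return self._visible(doc.content, (), set(user_roles))

    def _visible(self, node, path, user_roles):
        # Element-level filtering: drop protected properties the user's
        # roles do not cover, keep everything else in the document.
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                child = path + (key,)
                allowed = self.protected_paths.get(child)
                if allowed is not None and not allowed & user_roles:
                    continue
                out[key] = self._visible(value, child, user_roles)
            return out
        if isinstance(node, list):
            return [self._visible(item, path, user_roles) for item in node]
        return node


# Constructed sample data; every role, URI and value below is hypothetical.
MODEL = SecurityModel(
    compartments={"us-citizen": "citizenship", "top-secret": "clearance"},
    protected_paths={("trade", "client", "tax_id"): {"compliance"}},
)
TRADE = Document(
    uri="/trades/T-1.json",
    content={"trade": {"id": "T-1", "amount": 250000,
                       "client": {"name": "Example Corp", "tax_id": "00-0000000"}}},
    permissions=[Permission("analyst", "read"), Permission("compliance", "read"),
                 Permission("trade-writer", "update")],
)
CLASSIFIED = Document(
    uri="/reports/R-9.json",
    content={"report": {"title": "Constructed sample"}},
    permissions=[Permission("us-citizen", "read"), Permission("top-secret", "read")],
)

if __name__ == "__main__":
    for roles in (["analyst"], ["compliance"], ["intern"]):
        print(roles, "->", MODEL.read(roles, TRADE))
    for roles in (["top-secret"], ["top-secret", "us-citizen"]):
        print(roles, "->", MODEL.can(roles, CLASSIFIED, "read"))
```

The application code in this model never filters fields itself; changing `protected_paths` or a document's permissions changes what every caller sees, which is the point the paper makes about enforcing policy in the data layer.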
Government-Grade & Trusted for Mission Critical Use Cases

MarkLogic has been in the business of protecting and securing data for over a decade, and is installed and operational on sensitive government systems that require databases to meet extremely rigorous requirements.

MarkLogic exceeds the security requirements to serve as the trusted platform to run the most demanding, mission-critical applications at the heart of large investment banks, major healthcare organizations, and classified government systems.

Here are just a few of the many examples of major organizations using MarkLogic:

KPMG
KPMG built a MarkLogic-powered application to support client onboarding primarily for the purposes of compliance with regulation, tax, and reporting. The application uses intelligent automation of complex manual processes and maintains a fully traceable, auditable data workflow.

Deutsche Bank
MarkLogic replaced Oracle as the global trade store for the bank’s operational trade data. The first production deployment integrated dozens of trading systems and launched in just six months—all while maintaining secure and consistent transactions.

U.S. Combatant Command
MarkLogic replaced Oracle to serve as the data layer for a command-wide knowledge- and information-sharing system for an increasingly diverse dataset consumed by a wide variety of programs and people in the U.S. Department of Defense.

Comprehensive Security, Built-in From the Start

Security is an end-to-end feature in MarkLogic, where data, data security, and data-driven policies are all tied together. In other words, security travels with the data.

Since the first version of MarkLogic was released, we have continued to improve security in each subsequent release. For example, MarkLogic 1 (originally called Cerisent XQE Server) included RBAC. And, MarkLogic has continued to maintain the Common Criteria Certification since MarkLogic 4.

Additionally, the security features are designed to scale. Many MarkLogic customers are running extremely large product systems, and the security checks and data encryption processes do not slow down data access.
[Figure 7 diagram labels: Data Quality, Provenance & Lineage, Security & Privacy, Compliance, Lifecycle, Availability]

Figure 7: One common architectural pattern is the Operational Data Hub, shown here to illustrate the lifecycle of integrating data from silos with MarkLogic. Throughout the process, MarkLogic maintains the highest standards of data governance and security.

Advanced Security Option for Certain Security Use Cases

In addition to the key features that come out-of-the-box with MarkLogic, some customers need additional capabilities for certain use cases:

• External KMS Support (OPTION) – This option makes it possible to use an external Key Management System, or KMS [10], to help with Advanced Encryption, which is often done for the additional separation of concerns and ease of management
• Compartment Security (OPTION) – With Compartment Security, more complex rules can be applied to documents so that a user must have all of the right roles to access or create a document rather than just one of the right roles. This is often useful when handling classified material
• Redaction (OPTION) – Similar to Element Level Security, but focused on securing data on export rather than real-time protection when querying data. Redaction eliminates the exposure of sensitive information by making it possible to remove existing information or replace it with other values when exporting data or sharing. The process is simple, flexible, and is designed to work with large volumes of data

[10] For example, SafeNet, Vormetric, or other vendors that are KMIP-compliant.

How A Secure Database Supports the Data Governance Lifecycle

With a better understanding of MarkLogic’s security capabilities, you may now be asking, “How does this help me with data governance when integrating data?”

In this section, we summarize the key components of data governance, the questions that define each component, and how MarkLogic checks each of the boxes. We already discussed some of the features mentioned, and so will skip some of the detail here.

If you are interested in learning more about MarkLogic and data governance, you can watch a recording of a keynote presentation by our SVP of Engineering, David Gorbet, which walks through each of the following components.

Data Quality

Is the data fit for purpose? Is it accurate, timely, consistent, etc.?

MarkLogic’s flexible data model makes it easier to track lineage and provenance, and not discard any raw data. With MarkLogic, data and metadata can stay together and you can transform data within the database. You can manage multiple schemas and avoid the problems of data loss that you get with a traditional approach.

You can also define flexible and fluid validation rules that execute in MarkLogic. As data is ingested, it can be rejected as invalid or accepted. If accepted, you can flag it so it is not used until reviewed, used for some use cases but not others, or used only for some people and made invisible to others. The database is designed to be flexible and support a variety of policies. It is not restrictive.

Provenance & Lineage

Where did the data originate, and how did it change?

With MarkLogic, you can validate the data and metadata together, without worrying about ETL transformations that may have been done to “cleanse” the data to make it fit a certain schema. MarkLogic is designed to handle messy, changing data—including data from different sources and schemas.

Security & Privacy

Is the data protected with fine-grained access controls? Is it encrypted? Is your database certified?

This is where MarkLogic’s robust security features apply. As mentioned, MarkLogic has a huge number of security features designed to secure data at a fine-grained level. These features are all designed to work at scale. And, the database is certified by a third party.

Compliance

Are you in compliance with regulations, and can you demonstrate it?

MarkLogic can handle frequent rule changes because of the flexible data model and through fast data access using built-in search. If a regulator asks a question that was not planned for, that is okay because all data is indexed with the “Ask Anything” Universal Index. Other Compliance features such as Bitemporal and Compliance Archive further help address regulatory concerns. For these reasons, customers use MarkLogic to help comply with specific regulations such as GDPR and MiFID II.

Lifecycle

How is the data changed, stored, and accessed as it ages?

In addition to having a flexible data model that supports messy, changing, complex data, MarkLogic’s Tiered Storage feature makes it possible to define a policy-based tiering strategy for data storage—including age-based policies. With this feature, you can automatically manage the movement of data through its lifecycle, from fast storage to slower storage to a queryable archive.

Availability

Does your system meet your Service Level Agreements (SLAs) for durability, consistency, high availability, and disaster recovery?

As emphasized, enterprise capabilities have been built into MarkLogic from the start and they have been proven through thousands of enterprise deployments. MarkLogic has the features required – most notably HA/DR and ACID transactions – to provide five nines of availability (i.e. available 99.999% of the time, or always available except for 5.26 minutes per year).

Other new features such as Rolling Upgrades (eliminates downtime during upgrades), Ops Director (single view to monitor and manage clusters), and Telemetry (opt-in support line) make management of MarkLogic faster and easier.
Deeper Dive Into MarkLogic Security
Listed below are some additional resources if you are interested in going deeper into MarkLogic security from a more technical perspective.

WHITE PAPER
Building Security Into MarkLogic
Our company’s engineering team applies best practices, tools, and techniques to build the most secure product possible, using the MarkLogic Security Framework to guide the process.

WHITE PAPER
Developing Secure Applications on MarkLogic
We provide integrated security services and capabilities built into the MarkLogic platform that are available for use by developers and DBAs. The MarkLogic Security Model provides a conceptual, multi-layered view of how MarkLogic implements security.

WHITE PAPER
Deploying MarkLogic Securely
To deploy MarkLogic into a secure environment, we provide guidance on best practices through education and consulting, in addition to ensuring that MarkLogic is compatible with industry standards (e.g., LDAP, Kerberos, SSL/TLS, KMIP, etc.).

Conclusion
In this white paper, we looked at three top cybersecurity concerns, provided an introduction to MarkLogic security, and highlighted key aspects of data governance. Our view is that by focusing more on security at the level of the database, it is possible to prevent a lot of the common security and data governance issues from happening in the first place.

Tying back to the top data security concerns discussed earlier in this white paper, MarkLogic’s main value proposition is the unique data and indexing approach that contributes to the robust security and data governance capabilities. Based on that foundation, we developed a better database to integrate, store, manage, and search your data:

1. Improved data integration – Using MarkLogic to integrate data helps prevent a spaghetti architecture of data silos and ETL from consuming time and resources, and opening up unnecessary security vulnerabilities.

2. Centralized data governance – Bringing your data together in MarkLogic aids developers and the security experts by centralizing a lot of the security policies and reducing the time they would have ordinarily spent duplicating security and data governance across applications.

3. Fine-grained security capabilities – MarkLogic’s fine-grained security is on by default, and provides the necessary access controls that modern enterprises need to manage data access while not limiting the ability to share their data securely.

By choosing a database like MarkLogic that is built with the necessary controls for modern data security, you can get the agility you need while still having a system you can trust with your most critical data. In other words, you can have both agility and security.

Additional Resources
The following are additional resources that provide more information about security and data governance.

PRESENTATION
Security Keynote: SVP of Engineering
David Gorbet, SVP of Engineering, MarkLogic
Provides an overview of MarkLogic’s approach to security and data governance.

PRESENTATION
Data Security In Practice
Caio Milani, Director of Product Management, MarkLogic
Provides an overview of security features in MarkLogic, including the new features in MarkLogic 9: Encryption, Element Level Security, and Redaction.

PRESENTATION
Data Governance in an Unpredictable World
Damon Feldman, Ph.D., Solutions Director, MarkLogic
Provides examples of how MarkLogic improves data governance in regulated industries.

© 2018 MARKLOGIC CORPORATION. ALL RIGHTS RESERVED. This technology is protected by U.S. Patent No. 7,127,469B2, U.S. Patent
No. 7,171,404B2, U.S. Patent No. 7,756,858 B2, and U.S. Patent No 7,962,474 B2. MarkLogic is a trademark or registered trademark of
MarkLogic Corporation in the United States and/or other countries. All other trademarks mentioned are the property of their respective owners.

MARKLOGIC CORPORATION
999 Skyway Road, Suite 200 San Carlos, CA 94070
+1 650 655 2300 | +1 877 992 8885 | [Link] | sales@[Link]