Are you kept awake at night with fears about undiscovered security flaws in your database server? You're not alone! Many database professionals hesitate to blindly trust the assurances they receive from vendors that a product is secure.

If you're running Oracle 7 or Microsoft SQL Server 2000 (version 8.0), you can rest a little easier tonight! The National Security Agency (NSA) has evaluated these products under the Trusted Computer System Evaluation Criteria (TCSEC) and found that they meet the criteria's requirements for use on government computer systems. These criteria, published in 1985 and better known as the "Orange Book," are the yardstick against which the nation's computer security experts evaluated information systems. Ratings range from the strict (and extremely rare) A1 rating of "Verified Design" down to the D rating of "Minimal Protection," assigned to systems that fail to meet the minimum government security standards.

How did your favorite product fare? In its report on Oracle 7, NSA awarded a C2 rating, signifying "Controlled Access Protection": discretionary access control, individual accountability through login procedures and audit trails, and protection against reuse of freed storage objects. From a review of the security section of Oracle's web site, it appears that Oracle does not intend to begin the expensive and lengthy TCSEC process for Oracle 8. Oracle Corporation appears instead to be counting on the International Common Criteria, the scheme that has since replaced TCSEC. For the truly paranoid, Oracle also offers a more secure platform, Trusted Oracle 7, which was awarded the higher B1 rating of "Labeled Security Protection" (mandatory access control driven by sensitivity labels on data). This level of protection is mainly of interest to government agencies with strict product acquisition guidelines and requirements.

Microsoft Corporation was awarded the same C2 rating for SQL Server 2000. The rating was based on a system running Windows NT Server 4.0 with Service Pack 6a, and it applies only to that combination. NSA cited as strengths SQL Server's full row-level locking, centralized administration and tight integration with the Windows NT identification and authentication facilities. Since TCSEC evaluations have been superseded by the Common Criteria, any evaluation of SQL Server 2005 will come under that scheme rather than as another C2 rating, so stay tuned on that front.

When planning your own database environment, be sure to take these evaluations with a grain of salt. NSA certifies only specific versions of products running on very specific hardware and software configurations, with particular options enabled (for SQL Server 2000, that includes its C2 audit mode); a server on a different operating system, service pack or setting falls outside the evaluated configuration. Read the exact parameters by reviewing NSA's Evaluated Products List before you rely on a rating. Keep in mind also that the database certifications cover only the database server itself, not the applications built on it or the people administering it. Bad security administration practices can easily undermine even the most secure platform, so develop and stick to a database security policy tailored to your environment!
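As an added illustration of checking a server against an evaluated configuration (this is the editor's example, not a script from the article or from NSA's evaluation report), the Transact-SQL below inspects the SQL Server 2000 settings that the C2 rating leans on: the exact product version and service pack, Windows-only authentication, and the C2 audit mode option. It assumes you are connected as a member of the sysadmin role. Whether a given value actually matches the evaluated configuration must still be confirmed against the Evaluated Products List entry; the script only surfaces the settings.

```sql
-- Added example, not from the original article: pre-flight check for a
-- SQL Server 2000 instance before trusting its C2 rating. Run as sysadmin.

-- 1. Record the exact product version and service pack. The rating covered
--    SQL Server 2000 (8.0) on Windows NT 4.0 SP6a only, so anything else is
--    outside the evaluated configuration.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS service_pack,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Check the authentication mode. 1 means Windows Authentication only,
--    which delegates identification and authentication to Windows NT (the
--    integration NSA credited); 0 means Mixed Mode, where SQL Server logins
--    with their own passwords are also accepted.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Show the current state of C2 audit mode, which is off by default.
--    Two columns matter: config_value (stored) and run_value (in effect).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'c2 audit mode';

-- 4. Turn it on. C2 audit mode records successful and failed access attempts
--    for statements and objects to trace files in the instance's data
--    directory. The new value is stored now but only takes effect after the
--    SQL Server service is restarted.
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;

-- 5. Re-read the option: config_value should now be 1, and run_value will
--    become 1 after the restart.
EXEC sp_configure 'c2 audit mode';
```

One caveat before enabling this in production: with C2 audit mode on, SQL Server shuts itself down if it cannot write to the audit log (for example, when the disk holding the trace files fills up). That is the behaviour the evaluation wanted, since an unauditable action must not proceed, but it means the audit volume needs monitoring and free-space alerts of its own.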