
Don't Let Microsoft's Claim of Superior Database Security Fool

From: Tim Sawmiller <sawmillert_at_state.mi.us>
Date: Tue, 17 Apr 2001 05:36:26 -0700
Message-ID: <F001.002EAA4E.20010417053545@fatcity.com>

Geez, enough of the political debates! Let's get back to the business at hand. Here's an announcement from our favorite vendor:

Don't Let Microsoft's Claim of Superior Database Security Fool You

In a clever attempt to turn around its weak security image, Microsoft issued a press release touting its superior database security after undergoing C2 certification. Don't let the outdated C2 certification mislead your customers. Here is how you can respond to Microsoft's misleading claim of having the most secure database over Oracle:

Microsoft Press Release: "Of the current version enterprise databases from Oracle Corp., IBM Corp. and Microsoft Corp., only SQL Server 2000 has achieved a C2 or higher rating from the National Security Agency (NSA), making it a National Security Agency Trusted Product."
Oracle Response:
Microsoft has finally joined the security evaluation club, only they are using yesterday's standard.
No one does "Orange Book" evaluations any more. We got our first Orange Book C2 certificate for Oracle7 in April 1994!!!! The NSA stated years ago that Orange Book was 'dead'. That is why the current release of the Oracle database has not undergone C2 certification. The Orange Book has been superseded by the internationally recognized, ISO standard Common Criteria and all leading edge products are currently being evaluated by this new standard. What database vendor received the first Common Criteria certificate for commercial database? Oracle.
This is nothing more than the usual marketing drivel from Redmond, the folks that bring millions of users the weekly Internet Information Server (IIS) security patch. How many ecommerce web sites running the Microsoft platform have had their customers' credit card numbers compromised and exposed? The public has lost count.  

   Why is this important?
Internet security is a top concern for C-level executives due to the risks involved. A single security breach can result in financial loss, public distrust, and even imprisonment. See the alarming statistics:

An estimated $1.6 trillion was lost last year worldwide due to downtime associated with Internet security breaches (InformationWeek)
2 out of 3 U.S. corporations, government agencies, financial institutions, medical institutions and universities acknowledged financial losses last year due to computer security breaches (Computer Security Institute Survey March 2001)
$276.5 million lost by Europeans in 2000 due to online credit card fraud from poor Web-site security and security breaches (European Union)

Customers need assurance that the Internet infrastructure maintaining their critical data is well protected. Third party, independent security evaluators such as the TCSEC, ITSEC, and the Common Criteria, to name a few, should give your customers confidence that the products they purchase have been thoroughly tested for security assurance. Your customers can trust Oracle, the only vendor with 13 security evaluations of its database server. See scorecard below:

    Database Server Products

Security Evaluation                Oracle  IBM  Microsoft
TCSEC, level B1                    1       0    0
TCSEC, level C2                    1       0    1
ITSEC, levels E3/F-C2              3       0    0
ITSEC, levels E3/F-B1              2       0    0
Russian Criteria, levels III, IV   2       0    0
Common Criteria, level EAL-4       3       0    0
FIPS-140, level 2                  1       0    0
Total                              13      0    1

A detailed list of certifications for individual Oracle server products can be found at the Oracle security evaluations web site. For more information about the terminology on the chart, download the Oracle white paper, Computer Security Criteria: Security Evaluations and Assessment.  

   What other security advantages does Oracle have over competitors?
Security assurance does not stop with independent evaluations. An internet infrastructure requires multiple layers of security processes to ensure that exploitation or failure of one mechanism does not compromise sensitive data. Oracle integrates unique, multiple layers of security processes within the database to ensure the overall protection and privacy of your most valuable asset - information. See feature comparison below:

    Database Feature Comparison

Feature                     Oracle9i  IBM UDB               SS 2000
Virtual Private Database    Yes       No                    No
Label Security              Yes       No                    No
Selective Data Encryption   Yes       (IBM Platforms only)  No
Fine-grained auditing       Yes       No                    No

   

The Internet Platform Security Services address both technology and methodology meeting the end-to-end security requirements of an e-business. Our security services ensure that security policies and system components such as firewalls, intrusion detection systems, web servers, application servers and data servers, are themselves secure and interact with each other reliably.  

   What press or publications support Oracle's strong security?
Oracle, IBM zero in on database security - eWeek (March 2001)

Securing Oracle - Information Security Magazine (Sept 2000)

Oracle8i: Polished for Web - eWeek (March 2000)

Oracle Internet Directory: A Mission-Critical Directory Built for Heavy Lifting - Aberdeen Group (2000)  

   Who are some of the customers and partners using Oracle's security technology?
Excite@Home
U.S. Air Force
FirstWorld Communications
Trusted Computer Solutions (E-Leaders)
U.S. Department of Interior
Chase Manhattan Bank
Braintree
Protegrity
Kaiser Permanente
Tomax
Covisint
The best reference is Oracle itself:
Oracle Global IT
Oracle E-Business Suite
Exchange.oracle.com
Oracle Portal Online
Sales.Oracle.com

   Where can I find more security related information?
Respond against Microsoft's C2 certification press release: http://compete3.us.oracle.com/rt/docs/DATABASE/SS2K_SECURITY.HTML

Sales/Marketing: http://marketing.us.oracle.com/security

Technical information: http://security.us.oracle.com

oracle.com: http://www.oracle.com/ip/solve/security/index.html?content.html

otn: http://technet.oracle.com/deploy/security/

   Who can I contact for security assistance?
Product Marketing: mona.patel_at_oracle.com

Product Management: infosec_us_at_oracle.com

Sales: secure_us_at_oracle.com

Consulting: greg.rogers_at_oracle.com

   Oracle Worldwide Marketing     

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Tim Sawmiller
  INET: sawmillert_at_state.mi.us

Received on Tue Apr 17 2001 - 07:36:26 CDT
