Geez, enough of the political debates! Let's get back to the business at hand.
Here's an announcement from our favorite vendor:
Don't Let Microsoft's Claim of Superior Database Security Fool You
In a clever attempt to turn around its weak security image, Microsoft issued a press
release touting its superior database security after undergoing C2 certification.
Don't let the outdated C2 certification mislead your customers. Here is how you can
respond to Microsoft's misleading claim of having the most secure database over
Oracle:
Microsoft Press Release: "Of the current version enterprise databases from Oracle
Corp., IBM Corp. and Microsoft Corp., only SQL Server 2000 has achieved a C2 or higher
rating from the National Security Agency (NSA), making it a National Security Agency
Trusted Product."
Oracle Response:
Microsoft has finally joined the security evaluation club, only they are using
yesterday's standard.
No one does "Orange Book" evaluations any more. We got our first Orange Book C2
certificate for Oracle7 in April 1994!!!!
The NSA stated years ago that Orange Book was 'dead'. That is why the current release
of the Oracle database has not undergone C2 certification.
The Orange Book has been superseded by the internationally recognized, ISO standard
Common Criteria and all leading edge products are currently being evaluated by this
new standard. What database vendor received the first Common Criteria certificate for
commercial database? Oracle.
This is nothing more than the usual marketing drivel from Redmond, the folks that
bring millions of users the weekly Internet Information Server (IIS) security patch.
How many ecommerce web sites running the Microsoft platform have had their customers'
credit card numbers compromised and exposed? The public has lost count.
Why is this important?
Internet security is a top concern for C-level executives due to the risks involved. A
single security breach can result in financial loss, public distrust, and even
imprisonment. See the alarming statistics:
- An estimated $1.6 trillion was lost last year worldwide due to downtime associated
  with Internet security breaches (InformationWeek)
- 2 out of 3 U.S. corporations, government agencies, financial institutions, medical
  institutions and universities acknowledged financial losses last year due to computer
  security breaches (Computer Security Institute Survey March 2001)
- $276.5 million lost by Europeans in 2000 due to online credit card fraud from poor
  Web-site security and security breaches (European Union)
Customers need assurance that the Internet infrastructure maintaining their critical
data is well protected. Third party, independent security evaluators such as the
TCSEC, ITSEC, and the Common Criteria, to name a few, should give your customers
confidence that the products they purchase have been thoroughly tested for security
assurance. Your customers can trust Oracle, the only vendor with 13 security
evaluations of its database server. See scorecard below:
Database Server Products

Security Evaluation                 Oracle   IBM   Microsoft
----------------------------------  ------   ---   ---------
TCSEC, level B1                     1        0     0
TCSEC, level C2                     1        0     1
ITSEC, levels E3/F-C2               3        0     0
ITSEC, levels E3/F-B1               2        0     0
Russian Criteria, levels III, IV    2        0     0
Common Criteria, level EAL-4        3        0     0
FIPS-140, level 2                   1        0     0
Total                               13       0     1
A detailed list of certifications for individual Oracle server products can be found
at the Oracle security evaluations web site. For more information about the
terminology on the chart, download the Oracle white paper, Computer Security Criteria:
Security Evaluations and Assessment.
What other security advantages does Oracle have over competitors?
Security assurance does not stop with independent evaluations. An internet
infrastructure requires multiple layers of security processes to ensure that
exploitation or failure of one mechanism does not compromise sensitive data. Oracle
integrates unique, multiple layers of security processes within the database to ensure
the overall protection and privacy of your most valuable asset - information. See
feature comparison below:
Database Feature Comparison

Feature                     Oracle9i   IBM UDB                SS 2000
--------------------------  --------   --------------------   -------
Virtual Private Database    Yes        No                     No
Label Security              Yes        No                     No
Selective Data Encryption   Yes        (IBM Platforms only)   No
Fine-grained auditing       Yes        No                     No
The Internet Platform Security Services address both technology and methodology
meeting the end-to-end security requirements of an e-business. Our security services
ensure that security policies and system components such as firewalls, intrusion
detection systems, web servers, application servers and data servers, are themselves
secure and interact with each other reliably.
What press or publications support Oracle's strong security?
Oracle, IBM zero in on database security - eWeek (March 2001)
Securing Oracle - Information Security Magazine (Sept 2000)
Oracle8i: Polished for Web - eWeek (March 2000)
Oracle Internet Directory: A Mission-Critical Directory Built for Heavy Lifting -
Aberdeen Group (2000)
Who are some of the customers and partners using Oracle's security technology?
Excite@Home
U.S. Air Force
FirstWorld Communications
Trusted Computer Solutions (E-Leaders)
U.S. Department of Interior
Chase Manhattan Bank
Braintree
Protegrity
Kaiser Permanente
Tomax
Covisint
The best reference is Oracle itself:
Oracle Global IT
Oracle E-Business Suite
Exchange.oracle.com
Oracle Portal Online
Sales.Oracle.com
Where can I find more security related information?
Respond against Microsoft's C2 certification press release:
http://compete3.us.oracle.com/rt/docs/DATABASE/SS2K_SECURITY.HTML
Sales/Marketing: http://marketing.us.oracle.com/security
Technical information: http://security.us.oracle.com
oracle.com: http://www.oracle.com/ip/solve/security/index.html?content.html
otn: http://technet.oracle.com/deploy/security/
Who can I contact for security assistance?
Product Marketing: [EMAIL PROTECTED]
Product Management: [EMAIL PROTECTED]
Sales: [EMAIL PROTECTED]
Consulting: [EMAIL PROTECTED]
Oracle Worldwide Marketing
--
Author: Tim Sawmiller