Hello, I'm Petra Manche! I work in the Security Evaluations team in Oracle's Security Assurance Group. Security Evaluations are a critical part of Oracle Software Security Assurance, and my team is responsible for managing the independent security evaluations of all Oracle products.
Oracle recently completed the evaluations of Oracle Database 10g Release 2 (10.2.0.3) and Oracle Label Security 10g Release 2 (10.2.0.3) against Common Criteria assurance level EAL4+ and against the U.S. Government Protection Profile for Database Management Systems in Basic Robustness Environments (Version 2.1). As usual, Oracle evaluated the Enterprise Edition of the Database, but for the first time we also evaluated Standard Edition and Standard Edition One. Real Application Clusters (RAC), Enterprise Users, and Partitioning were also included in these evaluations for the first time.
For those who don't know what Security Evaluations are: independent bodies (accredited laboratories) examine Information Technology products and systems against a published set of criteria, and if the examination is passed, a certificate is awarded (usually by a government body). This process gives end users, including government and military institutions, confidence in the security of the evaluated products.
Oracle has a long history among IT vendors of having security evaluations performed on its products. Since committing to the security evaluation process in 1990, Oracle has successfully completed 29 security evaluations. Many of the early evaluations were on Oracle Database Server, but more recently we have extended our scope and evaluated other products including Oracle Enterprise Linux, Oracle Application Server and Oracle Internet Directory.
Oracle is currently committed to evaluating its products under two industry standards:
- FIPS 140 for cryptographic modules, and
- Common Criteria for Information Technology Security Evaluation.
FIPS stands for Federal Information Processing Standard. The full title of FIPS 140 is "FIPS 140-2: Security Requirements for Cryptographic Modules." It is published by the U.S. National Institute of Standards and Technology (NIST). Hardware, firmware and software cryptographic modules are all tested and validated against the standard, and a validated module may only use NIST-approved cryptographic algorithms. FIPS 140-3 is currently being drafted, and representatives from Oracle will attend the upcoming FIPS 140-3 Software Security Workshop.
Common Criteria (CC) is also known as ISO/IEC standard 15408. The full title of the standard is "Common Criteria for Information Technology Security Evaluation". The Common Criteria is a single framework of evaluation criteria for products or systems. It is designed to cover the whole development lifecycle, from design, implementation and testing through to delivery and installation of the product or system, so that an independent third party can confirm that development practices have been documented, followed and enforced correctly.
A common misconception about the Common Criteria is that the entire product is always evaluated in this process. In fact, it is the security-related functions and the parts of the product that interact with those security functions that are evaluated. These make up the scope of the evaluation, a.k.a. the "Target of Evaluation". The product is installed in an evaluated configuration, in which some of the product functionality may be disabled, but the product must still be able to perform its normal function. Information on what exactly has been evaluated is found in a document called the "Security Target". This document is publicly available once a product has been certified. Security Targets for Oracle software are available on the Security Evaluation page on Oracle Technology Network.
Under these two standards, Oracle has to date completed four FIPS 140 validations and 15 Common Criteria evaluations. A listing of the evaluations that have been completed or are currently underway can be found on Oracle's Security Evaluation status page.
Note that Oracle not only performs evaluations, but also actively participates in the development of the Common Criteria. Oracle is a member of the Common Criteria Vendors Forum (CCVF), which works with the Common Criteria international organisations to enhance the Common Criteria and address common issues within the criteria. In a previous blog entry, Duncan Harris discussed some of the limitations of the current version of the Common Criteria.
More information on Oracle Software Security Assurance is available on Oracle.com. The Security Evaluation page on Oracle Technology Network provides detailed information about Oracle's involvement with Security Evaluations.