Oracle Cross Domain Security Express
By Glenn Faden-Oracle on Feb 11, 2010
On January 27 Oracle announced that it had finalized its acquisition of Sun. This week I accepted an offer of employment from Oracle so I will be continuing in my role as one of the leaders of the Solaris security development team. Trusted Extensions remains a key part of that strategy, and is specifically highlighted in John Fowler's Webcast. There is about a minute devoted to Solaris security, starting a 4:38 and a slide at 5:30 showing Trusted Extensions and RBAC (two of my favorites) as key Solaris features.
Oracle and Sun have a long history of cooperation in the area of multilevel security, and I have been personally involved in some interesting projects. My earliest involvement dates back to 1991 when Oracle and Sun demonstrated Trusted Oracle running on SunOS CMW at 14th annual National Computer Security Conference in Baltimore. I presented a white paper at the conference entitled Reconciling CMW Requirements with those of X11 Applications.
I had another opportunity to work with Oracle, starting in 2006, prototyping a cross-domain architecture using labeled zones to proxy SQL requests from separate application enclaves. Oracle was our first partner to use Trusted Extensions, even before it was integrated into Solaris 10 update 3.
The prototype was successful, and after significant refinement has been released under the name Oracle Cross-Domain Security Express. It has been authorized to operate on US government networks and has been certified and accredited according to DCID 6/3 PL4 requirements. A brochure describing the solution is available on the Oracle Website. As you can see, it relies on labeled zones and trusted networking to provide isolation and to associate labels with client requests.
For an interactive description, I recommend the YouTube video that one of my new Oracle colleagues, Jonathan Bakke, has posted. Jon is the Senior Director of the Cross-Domain Systems group. We first met back in 2006, about the time I started this blog.