Security Standards
While not directly related to SQL, security standards define the infrastructure within which it is employed, and are therefore of interest to SQL users. Usually, RDBMS software complies with these standards to a certain degree — either voluntarily, or under pressure from the government agencies that mandate requirements for the software's acceptance.

The first nationwide attempt to standardize security procedures for computer systems was undertaken in 1985 by the U.S. National Computer Security Center (NCSC). To be considered for a government contract, vendors had to achieve a certain level of security for their products through proctored testing. Dozens of vendors went through years of testing procedures (the process took three years, on average) just to be able to sell their products to government agencies. Vendors such as Sun, Oracle, and Novell received their certifications (either C1 or B2) in the early 1990s, following a directive that all computer systems storing sensitive information must be C2 certified.
International security standards
BS7799 and its international equivalent ISO 17799 are the most widely recognized security standards in the world. Their closest equivalent in the United States is the B1 security level.
ISO 17799 provides a detailed roadmap in several areas, and every company that seeks this standard's endorsement for its product must address all of these areas:

Business Continuity Planning. Mandates procedures for continuing business activities in spite of major failures or disasters.

System Access Control. Focuses on controlling access to information; ensures protection of networked services; detects and counteracts unauthorized activity; ensures information security for distributed mobile applications.

System Development and Maintenance. Mandates that security be built in (as opposed to external); deals with data loss prevention and data misuse, as well as with confidentiality, authenticity, and integrity of information.

Physical and Environmental Security. Deals with preventing unauthorized access, damage, and interference to business premises and information; prevents loss, compromise, or theft of information and information processing facilities.

Compliance. Avoids breaches of any criminal or civil law and of statutory, regulatory, or contractual obligations; ensures compliance of every system in the organization with established organizational security policies and standards; minimizes interference of the audit process with business practices.

Personnel Security. Reduces risks resulting from human error, theft, fraud, or misuse of facilities, minimizing damage in case such incidents occur; educates users about proper policy procedures.

Security Organization. Manages information security within an organization; maintains security for the organization's facilities accessed by third parties, for example, when the responsibility for information protection has been outsourced to a third party.

Computer and Operation Management. Deals with the facility's operational policies; ensures safety of information in the networks and the supporting infrastructure; prevents loss, misuse, or unauthorized modification of data exchanged between organizations.

Assets Classification and Control. Maintains protection of the corporate assets.

Policy. Establishes and manages a viable security policy within an organization.
In spite of the detailed standards, actual implementations of them might differ widely across the board. One reason for the differences is that there are so many standards; and, since the certification process can be very expensive, it is not a viable option for many businesses. Most banks in the United States, for example, do not use ISO standards, relying instead on SAS 70 auditing standards, while other companies prefer using ISO 9000/2000 standards.
Note: More information on information systems security can be accessed on one of these sites: www.infosyssec.com, www.firstgov.gov, www.sas70.com, and http://csrc.nist.gov/.
There are also emerging standards like the Common Criteria (CC) program. This program was started in 1996, initially by the United Kingdom, Germany, France, and the Netherlands, with strong support from the National Information Assurance Partnership (NIAP). Since then, 11 more countries have joined the program: Australia, New Zealand, Canada, Finland, Greece, Israel, Italy, Norway, Spain, and Sweden.
What Is C2 Security Level?
Class C2 is a security rating established by the U.S. National Computer Security Center (NCSC). It is granted to products that pass the Trusted Computer System Evaluation Criteria (TCSEC) tests (known as the Orange Book) administered by the Department of Defense. This rating is the absolute security minimum required for a product to be considered for employment in government agencies and offices that accumulate and process sensitive information.

The TCSEC standards were established in 1985 and have been updated numerous times since then. According to TCSEC, system security is evaluated at one of four levels, ranging from class A1 to class D.

Class D is defined as Minimum Security; meaning essentially — "In God we trust."

Class C1 is defined as Discretionary Security Protection; systems evaluated at this level have to meet security requirements by controlling user access to data.

Class C2, defined as Controlled Access Protection, complements class C1 by adding accountability features, such as login procedures, auditing capabilities to verify all users' actions (i.e., attempts to access, read, write, or delete any object), finely grained access privileges, and so on.

Class B1 is defined as Labeled Security Protection; systems at this level must have a stated policy model and specifically labeled data.

Class B2, defined as Structured Protection, adds a much more explicit and formal security policy to the B1 requirements.

Class B3, defined as Security Domains, adds stringent engineering and monitoring requirements.

Class A1 is defined as Verified Design; systems at this level are functionally equivalent to B3 systems, but in addition to all the features of all previous levels they must undergo formal functional analysis procedures to ensure security.
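The C2 accountability features listed above (individual login identities, an audit trail of every user's actions, and finely grained access privileges) are the ones an SQL user meets most directly, so here is an added example of what they look like inside an RDBMS. It is not code from the book and not any vendor's certification artifact; it is written in PostgreSQL-flavored SQL because column-level GRANT, PL/pgSQL trigger functions and SECURITY DEFINER are PostgreSQL features, and every name in it (the roles clerk_alice and auditor, the payroll and payroll_audit tables, the payroll_audit_fn trigger function) is hypothetical.

```sql
-- Added example (not from the book): C2-style accountability controls in
-- PostgreSQL-flavored SQL. All role, table and function names are hypothetical.
-- Run as the database owner (the role that will own the tables and the trigger).

-- 1. Login procedures: every person authenticates as a named role, so audit
--    records can be tied to an individual rather than to a shared account.
CREATE ROLE clerk_alice LOGIN;
CREATE ROLE auditor LOGIN;

-- 2. A protected object.
CREATE TABLE payroll (
    emp_id   integer PRIMARY KEY,
    emp_name text    NOT NULL,
    salary   numeric NOT NULL
);

-- 3. Finely grained access privileges: the clerk may read identities but not
--    salaries, may change only the salary column, and may not delete rows.
REVOKE ALL ON payroll FROM PUBLIC;
GRANT SELECT (emp_id, emp_name) ON payroll TO clerk_alice;
GRANT UPDATE (salary)           ON payroll TO clerk_alice;

-- 4. Auditing: who did what, to which row, and when. Only the auditor may read
--    the trail; no ordinary user holds INSERT, UPDATE or DELETE on it.
CREATE TABLE payroll_audit (
    audit_id   bigserial   PRIMARY KEY,
    actor      text        NOT NULL,   -- the authenticated login (session_user)
    action     text        NOT NULL,   -- INSERT, UPDATE or DELETE
    emp_id     integer,
    old_salary numeric,
    new_salary numeric,
    at_time    timestamptz NOT NULL DEFAULT now()
);
REVOKE ALL ON payroll_audit FROM PUBLIC;
GRANT SELECT ON payroll_audit TO auditor;

-- SECURITY DEFINER lets the trigger write to payroll_audit with the owner's
-- rights, so the acting user needs (and gets) no privilege on the trail itself.
-- session_user is the login identity and is unaffected by SECURITY DEFINER.
CREATE OR REPLACE FUNCTION payroll_audit_fn() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO payroll_audit (actor, action, emp_id, old_salary)
        VALUES (session_user, TG_OP, OLD.emp_id, OLD.salary);
        RETURN OLD;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO payroll_audit (actor, action, emp_id, old_salary, new_salary)
        VALUES (session_user, TG_OP, NEW.emp_id, OLD.salary, NEW.salary);
        RETURN NEW;
    ELSE  -- INSERT
        INSERT INTO payroll_audit (actor, action, emp_id, new_salary)
        VALUES (session_user, TG_OP, NEW.emp_id, NEW.salary);
        RETURN NEW;
    END IF;
END;
$$;

CREATE TRIGGER payroll_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON payroll
FOR EACH ROW EXECUTE FUNCTION payroll_audit_fn();

-- 5. Exercising the controls. Connected as clerk_alice:
--      SELECT emp_id, emp_name FROM payroll;                 -- permitted
--      SELECT salary FROM payroll;                           -- refused: permission denied
--      UPDATE payroll SET salary = 52000 WHERE emp_id = 1;   -- permitted and audited
--      DELETE FROM payroll WHERE emp_id = 1;                 -- refused: no DELETE privilege
--    Connected as auditor, the trail shows one UPDATE row with actor = 'clerk_alice':
SELECT actor, action, emp_id, old_salary, new_salary, at_time
FROM payroll_audit
ORDER BY audit_id;
```

Two details matter for the audit trail's credibility. The trigger records session_user rather than current_user, because inside a SECURITY DEFINER function current_user is the function's owner; and the clerk's UPDATE assigns a literal rather than an expression such as salary * 1.03, since reading the salary column in the SET clause would require a SELECT privilege that the clerk deliberately does not hold.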
The National Security Agency (NSA) instituted — beginning July 2002 — that all new national security systems (and that includes RDBMS software) must pass the rigorous testing mandated by the CC; there are also indications that this requirement might spread to every government organization.
Note: Usually database vendors are certified at the C2 level. As for the Common Criteria program, only Oracle has certified its products at the EAL4 CC certification level. Microsoft SQL Server 2000 received the C2 level of security certification from the NSA, and IBM DB2 UDB has yet to be certified.