Oracle and US Dept of Energy deal to focus on security model

Last week's announcement by the US Department of Energy that it will use Oracle to deliver software configured for optimal security could be the start of a different security model for the government and industry.

The potential shift stems from the government's push to use a security configuration benchmark developed by the Center for Internet Security (CIS) to test and certify Oracle database versions 8i and 9i running on Windows and Unix.

The benchmark, developed with dozens of Oracle software users and the Sans Institute through the CIS, will be available to anyone, free of charge at the CIS website.

"Oracle not only agreed to deliver a safely configured system but also to deliver hot fixes and patches automatically and to ensure that none of those fixes undoes the security settings," said Alan Paller, director of research at the Sans Institute.

This solves two huge problems for software buyers, said Paller, because they will no longer have to search for patches and they will no longer have to test patches to determine whether they would unravel other key security settings.

The DoE will now receive data on bugs and fixes through an internal, Oracle-run automated bug-tracking system. Through this system, the company will automatically deliver patches to a central server at the DoE.

The agency signed a separate contract with Opsware to ensure that every DoE system has the most up-to-date configuration of Oracle software, therefore enabling patches to proliferate automatically throughout the network.

Tim Hoechst, Oracle's senior vice-president of technology for government, education and health care, said the release of the CIS-developed Oracle benchmark in conjunction with the DoE contract is designed to ensure that customers configure their software properly so they can take full advantage of the security features.

"Designing our products with secure functionality does not necessarily mean our customers take advantage of that functionality. What this does is produce guidelines for how to best use the technology," Hoechst said.

Clint Kreitner, president and chief executive officer of CIS, said that until now, much of the focus has been on influencing operating system suppliers to improve security and support.

The next phase will focus on application suppliers.

"People don't buy computers around operating systems," Kreitner said. "They buy them around applications."

The DoE's contract with Oracle is something other agencies and companies should consider emulating, he added.

Dan Verton writes for Computerworld