Security Standards

While not directly related to SQL, security standards define the infrastructure within which SQL is employed, and are therefore of interest to SQL users. RDBMS software usually complies with these standards to a certain degree, either voluntarily or under pressure from the government agencies that mandate requirements for the software's acceptance.

The first nationwide attempt to standardize security procedures for computer systems was undertaken in 1985 by the U.S. National Computer Security Center (NCSC). To be considered for a government contract, vendors had to achieve a certain level of security for their products through proctored testing. Dozens of vendors went through years of testing procedures (the process took three years on average) just to be able to sell their products to government agencies. Vendors such as Sun, Oracle, and Novell received their certifications (either C1 or B2) in the early 1990s, following a directive that all computer systems storing sensitive information must be C2 certified.

International security standards

BS7799 and its international equivalent ISO 17799 are the most widely recognized security standards in the world. Their closest equivalent in the United States is the B1 security level.

ISO 17799 provides a detailed roadmap in several areas, and every company that seeks this standard's endorsement for its product must address all of these areas:

  • Business Continuity Planning. Mandates procedures for continuing business activities in spite of major failures or disasters.

  • System Access Control. Focuses on controlling access to information; ensures protection of networked services, detects and counteracts unauthorized activity, and ensures information security for distributed mobile applications.

  • System Development and Maintenance. Mandates that security be built in (as opposed to external); deals with data loss prevention and data misuse, as well as with the confidentiality, authenticity, and integrity of information.

  • Physical and Environmental Security. Deals with preventing unauthorized access, damage, and interference to business premises and information, and with preventing loss, compromise, or theft of information and information processing facilities.

  • Compliance. Avoids breaches of any criminal or civil law, statutory, regulatory, or contractual obligations; ensures compliance of every system in the organization with established organizational security policies and standards; minimizes interference of the audit process with business practices.

  • Personnel Security. Reduces risks resulting from human error, theft, fraud, or misuse of facilities, and minimizes damage when such incidents do occur; educates users about proper policy procedures.

  • Security Organization. Manages information security within an organization; maintains security for the organization's facilities accessed by third parties, for example, when the responsibility for information protection has been outsourced to a third party.

  • Computer and Operation Management. Deals with a facility's operational policies; ensures the safety of information in the networks and the supporting infrastructure, and prevents loss, misuse, or unauthorized modification of data exchanged between organizations.

  • Assets Classification and Control. Maintains protection of the corporate assets.

  • Policy. Establishes and manages a viable security policy within an organization.

In spite of the detailed standards, actual implementations of them can differ widely across the board. One reason for the differences is that there are so many standards; another is that the certification process can be very expensive, so it is not a viable option for many businesses. Most banks in the United States, for example, do not use ISO standards, relying instead on SAS 70 auditing standards, while other companies prefer using ISO 9000/2000 standards.

Note 

More information on information systems security can be accessed on one of these sites: www.infosyssec.com, www.firstgov.gov, www.sas70.com, and http://csrc.nist.gov/.

There are also emerging standards like the Common Criteria (CC) program. This program was started in 1996, initially by the United Kingdom, Germany, France, and the Netherlands with strong support from the National Information Assurance Partnership (NIAP). Since then 11 more countries have joined the program: Australia, New Zealand, Canada, Finland, Greece, Israel, Italy, Norway, Spain, and Sweden.

Sidebar: What Is the C2 Security Level?

Class C2 is a security rating established by the U.S. National Computer Security Center (NCSC). It is granted to products that pass the Trusted Computer System Evaluation Criteria (TCSEC) tests (known as the Orange Book) administered by the Department of Defense. This rating is the absolute security minimum required for a product to be considered for use in government agencies and offices that accumulate and process sensitive information.

The TCSEC standards were established in 1985 and have been updated numerous times since then. According to TCSEC, system security is evaluated at one of four levels, ranging from class A1 down to class D.

Class D is defined as Minimum Security; meaning essentially — "In God we trust."

Class C1 is defined as Discretionary Security Protection; systems evaluated at this level have to meet security requirements by controlling user access to data.

Class C2, defined as Controlled Access Protection, complements class C1 by adding accountability features, such as login procedures, auditing capabilities to verify all users' actions (i.e., attempts to access, read, write, or delete any object), finely grained access privileges, and so on.

Class B1 is defined as Labeled Security Protection; systems at this level must have a stated policy model, and specifically labeled data.

Class B2, defined as Structured Protection, adds a much more explicit and formal security policy to the B1 requirements.

Class B3, defined as Security Domains, adds stringent engineering and monitoring requirements.

Class A1 is defined as Verified Design; systems at this level are functionally equivalent to B3 systems, but in addition to all the features of the previous levels they must undergo formal functional analysis procedures to ensure security.

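To make the C1 and C2 distinction concrete for SQL users, here is an added example (not code from the book) of what the two classes look like inside a database. PostgreSQL 11 or later syntax is assumed; the role, table, and function names are hypothetical. Discretionary access control (class C1) is expressed with GRANT and REVOKE, and the C2 accountability features are expressed as an audit trail that records who changed what, kept in a table the users it records cannot alter.

```sql
-- Added example (not from the book): C1-style discretionary access control
-- and C2-style accountability in PostgreSQL. Names below are constructed.

-- C1, Discretionary Security Protection: the owner of an object decides who
-- may access it, down to the granularity of individual columns.
CREATE ROLE payroll_clerk   LOGIN PASSWORD 'change-me';   -- constructed roles
CREATE ROLE payroll_auditor LOGIN PASSWORD 'change-me';

CREATE TABLE employee (
    emp_id    INTEGER       PRIMARY KEY,
    full_name TEXT          NOT NULL,
    salary    NUMERIC(12,2) NOT NULL
);

-- Least privilege: the clerk may read the table and update salaries only;
-- the auditor may only read. Nobody else gets anything.
REVOKE ALL ON employee FROM PUBLIC;
GRANT SELECT, UPDATE (salary) ON employee TO payroll_clerk;
GRANT SELECT                  ON employee TO payroll_auditor;

-- C2, Controlled Access Protection: add accountability. Every successful
-- write to the object is recorded with the authenticated database user,
-- the operation, a timestamp, and the before/after values.
CREATE TABLE employee_audit (
    audit_id    BIGSERIAL     PRIMARY KEY,
    happened_at TIMESTAMPTZ   NOT NULL DEFAULT now(),
    db_user     TEXT          NOT NULL DEFAULT current_user, -- who did it
    operation   TEXT          NOT NULL,                      -- INSERT/UPDATE/DELETE
    emp_id      INTEGER,
    old_salary  NUMERIC(12,2),
    new_salary  NUMERIC(12,2)
);

-- SECURITY DEFINER makes the trigger run with the owner's privileges, so a
-- clerk who has no rights on employee_audit still gets logged.
CREATE OR REPLACE FUNCTION log_employee_change() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO employee_audit (operation, emp_id, old_salary)
        VALUES (TG_OP, OLD.emp_id, OLD.salary);
        RETURN OLD;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO employee_audit (operation, emp_id, old_salary, new_salary)
        VALUES (TG_OP, NEW.emp_id, OLD.salary, NEW.salary);
    ELSE
        INSERT INTO employee_audit (operation, emp_id, new_salary)
        VALUES (TG_OP, NEW.emp_id, NEW.salary);
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

CREATE TRIGGER employee_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON employee
    FOR EACH ROW EXECUTE FUNCTION log_employee_change();

-- The trail is append-only from the point of view of the people it records:
-- clerks have no privilege on it, auditors may only read it.
REVOKE ALL ON employee_audit FROM PUBLIC;
GRANT SELECT ON employee_audit TO payroll_auditor;
```

One caveat worth noting: a trigger only sees writes that succeeded. The C2 wording covers attempts, including reads and denied accesses, and those must come from the server's own audit facilities (in PostgreSQL, for instance, the log_statement setting in postgresql.conf, or a dedicated audit extension), not from anything expressed in the schema.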

Beginning in July 2002, the National Security Agency (NSA) instituted a requirement that all new national security systems (which includes RDBMS software) must pass a rigorous test as mandated in CC; there are also indications that this might spread to every government organization.

Note 

Database vendors are usually certified at the C2 level. As for the Common Criteria program, only Oracle has certified its products at the EAL4 CC certification level. Microsoft SQL Server 2000 received C2 level security certification from the NSA, and IBM DB2 UDB has yet to be certified.


SQL Bible
Microsoft SQL Server 2008 Bible
ISBN: 0470257040
Year: 2005
Pages: 208