The US National Computer Security Center has chosen three database management systems for its Trusted Product Evaluation Programme: Oracle v.7 for C2 level security and Trusted Oracle and a version of Informix for B1 level security, several other vendors’ product offerings were not selected and will have to wait a year or more for the next evaluation programme. The Security Center is currently working on a database interpretation of security for its Rainbow Series of texts. Following on from the Orange Book for operating systems and the Red Book for networks comes the Lavender Book for databases. Trusted Oracle will be available later this year and will be implemented on multi-level secure environments such as Digital Equipment Corp’s Security Enhanced VMS, Hewlett-Packard Co’s BLS 8.04 Unix, and AT&T Co’s System V/MLS Unix. As well as standard Oracle features, Trusted Oracle will also support the classification of data and users at multiple sensitivity levels for mandatory access control security. Oracle v.7 will have C2 level security features as standard – enhanced discretionary access controls, auditing and security administraiton capabilities – although users that require an assured C2 level of security need to run the database in a C2 operating environment. The new secure Oracle products are also designed to meet the equivalent European Information Technology Sec urity Evaluation Criteria.
