Energy and Oracle negotiate a license with security benchmarks

Energy and Oracle negotiate a license with security benchmarks

The Energy Department has struck a deal with Oracle Corp. under an enterprise license agreement requiring the database vendor to configure its software to meet new security benchmarks.

'We have a large installed Oracle base within the department,' Energy CIO Karen Evans said today at a press conference announcing the deal. 'We leveraged our business requirements' when negotiating with the company to consolidate its Oracle licenses under a single contract.

Oracle also will test any security patches released to Energy against the benchmarks to facilitate patch management.

The security benchmarks also were announced today by the Center for Internet Security, a nonprofit industry organization. The 50-page document represents a consensus of government and commercial users on how Oracle8i and Oracle9i should be configured to achieve a basic level of security. It applies to software running under both Microsoft Windows and Unix.

The benchmarks join a growing number of configuration benchmarks for software, including those for Windows NT and 2000, Linux and communication software for routers from Cisco Systems Inc. of San Jose, Calif.

The task force that compiled the Oracle benchmarks included representatives from government agencies such as Energy, the Defense Department and the National Security Agency, and companies such as Campbell Soup.

Although vendors have cooperated on developing configuration benchmarks, they typically do not ship their products with those default settings because user requirements vary. Tim Hoechst, senior vice president of technology at Oracle, said the size of the Energy deal made it worthwhile to custom configure the software for the department.

Besides custom configuration and patch services, Energy will also have access to internal Oracle information on software vulnerabilities being tracked by the company. Evans said these services were negotiated into the basic cost of the contract.

'We did not pay extra on our license,' she said. She said the costs to Oracle should be offset by the savings from centralizing management of Energy licenses under a single deal. 'That generates efficiencies on their end.'

The enterprise license is being phased in over two stages. The first will cover headquarters offices and contractors and the second all other facilities. The cost of the Phase 1 license implementation is $5 million.

Energy also will use configuration management software from Opsware Inc. of Sunnyvale, Calif., to ensure standard configurations of operating systems when Energy offices download Oracle software for installation.

Evans, who has been named to take over as the Office of Management and Budget's director of e-government and IT, said she would like to expand the Oracle agreement across government under the General Services Administration's SmartBuy program. So far, GSA has not set any governmentwide licenses for the new program.

The Center for Internet Security is developing a free automated tool to analyze a user's Oracle configuration and rate it against the benchmark settings. Federal uses will be able to access both the tool and the benchmarks from the Web site of the Federal Computer Incident Response Center.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group