Oracle security standard, instead of Week of Oracle Bugs
Initially proclaimed from the rooftops, then vanished in the night: regardless of what was announced last week, the Week of Oracle Database Bugs (WoODB) has now been called off. Its initiators have provided no detailed explanation. They have only said: there were too many problems for the event to go forward. One reason may well have been the criticisms levelled by other security specialists: that no one was being served by the event; and that given Oracle's policy of releasing patches only once every three months, any holes publicised by the event would likely remain open until April 2007.
Oracle's new Identity Governance Framework (IGF) security standard is unlikely to have been the catalyst for the withdrawal. The framework does little to improve the quality of the software as a means of preventing intrusions and data theft. It instead aims to make the transmission of personal data, such as credit card numbers, between different systems easier to track. Oracle claims that IGF will allow organisations like banks to inspect where names, addresses, account numbers and the information tied to them actually end up, and how. This makes it easier to fulfil compliance requirements like Sarbanes-Oxley (SOX), Gramm-Leach-Bliley or the European Data Protection Initiative.
Oracle created the framework on its own, but secured support from other companies like CA, Layer 7 Technologies, Novell, Ping Identity, Securent and Sun Microsystems. However, SAP, IBM and Microsoft are not members of that group. IBM already works with a similar solution, via the Tivoli Privacy Manager. Microsoft never agreed to the Liberty Alliance and OASIS (Organization for the Advancement of Structured Information Standards) that are the basis of the IGF and hence intends, for the foreseeable future, to continue pursuing its own identity management course with CardSpace (formerly InfoCard).
- Identity Governance Framework, specification from Oracle