Get the Facts: Role Comparison Security Report: Database Server Role
Published: June 6, 2005
In many cases, the cost to enterprises of poor security acquisition and
deployment decisions has eclipsed other traditionally evaluated costs,
increasing total cost of ownership.
In this commissioned report, Security Innovation presents a role-based
comparison of the relative security of three different solutions
satisfying the database server role:
• Microsoft Windows Server 2003 running Microsoft SQL Server 2000 Service Pack 3 database server
• Red Hat Enterprise Linux 3.0 running MySQL database server
• Red Hat Enterprise Linux 3.0 running Oracle 10g database server
Looking at the database applications by themselves, the study found that
SQL Server 2000 had zero vulnerabilities in the one-year time period,
MySQL had 7 vulnerabilities, and Oracle 10g had 30 vulnerabilities.
The results of this study are intended to provide guidance to the IT
manager who must make platform acquisition and deployment decisions to
both maximize value and minimize security risk.
Included in This Document
• Executive Summary
• Introduction
• Analysis of Database Server Roles
• Qualitative Security Criteria
• Conclusions
• Appendix A: Step-by-Step Methodology
• Appendix B: Recommended Installation Procedures for Oracle 10g
In this study, Wipro surveyed 90 organizations that use both Windows and
open-source software to determine the costs of patching both
environments under similar conditions. Based on the results of this
research, Wipro concluded that:
• The annual costs of patching the security vulnerabilities of individual Windows-based and similar OSS-based systems are roughly comparable.
• On a per-patching event basis, Windows-based systems require less effort than similar OSS systems.
• Survey respondents assess the number of vulnerabilities that apply to their systems inaccurately.
• OSS-based systems faced with high-level and critical vulnerabilities are at risk longer than comparable Windows systems.
• Using patch-related best practices can reduce patching costs for both Windows and OSS systems.
Included in This Document
• Executive Summary
• Introduction
• Patch Management Costs
• Risk-related Costs
• Total Cost of Patching
• Conclusions and Recommendations
• Appendix A: About This Report
Security Innovation
(March 2005): "Role Comparison Report: Web Server Role" by Richard
Ford, Ph.D., Florida Institute of Technology; Herbert H. Thompson,
Ph.D., Security Innovation; and Fabien Casteran, M.Sc., Security
Innovation.
This study is intended to provide guidance to the
information technology manager who must make platform acquisition and
deployment decisions to both maximize value and minimize security risk.
One of the most common uses of a server platform is to host and deploy
distributed applications over the Web. This study presents a role-based
comparison of the relative security of two different platforms, based
on quantitative factors—such as numbers of security software flaws and
time to patch—and qualitative factors—such as ease of configuration and
default security stance.
Quantitative findings:
• The cumulative days of risk and the vulnerability counts illustrate that the number of vulnerabilities on the Windows Server 2003 platform is considerably less than the number for the Red Hat server.
• The average days of risk calculations across all vulnerabilities show that Windows Server 2003 has a lower average for days of risk. Furthermore, examination of outliers shows that there are fewer bugs in the very dangerous 90+ days of risk category.
Qualitative findings:
When looking at the software security factors that each vendor has the
ability to directly affect—software security quality and security
response—the data shows that a Web server workload built using Windows
Server 2003 has fewer security vulnerabilities requiring customer
mitigation or patching than a similar workload built on Red Hat
Enterprise Linux.
Included in This Document
• Executive Summary
• Scope of Analysis
• Acknowledgements
• Introduction
• Assumptions and Rules
• Analysis of Web Server Role
• Minimum Installation Analysis of Web Server Role
• Qualitative Security Criteria
• Conclusions
• Appendix A: Step-by-Step Methodology
Windows Users Have Fewer Vulnerabilities
Published: May 5, 2004
In this non-sponsored report, Forrester collected a year's worth of data
and analyzed Windows and four key Linux distributors on key metrics of
responsiveness to vulnerabilities, severity of vulnerabilities, and
thoroughness in fixing flaws.
• Responsiveness: On average, Microsoft had a fix available 25 days after a security issue was publicly disclosed.
• Thoroughness: Microsoft was the only vendor to have corrected 100% of the publicly known flaws during the study's time period.
• Relative Severity: Windows has the fewest vulnerabilities and the fewest "high severity" vulnerabilities of any platform measured.
Included in This Document
• Executive Summary
• Understanding the Vulnerability Life Cycle
• What Matters: Responsiveness, Relative Severity, and Thoroughness
• Microsoft, Debian Fix Fast; Red Hat, MandrakeSoft Miss Few Flaws
• Handling Competing Platform Requirements
• Supplemental Material
Windows 2000 passed the stringent and lengthy functional security
requirements of the International Organization for Standards (ISO)
Common Criteria Evaluation. Earning the EAL 4 + Flaw Remediation rating means:
• Windows 2000 achieved the highest security level for general-distribution commercial products.
• Microsoft has an established process for identifying, correcting, and distributing fixes to security flaws.
Included in This Document
• Introduction
• Benefits of the Common Criteria
• Windows 2000 Common Criteria Certifications
• Putting Windows 2000 Common Criteria Certifications into Action
• Summary
• Additional Resources
MB Financial Bank
Bank Reduces IT Costs, Improves Employee Productivity with Integrated Server Solution
MB Financial Bank is a rapidly growing provider of commercial financial
services. Its growth, arising largely from acquisitions, contributed to
a heterogeneous IT platform based on Novell NetWare for core functions
and various banking applications on the desktop. MB wanted to reduce
the inordinate amount of IT resources required to maintain its
infrastructure. It standardized on Microsoft Windows Server System
integrated server software with centralized tools to reduce IT costs
and improve security management, saving MB third-party update fees that
would have cost U.S.$156,000 per update. A standard desktop image, with
Microsoft Windows XP Professional and Microsoft Office Professional
Enterprise Edition 2003, reduced desktop management costs. Now that all
employees are using the same collaboration tools and the Microsoft
Office System, they are more productive.
MB Financial Bank is a U.S.$5.5 billion financial services
institution providing commercial banking, treasury management, personal
banking, and wealth management services in the Chicago, Illinois,
metropolitan area. MB is committed to providing personal,
relationship-oriented service, which sets it apart from its
competitors. To achieve that goal, it relies on a talented and
energized work force, as well as the most effective and efficient
operating systems.
However, after a period of mergers and acquisitions, MB's technology
platform had become a disparate set of systems held together with
third-party applications. Five different phone systems handled
communications for the branches and headquarters, and IT staff members
struggled to maintain and integrate two operating systems without
centralized management tools.
MB had been using Novell NetWare for the bulk of its core business
processes, including file and print services and application services;
eDirectory; ZENworks for network management; and GroupWise for
collaboration and messaging services. It also had two domains running
the Microsoft® Windows NT® Server operating system version 4.0 and two
servers running the Windows® 2000 Server operating system, for
applications that didn't perform on Novell. Most employees used
dedicated workstations for core banking applications that were
inefficiently integrated, and Microsoft Office programs had been
deployed on only 83 percent of the desktop computers.
Trying to manage and integrate all of the company's disparate IT
platforms consumed a great deal of time and money. Seemingly simple
tasks like setting up a user involved assigning more than one password
and required authentication on two different directory services. With
no centralized management or monitoring tools for the desktops and
servers, and no standard procedure for common IT tasks, the IT
department found itself in a constant reactive mode. Because they had
inconsistent capabilities for remote desktop management, IT staff
members made frequent trips through Chicago traffic to deploy software
and updates. A decentralized messaging system with GroupWise mailbox
servers located at every branch necessitated yet more trips to outlying
areas for troubleshooting and maintenance. To make matters more
difficult, servers at every branch were configured differently.
In addition to diverting valuable IT resources from strategic
endeavors to routine maintenance and crisis management, this situation
affected the business in other ways. "We have grown significantly
through mergers and acquisitions," says Larry Kallembach, Senior Vice
President and Chief Information Officer at MB Financial Bank. "However,
it was time-consuming and disruptive to integrate a new branch into our
heterogeneous IT platform. This painful process often cost us a week of
productivity. While we were trying to deploy technology to improve
customer service, we would end up with a deluge of other issues."
With disparate phone systems, networks, and desktop software, bank
employees could not easily communicate between branches. It was
complicated to even transfer calls to answer customers' questions.
Employees who worked in more than one branch relied on IT staff members
to manually authenticate them on different networks every time they
changed location.
What's more, complying with industry regulations governing data and
infrastructure security involved cumbersome manual processes.
"Maintaining security of our data and IT infrastructure is paramount,
and by not having a standard platform or centralized point of
administration, our staff worked many hours of overtime," says
Kallembach.
For MB Financial Bank, the purchase of a new 300,000-square-foot
data center served as a catalyst for moving forward with a much needed
infrastructure upgrade. The company narrowed its options to either
continuing with Novell's latest suite of server-side and desktop
products, or migrating to Microsoft Windows Server System™ integrated
server software that uses the Active Directory® service to provide
single-logon capability and a central repository for information about
MB's entire infrastructure.
"In many ways, when we evaluated Novell, we also evaluated Linux,"
says Mike Macikanycz, IT Engineering Manager at MB Financial Bank. "We
were concerned with choosing Novell because it had ceased further
development of its flagship operating system, NetWare. Novell had taken
on a different direction with Linux for its operating system and
desktop platform after the acquisition of SUSE. This strategy did not
align with our core infrastructure, and the transition for us would
have been disruptive, to say the least."
"In terms of operations, we had concerns about application
compatibility in a Novell environment, especially because the issue
affects productivity on the desktop and end-user mobility," says Duane
Caldwell, IT Operations Manager at MB Financial Bank. "When deploying
PDAs, for example, we found that most interfaces are already configured
for Microsoft Office Outlook® 2003 and Microsoft Exchange Server. But
if you mention a product like GroupWise, people ask, ‘What's that?' "
MB has a strategic commitment to maintaining its competitive
advantage through the use of technology that supports rather than
hinders the business of providing banking services. In keeping with
that focus, the company decided to migrate to Microsoft software
because it needed an integrated technology solution that wouldn't
consume undue amounts of IT resources, would integrate with its
line-of-business applications, and would provide ongoing opportunities
for collaboration and communication among its employees.
"We wanted technology that works out of the box. That's why Linux
wasn't really a contender," says Kallembach. "Microsoft is a stable,
known entity with reputable technology, a clearly articulated product
road map, and an outstanding partner network that we can call on for
reliable support."
MB Financial Bank engaged Microsoft Gold Certified Partner Berbee
Information Networks Corporation to standardize on a single
Microsoft-based desktop and server infrastructure. Berbee worked with
MB to articulate the company's goals for the migration and, after a
formal review of the existing architecture, presented a series
of design workshops for the Microsoft technologies that would form the
new infrastructure. Once a formal design was approved, Berbee built
environments in which to test the migration process for each piece of
the infrastructure. At the same time, MB and Berbee worked together to
physically set up the new data center, as well as configure the local
area network.
"Berbee was referred to us as a much-respected Microsoft integrator.
After our first meeting, we came away impressed with the knowledge and
experience of the Berbee professionals," says Kallembach. "They are an
extremely capable group and have done a good job for us, especially in
providing our IT staff with detailed build processes and the knowledge
required to get the most from our solution."
Berbee helped to deploy Windows Server System software, including
the Microsoft Windows Server™ 2003, Enterprise Edition, operating
system, which includes Automated Deployment Services (ADS) to remotely
deploy and manage Windows Server 2003 and Windows 2000 Server through a
central Microsoft Management Console (MMC) snap-in or Windows
Management Instrumentation scripts. Windows Server 2003 also includes
Internet Information Services 6.0 and Active Directory. MB is also
deploying other Windows Server System software, including Microsoft
Internet Security and Acceleration Server 2004, Microsoft Systems
Management Server (SMS) 2003, Microsoft Operations Manager (MOM) 2005,
Exchange Server 2003, Microsoft SQL Server™ 2000, and Microsoft Office
SharePoint® Portal Server 2003.
On the desktop, MB Financial standardized on Microsoft Windows XP
Professional and Microsoft Office Professional Enterprise Edition
2003.
To date, Berbee has installed 106 servers in the data center and the
branches. When the rollout is complete, there will be 44 servers in the
branches, one for each facility. Berbee is using Windows Server 2003
clustering services to consolidate file-and-print workloads.
Berbee used ADS in Windows Server 2003 to deploy the servers at the branch
offices in record time. "There's a lot of customization required on a
branch server; however, that process is completely automated now,"
explains Arif Mahmood, Lead Berbee Architect working on-site at MB
Financial Bank. "We built the branch servers at the data facility,
backed them up, shipped them out to the branch offices, connected them
to the physical network, turned them on, and walked away. SMS is
achieving similar time savings as we migrate between 40 and 50
applications to the new platform."
"The combination of Berbee's expertise with the out-of-the-box
capabilities of Microsoft technologies expedited this migration," says
Kallembach. "Even during the deployment, as we saw the integrated
Microsoft products working together, we knew we had made the right
decision."
For MB Financial Bank, standardizing on Microsoft technologies from
the desktop to the back end is already delivering significant benefits
across the enterprise. "From the IT department to every bank teller,
employees are more productive," says Kallembach. "The value of the
Microsoft technology is that it doesn't deter from our main focus: the
business of banking. Instead of an infrastructure that hinders our
growth, we now have one that supports all our goals."
MB Financial Bank is taking advantage of a single set of centralized
management tools and the customizable MMC to reduce the time required
to monitor and maintain its entire infrastructure. Active Directory
makes it easy to create an infrastructure design that maps to the
bank's organization—for example, MB can classify its branches based on
the number of employees at each branch.
Most important for a bank that's growing through mergers and
acquisitions and new facilities, the integrated technology of the
Windows Server System–based solution significantly improves the process
of bringing a new branch into the infrastructure. "One of the key
pieces in the process [of setting up a new branch] is Automated
Deployment Services," says Caldwell. "Now we have a server image, we
run the tool, and we are done 75 percent faster than we were with
Novell. Microsoft provides a reliable, quick solution, and our customer
service stays right on track."
At MB Financial Bank, distributing antivirus software used to be a
manual process that occupied three-quarters of a day and required a
third-party vendor to travel out to the 40 branches. Today, that
process is entirely automated. With Systems Management Server, the
company has eliminated the need for a third-party vendor to manage
software updates, saving $150 per desktop—$156,000 across 1,100
desktops—every time an update is required. "Our antivirus distribution
used to be a manual process," says Kallembach. "Now updates happen
automatically. Instead of spending three-quarters of a day working on
an update, we just have to check the reports to see that everything is
working properly."
Active Directory enables the IT department to better manage
authentication and network logons. In conjunction with SMS and MOM,
Microsoft Management Console and Active Directory have turned a
reactive IT department that relied on manual processes into an
automated, proactive department that has the time for more strategic
endeavors. "We have a lot of federal and other regulatory issues in
this industry that deal with security and assessment, privacy, and
identity management, as well as control and disaster recovery," says
Kallembach. "We are comfortable that Microsoft understands the issues
around security and that it is committed to making and keeping its
systems as secure as possible."
The indemnification coverage that Microsoft offers also played a
factor in MB's decision to choose a Microsoft solution. Microsoft's
indemnification policy protects customers from exposure to legal costs
and damage claims related to patent and copyright disputes, enabling
them to focus on running their businesses instead of dealing with
lawsuits that may arise. "The Microsoft indemnification policies gave
us reassurance going forward," says Kallembach.
With a standard desktop operating system that integrates with its
back office, MB Financial Bank is reducing the cost of managing
personal computers throughout the organization. Improved remote support
services, centralized management of software updates, and reduced
training requirements because users are familiar with the Microsoft
Office System programs are all contributing to lower operating costs.
"Office Professional Enterprise Edition 2003 is on every desktop, delivering
huge value in employee productivity through better collaboration and
communication," says Mike Furman, Vice President of Project Management
Office IT at MB Financial Bank. "Information workers can communicate
using the Outlook messaging and collaboration client that integrates
with Exchange Server 2003 to deliver enterprisewide calendaring and
scheduling tools. Now employees are arranging meetings in a way they
couldn't before. As we roll out tools like Office SharePoint Portal
Server 2003, we are seeing people come up with new ways to collaborate.
Overall, this project has given our business a huge amount of
potential."
Working with a single Cisco telephony solution and a new virtual
private network, and taking advantage of Active Directory, the Windows
Server System–based infrastructure at MB is contributing to improved
mobility and increased employee productivity at home, on the road, and
in the branches. "With Active Directory, it's easy to manage network
connections for employees who move between branches," says Macikanycz.
"Before, integrating GroupWise with PDAs was a challenge. We are about
to roll out PDAs to a number of users, and we won't face that challenge
with Outlook 2003."
Kallembach sums up the advantage of the new solution by relating
this equation: "There are three contributors to collaboration and
productivity: people, processes, and technology. With Novell, people
tried to improve their process, but couldn't. With Microsoft, we have
the technology to support whatever processes our people want. That adds
up to a lot of potential."
Microsoft Windows Server System integrated server
infrastructure software is designed to support end-to-end solutions
built on Windows Server 2003. It creates an infrastructure based on
integrated innovation, Microsoft's holistic approach to building
products and solutions that are intrinsically designed to work together
and interact seamlessly with other data and applications across your IT
environment. This allows you to reduce the costs of ongoing operations,
deliver a more secure and reliable IT infrastructure, and drive
valuable new capabilities for the future growth of your business.
Qatar Radio & TV Corporation
Middle Eastern Broadcaster Secures Network Against Virulent Attacks
Publication Date: 3/7/2005
Language: English
The State of Qatar’s Radio & TV Corporation (RTC) broadcasts two
channels. An Arabic and English channel is aimed at the country’s
residents, and a satellite channel is broadcast to a wider Middle
Eastern audience. It also provides a national radio Arabic channel and
an English FM service. RTC uses a modern technology infrastructure to
provide communications and business services across three locations.
But the network was constantly being infected by viruses. In July
2004, the entire network was taken down by the Sasser worm. RTC turned
to Microsoft® Consulting Services (MCS), which in turn implemented
Microsoft Systems Management Server 2003. This provides remote update
deployment, automated updates, and centralised management. Its network
is now secure, IT staff are free to concentrate on core tasks, and
partnership with Microsoft has also led to a 30 per cent increase in
network performance and a prescriptive framework for future security
initiatives.
Evidence Content
| Quotes | Credits |
| “Microsoft helped us radically improve update management with its prescriptive security guidance, expertise, and technology.” | Shezhad Anwar Khan, Project Manager, Qatar Radio & TV Corporation |
Solution Overview
| Company | Qatar Radio & TV Corporation |
| Company DBA (Doing Business As) Name | Qatar Radio & TV Corporation |
| Country | Qatar |
| Industries | advertising industry |
Isle of Man Government
Isle of Man Government Standardises on a Common Platform to Achieve 99.995 Per Cent Availability and Secure its Status as the E-Island
The Isle of Man Government (IoMG) is committed to ensuring that the island
remains an attractive and lucrative place to do business. It also aims
to enhance the services it offers to citizens and use technology
innovatively to enhance its position as the e-island. As part of its
Joined UP Information for The Electronic Resident (JUPITER) programme,
it reviewed its IT infrastructure. The conclusion was the need to move
from its disparate platform mix of proprietary operating systems, UNIX,
Novell, and SUN, and standardise on Microsoft Windows Server 2003
running mainly on Unisys ES7000 and ClearPath servers. It is working
with technology partner Unisys to complete the work by 2006 and hopes
to increase security, reduce costs, and better deploy in-house IT
resources as a result.
The Isle of Man lies in the heart of the British Isles and is a
self-governing dependent territory of the British Crown. It has
developed a reputation as an internationally-respected offshore
business centre, offering businesses a very attractive proposition as
it has its own Income Tax and Customs and Excise regime. Corporate and
personal taxes are low and there is no capital transfer or inheritance
tax. Key attributes of the island are its S&P and Moody's ‘AAA'
ratings reflecting the island's financial stability and prospects.
The Isle of Man Government (IoMG) serves a population of more than 76,000,
spanning 277 square miles. In order to maintain and enhance the
island's status as a viable place to conduct business, it is working
hard towards upgrading the infrastructure and providing better services
to citizens and businesses.
In 2001, the IoMG adopted a new
e-commerce and e-society strategy in a bid to fundamentally change the
way it uses IT and re-invent itself as the e-island. This initiative
has been dubbed the Joined UP Information for The Electronic Resident
(JUPITER) project. Its Web site is a core part of this innovation
drive. It boasts around five million page impressions and more than
250,000 visitors each month (a number which has doubled in the last two
years).
Allan Paterson, Director, Information Systems Division,
IoMG, says: "We have set ourselves clear business goals for JUPITER—the
modernisation of the business of government itself, achieving joined-up
working between different parts of government, and providing new,
efficient, and convenient ways for citizens and businesses to
communicate with government and to receive its services."
However, in order to fully achieve these goals, the IoMG needed to radically
rethink the way it used technology. Historically, each business unit
was in control of its own IT destiny from a budget and support
standpoint. This resulted in a network infrastructure that was based on
a disparate mix of platforms, including various versions of Novell
NetWare, Microsoft® Windows® operating system, UnixWare, and Solaris,
running a mixture of applications. In essence, there was inconsistency
across the organisation.
In 2003, the IoMG conducted a full review of its IT assets, which
determined the need to standardise and consolidate on a common platform
to reduce complexity and cost and enable its small IT team to better
support the organisation in other, more value-added areas.
Paterson says: "New versions of the third-party application products we were
running had come out with consequent need for changes to the base
software environment; for example, we were faced with a requirement to
change to a newer variant of UNIX in order to run them. Faced with the
challenge of changing UNIX anyway, and the complex infrastructure
integration tasks that would involve, we looked at our products to see
if we could run them in a Windows environment.