ITIC Corp » The time for business is now!


September 19, 2010, 9:20am

Ask any 10 qualified people to guess which of the major database platforms is the most secure and chances are at least half would say Oracle. That is incorrect.

The correct answer is Microsoft’s SQL Server. In fact, the Oracle database has recorded the highest number of security vulnerabilities of any of the major database platforms over the last eight years.

This is not a subjective statement. The data comes directly from the National Institute of Standards and Technology.

Since 2002, Microsoft’s SQL Server has compiled an enviable record. It is the most secure of any of the major database platforms. SQL Server has recorded the fewest reported vulnerabilities — just 49 from 2002 through June 2010 — of any database. These statistics were compiled independently by the National Institute of Standards and Technology (NIST), the government agency that monitors security vulnerabilities by technology, vendor, and product (see Exhibit 1). So far in 2010, through June, SQL Server has a perfect record — no security bugs have been recorded by NIST CVE.

And SQL Server was the most secure database by a wide margin: Its closest competitor, MySQL (which was owned by Sun Microsystems until its January 2010 acquisition by Oracle) recorded 98 security flaws or twice as many as SQL Server.

By contrast, during the same eight-and-a-half year period spanning 2002 through June 2010, the NIST CVE recorded 321 security vulnerabilities associated with the Oracle database platform, the highest total of any major vendor. Oracle had more than six times as many reported security flaws as SQL Server during the same time span. NIST CVE statistics recorded 121 security-related issues for the IBM DB2 platform during the past eight-and-a-half years.

Solid security is an essential element for many mainstream line-of-business (LOB) applications, and a crucial cornerstone in the foundation of every organization’s network infrastructure. Databases are the information repositories for many organizations; they contain much of the sensitive corporate data and intellectual property. If database security is compromised, the entire business is potentially at risk.

SQL Server’s unmatched security record is no fluke. It is the direct result of significant Microsoft investment in its Trustworthy Computing Initiative, which the company launched in 2002. In January of that year, Microsoft took the step of halting all new code development for several months across its product lines to scrub the code base and make its products more secure.

The strategy is working. In the past 21 months since January 2009, Microsoft has issued only eight (8) SQL Server security-related alerts. To date in 2010 (January through June), there have been no SQL Server vulnerabilities recorded by Microsoft or NIST. Microsoft is the only database vendor with a spotless security record the first six months of 2010.

ITIC conducted an independent Web-based survey on SQL Server security that polled 400 companies worldwide during May and June 2010. The results of the ITIC 2010 SQL Server Security survey support the NIST CVE findings. Among the survey highlights:
• An 83% majority rated SQL Server security “excellent” or “very good” (see Exhibit 2, below).
• None of the 400 survey respondents gave SQL Server security a “poor” or “unsatisfactory” rating.
• A 97% majority of survey participants said they experienced no inherent security issues with SQL Server.
• Anecdotal data obtained during first-person customer interviews also elicited a very high level of satisfaction with the embedded security functions and capabilities of SQL Server 7, SQL Server 2000, SQL Server 2005, SQL Server 2008, and the newest SQL Server 2008 R2 release. In fact, database administrators, CIOs and CTOs interviewed by ITIC expressed their approbation with Microsoft’s ongoing initiatives to improve SQL Server’s overall security and functionality during the last decade starting with SQL Server 2000.

Strong security is a must for every organization irrespective of size or vertical industry. Databases are among the most crucial applications in the entire network infrastructure. Information in databases is the organization’s intellectual property and life blood.

Databases are essentially a company’s electronic filing system. The information contained in the database directly influences and impacts every aspect of the organization’s daily operations including relationships with customers, business partners, suppliers and its own internal end users. All of these users must have the ability to quickly, efficiently and securely locate and access data. The database platform must be secure. An insecure, porous database platform will almost certainly compromise business operations and by association, any firm that does business with it. Any lapses in database security, including deliberate internal and external hacks, inadvertent misconfiguration, or user errors can mean lost or damaged data, lost revenue, and damage to the company’s reputation, raising the potential for litigation and loss of business.

It’s also true that organizations bear at least 50 percent of the responsibility for keeping their databases and their entire network infrastructures secure. As the old proverb goes, “The chain is only as secure as its weakest link.” Even the strongest security can be undone or bypassed by user error, misconfiguration or weak computer security practices. No database or network is 100 percent hack-proof or impregnable. Organizations should consult with their vendors regarding any questions and concerns they may have about the security of ANY of their database platforms. They should also ensure they stay updated with the latest patches and install the necessary updates. Above all, bolster the inherent security of your databases with the appropriate third party security tools and applications. Make sure your organization strictly adheres to computer security best practices. At the end of the day only you can defend your data.

Registered ITIC site users can Email me at: ldidio@itic-corp.com for a copy of the full report.

August 23, 2010, 5:06pm

In the mid-to-late 1980s colleagues and friends were surprised when I transitioned from working as an on camera investigative TV reporter to cover the then-fledgling high technology industry for specialized trade magazines.
After all, they reasoned, how could I be content covering semiconductors, memory boards, server hardware, software and computer networks after working as a mainstream journalist covering stories such as lurid political and law enforcement corruption scandals; drug trafficking; prostitution; dumping tainted substances on unsuspecting third world nations; and cover-ups by big business when their planes, trains and automobiles malfunctioned? How could I trade in “murder and mayhem” for the staid, sterile world of high technology?
They needn’t have worried.
Admittedly, mastering the technology was a challenge. For the first few weeks, every time I did a story on PALs and had to spell out the acronym I wrote “Police Athletic League” instead of Programmable Array Logic. And then there was my first work-related trip to Las Vegas to cover the mammoth spectacle that was Comdex circa 1988. In the dark ages before wireless, laptops and decent broadband, it was nearly impossible to file stories from your hotel room because the trunk lines were overwhelmed. A colleague and I were forced to trek down to a bank of pay phones to transmit our news articles at 2:30 a.m. and were mistaken for hookers. The pay was arguably better than a journalist’s salary, but we passed. Incidents like this made me feel close to my cops and crimes, murder and mayhem investigative TV roots.
I felt at home covering technology right away. Within a month, I was chronicling tales of high tech companies sending their top executives off to rehab for drug and alcohol addiction; there was a rash of top executives leaving established powerhouses like and taking top engineers and sales executives with them, which in turn precipitated a slew of theft of trade secrets and patent infringement lawsuits. Things really got interesting when Robert Morris, Jr. launched his now infamous Internet Worm; there were myriad other tales of sex scandals involving corporate executives, board of director fights and coups, price fixing, hostile takeovers, corporate espionage and fiscal chicanery that entailed everything from embezzlement and theft to cooking the books.
Reality TV and the tabloids have nothing on high technology industry hijinks.
Fast forward to what’s making headlines during these “Dog Days” of summer 2010. The ancient Greeks and Romans believed that the dog days of summer (named after the constellation Sirius or Dog Star) lasted from late July to early September and that hot weather foreshadowed evil doings. John Brady’s “Clavis Calendarium” of 1813 describes it as “an evil time when the seas boiled, wine turned sour, dogs grew mad, and all creatures became languid, causing to man burning fevers, hysterics, and phrensies.” The recent spate of high tech headlines seems to bear that out. Here’s a sampling:
• The Hewlett-Packard board of directors abruptly fired CEO Mark Hurd, after allegations of sexual harassment surfaced.
• Oracle CEO Larry Ellison publicly blasted the HP board for firing Mark Hurd.
• Oracle sued Google for alleged patent and copyright infringement involving the use of Java intellectual property in Google’s mobile Android operating system.
• Google StreetView maps prompted privacy lawsuits and raids in several countries including South Korea.
• Google releases version 6 of its Chrome web browser and vows to issue a stable new release every six weeks.
The headlines provide an accurate assessment of both the current state and the direction of the high tech industry. Four words say it all: sex, money, power and posturing. Let’s examine some of the stories in more detail.
The HP board of directors’ decision to fire CEO Mark Hurd after five years of stewardship remains cloaked in mystery. Hurd may or may not have been guilty of fudging expense reports and engaging in conduct not up to HP’s standards with Jodie Fisher, a contract HP “adviser” and sometime actress. In addition to being an adviser, Fisher also received $5,000 to attend HP events acting as a “meet and greet” hostess. Fisher, who retained the services of celebrity lawyer Gloria Allred, may or may not have been a victim of harassment. We don’t know for sure because all of the principals in this tableau are mum. Rumors are rife that the “real reason” the HP’s board may have shown Hurd the door is because: 1) he may have been more involved than was previously thought in the 2006 HP board of directors “pretexting” scandal. At that time, HP board members illegally spied on other board members to learn the source of news leaks and 2) Hurd was exceedingly unpopular with rank and file HP employees.
By all monetary measures, Hurd’s five year stint at HP was a resounding success. And for that, Hurd will walk away with a $40 to $50 million severance package. No one knows how much Fisher received, because Hurd and Fisher settled whatever transpired between them, privately. But it must be a pretty good sum, because Fisher issued a very upbeat and conciliatory statement saying she did not intend for Hurd to lose his job and wishes Hurd, his family and HP all the best. Thankfully, I read this on an empty stomach!
What’s wrong with this picture? Plenty.
The real victims here are HP’s rank and file employees, the American worker and sexual harassment victims – both men and women – who lack the clout to hire a Gloria Allred to rattle her saber for another 15 minutes of fame and a quick, inglorious settlement.
The average Joe and Jane worker have seen their ranks decimated with each new acquisition and round of layoffs. HP currently ranks number 9 on the Fortune 500 list. In the past several years it has acquired Compaq, EDS, 3Com and Palm. Those mergers and acquisitions helped HP become the first high tech company to have annual revenues that exceed the $100 billion threshold. HP is also first in another category – albeit an unwelcome one: despite its stellar financial performance, over the last decade HP has cut more jobs (most of them here in the U.S.) than any other high tech firm. The head count stands at approximately 85,000.
So Mark Hurd gets $40 to $50 million and tens of thousands of HP’s American employees get shown the door.
Then there’s Ms. Fisher. I know nothing about the woman. One must presume if Hurd was willing to settle with her that her claim had some merit. However, as soon as I heard she was represented by Allred, I cringed. Allred has turned into a modern day Carrie Nation for the tabloid TV generation. In an age of instant and continual information via the Tabloids and the Web, publicity is the chief currency – the more salacious and lurid, the bigger the settlement. I phoned Allred’s office to inquire how many pro bono and non-celebrity sexual harassment cases she handles. I haven’t heard back yet and I’m not too hopeful.
The Equal Employment Opportunity Commission (EEOC) received 12,696 complaints of sexual harassment in the workplace – 16% of them by men. The EEOC says it recovered $51.5 million in monetary benefits for those nearly 13,000 workers. That’s probably just about what Mark Hurd, Jodie Fisher and Gloria Allred pocketed among the three of them. Nice work if you can get it.
That brings me to another prominent headline of the past couple of weeks: Oracle chief Larry Ellison, in an interview with the New York Times, blasted the HP board for firing his longtime friend Mark Hurd. Ellison’s comments have all the credence of a professional athlete convicted of using steroids writing an editorial extolling the virtues of doping. Oracle, which completed its acquisition of Sun Microsystems earlier this year, is gearing up to axe one-third to one-half of Sun’s workforce of over 25,000. No one is sure exactly how many Oracle employees will be pink slipped, but estimates range from 5,000 to as high as 10,000. Oracle disclosed in a recent government filing that it will write off $825,000 in restructuring charges.
The question is will Larry Ellison make room for Mark Hurd at Oracle? He might. Hurd has a proven record of cutting costs, cutting people and thus delivering value to shareholders.
The real measure of a company’s success should not be how many jobs it cuts but how many jobs it creates for the American worker.
Oracle also made headlines and flexed its muscles last week with the announcement that it is suing Internet search engine giant Google for allegedly infringing on the Java patents Oracle now owns as part of the Sun acquisition, that are used in Google’s mobile Android operating system. This is all about Oracle making a preemptive strike to try and contain Google in what’s shaping up to be a battle of high tech titans. Google’s Android OS runs on many of the major mobile phone platforms including Motorola and HTC Corp. The implications are enormous. Don’t expect this one will ever get to court. Neither firm wants to spend millions or expend precious corporate resources in a protracted legal battle, which would be detrimental to both sides. Expect them to settle. But we can also expect the acrimony between these two rivals to rise commensurately along with the stakes in the mobile market.
Google meanwhile engaged in some posturing of its own. The company released beta version 6 of its Google Chrome web browser. Google also says it will issue a stable new release of the browser every six weeks. This move is clearly designed as a challenge to Microsoft Internet Explorer, Mozilla Firefox and Apple Safari. While I applaud Google’s initiative and desire to retain its competitive edge, releasing a new version of its browser every six weeks is overkill. No matter how fast Google or any vendor makes its browser, the actual speeds are still determined by the user’s broadband. And frankly, the constant application upgrades to everyday packages like Adobe, WordPress and the various browsers are a nuisance. One can barely log on to an application without being hounded to upgrade to the latest version. It’s a major nuisance.
But these days, companies feel compelled to make an announcement just to keep their names in the headlines at all costs. There’s never a dull moment in the high tech industry, especially during the dog days of summer. I can’t wait to see what fall brings. If you have any ideas, Email me at: ldidio@itic-corp.com.

August 13, 2010, 9:20pm

Cloud computing like any emerging new technology has both advantages and disadvantages. Before beginning any infrastructure upgrade or migration, organizations are well advised to first perform a thorough inventory and review of their existing legacy infrastructure and make the necessary upgrades, revisions and modifications. Next, the organization should determine its business goals for the next three-to-five years to determine when, if and what type of cloud infrastructure to adopt. It should also construct an operational and capital expenditure budget and a timeframe that includes research, planning, testing, evaluation and final rollout.
Public Clouds: Advantages and disadvantages
The biggest allure of a public cloud infrastructure over traditional premises-based network infrastructures is the ability to offload the tedious and time consuming management chores to a third party. This in turn can help businesses:
• Shave precious capital expenditure monies because they avoid the expensive investment in new equipment including hardware, software, and applications as well as the attendant configuration planning and provisioning that accompanies any new technology rollout.
• Accelerate the deployment timetable. Having an experienced third party cloud services provider do all the work also accelerates the deployment timetable and most likely means less time spent on trial and error.
• Construct a flexible, scalable cloud infrastructure that is tailored to their business needs. A company that has performed its due diligence and is working with an experienced cloud provider can architect a cloud infrastructure that will scale up or down according to the organization’s business and technical needs and budget.
The potential downside of a public cloud is that the business is essentially renting common space with other customers. As such, depending on the resources of the particular cloud model, there exists the potential for performance, latency and security issues, as well as for inadequate response times and service and support from the cloud provider.
Risk is another potential pitfall associated with outsourcing any of your firm’s resources and services to a third party. To mitigate risk and lower it to an acceptable level, it’s essential that organizations choose a reputable, experienced third party cloud services provider very carefully. Ask for customer references; check their financial viability. Don’t sign up with a service provider whose finances are tenuous and who might not be in business two or three years from now.
The cloud services provider must work closely and transparently with the corporation to build a cloud infrastructure that best suits the business’ budget, technology and business goals.
To ensure that the expectations of both parties are met, organizations should create a checklist of the items and issues that are of crucial importance to their business and incorporate them into Service Level Agreements (SLAs). Be as specific as possible. These should include but are not limited to:

• What types of equipment do they use?
• How old is the server hardware? Is the configuration powerful enough?
• How often is the data center equipment/infrastructure upgraded?
• How much bandwidth does the provider have?
• Does the service provider use open standards or is it a proprietary datacenter?
• How many customers will you be sharing data and resources with?
• Where is the cloud services provider’s datacenter physically located?
• What specific guarantees if any, will it provide for securing sensitive data?
• What level of guaranteed response time will it provide for service and support?
• What is the minimum acceptable latency/response time for its cloud services?
• Will it provide multiple access points to and from the cloud infrastructure?
• What specific provisions will apply to Service Level Agreements (SLAs)?
• How will financial remuneration for SLA violations be determined?
• What are the capacity ceilings for the service infrastructure?
• What provisions will there be for service failures and disruptions?
• How are upgrade and maintenance provisions defined?
• What are the costs over the term of the contract agreement?
• How much will the costs rise over the term of the contract?
• Does the cloud service provider use the Secure Sockets Layer (SSL) to transmit data?
• Does the cloud services provider encrypt the resting data to prohibit and restrict access?
• How often does the cloud services provider perform audits?
• What mechanisms will it use to quickly shut down a hack and can it track a hacker?
• If your cloud services provider is located outside your country of origin, what are the privacy and security rules of that country and what impact will that have on your firm’s privacy and security issues?
Finally, the corporation should appoint a liaison and that person should meet regularly with a representative from the cloud services provider to ensure that the company attains its immediate goals and that it is always aware and working on future technology and business goals. Outsourcing all or any part of your infrastructure to a public cloud does not mean forgetting and abandoning it.
Private Clouds: Advantages and Disadvantages
The biggest advantage of a private cloud infrastructure is that your organization keeps control of its corporate assets and can safeguard and preserve its privacy and security. Your organization is in command of its own destiny. That can be a double-edged sword.
Before committing to build a private cloud model, the organization must do a thorough assessment of its current infrastructure, its budget and the expertise and preparedness of its IT department. Is your firm ready to assume the responsibility for such a large burden from both a technical and ongoing operational standpoint? Only you can answer that. Remember that the private cloud should be highly reliable and highly available – at least 99.999% uptime with built-in redundancy and failover capabilities. Many organizations currently struggle to maintain 99.9% uptime and reliability, which is the equivalent of 8.76 hours of downtime per server, per annum. When your private cloud is down for any length of time, your end users (and anyone else who has access to the cloud) will be unable to access resources.
Realistically, in order for an organization to successfully implement and maintain a private cloud, it needs the following:
• Robust equipment that can handle the workloads efficiently during peak usage times
• An experienced, trained IT staff that is familiar with all aspects of virtualization, virtualization management, grid, utility and chargeback computing models
• An adequate capital expenditure and operational expenditure budget
• The right set of private cloud product offerings and service agreements
• Appropriate third party virtualization and management tools to support the private cloud
• Specific SLA agreements with vendors, suppliers and business partners
• Operational level agreements (OLAs) to ensure that each person within the organization is responsible for specific routine tasks and has defined responsibilities in the event of an outage
• A disaster recovery and backup strategy
• Strong security products and policies
• Efficient chargeback utilities, policies and procedures
Other potential private cloud pitfalls include: deciding which applications to virtualize; vendor lock-in and integration and interoperability issues. Businesses grapple with these same issues today in their existing environments. At present, however, the product choices from vendors and third party providers are more limited for virtualized private cloud offerings. Additionally, since the technology is still relatively new, it will be difficult from both a financial as well as technical standpoint to switch horses in midstream from one cloud provider to another if you encounter difficulties.
There is no doubt that adoption of virtualized public and private cloud infrastructures will grow significantly in the next 12 to 18 months. In order to capitalize on their benefits, lower your total cost of ownership (TCO), accelerate return on investment (ROI) and mitigate risk, your organization should take its time and do it right.