IBM and SuSE Linux today announced that SuSE achieved the first ever security certification of Linux, taking the critical next step in the maturation of Linux and enabling the adoption of Linux by governments and companies around the world for mission critical environments.
SuSE Linux Enterprise Server 8 has achieved Common Criteria Security running on IBM eServer xSeries. The Common Criteria (CC) is an internationally recognized ISO standard (ISO 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The Common Criteria provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.
"We are pleased that Linux has reached this important security milestone through the joint efforts of IBM and SuSE," said Fritz Schulz, Defense Information Systems Agency. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission critical environments."
SuSE Linux Enterprise Server 8 on IBM eServer xSeries has earned an Evaluation Assurance Level 2+ certification, commonly referred to as EAL2. IBM and SuSE also announced today that the companies have filed for a higher level of security certification for SuSE Linux, the Controlled Access Protection Profile with EAL3+ across the IBM eServer product line, which is expected later this year.
In addition to the Common Criteria certification, SLES 8 on IBM eServer platforms is expected to meet the Common Operating Environment (COE) standard later this year. This will lead to a product that simultaneously meets Common Criteria and COE requirements. This standard, unique to the US Department of Defense (DoD), addresses functionality and interoperability requirements for commercially acquired IT products. The COE specification is used to verify the look and feel and function of software products as they are joined with government customized code. The COE is broadly recognized as a standard computing environment across the U.S. Government command and control systems.
"The landmark decision to submit the SuSE Linux Enterprise Server product to Common Criteria testing challenges the view of many skeptics that open source systems could not withstand such testing due to the difficulty of establishing processes in an open-source environment. This announcement demonstrates IBM's commitment to enterprise infrastructure that is secure, cost effective and open," said IBM Senior Vice President of Technology and Manufacturing, Nicholas Donofrio. "With this announcement, we continue to build upon our commitment to delivering Common Criteria certification across the IBM eServer platforms. Most importantly, the Common Criteria certification further validates the security and quality of open source software, not only for Global Government, but for other industries with critical security requirements."
"SuSE is the world's only open source operating system manufacturer which has technically demonstrated Common Criteria proficiency that can control and minimize security risks through a comprehensive quality assurance process," said Richard Seibt, Chief Executive Officer, SuSE Linux. "The Common Criteria evaluation marks yet another first for SuSE, and will further reassure companies of the high quality and security of the SuSE Linux Enterprise Server."
The evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT security consulting companies, accredited in Germany by the Federal Office for Information Security (BSI).
Under Common Criteria, products are evaluated against strict standards for various features, such as the development environment, security functionality, the handling of security vulnerabilities, security related documentation and product testing. In certifying SLES 8 on IBM xSeries, atsec information security GmbH evaluated how SuSE Linux develops, tests and maintains its products, as well as assessing the processes in place at the company for handling security issues in its software. IBM and SuSE have committed to release key components of the Common Criteria evaluation to the CCeLinux Consortium and Linux development community, by the end of the month. In addition, IBM and SuSE will continue to work with the open source development community to actively enhance Linux security to make Linux even more secure than it is today.
"We congratulate IBM and SuSE for their commitment to information security as evidenced by the recent successful evaluation and certification of SuSE Linux Enterprise Server 8. This Linux server product joins a growing list of commercial products evaluated under the international security standard Common Criteria---providing greater assurance in the component products used to build more secure information systems for the federal government," said Ron S. Ross, Ph.D., National Institute of Standards and Technology.
In addition to IBM's ongoing commitment to accelerate the development and certification of Linux as a secure, industrial strength operating system, IBM intends to continue to invest in ongoing certifications for new and existing IBM products. IBM plans to seek Common Criteria certification for IBM's premier virtualization technology, z/VM, in the upcoming year. z/VM helps enable mainframe customers to run tens to even hundreds of instances of the Linux operating system on a single IBM zSeries eServer. IBM's suite of middleware products are also in line for Common Criteria certification on Linux. IBM Directory has just completed evaluation under the Common Criteria. WebSphere Application Server and Tivoli Access Manager are in evaluation today, and several other IBM Software products are being prepared to enter the evaluation process.