IBM, SuSE gain security certification

InfoWorld - In an achievement that they believe represents a giant step toward legitimizing Linux for mission-critical applications aimed at corporate and government users, IBM and SuSE Linux AG today announced that they have gained the first Common Criteria Security Certification for eServer xSeries and SuSE Linux Enterprise Server 8.
The Common Criteria is an International Standards Organization (ISO) standard that the U.S. government uses to assess security of technology products. The standard is also intended to help define more clearly the criteria by which products will be evaluated.
"We think this is pretty big because right now [SuSE Linux] is the only Linux distribution available that has this. This certification is used as a standard by 14 countries, including the U.S. and Canada. Once you get this certification, we find that it is tough for all government agencies to buy anything else," said Holger Dryoff, general manager of SuSe Linux in Oakland, Calif.
"We are pleased that Linux has reached this important security milestone through the joint efforts of IBM and SuSE," Fritz Schulz, kernel platform compliance program manager at the Defense Information Systems Agency, said in a prepared statement. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission-critical environments."
Specifically, Linux Enterprise Server 8 running on IBM servers has achieved the Evaluation Assurance Level 2+ certification (EAL2). Officials from both companies said they have jointly filed for a higher level of security certification, the Controlled Access Protection Profile, or EAL3+, for SuSE Linux running on IBM's eServer products. They said they expect that certification to come by the end of this year.
Some industry observers cheered the announcement, believing such certifications will significantly accelerate the development of more complete and sophisticated security systems.
"As the list of products grows for [Common Criteria] certification, it will only provide greater assurances in the component products that will be used to build much more secure information systems for the federal government," said Ron S. Ross, an official at the National Institute of Standards and Technology.
IBM said it will also make additional investments in ongoing Common Criteria certifications for its z/VM mainframe operating system, which aids users in running up to thousands of instances of Linux from one server. The company also intends to pursue Common Criteria certification for its complete suite of middleware applications, including DB2, MQSeries, Lotus Notes and Tivoli software.
In a related announcement, IBM officials also said that they expect the company's eServer systems to also meet the Common Operating Environment standard by year's end.
The evaluation was carried out by Atsec Information Security GmbH, a large independent IT security consulting company, which is accredited in Germany by the Federal Office for Information Security.
Explaining how the Common Criteria testing is done, Atsec officials explained that products are evaluated against standards for a variety of features, including the development environment, security functionality, the handling of numerous security vulnerabilities, security-related documentation and product testing.