Linux has taken another step in its evolution. IBM and SuSE Linux announced that the open source operating system has achieved an international security certification used by the US government.
At this week’s LinuxWorld event in San Francisco, the companies announced that SuSE Linux Enterprise Server 8, running on Intel-based IBM servers, had achieved a Common Criteria Security certification. IBM has been shepherding SuSE through the Common Criteria process.
Common Criteria is an internationally recognized standards organization created specifically to develop criteria for IT security. To earn Common Criteria certification, products must meet strict standards in areas such as development environments, security functionality, how security vulnerabilities are handled, security-related documentation and product testing.
A year ago, the US National Security Agency mandated that all national security systems use Common Criteria-evaluated products, but has since relaxed that directive because of the dearth of accredited products. Instead, vendors whose products are used for national security systems must commit to getting their products through Common Criteria testing.
With the certification, Linux joins a handful of products that have been approved by Common Criteria. The certification "will be a critical factor as Linux is applied to mission critical environments," said Fritz Schulz of the US Defense Information Systems Agency.
SuSE Linux Enterprise Server 8 on IBM eServer xSeries earned an Evaluation Assurance Level 2+ certification (EAL2), and IBM and SuSE said that they had filed for a higher level of security certification and expected to achieve it later this year.
In addition to the Common Criteria certification, IBM and SuSE Linux also announced that the SuSE Linux product on IBM eServer platforms was expected to meet the Defense Department's Common Operating Environment requirements, which dealt with the functionality and interoperability of software with customized government code.
The Common Criteria evaluation of Linux was completed by Atsec Information Security, an independent IT security consulting company in Germany. In its evaluation, Atsec examined how SuSE Linux develops, tests and maintains its products and what its policies are for handling security issues in its software.
With the certification, IBM and SuSE have agreed to release key components of the evaluation to the Linux development community by the end of August. In addition, IBM and SuSE said they would continue to work with the open source community to further enhance Linux security.
SuSE Linux Enterprise 8 is just one of the software products IBM has, or intends to have, in the Common Criteria certification process, IBM said. IBM plans to seek certification for z/VM, the mainframe virtualization technology that enables customers to run hundreds of instances of Linux on a single IBM zSeries server.
In addition, IBM Directory has completed evaluation under the Common Criteria process, and WebSphere Application Server and Tivoli Access Manager are in the evaluation process.