IBM, SuSE gain security certification

Believing it is a giant step toward legitimizing Linux for mission-critical applications aimed at both corporate users and governments, IBM and SuSE Linux on Tuesday announced they have gained the first Common Criteria Security Certification for eServer xSeries and SuSE Linux Enterprise Server 8, respectively.

The Common Criteria is an International Standards Organization (ISO) standard that is ascribed to by the U.S. government so it can properly assess security and assurance of technology products. The standard is also intended to help define more clearly the respective set of rigorous criteria by which products will be evaluated.

"We think this is pretty big because right now it is the only Linux distribution available that has this. This certification is used as a standard by 14 countries including the U.S. and Canada. Once you get this certification we find that it is tough for all government agencies to buy anything else," said Holger Dryoff, general manager of SuSe Linux in Oakland, Calif.

"We are pleased that Linux that reached this important security milestone through the joint efforts of IBM and SUSE," said Fritz Schulz, with the German Defense Information Systems Agency, in a prepared statement. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission-critical environments," he said.

Specifically, both Linux Enterprise Server 8 on the IBM server has achieved the Evaluation Assurance Level 2+ certification (EAL2). Officials from both companies said they have jointly filed for a higher level of security certification for Linux, namely the Controlled Access Protection Profile or EAL3+ for across IBM's eServer family. They said they expect that certification to come by the end of this year.

Some industry observers cheered the announcement, believing such certifications will significantly accelerate the development of more complete and sophisticated security systems.

"As the list of products grows for [Common Criteria] certification, it will only provide greater assurances in the component products that will be used to build much more secure information systems for the federal government," said Ron S. Ross,  with the National Institute of Standards and Technologies.

IBM said it will also make additional investments in ongoing Common Criteria certifications for z/VM mainframe operating system, which aids users in running up to thousands of instances of Linux from one server. The company also intends to pursue Common Criteria certification for its complete suite of middleware applications including DB2, MQSeries, Lotus Notes, and Tivoli.

In a related announcement IBM officials also said that they expect their eServer platforms to meet the Common Operating Environment (COE) standard, also by year's end.

The evaluation was carried out by atsec information security, a large independent IT security consulting company, which is accredited in Germany by the Federal Office for Information Security.

Explaining how the Common Criteria testing is done, atsec officials explained that products are evaluated against standards for a variety of features including the development environment, security functionality, the handling of numerous security vulnerabilities, security-related documentation, and product testing.

More information about the certification can be found at www.ibm.com/linux or www.suse.com.