VMware vSphere is secure enough for government work

vSphere 4.0 achieves an EAL4+ rating from Common Criteria -- the highest assurance level mutually recognized by all signatories of the Common Criteria Recognition Agreement

If you are a government agency considering using VMware vSphere 4.0, get ready for some good news. VMware announced it has received the Common Criteria certification for vSphere 4.0 at Evaluation Assurance Level 4 (EAL4+) under the Common Criteria Evaluation and Certification Scheme (CSS). This certification covers VMware ESX 4.0, ESXi 4.0, and vCenter 4.0.

This is a big win for VMware and will enable the virtualization giant to more easily solicit government agencies to purchase or upgrade to VMware's latest hypervisor platform.


The Common Criteria is an international certification standard (ISO 15408), developed by North American and European governments, that provides a common framework for evaluating the security features and capabilities of IT security products. In effect since 1999, it grades each evaluation with an Evaluation Assurance Level (EAL), with EAL7+ being the highest grade assigned. However, EAL4+ is the highest assurance level that is globally recognized by all signatories under the Common Criteria Recognition Agreement (CCRA).

Common Criteria is an important certification for government and defense consumers and is often a requirement for many of their IT environments. But beyond government, the test and rating system is also very valuable to other types of consumers because it represents an objective measure of a software product's security. Having Common Criteria certification is often used to gauge whether a product should be considered for use in security-sensitive environments, such as a financial organization or the military.

As you might expect, going through one of these heavy certification processes can be an extremely long journey. A product must undergo a rigorous set of tests and meet extensive documentation requirements in order to pass. It's also important to keep in mind that the EAL achieved does not measure how secure the system is; it states only the depth and rigor with which the system's security claims were evaluated. The certificate also applies to the specific evaluated configuration described in the product's Security Target, so a deployment that departs from that configuration is outside what was tested.

According to VMware, "Achieving EAL4+ certification marks the completion of an intensive effort during which VMware vSphere 4.0 and VMware vCenter Server 4.0 were examined, tested and certified at EAL4+, validating that VMware vSphere is one of the most proven, trusted platforms for modern IT infrastructure."

As you might imagine, many organizations sticking their big toe in the virtualization waters look at the hypervisor as a black box, a virtual unknown, and that usually keeps the hypervisor locked away in dev/test and out of production. Because the hypervisor runs multiple virtual machines on top of it, organizations deploying such a platform often need to prove to upper management that these virtual environments are at least as secure as a physical server that is simply tasked with running a single operating system and application. These EAL ratings are one good way to accomplish that.

VMware completed the first Common Criteria certification for a virtualization product on x86 hardware back in March 2006 with the Common Criteria certification of VMware ESX Server 2.5 and VMware VirtualCenter 1.2. To date, VMware ESX 3.5, VMware VirtualCenter 2.5, VMware Infrastructure 3, VMware ESX Server 3.0.2, and VMware VirtualCenter 2.0.2 have also earned certification at EAL4+ level.

But VMware isn't the only virtualization platform going after this security distinction. Windows Server 2008 and Hyper-V are also currently certified at the EAL4+ level, earning that right on July 24, 2009. Citrix has also undergone testing and received an EAL2+ certification for Citrix XenServer 5.6 Platinum Edition on Aug. 20, 2010.

VMware most recently entered its latest hypervisor stack, vSphere 4.1, into evaluation for certification at the EAL4+ level, and it will probably take a similar amount of time for it to undergo the same type of security and documentation testing as its predecessor. Don't expect anything until possibly the end of 2011.

This article, "VMware vSphere is secure enough for government work," was originally published at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.