DAILY NEWS AND INFORMATION
FOR THE GLOBAL GRID COMMUNITY
Breaking News -
Security:
IBM, SUSE LINUX Achieve Higher
Level Of Linux Security
IBM and Novell's SUSE LINUX business unit announced they had achieved new
levels of security and operations certification for SUSE that will further
enable the adoption of Linux by governments, as well as the Department of
Defense for critical command-and-control operations.
SUSE LINUX Enterprise Server 8 with Service Pack 3 on IBM eServers has
achieved Controlled Access Protection Profile compliance under The Common
Criteria for Information Security Evaluation (CC), commonly referred to as
CAPP/EAL3+.
"Certification under Common Criteria is a requirement for security related
products in our environment," said William Wolf of the U.S. Navy Space & Naval
Warfare Systems Center in San Diego. "We are encouraged by EAL 3 certification
for Linux, as new doors will open to build flexible, cost effective solutions
for our end users."
This represents a major expansion from last August, when IBM and SUSE
announced they had achieved the first ever security certification for Linux.
At that time, EAL2+ certification was announced for IBM's eServer xSeries
line. Today's CAPP/EAL3+ achievement crosses the IBM eServer product line --
iSeries, xSeries, pSeries and zSeries systems, as well as Opteron-based
systems.
CAPP/EAL3+ certification of Linux expands both the functional capabilities and
confidence in Linux security beyond that met with the EAL2+. This was achieved
through the addition of an auditing subsystem in SUSE LINUX Enterprise Server
8 that provides auditing of security critical events and through security
functions that protect network transmitted data. In addition, the CAPP/EAL3+
certification required more exhaustive testing and review.
IBM and SUSE LINUX also announced Common Operating Environment (COE)
compliance on IBM xSeries and zSeries platforms with SUSE LINUX Enterprise
Server 8, with support for pSeries and iSeries available in the first half of
2004. This achievement means that SUSE LINUX is the first Linux distributor to
offer both Common Criteria and COE compliance in the same package, creating
the opportunity to run operational applications in a secure environment. COE,
a specification created by the US Department of Defense (DoD), addresses
functionality and interoperability requirements for commercially acquired IT
products within its command and control systems.
"Today's announcement with SUSE LINUX is another key development fueling the
rapid rise of Linux in the government sector," said James Stallings, general
manager of Linux for IBM. "The Common Criteria certification across our server
line further validates the security and quality of open source software.
Additionally, the achievement of the operating environment standard necessary
for critical command and control operations signifies that Linux can now be
considered on equal footing with other operating systems."
The evaluation was completed by atsec information security GmbH, one of the
world's leading vendor-independent IT security consulting companies, and
accredited in Germany by the Federal Office for Information Security
(BSI).
"Securing the EAL3+ certification is another clear testament to the strength
of SUSE's processes," said Roman Drahtmueller, head of security for SUSE
LINUX. "Thanks to the close collaboration between SUSE, IBM and atsec, as well
as atsec's broad experience in security evaluation, customers now can benefit
from security assurances across all IBM platforms that are unique in the Linux
market."
The CC is an internationally recognized ISO standard (ISO/IEC 15408) used by
the Federal government and other organizations to assess security and
assurance of technology products. The CC provides a standardized way of
expressing security requirements and defines the respective set of rigorous
criteria by which the product will be evaluated. It is widely recognized among
IT professionals, government agencies, and customers as a seal of approval for
mission-critical software.
Under Common Criteria, products are evaluated against strict standards for
various features, such as the development environment, security functionality,
the handling of security vulnerabilities, security related documentation and
product testing. In certifying SUSE LINUX Enterprise Server 8 across IBM
eServer systems, atsec information security GmbH evaluated how SUSE LINUX
develops, tests and maintains its products, as well as assessing the processes
in place at the company for handling security issues in its software.
"BSI considers the increasing number of IT security certificates for IT
products as a significant progress in advancing IT security on a broad scale,"
said Udo Helmbrecht, president of the German Federal Office for Information
Security (BSI). "At the same time, certification has a positive effect on the
quality of IT products. The certification of SUSE Linux Enterprise Server V 8
also demonstrates that the Common Criteria can definitely be used as basis for
IT security certification of Open Source products."
IBM's commitment to accelerate the development and certification of Linux as a
secure, industrial strength operating system is further demonstrated by the
joint IBM/SUSE LINUX plan to pursue a higher level of security certification
for SUSE Linux -- CAPP/EAL4+ -- across the IBM eServer product line for next
year.
In addition to Linux, IBM plans to obtain Common Criteria certification of
z/VM, its premier virtualization technology, in 2004. It is anticipated that
z/VM will be certified to conform to the requirements of the Labeled Security
Protection Profile (LSPP) and the Controlled Access Protection Profile (CAPP),
both at EAL3+. z/VM helps enable mainframe customers to run tens to even
hundreds of instances of the Linux operating system on a single IBM zSeries
server. And in a future release of z/OS, IBM intends to certify z/OS to the
CAPP/EAL3 and the LSPP/EAL3+ levels.