Things have been so busy with motion practice, I missed this press release from IBM and Red Hat from the first day at LinuxWorld, and it's important to have as part of our collection, so we're prepared for the FUD about open source and security. It's also important for people to know, in government and in business, that this level of security certification is now achievable on GNU/Linux systems.
This quotation from the Department of Defense says it all:
"'The Department of Defense commends IBM and Red Hat for their recent Common Criteria evaluation of Red Hat Enterprise Linux 3,' said Gary Zelanko, Chief, Enterprise Integration Advanced Analysis Laboratory, Department of Defense. 'Meeting the EAL3 security standard gives the U.S. Department of Defense a greater assurance level when using commercial technology to build secure information systems for the federal government. We appreciate the significant effort that IBM and Red Hat have undertaken to comply with this international standard and their ongoing commitment to achieving even higher assurance levels.'"
Here is the press release.
IBM and Red Hat Achieve Common Criteria Security Certification Across All IBM eServer Systems
SAN FRANCISCO, CA -- Aug 3, 2004 -- In a move expected to further enable the adoption of Linux by businesses and governments around the world, Red Hat and IBM today announced they have achieved a new level of security certification for Red Hat across IBM servers.
The announcement was made at the opening of LinuxWorld in San Francisco.
Red Hat Enterprise Linux 3, Update 2 on IBM eServers has achieved Controlled Access Protection Profile compliance under The Common Criteria for Information Security Evaluation (CC), commonly referred to as CAPP/EAL3+. Today's CAPP/EAL3+ achievement crosses the IBM eServer product line, with Red Hat Enterprise Linux WS on xSeries, and Red Hat Enterprise Linux AS on xSeries, iSeries, pSeries, zSeries as well as Opteron-based systems.
"The Department of Defense commends IBM and Red Hat for their recent Common Criteria evaluation of Red Hat Enterprise Linux 3," said Gary Zelanko, Chief, Enterprise Integration Advanced Analysis Laboratory, Department of Defense. "Meeting the EAL3 security standard gives the U.S. Department of Defense a greater assurance level when using commercial technology to build secure information systems for the federal government. We appreciate the significant effort that IBM and Red Hat have undertaken to comply with this international standard and their ongoing commitment to achieving even higher assurance levels."
The Common Criteria (CC) is an internationally recognized ISO standard (ISO/IEC 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The CC provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.
Under Common Criteria, products are evaluated against strict standards for various features, such as the development environment, security functionality, the handling of security vulnerabilities, security-related documentation and product testing.
"Red Hat Enterprise Linux has become a standard platform in governments around the world," said Brian Stevens, vice president of Operating Systems Development at Red Hat. "Achieving this latest certification underscores the position of Linux in environments that demand high levels of security. We look forward to working with IBM to expand government deployments of Red Hat Enterprise Linux."
"Today's announcement that Red Hat has achieved a new level of Common Criteria certification is another validation of the high level of security Linux is delivering to businesses and governments alike," said Jim Stallings, general manager, Strategic Growth Initiatives, IBM. "This certification will further drive Linux into the heart of the enterprise and ensure that it is increasingly used in mission critical environments."
CAPP/EAL3+ certification of Linux requires exhaustive testing and review and expands both the functional capabilities and confidence in Linux security. This is achieved through the addition of an auditing subsystem in Red Hat Enterprise Linux 3 that provides auditing of security-critical events and through security functions that protect network-transmitted data.
The evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT security consulting companies, and accredited in Germany by the Federal Office for Information Security (BSI).
In addition to CAPP/EAL3+ certification, Red Hat and IBM are committed to working in partnership to obtain CAPP/EAL4+ certification for Red Hat across IBM's entire eServer product family.
IBM and Red Hat are committed to supporting the development and certification of Linux and will make available to the open source development community key components of the Common Criteria evaluation.
IBM plans to continue to invest in ongoing certifications for new and existing IBM products. z/VM V5.1, IBM's premier virtualization technology with the RACF for z/VM optional feature, is in evaluation for Common Criteria certification to conform to the requirements of the Labeled Security Protection Profile (LSPP) and the Controlled Access Protection Profile (CAPP), both at EAL3+. z/VM helps enable mainframe customers to run tens to even hundreds of instances of the Linux operating system on a single IBM zSeries server.
z/OS 1.6, with the RACF optional feature, is also in evaluation for Common Criteria certification to conform to the requirements of the LSPP and the CAPP, both at EAL3+. z/OS, IBM's flagship mainframe operating system, provides Labeled Security Protection with multilevel security support. Designed together with DB2 Version 8, this support can provide row-level security labeling in DB2 and protection in z/OS, designed to meet the stringent security requirements for multi-agency access to data.
IBM's suite of middleware products is also in line for Common Criteria certification on Linux. Common Criteria certifications have been awarded to IBM Directory Server, Tivoli Access Manager, and WebSphere MQ. Many other IBM Software products are now in evaluation for Common Criteria certification. Additional IBM Software products are being prepared to enter the evaluation process.
For more information about our current certifications, visit http://www-3.ibm.com/security/standards/st_evaluations.shtml
About Red Hat, Inc.
Red Hat, the world's leading open source and Linux provider, is headquartered in Raleigh, NC with satellite offices spanning the globe. Red Hat is leading Linux and open source solutions into the mainstream by making high quality, low cost technology accessible. Red Hat provides operating system software along with middleware, applications and management solutions. Red Hat also offers support, training and consulting services to its customers worldwide and through top-tier partnerships. Red Hat's Open Source strategy offers customers a long term plan for building infrastructures that are based on and leverage open source technologies with focus on security and ease of management. Learn more: http://www.redhat.com
IBM is the world's largest information technology company, with 80 years of leadership in helping businesses innovate. Drawing on resources from across IBM and key IBM Business Partners, IBM offers a wide range of services, solutions and technologies that enable customers, large and small, to take full advantage of the new era of e-business. For more information about IBM and Linux, visit www.ibm.com/linux.