IBM, SuSE secure Linux

Linux took another step in its evolution Tuesday when IBM and SuSE Linux announced that the open source operating system had achieved an international security certification used by the federal government.

At LinuxWorld in San Francisco, the companies announced that SuSE Linux Enterprise Server 8 running on Intel-based IBM servers had achieved a Common Criteria Security certification. IBM has been shepherding SuSE through the Common Criteria process.

Common Criteria is an internationally recognized standards organization created specifically to develop criteria for IT security. To earn Common Criteria certification, products must meet strict standards in areas such as development environments, security functionality, how security vulnerabilities are handled, security-related documentation and product testing.

A year ago, the National Security Agency mandated that all national security systems use Common Criteria-evaluated products, but has since relaxed that directive because of the dearth of accredited products. Instead, vendors whose products are used for national security systems must commit to getting their products through Common Criteria testing.

With the certification, Linux joins a handful of products that have been OK’d by Common Criteria. The certification “will be a critical factor as Linux is applied to mission critical environments,” says Fritz Schulz of the Defense Information Systems Agency.

SuSE Linux Enterprise Server 8 on IBM eServer xSeries earned an Evaluation Assurance Level 2+ certification (EAL2), and IBM and SuSE say that they have filed for a higher level of security certification and expect to achieve that later this year.

In addition to the Common Criteria certification, IBM and SuSE Linux also announced that the SuSE Linux product on IBM eServer platforms is expected to meet the Defense Department’s Common Operating Environment requirements, which deal with the functionality and interoperability of software with customized government code.

The Common Criteria evaluation of Linux was completed by Atsec Information Security, an independent IT security consulting company in Germany. In its evaluation, Atsec evaluated how SuSE Linux develops, tests and maintains its products and what its policies are when it comes to handling security issues in its software.

With the certification, IBM and SuSE agree to release key components of the evaluation to the Linux development community by the end of August.  In addition, IBM and SuSE say they will continue to work with the open source community to further enhance Linux security.

SuSE Linux Enterprise 8 is just one of the software products IBM has or intends to have in the Common Criteria certification process, IBM says. IBM plans to seek certification for z/VM, which is mainframe virtualization technology that enables customers to run hundreds of instances of Linux on a single IBM zSeries server.

In addition, IBM Directory has completed evaluation under the Common Criteria process, and WebSphere Application Server and Tivoli Access Manager are in the evaluation process today.