IBM and SuSE Linux — now owned by Novell — announced they have reached new heights in Linux security with a standards certification that the companies claim will boost Linux adoption in government agencies, including the U.S. Department of Defense.
The newly earned Common Criteria for Information Security Evaluation EAL3+ certification is a step up from the companies’ EAL2+ security certification earned last August. The EAL3+ certification is a first for Linux. IBM and SuSE said the achievement covers SuSE Linux Enterprise Server 8 software with Service Pack 3 across the IBM eServer line, including iSeries, xSeries, pSeries and zSeries systems as well as AMD Opteron-based systems.
“Today’s announcement with SuSE Linux is another key development fueling the rapid rise of Linux in the government sector,” IBM Linux general manager James Stallings said in a statement. “The Common Criteria certification across our server line further validates the security and quality of open-source software.”
Yankee Group senior analyst Dana Gardner told LinuxInsider that the certification marks both the maturing of Linux and the mitigation of security concerns and perceptions around the open-source operating system. “It just shows the burgeoning level of maturity for Linux as a government and enterprise-class solution,” Gardner said. “It shows the issue of security is being addressed. There are concerns across systems, but [the certification] is putting to rest the perception that Linux has security problems.”
Deemed OK for Defense
“Certification under Common Criteria is a requirement for security-related products in our environment,” said William Wolf of the U.S. Navy, Space and Naval Warfare Systems Center of San Diego. “We are encouraged by EAL3 certification for Linux, as new doors will open to build flexible, cost-effective solutions for our end users.”
Along with the security certification, IBM and SuSE announced Common Operating Environment (COE) compliance of Linux Enterprise Server 8 on IBM xSeries and zSeries platforms. Support for the COE on pSeries and iSeries platforms will be available in the first half of this year, according to IBM.
The COE is a collection of standards, specifications and methodologies that establishes an environment on which a system can be built for use in government or military environments in the United States. The COE was formerly known as the Defense Information Infrastructure Common Operating Environment (DII COE). The terms are interchangeable.
SuSE spokesperson Joe Eckert told LinuxInsider that the latest certification marks the first time — not only among open-source software, but among any software — that five platforms were simultaneously certified in this way. “What it shows is a real robustness to the development process,” he said. “This does add a few more levels of security for places like the DOD, financial institutions and people who need to follow strict guidelines for their data.”
Deeper into the Datacenter
Industry analyst Bill Claybrook, who said IT professionals are no longer more concerned about the security of Linux than they are about that of other systems, told LinuxInsider that the new security certification will help push Linux further into government and other environments, mainly for cost savings.
The analyst said the government is likely to adopt more Linux solutions to replace aging Unix systems, which have been heavily used in the public IT sector. Claybrook said he doubts the government will replace its Unix solutions with Windows.
Eckert also indicated that SuSE and IBM are expecting more interest in Linux from the private sector, particularly financial institutions. “We would expect to see a greater level of security for financial institutions, who by the way were among the leading wave for Linux,” he said. “Now they can take it further into their data centers.”
Eckert said that while the security certifications for SuSE Linux were achieved with IBM hardware, SuSE is in discussions with other hardware vendors to achieve similar security badges.
Eckert also pointed out that while other Linux vendors have announced their intentions to pursue and procure security certifications, SuSE, partnered with IBM, is the only company to have achieved any of the Common Criteria assurance-level certifications.
“It shows that we have this process down pretty good,” he said.