IBM and SUSE LINUX Achieve a Higher Level of Linux Security Certification across All IBM eServer Systems

Companies Also Reach Common Operating Environment (COE) Standard Necessary for Command and Control Operations

NEW YORK - 21 Jan 2004: IBM and Novell's SUSE LINUX business unit today announced they had achieved new levels of security and operations certification for SUSE that will further enable the adoption of Linux by governments, as well as the Department of Defense for critical command-and-control operations.

SUSE LINUX Enterprise Server 8 with Service Pack 3 on IBM eServers has achieved Controlled Access Protection Profile compliance under The Common Criteria for Information Security Evaluation (CC), commonly referred to as CAPP/EAL3+.

"Certification under Common Criteria is a requirement for security related products in our environment," said William Wolf, U.S. Navy, Space & Naval Warfare Systems Center, San Diego. "We are encouraged by EAL 3 certification for Linux, as new doors will open to build flexible, cost effective solutions for our end users."

This represents a major expansion from last August, when IBM and SUSE announced they had achieved the first ever security certification for Linux. At that time, EAL2+ certification was announced for IBM's eServer xSeries line. Today's CAPP/EAL3+ achievement crosses the IBM eServer product line - iSeries, xSeries, pSeries and zSeries systems, as well as Opteron-based systems.

CAPP/EAL3+ certification of Linux expands both the functional capabilities and confidence in Linux security beyond that met with the EAL2+. This was achieved through the addition of an auditing subsystem in SUSE LINUX Enterprise Server 8 that provides auditing of security critical events and through security functions that protect network transmitted data. In addition, the CAPP/EAL3+ certification required more exhaustive testing and review.

IBM and SUSE LINUX also announced Common Operating Environment (COE) compliance on IBM xSeries and zSeries platforms with SUSE LINUX Enterprise Server 8, with support for pSeries and iSeries available in the first half of 2004. This achievement means that SUSE LINUX is the first Linux distributor to offer both Common Criteria and COE compliance in the same package, creating the opportunity to run operational applications in a secure environment. COE, a specification created by the US Department of Defense (DoD), addresses functionality and interoperability requirements for commercially acquired IT products within its command and control systems.

"Today's announcement with SUSE LINUX is another key development fueling the rapid rise of Linux in the government sector," said James Stallings, general manager of Linux for IBM. "The Common Criteria certification across our server line further validates the security and quality of open source software. Additionally, the achievement of the operating environment standard necessary for critical command and control operations signifies that Linux can now be considered on equal footing with other operating systems."

The evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT security consulting companies, and accredited in Germany by the Federal Office for Information Security (BSI).

"Securing the EAL3+ certification is another clear testament to the strength of SUSE's processes," said Roman Drahtmueller, head of security, SUSE LINUX. "Thanks to the close collaboration between SUSE, IBM and atsec, as well as atsec's broad experience in security evaluation, customers now can benefit from security assurances across all IBM platforms that are unique in the Linux market."

The Common Criteria (CC) is an internationally recognized ISO standard (ISO/IEC 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The CC provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.

Under Common Criteria, products are evaluated against strict standards for various features, such as the development environment, security functionality, the handling of security vulnerabilities, security related documentation and product testing. In certifying SUSE LINUX Enterprise Server 8 across IBM eServer systems, atsec information security GmbH evaluated how SUSE LINUX develops, tests and maintains its products, as well as assessing the processes in place at the company for handling security issues in its software.

"BSI considers the increasing number of IT security certificates for IT products as a significant progress in advancing IT security on a broad scale," said Udo Helmbrecht, President of the German Federal Office for Information Security (BSI). "At the same time, certification has a positive effect on the quality of IT products. The certification of SuSE Linux Enterprise Server V 8 also demonstrates that the Common Criteria can definitely be used as basis for IT security certification of Open Source products."

IBM's commitment to accelerate the development and certification of Linux as a secure, industrial strength operating system is further demonstrated by the joint IBM/SUSE LINUX plan to pursue a higher level of security certification for SUSE Linux - CAPP/EAL4+ - across the IBM eServer product line for next year.

In addition to Linux, IBM plans to obtain Common Criteria certification of z/VM, its premier virtualization technology, in 2004. It is anticipated that z/VM will be certified to conform to the requirements of the Labeled Security Protection Profile (LSPP) and the Controlled Access Protection Profile (CAPP), both at EAL3+. z/VM helps enable mainframe customers to run tens to even hundreds of instances of the Linux operating system on a single IBM zSeries server. And in a future release of z/OS, IBM intends to certify z/OS to the CAPP/EAL3 and the LSPP/EAL3+ levels.

IBM's suite of middleware products is also in line for Common Criteria certification on Linux. Common Criteria certifications have been awarded to IBM Directory Server and Tivoli Access Manager. Many other IBM Software products are now in evaluation for Common Criteria certification. Additional IBM Software products are being prepared to enter the evaluation process. For more information about our current certifications, visit http://www-3.ibm.com/security/standards/st_evaluations.shtml

Contact(s) information

Mike Darcy
IBM Media Relations
(914) 588-8355
mdarcy@us.ibm.com

Joe Eckert
SUSE LINUX Media Relations
(203) 270-3711
eckert@suse.com

Clint Roswell
IBM Media Relations
(914) 499-4045
roswellc@us.ibm.com