Innovation Without Disruption: Introducing SUSE Linux Enterprise 15 SP4 and Security
[This blog post is contributed by Blaine Stone, Certification Compliance Program Manager at SUSE.]
At SUSE, we take security seriously. The major areas of our focus are:
- Secure the Foundations;
- Secure the Product;
- Secure the Supply Chain; and
- Confidential Computing
SUSE has been working on security for a long time now, because we believe in resilience, reliability, and the ability to secure the foundations, our product, and the supply chain that your products rely on. To accomplish this, SUSE is working in four key areas:
- Secure the Foundations
  - DISA STIG – obtaining certification for system hardening
  - NIST FIPS 140-3 – acquiring validation of all cryptographic modules
  - Automated SCAP Profiles
  - PCI-DSS and HIPAA Hardening Profiles
  - Pre-hardened Images for the Cloud
Broad governmental certifications around the world provide assurances to our customers and partners that compliance and a secure software supply chain ultimately position SUSE Linux as a leader in this space.
- Secure the Product
  - Common Criteria EAL4+ certification – ensuring our product is functionally tested; structurally tested; methodically tested and checked; and methodically designed, tested and reviewed. SUSE is proud to be the only Linux producer with this certification.
  - US Federal Government NIAP Protection Profile
  - Spain OC-CCN Certification
  - Korea GS Certification
- Secure the Supply Chain
SUSE has added SLSA Level 4 compliance to its existing security certifications. SUSE Linux Enterprise (SLE) 15 SP4 is the first Linux distribution to deliver packages under the demanding Google SLSA standard, adding a SLSA Level 4 compliant supply chain that helps protect against the increasing software security and supply chain threats customers face today. Our SLSA: Securing the Software Supply Chain document (https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/index.html) details how SUSE, as a long-time champion and expert of software supply chain security, prepared for SLSA Level 4 compliance. You may also access the SUSECON Digital 22 presentation (https://susecon.com/) by Markus Noga, General Manager Linux Business Unit, where he talks with Google about this achievement.
- Confidential Computing
There are several layers to confidential computing:
- data at rest;
- data in transit; and
- newest of all, data in actual use.
SUSE products have supported data-at-rest encryption for your SSDs, volumes and partitions for a long time. We have also secured data in transit between machines, or between data centers and networks, with zero-trust network encryption for quite a while. What is new with SLE 15 is that you can also protect data that is actually in use, in main memory or in CPU registers that get dumped to main memory when a context changes.
- Confidential Virtual Machines are a game changer for data protection in the cloud. They cover data in use: securing data that is actively being accessed by an application or a user and stored in memory. SUSE Linux Enterprise Server supports Confidential Virtual Machines on Google Cloud Platform, accelerating migrations to the cloud for on-premises and regulated workloads that require the utmost security and compliance. This helps protect against remote attacks, privilege escalations, and malicious insiders.
- With shielded VMs that protect Compute Engine instances, you can securely use data that gets migrated to the cloud and safely process sensitive data while maintaining encryption in memory. This has NO exposure to the rest of the system and no change to workload or code.
- SUSE and AMD have a long history of upstream collaboration across key AMD initiatives, including confidential computing. This started with Secure Encrypted Virtualization (SEV) in 2016, followed by SEV Encrypted State (SEV-ES) and SEV Secure Nested Paging (SEV-SNP). As a result of this upstream collaboration, SUSE has an early mover advantage when it comes to SEV technologies making their way into our enterprise Linux distribution.
- AMD and SUSE are working together to bring Confidential Computing into the Linux ecosystem. SUSE helped to add support for AMD SEV and SEV-ES to a wide range of products like the Linux kernel, LibVirt, and Kubevirt.
- SUSE is blazing a new trail with confidential computing with AMD as a key partner of ours and their ultra secure AMD-SEV chipsets.
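The data-in-use protection described above only holds if the guest kernel is actually running with SEV, SEV-ES or SEV-SNP active, and the Linux kernel reports this in its boot log. The following POSIX shell check is an added example, not SUSE's or AMD's code: it parses the kernel's "Memory Encryption Features active" line (the exact wording varies slightly between kernel versions, so the parser keys on the stable part of the message) from constructed sample log lines, and exposes the same functions for use against real `dmesg` output on a guest.

```shell
#!/bin/sh
# Added example (not SUSE's or AMD's code): verify from inside a guest that the
# kernel reports AMD memory encryption as active, instead of trusting the
# instance label. Newer kernels print
#   "Memory Encryption Features active: AMD SEV SEV-ES"
# while older ones print "AMD Memory Encryption Features active: SEV"; both
# forms contain the substring "Memory Encryption Features active:".

# sev_features_from_log LOGTEXT
# Print the active feature names (SEV, SEV-ES, SEV-SNP), one per line, sorted.
# Prints nothing when the log carries no memory-encryption line.
sev_features_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*Memory Encryption Features active:[[:space:]]*//p' |
        tr ' ' '\n' |
        grep -vx 'AMD' |      # drop the vendor token, keep feature names
        grep -v '^$' |
        sort -u
}

# log_has_feature LOGTEXT FEATURE
# Exit 0 if FEATURE (e.g. SEV-ES) is listed as active, 1 otherwise.
log_has_feature() {
    sev_features_from_log "$1" | grep -qx "$2"
}

# Constructed sample logs standing in for `dmesg` output (not real captures).
SAMPLE_LOG='[    0.000000] Linux version 5.x.y-example (constructed sample)
[    0.005123] Memory Encryption Features active: AMD SEV SEV-ES
[    0.005456] random: crng init done'

# Constructed sample from a guest without memory encryption.
PLAIN_LOG='[    0.000000] Linux version 5.x.y-example (constructed sample)
[    0.005456] random: crng init done'

# Live check on a real guest (needs permission to read the kernel log):
#   if log_has_feature "$(dmesg)" SEV-ES; then echo "SEV-ES active"; else echo "SEV-ES NOT active"; fi
```

On a live system, an empty result from `sev_features_from_log "$(dmesg)"` means the guest is running as an ordinary VM regardless of how it was provisioned, which is the condition worth alerting on for workloads that were placed in the cloud on the strength of in-memory encryption.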
That is what customers of SUSE can experience today, and that is what “innovation without disruption” means at SUSE.
Thanks for reading!