Sleep Safe!: SUSE Linux Enterprise Server 12 Now Has Common Criteria Certification at EAL4+
If you are running SUSE Linux Enterprise Server 12, you can now sleep better at night with assurance of the quality, security and compliance of your SUSE operating system. The reason is simple. Last month SUSE Linux Enterprise Server 12 achieved Common Criteria (CC) Certification at the Evaluation Assurance Level 4 (EAL4). The SUSE partner for certification was atsec information security corp., and the certification body was the German Federal Office for Information Security (BSI).
What does this mean?
Common Criteria (CC) is a common set of guidelines and specifications for evaluating if information security products meet the international security standard (ISO/IEC 15408) for government deployments. The CC evaluation covers a Protection Profile defining a standard set of security requirements for a specific type of product (e.g., operating system, firewall) and the Evaluation Assurance Level defining how thoroughly the product is tested.
What does this mean for you?
Verified security functionality and quality assurance. CC is more than a simple stamp, and it covers more than just OS hardening. The evaluation also verified our development processes and development environment, such as physical security and access control methods. That means that the certification is relevant for other SUSE products built according to the same standards (in addition to the SUSE OS). So the certification indicates the inherent quality of the SUSE product process in general.
Worldwide recognition, for increased business. If your company does or wants to do business with the U.S. Federal Government and other governmental markets in Europe or Asia, CC-EAL4 is recognized, even mandatory, in more than 25 countries worldwide. Many commercial businesses also demand the proven security assurance of CC-EAL to handle sensitive information affordably for operations around the world. SUSE has now been proven to fulfill the international standard (ISO/IEC 15408).
Unique in the Linux market. The certification is for the latest version of the SUSE Linux Enterprise OS (12) and is available on two hardware architectures: Intel 64 (x86-64) and IBM z Systems (s390x). For customers of existing and future z Systems in areas where certification is required, it’s the only Linux OS with this certification.
Other security advantages. SUSE has also achieved Federal Information Processing Standard (FIPS) 140-2 certification—available in the SUSE Linux Enterprise Server 12 Certifications Module. This is a U.S. government computer security standard used to accredit cryptographic modules. SUSE has had 7 modules certified: OpenSSL, the Linux kernel, OpenSSH client, OpenSSH server, libgcrypt, strongSwan (IPsec), and Mozilla NSS (at Level 2!). So now your company can have both CC and FIPS 140-2, not just one or the other—a competitive advantage for doing business that requires great security assurance in the U.S.
How can you take advantage of this security now?
Just set up a certified system by downloading a special ISO image based on SUSE Linux Enterprise Server 12 that also contains some FIPS 140-2 certified packages and additional patches for critical security packages. You also need to download the “certification-sles-eal” RPM from the SLES12 update channels and follow the instructions in the configuration guide (ECG).
Now, while security is not static but a process that requires your involvement:
Work with fewer worries – and sleep more securely.