Linux Conversations | Episode 9: SUSE Security – The Gold Standard of Enterprise Linux Security and Compliance with Dietrich Banschbach and Knut Trepte
Welcome back to “Linux Conversations,” our blog series where we explore the world of Linux with experts from SUSE. In this episode, we dive deep into the crucial world of product security, compliance and certifications. We’re joined by two key figures in this domain: Dietrich Banschbach, Head of Solution & Product Security and Release Engineering, and Knut Trepte, Product Manager for Product Security. Both bring extensive experience from within SUSE, ensuring that SUSE Linux Enterprise products meet the highest security standards.
Join us as Dietrich and Knut explain SUSE’s unique leadership in security certifications to ensure compliance, discuss why these validations are vital for enterprises, and reveal the comprehensive processes – from proactive design to rapid incident response – that keep SUSE Linux at the forefront of secure operating systems.
Interview Transcript:
Rick Spencer: Welcome, Dietrich and Knut. Thanks for being here. Could you each take a moment to introduce yourselves?
Dietrich Banschbach: I’m Dietrich Banschbach. I’ve been with SUSE for eight and a half years. I’m in charge of a department that looks after solution and product security, security certifications, release engineering (affectionately called the build service), and some internal tools.
Knut Trepte: My name is Knut Trepte. I’m the product manager for product security for everything that’s somehow called SUSE Linux Enterprise. I’ve been with SUSE for seven years, and I’m dedicated to product security, including compliance, government topics, security features, and hardening.
Rick Spencer: SUSE often states that we have the highest level of certifications available for a general-purpose operating system. Can you explain what we mean by that?
Knut Trepte: Yes, we are basically the only general-purpose operating system that is hardware-independent and holds a Common Criteria Evaluation Assurance Level 4+ (EAL4+) certification, including ALC_DVS.3 for systematic flaw remediation, which covers security updates.
Rick Spencer: And don’t we have a slew of other certifications too?
Knut Trepte: Absolutely. We have almost all the certifications our competition has, like the Common Criteria NIAP protection profile for the North American market, and FIPS certifications, which are crucial for banking and government, targeting cryptographic modules.
Dietrich Banschbach: Beyond that, we have country-specific certifications for markets like China (GB18030) and Korea. It’s not just about certifications, though. We also provide extensive hardening guides, hundreds of security controls, to help customers configure their SUSE Linux Enterprise Server instances for maximum security. Think of it like enabling all the security features in a car—fastening seatbelts, turning on lights, putting on winter tires.
Rick Spencer: Why would an enterprise care about all these certifications and hardening efforts? Why do customers value them so much?
Knut Trepte: In regulated markets like North America, selling to the US federal government often requires a Common Criteria certification with a NIAP protection profile. For cryptography, FIPS certification is mandatory by law for banking and government. Additionally, new regulations like NIS 2 in Europe put CEOs into direct private liability for their supply chain’s security. State-backed certifications offer the highest level of assurance to demonstrate due diligence and avoid liability.
Dietrich Banschbach: Exactly. This significantly reduces the work customers have to do to validate their supply chain or cryptographic libraries. Furthermore, an exploited operating system can be a weapon of mass disruption, making its security crucial. We opt for the highest level of external validation from renowned government bodies like the German BSI, confirming our compliance with standards like Common Criteria EAL4+ and FIPS 140-3. We’re in a cyber war, and we must equip our customers to keep up.
Rick Spencer: This seems like a massive task across different Linux versions and SUSE products. How do we achieve and maintain all these certifications?
Knut Trepte: Dietrich’s team has done an excellent job setting up a structure that produces these certifications almost on a conveyor belt with maximum reliability. We also have a very high level of speed, though external authorities sometimes dictate the pace. It’s a voluminous job requiring precision and dedicated knowledge of interdependencies between certifications. We are a highly valued partner because we can automate and execute on these things already.
Dietrich Banschbach: And I can give you three recent examples: We achieved the first-ever Common Criteria certification for SLE Micro 5.3 (NIAP GPOS profile). We also attained SOC 2 compliance and SOC 3 certification for the entire company, in addition to Hosted Rancher. This demonstrates that our security encompasses the entire product and service lifecycle, from design to delivery.
Rick Spencer: So, there’s a lot of automation behind this.
Dietrich Banschbach: Precisely. Automation is key to our efficiency and enables us to keep up with the ever-growing number of certification requests and compliance work.
Knut Trepte: This automation even allows us to engage with regulatory bodies like the BSI in discussions about future reporting requirements for operating systems, such as SBOMs (Software Bill of Materials). Our opinion is highly valued.
Dietrich Banschbach: That’s an excellent point. Software Bill of Materials (SBOMs) are metadata collections that describe what’s in a package. If a vulnerability hits the news, customers can quickly determine if they’re affected without contacting hundreds of suppliers manually. We ship our products with SBOMs, making it easy for customers to take decisive action. We also go the extra mile to secure the entire software supply chain, ensuring integrity throughout the build process, validated by certifications like ISO 27001, 27701, SOC 2/3, and Common Criteria EAL4+.
Rick Spencer: And you mentioned the Open Build Service. How does that fit in?
Dietrich Banschbach: The Open Build Service is our offering that anyone can freely use, download, and adapt. Many companies use copies of our OBS. It’s an industry-scale build service, processing millions of builds per week, offering unparalleled scalability.
Knut Trepte: This ability to produce at an enterprise level elevates the entire open-source ecosystem. It allows applications not directly provided by us to achieve similar quality levels, offering a robust industry build system instead of less structured internal labs. It helps the whole ecosystem, and we are friendly, which also helps us.
Rick Spencer: Very cool. Any last thoughts?
Dietrich Banschbach: We hope you found it useful and learned something.
Knut Trepte: This proactive work, like discussing future regulations with communities like Debian, helps us a lot with the ecosystem, benefiting everyone.
Conclusion:
In a world where cyber threats are constantly evolving, SUSE’s unwavering commitment to product security and certifications is paramount. As Dietrich and Knut eloquently explained, SUSE goes beyond merely offering a secure product; it provides verifiable assurance through the highest levels of independent validation, enabling customers to navigate complex regulatory landscapes and protect their mission-critical operations. From rigorous design and automated testing to proactive incident response and leadership in the broader open-source security community, SUSE delivers a comprehensive and continuously improving security posture. This dedication not only instills confidence but also empowers enterprises to adopt new technologies with peace of mind, knowing their underlying Linux infrastructure is hardened, certified, and actively defended.
More from this Series:
- Linux Conversations | Episode 1: Running Multi-Linux Environments in Production with Donald Vosburg
- Linux Conversations | Episode 2: The Future of SUSE Multi-Linux with Johannes Hahn
- Linux Conversations | Episode 3: Fixing the Unfixable with William Preston
- Linux Conversations | Episode 4: 25 Years of Linux Evolution with Matthias Eckermann
- Linux Conversations | Episode 5: Securing the Untrusted: How Confidential Computing Protects Your Data with Joerg Roedel
- Linux Conversations | Episode 6: 25 Years of SUSE Expertise on SAP Infrastructure Supporting SAP’s Hybrid Cloud Journey with Tobias Kutning
- Linux Conversations | Episode 7: SUSE Security – Protecting Enterprise Linux with Marcus Meissner
- Linux Conversations | Episode 8: Ensuring SAP Quality: The Collaborative Automation Journey with Haris Sehic
- Linux Conversations | Episode 9: SUSE Security – The Gold Standard of Enterprise Linux Security and Compliance with Dietrich Banschbach and Knut Trepte
Stay tuned for more interviews in our Linux Conversations series—follow our blog or subscribe for the latest insights from SUSE Linux experts.
*Disclaimer: This transcript has been lightly edited for clarity and readability.*