atsec information security today announced that Red Hat Enterprise Linux 5 has been certified by the U.S. National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) as conformant to EAL4+ and the Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP) and Role Based Access Control (RBAC). The operating system is certified on HP Integrity and HP ProLiant servers.
According to Burton Group Principal Analyst Bob Blakley, “Ineffective security functions are in many cases worse than no security functions at all, because they invite users to do dangerous things based on a false sense of security. But it's not easy to tell the difference between a false sense of security and justifiable confidence in a system's security. Assurance methodologies are what give businesses and end-users justifiable confidence in a system's security. The International Common Criteria is the gold standard for assurance. It's very encouraging to see the progress commercial and open source vendors have made in completing Common Criteria evaluations of their systems over the last five years. atsec and HP are to be congratulated on the successful evaluation of RHEL 5 at EAL4+ (the highest "commercial" assurance level). It is notable that RHEL5 is the first SELinux-enabled distribution that successfully conducted an evaluation against the LSPP and RBAC Protection Profiles; previously the only operating systems with evaluated mandatory access control features were proprietary."
The completion of this evaluation adds to atsec’s unparalleled reputation for timely completion of Linux evaluations. Since August 2003, atsec has initiated and completed 14 Linux evaluations at EAL3+ and EAL4+ of five different distributions on a broad range of hardware platforms. HP sponsored this latest evaluation effort.
atsec’s customers value timely completion of projects in conjunction with their development schedules in order to reach their markets effectively and take the maximum benefit from their evaluation investment.
Stephan Mueller, Lead evaluator for atsec U.S., notes: “Continuing its pioneering efforts, atsec conducted the first ever evaluation of a Linux product with the SELinux security enhancement against the Labeled Security Protection Profile (LSPP). Linux industry experts have noted that this is particularly important because it might represent a historic opportunity to integrate security features that are currently specific to the security Linux branch back into the mainstream commercial Linux branch.”
"We see more and more customers taking advantage of the support, flexibility and cost effectiveness of HP ProLiant and HP Integrity servers running Linux in secure environments," said Christine Martino, vice president, Open Source & Linux Organization, HP. "HP’s open source and Linux R&D engineers worked closely with atsec, Red Hat and the Linux community to add the functionality required for highly secure environment as well as for security certification testing. HP is excited to complete this breadth of certifications to promote customer confidence implementing Linux with HP for highly secure environments, including Multi-Level Security deployments."
atsec has extensive experience with Common Criteria, and applying the methodology to Open Source Software has meant convincing customers that, although rigorous, Common Criteria can be flexible and adapts to a variety of software paradigms. For instance, it was possible to evaluate existing product and design documentation without the need to refactor this specifically for the evaluation.
atsec is one of only four companies worldwide with multiple evaluation labs accredited to perform evaluations under more than one national scheme. atsec labs have been accredited by NIAP CCEVS in the U.S., BSI in Germany and CSEC in Sweden to perform evaluations using the Common Criteria standard. Eligibility to perform evaluations under both major schemes and the availability of a large (50+) staff of qualified evaluators, enable atsec to offer its customers both maximum flexibility, and proven expertise and experience in Common Criteria evaluations. For independent confirmation of atsec’s competence and reputation, visit the NIAP, BSI or CSEC websites.
About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich (Germany) in January 2000 and has extensive international operations with offices in the US, Germany, Sweden, the UK, and China. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, Oracle, Cray, BMW, SGI, Vodafone, Swisscom, RWE, and Wincor-Nixdorf.