IBM, Oracle sponsor Linux security certifications

Linux may get the security credentials it needs for use in sensitive government jobs, thanks to IBM Corp. and Oracle Corp.

Each company announced this week that it will independently sponsor a Common Criteria evaluation of a version of the open source operating system.

Industry observers have long speculated that Linux would not be sponsored for Common Criteria evaluation due to the costs involved - usually ranging from $500,000 to $1 million, according to Oracle, Redwood Shores, Calif. - and the fact that no competitive advantage would ensue from sponsorship because open source licensing allows for free distribution. However, both companies are sponsoring evaluations to further use of their own hardware and software within government.

In addition, Red Hat Inc., Raleigh, N.C., announced this week that its version of Linux for servers won Defense Information Systems Agency's Common Operating Environment certification.

The National Information Assurance Partnership, a joint office of the National Institute of Standards and Technology and the National Security Agency, administers Common Criteria.

Last October, the Windows 2000 operating system from Redmond, Wash.'s Microsoft Corp. won Common Criteria certification from Science Applications International Corp., San Diego, which performed the third party testing. Oracle's evaluation will be handled by London IT services provider LogicaCMG Plc. IBM did not disclose its evaluator.

Oracle is also submitting a package of its Oracle9i Database Release 2 on top of a Linux operating system for review as well.

"Increasingly Oracle's security-conscious customers are interested in deploying Linux," said Mary Ann Davidson, chief security officer at Oracle.

IBM's sponsorship, which is independent of Oracle's, will submit a version of Linux used in its own eServer platforms.

"This investment represents the next step in IBM's ongoing commitment to accelerate the development of Linux as a secure, industrial strength operating system," said Jim Stallings, an IBM general manager of Linux solutions.

Red Hat announced that a configuration of its Red Hat Linux Advanced Server running on IBM's eServer won the Defense Information Systems Agency's Common Operating Environment, or COE, certification. COE certification is used by the Department of Defense Joint Technical Architecture to validate software for use in Defense Department command and control, computers, communications and intelligence systems.

"The COE certification of Red Hat Linux Advanced Server opens low-cost computing solution avenues to federal agencies for new open source server deployments," Stallings said.

(Updated Feb. 13, 2003, 3:57 p.m.)