When it comes to big enterprise IT deployments in the U.S., there is no enterprise bigger than the federal government itself. Linux vendor Red Hat is hoping for a larger portion of the government’s multi-billion dollar IT spending with its widest-ever array of security certifications, thanks to assistance from HP.
HP today released new Multi-Level Security (MLS) Services for Red Hat Enterprise Linux 5 in support of the open source OS vendor’s government push.
At the core of MLS Services is the fact that HP has achieved Common Criteria certification at the EAL 4 level with the Labeled Security Protection Profile (LSPP) — certifications that mean HP, and now Red Hat, can meet high-level government security requirements. Common Criteria certifications, for instance, are key government certifications that ensure a degree of security compliance against known criteria.
The announcement comes as Red Hat kicks off its third annual Government Users and Developers Conference in Washington, D.C.
The HP effort “helps validate not only MLS requirements in government but also the fact that government customers want choice,” Paul Smith, Red Hat’s vice president of government sales operations, told InternetNews.com. “HP’s announcement sends the resounding messaging that government customers want collaboration and flexibility in their solutions, a move away from the proprietary vendor lock-in that once dominated.”
Erik Lillestolen, HP’s government program manager for open source and Linux organization, said the effort will help curb concerns about implementing new technologies. (Red Hat Enterprise Linux 5 debuted in March.)
“We’re putting together a service that we’re offering to the federal government to help them implement MLS environment in their own infrastructure,” Lillestolen told InternetNews.com. “We’re looking at things like infrastructure reviews, design, implementation services, support services and an on-site knowledge transfer to bring them up to speed.”
To receive LSPP certification, Lillestolen said a vendor must demonstrate data labeling as well as strong audit capabilities. RHEL 5 achieves LSPP in part by way of a SELinux policy mechanism that enables users to label processes or objects with “secret” or “top secret” labels. SELinux provides access controls for the Linux kernel itself, and was developed in cooperation with the National Security Agency.
The EAL 4 LSPP certification is also tied directly to the hardware on which the operating system will run, which is why the participation of hardware vendors in certification is critical.
Red Hat isn’t the sole Linux distribution that HP sells and supports. Novell’s SUSE Linux as well as Debian Linux are both supported by HP. Yet Lillestolen said neither Novell nor Debian has gone through Common Criteria certifications for the same level of security as RHEL 5.
“With this announcement for multi-level security, if you’re using Linux, you pretty much have to use RHEL 5,” Lillestolen said. “You have two aspects to Common Criteria: You have your assurance level and you have your protection profile. The Novell protection profile doesn’t have labeled protection profile, which is what you need for MLS.”
By comparison with RHEL 5’s approach, Novell’s SUSE Linux uses a framework called AppArmor, which provides the same type of access control in the Linux kernel.
In addition to HP, IBM also has certified RHEL 5 to EAL 4 with LSPP. Lillestolen said, however, that HP has gone further than Big Blue by certifying a wider range of hardware.
“We went all the way from our top end integrity server to notebooks,” he said. “It lets customers choose the areas where they need to be which is the broadest platform set in the industry. We are not aware of a specific service by IBM that is comparable for the MLS customer.”
IBM was not immediately available for comment.