IBM and atsec achieve independent certification of Red Hat Enterprise Linux 5 at Common Criteria EAL4+ under NIAP scheme

From:  Andreas Fabis <fabis-AT-atsec.com>
To:  undisclosed-recipients:;
Subject:  IBM and atsec achieve independent certification of Red Hat Enterprise Linux 5 at Common Criteria EAL4+ under NIAP scheme
Date:  Mon, 25 Jun 2007 11:15:06 -0500

FOR IMMEDIATE RELEASE

Media Contact:
Andreas Fabis, fabis@atsec.com
Marketing Director
atsec information security
(512) 615-7317


IBM and atsec achieve independent certification of Red Hat Enterprise
Linux 5 at Common Criteria EAL4+ under NIAP scheme

atsec completes complex evaluation with CAPP, LSPP and RBAC compliance.

atsec information security is pleased to announce that the U.S. National
Information Assurance Partnership (NIAP) Common Criteria Evaluation and
Validation Scheme (CCEVS) has certified Red Hat Enterprise Linux 5 as
conformant to EAL4+ and the following Protection Profiles: Controlled
Access Protection Profile (CAPP), Role Based Access Control (RBAC)
Protection Profile and Labeled Security Protection Profile (LSPP). The
operating system is certified on several IBM server platforms. The
evaluation work was performed by atsec information security corporation,
and the effort was sponsored by IBM.

Steve Walker, President of Walker Ventures, founder and former President
of Trusted Information Systems Inc., commented: “Since the origins of
the Orange Book, it has always been our goal that trusted or multi-level
secure systems would be implemented as part of mainstream operating
systems.  And so I am very pleased to see that Red Hat's Enterprise
Linux has now been certified to the Common Criteria EAL4 and LSPP and
that the evaluation was completed just a few months after the operating
system's release.  This shows that mainstream operating systems like
Linux are capable of achieving higher levels of trust and our evaluation
procedures have matured to the point that such evaluations can be done
in a timely manner.  This is a very positive development in the
evolution of computing systems!”

The completion of this evaluation adds to atsec’s unparalleled
reputation for timely completion of Linux evaluations. Since August
2003, atsec has initiated and completed fourteen Linux evaluations at
EAL3+ and EAL4+ for five different Linux distributions on a large range
of hardware platforms. atsec’s customers have valued atsec’s record of
timely completion of projects in conjunction with development schedules
in order to reach their markets effectively and take the maximum benefit
from their evaluation investment.

Dan Frye, vice president of open systems with IBM, commented earlier in
an infoworld.com article: "This is the highest level of security
function that anybody has," Frye said. "We have delivered LSPP (Labeled
Security Protection Profile) functionality in Red Hat Enterprise Linux
5, and we have certified that at the EAL4 level of assurance."

atsec has extensive experience with the Common Criteria. Applying the
methodology to Open Source Software has presented the opportunity to
demonstrate that although rigorous, the Common Criteria can be flexible
and adaptable to a variety of software paradigms; for instance, it was
possible to evaluate existing product and design documentation without
the need to refactor this evidence specifically for the evaluation.

Fiona Pattinson, Lab Manager for atsec U.S., notes: “atsec is proud to
be the first lab to evaluate a Linux product with the SE-Linux security
enhancement against the Controlled Access Protection Profile (CAPP),
Role Based Access Control (RBAC) Protection Profile and Labeled Security
Protection Profile (LSPP). As Linux industry experts have noted, this
evaluation is particularly important because it represents a historic
opportunity to integrate security features previously specific to the
security Linux branch back into the mainstream commercial Linux branch.”

atsec is one of only four companies worldwide that is accredited to
perform evaluations under more than one national scheme. atsec labs have
been accredited by NIAP CCEVS in the U.S., BSI in Germany, and CSEC in
Sweden to perform evaluations using the Common Criteria standard.
Eligibility to perform evaluations under multiple schemes and the
availability of a large (50+) staff of qualified evaluators enable atsec
to offer its customers both maximum flexibility and proven expertise and
experience in Common Criteria evaluations. For more information about
atsec’s qualifications and competence, see www.atsec.com. For
independent confirmation of atsec’s competence and reputation, visit the
NIAP, BSI or CSEC websites.

About atsec information security
atsec information security is an independent, standards-based IT
(information technology) security consulting and evaluation services
company that combines a business-oriented approach to information
security with in-depth technical knowledge and global experience. atsec
was founded in Munich (Germany) in January 2000 and has extensive
international operations with offices in the US, Germany, Sweden, the
UK, and China. atsec leverages its deep security, process, and standards
expertise to consult on a wide range of IT security needs, enabling
clients to establish integrated security management procedures in order
to manage security risk and improve data, product, and business process
reliability. atsec works with leading global companies such as IBM, HP,
Oracle, Cray, BMW, SGI, Vodafone, Swisscom, RWE, and Wincor-Nixdorf. For
more information please visit www.atsec.com.

-- 
Andreas Fabis                                 Phone: +1-512-615-7317
atsec information security                      Fax: +1-512-615-7301
9130 Jollyville Road #260, Austin, TX 78759       Web: www.atsec.com
GnuPG Fingerprint: A326 E89A 0421 602F 7985 9B7B FD58 1713 5176 4A00

Test your knowledge of IT security at
http://www.atsec.com/it-security-rally


This is impressive. 5 at Common Criteria EAL4+ under NIAP scheme

Posted Jun 28, 2007 15:00 UTC (Thu) by dwheeler (subscriber, #1216)

This one is impressive. This one not only meets the CAPP requirements (similar to the old military "C2" requirements), but the LSPP and RBAC requirements too. That's WAY beyond what Windows does, which can ONLY meet the CAPP requirements. You can visit NIAP for more details.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds