A consortium of developers, including Paris-based Linux seller Mandrakesoft, has won the right to improve Linux security by boosting the open source operating system to meet the Common Criteria Evaluation Assurance Level 5 (EAL5) certification.
The three-year contract was secured by Mandrakesoft and a series of French technology vendors, including Bertin Technologies, Surlog, Jaluna and Oppida, for more than $8.5 million. Each vendor will develop an environment that will be tested to see if it meets the requirements for an EAL5 certification.
EAL5 status is rare within the industry and will be the highest security level attained by any version of the Linux operating system to date. IBM's zSeries mainframes currently hold the EAL5 certification.
Over the course of the past year other Linux vendors, including Red Hat Inc. and Novell's SuSE Linux, attained EAL3+. Microsoft's Windows 2000 holds EAL4 certification.
Common Criteria certification is an international approval that most governments require before they will allow Linux and other open source software to be used for sensitive work. Common Criteria certifies that software meets certain security requirements, and that companies meet requirements for documenting security features, handling vulnerabilities and testing products.
Tony Iams, a vice president and senior analyst with Port Chester, N.Y.-based D.H. Brown and Associates Inc., said the contract is significant because it reinforces Linux's reputation as a secure open source operating system, especially in the international community.
"It's not too surprising that a European government would want to take [Linux security] to the next level," Iams said, commenting that the French Ministry of Defense funded the project.
"This [EAL5 certification] is needed by the French Army as part of a secure operating project," said Mandrakesoft co-founder Gael Duval.
Duval added that the contract will be excellent for Mandrakesoft's credibility -- the company recently emerged from bankruptcy protection.
When the project is completed in three years, Duval said his company will release the result -- a full operating system, certified EAL5 -- so that others may use it in different areas, including civil applications.
What's the big EAL?
Iams attributed the rarity of EAL5 to the simple fact that the process is very expensive.
"All these steps take money; it's not rocket science exactly, but then again you have to hit all these levels [EAL1 through 5]," Iams explained. "It's checking and double checking; a matter of investment. You're not developing new technology; you are scrutinizing existing technology to make sure it lives up to the level of security [of EAL5]."
Linux gains more ground with EAL5
Charles King, an independent analyst in the San Francisco area, said EAL5 for a Linux operating system creates an opportunity that Microsoft clearly does not have at this point within the government sector.
"Linux-based applications are very much within the tradition of a lot of government-related applications," King said. "Frankly, Linux offers government entities opportunities to be more hands-on in a way more so than what Microsoft is offering."
King said he believed the government sector can be a place that is "extremely painful" to get involved in due to high regulation and security clauses. Because of the relatively small number of vendors in the space, King said it is a location where Mandrakesoft's Linux with EAL5 certification can thrive for the time being.
This slight edge could exist until the release of the next Windows OS, code-named Longhorn, which King said should have EAL5 certification, considering the erosion Linux has caused to Redmond's influence in the government space.