Thursday, November 4, 2010

VMware vSphere 4.0 receives Common Criteria.

VMware has announced that it earned Common Criteria Evaluation Assurance Level 4 (EAL4) for VMware vSphere 4.0 and vCenter Server 4. The Common Criteria is an international set of guidelines that provides a common model for evaluating security features and capabilities of Information Technology (IT) security products, and EAL4 is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA).

For VMware Infrastructure 3, the EAL4 certification was achieved in June 2008. VMware announced in August 2009 that it had submitted vSphere 4.0 for Common Criteria certification, and at that time it expected to receive the certification in H2 2010. vSphere 4.1 has also been submitted for evaluation.

The reference model used for EAL4 is called a Protection Profile. Protection Profiles are written by industry groups. A Protection Profile is used to determine the functionality and the security levels of a certain type of solution. Based on the Protection Profile, the vendor who wants to get its product certified writes a Security Target document, using the Protection Profile as a template. The Security Target document details the security properties of the vendor's solution.

It's crucial to note that for hypervisors these certifications are still based on Protection Profiles for operating systems, since there still isn't a Protection Profile for hypervisors available at this point in time. Even so, the certification gives a full estimate of how the product is performing security-wise.

Because the vendor itself specifies the Security Target document, it's very interesting to know what isn't included, especially when you wish to compare the product with comparable products which are also EAL4 certified.

For ESX/ESXi, the functionalities not included in the Security Target are:

  • Simple Network Management Protocol (SNMP), File Transfer Protocol (FTP), Telnet
  • The use of any authentication method on ESX(i) other than the local password database
  • VMware Software Development Kit (SDK) tools
  • The procfs interface (used to manage CPU resources) on the ESX host Service Console
  • VMware Scripting Application Programming Interface (API) on the ESX host
  • VMware Consolidated Backup
  • Guest OS patch updates via Update Manager

By earning this certification, VMware stays way ahead of Citrix, for which XenServer 5.6 and XenDesktop 4.0 achieved EAL2 certification in September this year.
