Mental Ward


VMware Earns Security Rating

A number of core VMware products have earned the highest security rating possible from the Common Criteria security evaluation. According to a VMware press release, VMI 3, ESX and VirtualCenter have earned Common Criteria Evaluation Assurance Level 4 (EAL4+).

EAL is a substantive certification, and EAL4+ is its highest rating. That's good news for VMware, since virtualization security is a growing concern for businesses as the technology moves into the mainstream.

Many moons ago, when I was working for sister publication Redmond magazine, we ran an article on Common Criteria certification from our then-security guru, Roberta Bragg. She had some interesting things to say about CC that are relevant to this discussion. These comments refer to an older Windows product that earned the rating, but are equally applicable to VMware:

"Be careful, though: CC validation doesn't mean that Win2K is a secure operating system. Rather, it means that it's a securable operating system. Just as an MCSE certification doesn't guarantee that the holder is competent to administer Windows enterprise networks, the CC certification doesn't guarantee that any implementation of Win2K is secure. Like previous government product-specific security standards -- E3/F and C2 -- CC certification certifies that the product, when configured as it is in the evaluation, meets some security profile. It says, in effect, that Win2K can be secure if properly patched and configured to specific criteria."

In other words, don't assume that you're secure just because you're using ESX, VMI or VirtualCenter and they have the rating. Due diligence is absolutely necessary. "Secure" and "securable" are related, but very different, concepts.

Posted by Keith Ward on 06/04/2008 at 12:48 PM

