The National Security Agency has for years been calling for someone--anyone--to develop a secure, mainstream operating system that can address system access and other security concerns at the very heart of an IT infrastructure. Now a coalition of open-source technology providers plans to heed the government's call by using Linux as the platform for delivering a highly secure operating system to the masses.
Red Hat, with help from IBM and Trusted Computer Solutions, said Tuesday that it plans to put its Red Hat Enterprise Linux operating system through the National Information Assurance Partnership's Common Criteria evaluation program in a move to create the first "trusted" Linux operating system. When the next iteration of Red Hat Enterprise Linux, version 5, is released in late 2006, it's expected to have a rating of Evaluation Assurance Level 4, or EAL4, and to achieve "trusted" status by including the security capabilities of the labeled security, controlled access, and role-based access control protection profiles.
"The big thing here is that it makes Red Hat Enterprise Linux 5 the only other trusted operating system in the world, beyond Trusted Solaris," says Ed Hammersla, chief operating officer of Trusted Computer Solutions, a provider of security software and services. "It's a big milestone in the maturity of Linux."
A trusted operating system is valuable for government agencies and businesses because it allows system administrators to deliver different levels of security on the same system. For example, an intelligence agency can manage access to secret and top-secret data on a single system, even if users have different security clearance levels. This is useful in the business world as well, as companies seek to provide access to different types of information to different users, whether they're employees, customers, or business partners.
The trusted version of Red Hat Enterprise Linux will build upon the Security Enhanced Linux, or SELinux, guidelines the NSA developed to make the operating system more secure. The Linux community in 2003 included SELinux's mandatory access control capabilities in version 2.6 of the kernel, upon which Red Hat built version 4 of its Red Hat Enterprise Linux.