Sun Raises Stakes for Solaris Trust
Sun is taking a new approach to rolling out its trusted version of Solaris. Rather than a completely separate version of Solaris, it's now in "early access" for something called Trusted Extensions, which overlay Solaris 10. Sun is taking Solaris 10 to EAL4+ certification and changing the way it develops Trusted Solaris.
Sun has also announced that Solaris 10 has the formal green light and has entered into Common Criteria evaluation EAL4+, a process that began in February. Common Criteria evaluation includes standards that are accepted by over 22 different countries.
Mark Thacker, product line manager of Solaris security at Sun Microsystems, told internetnews.com that Sun is going above and beyond what is normal for EAL certification by conducting Controlled Access Protection Profile (CAPP) and Role Based Access Control Protection Profile (RBACPP) evaluations.
Sun is also now taking a different approach to building its "trusted" version of the operating system.
"Trusted Solaris has always been a separate OS currently based on Solaris 8, so it's called Trusted Solaris 8," Thacker explained. "We're in early access now for a product that we call Solaris Trusted Extensions, and what that will do is layer on top of Solaris 10 to provide a multi-level environment that will run on top of Solaris 10."
Thacker added that with Trusted Extensions there is no longer a separate kernel or a separate operating system.
"It is in fact a security configuration of Solaris 10," Thacker said. "It also gets us out of an interesting lag issue that we've had in the past with Trusted Solaris not always being up to date with the latest Solaris release."
Sun's Thacker sees both value and challenges in putting an OS into evaluation before it's complete.
"There is so much that is going to change in an OS before you get into evaluation that when you do that, you run the risk of changing your security targets significantly and doing a lot of additional work," Thacker said.
Earlier this week, Linux vendor Red Hat announced that it was pursuing EAL4 certification with partners IBM and Trusted Computer Systems (TCS). The evaluation is for Red Hat's upcoming Enterprise Linux version 5, which is set to be released in 2006.
Thacker said that with Trusted Extensions, Sun is starting the work now, with the understanding that some things will change before the product ships.
"I have no idea where Red Hat Enterprise Linux 5 is; I can't comment on that, but I do know where Trusted Extensions is and I'm comfortable with the fact that we're in early access," Thacker said. "And we're starting the process for evaluation without being at a point where code reviewers will ask to step in and look at the code."
Though the evaluation labs are independent, Sun doesn't pull in a sponsor to help it with the evaluation, as Red Hat does.
"Unlike other vendors, we don't need a sponsor," Thacker said. "We consider this to be mission critical to our business and we do this ourselves. Sun is its own sponsor and we do not need an outside sponsor to help fund the development."
This article was originally published on internetnews.com.