SQL Server Blog

Common Criteria EAL4 Certification for SQL19

Wolfgang Peter
Jun 09, 2022

In May 2022, representatives of the Spanish certification body CCN (Centro Cryptológico National), the Spanish evaluation facility DEKRA Testing and Certification, S.A.U., and Microsoft met at Microsoft for the official handover of the Microsoft SQL Server 2019 Database Engine (EAL4+) certificate and to share their views on IT product certifications in cloud environments.


From left to right:

- Pablo Franco, Head of Certification Body, CCN

- Wolfgang Peter, Principal Security Program Manager, Database Platform Security Fundamentals & Compliance, Microsoft

- Yolanda Muñoz Muñoz, Support Engineering Manager, Spain-Site Lead, Microsoft

- Jose Emilio Rico, Cybersecurity Division Director, DEKRA Testing and Certification S.A.U.

- Alejandro Torrecilla Torregrosa, Managing Director, DEKRA Testing and Certification S.A.U.


The SQL Server 2019 (SQL19) Common Criteria (CC) certification consisted of a comprehensive examination conducted by the evaluation facility, based on document reviews for various design representations, independent functional and penetration testing, code analysis, site audits for development sites, data centers and support sites, and a vulnerability assessment. Scope and rigor of this investigation were defined by the security assurance requirements compiled in the Evaluation Assurance Level 4 (EAL4) and the applied DBMS PP. The results obtained by the evaluation facility were continuously monitored by the certification body to confirm their accuracy and to ensure comparability with other independent evaluations of the same product type.

Compared to previous versions, the SQL19 CC process also included "Systematic Flaw Remediation". Specifically, this means that user communication pertaining to flaws, flaw status communication, and the timeliness of updates and reports issued for SQL19 were assessed and confirmed as compliant with the highest eligible assurance component within the CC.

To see an extract of the extensive CC history of SQL Server, please refer to the SQL Server security page (Click on “View our Common Criteria certification”). Additionally, this document provides important information for understanding and using SQL19 as evaluated and certified according to the CC.


About the CC

CC is an international program which is broadly used as a (cyber) security standard (ISO 15408) to test and improve the IT security measures of commercial products for use in National Security Systems (see e.g. EUCSA, NIAP). As such it serves as a world-wide compliance obligation across regulated industries and authorities and can be applied to almost any type of IT product implemented in hardware, firmware, or software.

IT security measures in the context of the CC are usually a means to protect information (in other words, 'assets') from unauthorized disclosure, modification, or loss of use, covering, for example, areas such as identification and authentication, access control, accountability, audit, object re-use, and error recovery. Appropriate confidence in the correct and effective implementation of those measures (expressed in terms of assurance requirements and typically specified as an EAL) is needed to help determine whether IT products fulfill their security needs. A competence-tested and authorized (i.e., accredited) evaluation facility therefore evaluates an IT product against a pre-defined security specification, called a (collaborative) Protection Profile (PP). A (collaborative) PP represents the security functional and assurance requirements for a technology class and is now developed and maintained by an international Technical Community (iTC), made up of CC and technology area experts such as vendors, certification bodies, evaluation facilities, and consultants (see e.g. DBMS-iTC). Under the international Common Criteria Recognition Arrangement (CCRA) and the European Senior Officials Group Information Systems Security (SOG-IS) agreement, all signatories agree to recognize the CC certificates produced by any certificate-authorizing participant. Each participating country in the CC operates a certification body that oversees evaluations conducted by accredited commercial evaluation facilities.


Learn more about the CC

Please visit the Common Criteria Portal.


Looking forward

The CC certification of the upcoming release of SQL Server 2022 will include an Azure Arc-enabled server configuration, as another step towards the cloud and to help users deploy the product as it was tested and certified.

Updated Jun 09, 2022
Version 4.0