We are very pleased to announce that SQL Server 2019 has obtained Common Criteria certification for both the Windows and the Linux versions.
[Image: SQL19 on Windows certificate]
Overall, SQL Server 2019 is the 7th major release to have successfully completed this security attestation. It started with Yukon in 2005, followed by Katmai (2008) and Denali (2012), and continued with SQL Server 2014, 2016, and 2017. Thanks to several internal and external changes to the process, we were able to complete the SQL Server 2019 certification in a much shorter time than for SQL Server 2017 and earlier versions. SQL Server 2017 was the first version that supported Linux, and it obtained Common Criteria certification for RHEL. The current certificate for SQL Server 2019 on Linux has now been extended to cover RHEL as well as SLES and Ubuntu.
[Image: SQL19 on Linux certificate]
About Common Criteria
The Common Criteria (CC) is an international program that is broadly used as a (cyber) security standard (ISO 15408) to test and improve the IT security measures of commercial products for use in National Security Systems (see e.g. EUCSA, NIAP). As such it serves as a world-wide compliance obligation across regulated industries and authorities, and it can be applied to almost any type of IT product implemented in hardware, firmware, or software: operating systems, database management systems, network devices, firewalls, intrusion detection systems, smart cards, biometric devices, IoT devices, and so on.
IT security measures in the context of CC are usually a means to protect information (in other words, 'assets') from unauthorized disclosure, modification, or loss of use, covering, for example, areas such as identification and authentication (I&A), access control, accountability, audit, object re-use, and error recovery. Appropriate confidence in the correct and effective implementation of those measures is needed to help consumers determine whether IT products fulfil their security needs. Competence-tested and thus authorized (i.e., accredited) laboratories therefore evaluate those IT products against pre-defined security specifications called Protection Profiles (PPs). These PPs represent the security functional and assurance requirements for technology classes and are developed and maintained by international Technical Communities (iTCs) made up of CC and technology area experts such as vendors, validation schemes, laboratories, and consultants (see e.g. DBMS-iTC). Under the Common Criteria Recognition Arrangement (CCRA), all signatories, currently 31 countries, agree to recognize CC certificates produced by any certificate-authorizing participant. Each participating country in the CC operates a certification body that oversees evaluations conducted by accredited commercial evaluation facilities.
The CC Certification process
Each vendor must contract an accredited evaluation laboratory in one of the certificate-authorizing CCRA participant countries and then have the evaluation certified by the governmental certification body responsible for that laboratory. For SQL Server 2019 these were DEKRA TC and CCN. The evaluation is based on a comprehensive investigation performed by the laboratory, consisting of document reviews for various design representations, independent functional and penetration testing, code analysis, site audit(s) of the development sites, data centers and support sites used, and a vulnerability assessment. The scope and rigor of this investigation are essentially defined by the security assurance requirements compiled or referenced in the applied PP (the DBMS PP for SQL Server 2019). The results obtained by the laboratory are continuously monitored by the certification body in order to confirm their accuracy and to ensure comparability with other independent evaluations of the same product type. If the outcome is positive, a certificate is issued at the end of the CC process. The certificate is typically mutually recognized within the CCRA member countries and published along with a certification report and links to documents or sources that are important for using the product in its certified version: in our case the Security Target, the CC user guidance, the installer for login triggers, etc. (see SQL Server 2019 on Windows and SQL Server 2019 on Linux).
The CC certificate validity
The CCRA has approved a resolution restricting the validity of mutually recognized CC certificates over time. This means that a certificate has a definite period of validity, which is typically set at five (5) years. Independently of that, a CC certificate states the assurance requirements reached by a product at the time it is issued. As such it is valid for a specific release of the product only, which in our case is SQL Server 2019, CU4 (build version 15.0.4033.1).
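Because the certificate applies to one specific build, the first thing an operator of a SQL Server 2019 instance that is meant to run in the certified configuration wants to know is whether the instance actually runs that build and whether the Common Criteria server option is in effect. The T-SQL below is an added example written for this post; it is not part of the certification deliverables or of the CC user guidance. It uses the certified build number stated above and the standard SERVERPROPERTY values and sys.configurations view; the two checks are an assumption about what a minimal self-check should cover and do not replace the full configuration steps in the CC user guidance.

```sql
-- Added example (not from the original post): compare the running build with the
-- certified one and confirm the Common Criteria server option is in effect.
DECLARE @certified_build nvarchar(32) = N'15.0.4033.1';  -- SQL Server 2019 CU4, as stated in the post

-- Check 1: the certificate covers exactly one build; anything else is outside its scope.
SELECT
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))     AS running_build,
    CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(16)) AS running_cu,
    @certified_build                                           AS certified_build,
    CASE WHEN CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) = @certified_build
         THEN 'matches certified build'
         ELSE 'differs from certified build (outside certificate scope)'
    END                                                        AS build_status;

-- Check 2: the 'common criteria compliance enabled' server option must be 1
-- both as configured and as in use; value_in_use lags value until the
-- instance has been restarted after the option was changed.
SELECT
    name,
    CAST(value        AS int) AS configured_value,
    CAST(value_in_use AS int) AS value_in_use,
    CASE WHEN CAST(value_in_use AS int) = 1 THEN 'enabled' ELSE 'NOT enabled' END AS status
FROM sys.configurations
WHERE name = N'common criteria compliance enabled';
```

Run both statements on the instance under review with a login that can read sys.configurations. A build mismatch or a status of 'NOT enabled' means the instance is not in the certified configuration; the option itself is an advanced sp_configure setting that takes effect only after a restart. This query deliberately does not check the login triggers or the other items from the CC user guidance linked in the post, which must be verified separately.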