Re: vSphere 5.1 Common Criteria Security Certification update

Hi Eric,

I too would be interested in the reasons for the drop in assurance level for vSphere 5.1 compared with evaluations of earlier versions. Although it appears there is a continuing commitment to submit VMware products to independent security evaluation, this update should reasonably raise a few suspicions.

It is not as if the use of other vCloud Suite products obviates many needs for security in the core vSphere components, and it is not the case that they are more mature VMware products per se.

As VMware has been able to satisfy security evaluators a number of times in the past of the methods it uses to develop and test previous major releases of vSphere, it is difficult to appreciate how the currently-used methods would differ and preclude certification at EAL4.

Certainly there has been a pattern of maintenance of certification for minor (.1) releases, so it can be appreciated how re-evaluation of 5.1 may have required a greater commitment from VMware than, say, 4.1. But then again, two other products have been submitted for evaluation including one at EAL4.

Is it the Single Sign On component in vSphere 5.1 that made re-evaluation a practical requirement? And is it the yearly release cadence that has made EAL4 certification unreasonable?

I'm speculating, and perhaps unfairly. Whatever the reason, I recall very little explanation of the approach.

You might well imagine the head-scratching that could follow from the inconsistent leveling, including when a designer is trying to understand assumptions and assurances when considering a mix of the products mentioned here. And let's not forget those in procurement or operations roles who may become uncertain about the risks of implementing or upgrading to the current version.

Until the security target documentation is published, implementers and users won't really know if the security of vSphere 5.1 is weaker, in an important way to their own uses, than 5.0. Surely if the commitment to security (and compliance) is unwavering then reassuring the public and users about security in vSphere 5.1 would assuage any unreasonable speculation and fear? Particularly after the unfortunate publication of leaked kernel code in recent months, and the response to that.

Perhaps some of the parts of the vCNS Target of Evaluation will relate to similar functionality in the current vSphere ToEs (say, virtual networking)? If so, more users may be inclined to deploy and use, for example, vShield Edge. But, I suspect, many would also be circumspect while details - and particularly certification details - are not public or predictable.

And perhaps more importantly, patching...

I would also expect that lifecycle processes are in place for vSphere 5.1 so that users are advised of, and given fixes and mitigations for, security vulnerabilities reported in that product.

Should vSphere users be more concerned about vulnerabilities and patches now than when vSphere 5.0 was certified?

I hope that VMware would meet the flaw remediation security assurance requirement, and that it is included in the evaluation augmentations that VMware is submitting vSphere 5.1 to, as part of the stated commitment.

VMware's clear and established Security Response Policy is suggestive of the highest assurance level of that requirement (i.e. ALC_FLR.3). I would hope that VMware would be aiming to catch up and achieve the same evaluated level for this SAR as competitive, certified hypervisor products already have. It would be a shame to see VMware set its sights any lower than the current ALC_FLR.2.

I would hope that you, or one of your colleagues, could provide a further explanation relating to this update.

Thanks.

