In December 2004 VMware submitted ESX 2.5 and VirtualCenter 1.2 for evaluation under the Common Criteria (ISO/IEC 15408), the international standard for security evaluation of IT products, and obtained Evaluation Assurance Level (EAL) 2 more than two years later.
The company also submitted VMware Infrastructure 3, which was awarded EAL 4+ this week.
EAL4, defined as "methodically designed, tested and reviewed" (the "+" marks augmentation with assurance components beyond the EAL4 baseline), is a high level on the Common Criteria scale, which runs up to EAL7. The level on its own, however, says nothing about what was evaluated: the certificate is only meaningful when read together with two documents. The first is the Protection Profile, a reference model that defines the functional and assurance requirements for a whole class of products. The second is the Security Target, written by the vendor, which describes the security properties claimed for the specific product, the boundary of the evaluated configuration (the Target of Evaluation), and the assumptions made about its operating environment.
Protection Profiles are written by industry groups and government agencies, and a Security Target may use one or more of them as a template.
For example, to certify Windows 2000 Microsoft submitted a Security Target that used the general-purpose operating-system profile (the Controlled Access Protection Profile) as its reference model.
According to those documents the OS was certified EAL4+ in 2002, in a fixed evaluated configuration: security patches released after the evaluation are not covered by the certificate.
As of today there is no Protection Profile for hypervisors or virtual infrastructures, so VMware was free to shape the Security Target without any external constraint and was certified against the definition it provided itself. In practice this means the certificate covers only what the Security Target says it covers: anyone relying on it should read the Security Target for the evaluated configuration, the threats it claims to address, and the assumptions it places on the environment, since anything outside that scope has not been evaluated.
This doesn't make the certification useless, but it does mean that the EAL ranking alone doesn't imply a secure product.
VMware has already submitted VI 3.5 for the same EAL4+ certification.