Today, Microsoft announced that SQL Server 2005 SP2 has received its Common Criteria certification. As published in late November by the Bundesamt für Sicherheit in der Informationstechnik (BSI), the central IT security service provider for the German government, based in Bonn, Germany, SQL Server 2005 SP2 received its certification at the Evaluation Assurance Level (EAL) 4+, which evaluates the quality and strength of the vendor’s evidence to support its security claims.
Level 4+ is the highest level recognized by the Common Criteria Recognition Arrangement (CCRA), the world’s most widely accepted IT security evaluation agreement. Currently, 25 countries formally recognize the Arrangement and up to 50 additional countries informally recognize it. This is the second EAL certification for SQL Server; SQL Server 2005 SP1 received the certification at EAL 1+ in March 2007.
Database security is one of the primary purchasing considerations for organizations planning a major database software investment. Most vendors provide self-assessments of the security of their products, but many organizations and governments require third-party verification of vendor security claims prior to purchasing software.
Microsoft is committed to upholding the highest levels of internationally accepted security evaluation criteria as a guarantee to its customers and partners of the quality and value of their investments in SQL Server. If you have any questions about Microsoft’s participation in Common Criteria certification or any other third-party IT evaluation program, please let me know.