VMware products receive EAL4+ certification
In order to be used in some organizations, systems must pass rigorous security testing. In October of 2010, VMware received the Common Criteria Evaluation & Validation (CCEVS) Evaluation Assurance Level 4+ (EAL4+) security certification which allows it to be used for secure governmental needs. The specific products that have been certified at the EAL 4+ level are:
- VMware ESX/ESXi 4.0 and vCenter 4.0
- VMware ESX Server 3.5 vCenter 2.5
- VMware ESX Server 3.0 vCenter 2.
There are actually 7 EAL levels with 7+ being the highest level. As you might suspect because of the "+" after the 7, while there are 7 levels, there is a little wiggle room within some of the levels, which is also the case for the fourth level. Level 4 is the level at which evaluation teams actually do a deep review on a product's source code in an attempt to identify potential security holes that could compromise the product.
It should be noted that the October 2010 certification only certifies VMware's 4.0 product wave. The 4.1 products have not yet been certified and it's likely that testing will take quite a while.
Very few products ever make it all the way through testing to level 7+. According to the group that issues the certifications, "Common Criteria is an international set of guidelines (ISO 15408) that provides a common framework for evaluating security features and capabilities of Information Technology (IT) security products, and EAL4+ is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA)."
So, if you're in charge of something secure, ESX 4.0 should be on your hypervisor short list.