Unparalleled growth in public networks and an ever-rising number of network threats make it necessary for you to be able to trust that the information technology at your company is secure. But how? Through industry certifications based on a universal set of criteria from a non-biased third-party evaluator.
The Common Criteria is an internationally recognized International Standards Organization (ISO) standard used by governments and other organizations to assess the security and assurance of technology products. Under the Common Criteria, products are evaluated according to strict standards for various features, such as security functionality and the handling of security vulnerabilities.
There are seven levels of evaluation designed to meet the variety of security levels required within government and commercial entities. The higher the Evaluation Assurance Level (EAL), the higher the level of security assurance you can expect for the certified product.
- EAL-1 examines the product and its documentation for conformity, establishing that the product does what its documentation claims.
- EAL-2 tests the structure of the product through an evaluation, which includes the product's design history and testing.
- EAL-3 evaluates a product in the design stage, with independent verification of the developer's testing results, and evaluates the developer's checks for vulnerabilities, the development environment controls, and the product's configuration management.
- EAL-4 is an even greater in-depth analysis of the development and implementation of the product and may require more significant security engineering costs.
- EALs 5-7 require even more formality in the design process and implementation, analysis of the product's ability to handle attacks and prevent covert channels, specifically for high-risk environments. In the United States, evaluation to EALs 5-7 must be done by the National Security Agency (NSA) for the U.S. Government.
May 5, 2009 - System z10 BC Achieves EAL5 Certification
The IBM System z10 Business Class (z10 BC) now joins previous IBM mainframes as the world's only servers with the highest level of hardware security certification, Common Criteria Evaluation Assurance Level 5 (EAL5).
Please see a listing of other IBM System z security evaluations.
October 29, 2008 - System z10 EC Achieves EAL5 Certification
The IBM System z10 Enterprise Class (z10 EC) now joins previous IBM mainframes as the world's only servers with the highest level of hardware security certification, Common Criteria Evaluation Assurance Level 5 (EAL5).
The EAL5 ranking will give companies confidence that they can run many different applications on different operating systems, such as z/OS, z/VM, z/VSE, z/TPF and Linux, including applications containing confidential data - such as payroll, human resources, e-commerce, ERP and CRM systems - on one z10 EC divided into partitions that keep each application's data secure and distinct from the others. That is, the z10 EC architecture is designed to prevent the flow of information among logical partitions on a single system.
All customers who currently trust their critical business transactions to the IBM mainframe will benefit from the privacy certification afforded to z10 EC, as will government agencies that deal with national security issues.
May, 2007 - z/OS Version 1 Release 8 now certified at EAL4+ for CAPP and LSPP
z/OS Version 1.8 was evaluated under the Common Criteria, using the CAPP and the LSPP, at Evaluation Assurance Level 4, augmented by ALC_FLR.1. Please see a listing of other IBM security evaluations.
September 4, 2006 - System z9 EC & BC Achieve EAL5 Certification
On March 14, 2003, IBM eServer™ System z® 900 was the first server to be awarded EAL5 security certification. In the past three years the System z 800, z990, z890 and now the z9 Enterprise Class and Business Class have joined the ranks of this elite group. The System z™ architecture is designed to prevent the flow of information among logical partitions on a system, thus helping to ensure that confidential or sensitive data remains within the boundaries of a single partition. The EAL5 ranking should give companies confidence that they can run many z/OS, z/VM and Linux-based applications containing confidential data - such as payroll, human resources, e-commerce, ERP and CRM systems - on one System z™ server.
z/OS® V1.7 Now Security Certified at EAL4+ for CAPP and LSPP
On March 2, 2006, only a year after receiving Common Criteria Security Certification of EAL3+, z/OS V1.7 with the RACF optional feature has achieved EAL4+ for Controlled Access Protection Profile (CAPP) and Labeled Security Protection Profile (LSPP). This prestigious certification assures customers that z/OS V1.7 has gone through a long and rigorous testing process and conforms to standards sanctioned by the International Standards Organization. Achieving EAL4+ certification will further enable z/OS to be adopted by governments and government agencies for mission-critical and command-and-control operations.
Certification to Common Criteria Evaluation Assurance Level 4 requires in-depth analysis of product design and development methodology, backed by extensive testing. EAL4 certificates are currently recognized by the following countries: United States, Canada, Australia, New Zealand, France, Germany, Finland, Greece, Israel, Italy, The Netherlands, Norway, Spain and the United Kingdom.

Left to right: Bernd Kowalski (BSI), Gerald Krummeck (atsec), Martina Koederitz (IBM), Roland Trauner (IBM), William Penny (IBM)
The evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT security consulting companies, which is accredited in Germany by the Federal Office for Information Security (BSI).
In 2005, BSI awarded IBM EAL3+ certification for its flagship operating system z/OS 1.6 with the RACF optional feature. The certification also encompassed CAPP and LSPP. z/OS 1.5 and later with the RACF optional feature and DB2 Version 8 provide our customers with a multilevel security (MLS) solution.
MLS is designed to prevent individuals from accessing or declassifying information they are unauthorized to see. With this new functionality you can consolidate large amounts of data into one database and tag each row with a specific level of authorization rather than create distinct databases for each level of authorization.
MLS can help you:
- simplify your infrastructure by eliminating or reducing unnecessary duplication of data
- save on storage
- save on additional database administration staff
But most importantly, you can rest easier knowing that advanced mainframe security is helping to protect your customers' sensitive information. Positioning your mainframe as the hub of security for your enterprise has never made more sense. The mainframe has a strong heritage of built-in security features and can provide you with a wide range of security-rich capabilities designed to protect each data element. And with MLS you can create a single database with stringent control over row-level access authentication, authorization and tracking. Multilevel security can address government and commercial requirements for highly secure data which can be shared between agencies and lines of business on demand.
New z/VM V5.1 Certification Achieved
On October 26, 2005, the German Federal Office of Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) issued its certification that z/VM V5.1 conforms to the requirements of the Controlled Access Protection Profile (CAPP) and the Labeled Security Protection Profile (LSPP), both at Evaluation Assurance Level 3+. IBM intends to evaluate z/VM V5.2 with the RACF for z/VM optional feature for conformance to the Controlled Access Protection Profile (CAPP) and Labeled Security Protection Profile (LSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4).
New SUSE LINUX Certification
On February 15, 2005, IBM and Novell announced that SUSE LINUX Enterprise Server 9 has successfully completed a Common Criteria (CC) evaluation to achieve a new level of security certification (CAPP/EAL4+) that will further enable Linux to be adopted by governments and government agencies for mission-critical and command-and-control operations. IBM and Novell also achieved US DoD Common Operating Environment (COE) compliance, a Defense Information Systems Agency requirement for military computing products.
z/VM V5.3 Achieves Common Criteria Certification
z/VM V5.3 with the RACF Security Server optional feature has been certified to conform to the Controlled Access Protection Profile (CAPP) and Labeled Security Protection Profile (LSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4+ (EAL4+). The Certification Report (BSI-DSZ-CC-0472-2008) was published on 28 July 2008 by the German Federal Office of Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The security target is also available from the BSI's web site.