z/OS Version 1 Release 5 and later versions provide multilevel security support in z/OS. Designed together with DB2 Version 8, z/OS provides a solution for multilevel security on System z™ mainframes. This support provides row-level security labeling in DB2, and protection in z/OS, designed to meet the stringent security requirements of multi-agency access to data. The solution also leverages zSeries leadership in scale, high availability, and self-managing capabilities.
EAL4+ Certification Achieved:
BSI (PDF, 589KB) awarded IBM EAL4+ certification for its flagship operating system z/OS 1.7 with the RACF optional feature on March 2, 2006. The certification encompasses Controlled Access Protection Profile (CAPP) and Labeled Security Protection Profile (LSPP) both at the EAL 4+ level. This prestigious certification assures customers that z/OS V1.7 has gone through a long and rigorous testing process and conforms to standards sanctioned by the International Standards Organization. Achieving EAL4+ certification will further enable z/OS to be adopted by governments and government agencies for mission-critical and command-and-control operations.
For more on Common Criteria see http://niap.nist.gov/cc-scheme/
Multilevel security addresses government requirements for highly secure data which can be shared between agencies on demand. Security features in DB2 V8 and z/OS 1.5 and later enable customers to have a secure single repository of data which can be accessed by different agencies, by people with different need-to-know authority. This secure access is managed at the row level in DB2 to provide the required granularity.
A multilevel security system has two primary goals. First, the controls are intended to prevent unauthorized individuals from accessing information at a higher classification than their authorization. Second, the controls are intended to prevent individuals from declassifying information. The multilevel security function gives customers more stringent access control over resources than user permissions alone provide.
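The two goals above, sketched as an added example (not IBM, RACF, or DB2 code): a simplified label-dominance model in which a row is readable only when the user's label dominates the row's label, and a write is refused when it would store data under a lower label. The level names, categories, and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy; real level names and numeric values are site-defined.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True if this level is >= other's and this label holds every category of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def visible_rows(user, rows):
    """Goal 1 (no read-up): return only rows whose label the user dominates."""
    return [r for r in rows if user.dominates(r["label"])]

def write_row(user, rows, data, target):
    """Goal 2 (no declassification): the new row's label must dominate the writer's."""
    if not target.dominates(user):
        raise PermissionError("write-down refused: target label is below the writer's label")
    rows.append({"label": target, "data": data})

# Constructed sample table shared by two agencies.
ROWS = [
    {"label": Label("UNCLASSIFIED"), "data": "public notice"},
    {"label": Label("SECRET", frozenset({"AGENCY_A"})), "data": "agency A case file"},
    {"label": Label("SECRET", frozenset({"AGENCY_B"})), "data": "agency B case file"},
    {"label": Label("TOP SECRET", frozenset({"AGENCY_A", "AGENCY_B"})),
     "data": "joint assessment"},
]

if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"AGENCY_A"}))
    # Same table, different users, different visible rows.
    print([r["data"] for r in visible_rows(analyst, ROWS)])
    try:
        write_row(analyst, list(ROWS), "copied case file", Label("UNCLASSIFIED"))
    except PermissionError as exc:
        print(exc)
```

Categories make two labels at the same level incomparable, which is why the agency A analyst cannot see the agency B row even though both are SECRET.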
- Faster access to merged inter-agency data
- Easier to manage multiple security classifications
- Helps eliminate the need for multiple databases
- Leverage System z™ mainframe scale, availability, manageability
  - Parallel Sysplex
  - System Managed Storage
  - Workload Manager and Intelligent Resource Director
- Leverage zSeries security capabilities
  - Certified logical partitions
  - System z™ Cryptography for Clear Key and Secure Key
  - z/OS Security Server, including RACF
Review the article "Database on Demand" (PDF, 60KB) to find out more on the business value that MLS provides.
While multilevel security began as a government requirement, as security controls become more critical in emerging on demand, virtual environments, it is now apparent that this new technology has applications in general business sectors as well.
For more details on Harnessing MLS Compliance Requirements to Improve Agency Operations, see the white paper "Multi-Level Security Strategies for the Federal Government" (PDF, 92KB), or download a copy of the "Multilevel Security Offering with z/OS" brochure (PDF, 262KB).