IBM's AIX is First Operating System in a 64-bit Environment to Receive C2 Security Certification

Select a topic or year

RSA - 18 Jan 1999: . . . IBM's AIX is the first UNIX operating system supporting a 64-bit environment to be certified at the C2 level of trust classification, meeting the growing needs for secure operating environments for both government and business.

The certificate, issued by the United States National Security Agency, will be presented to IBM on January 20, 1999. Dinesh Vakharia, manager, IBM AIX Security Development will accept the certificate on behalf of Gerry Hackett, vice president, IBM AIX Development, during a public ceremony held at the RSA Data Security Conference.

"Security evaluations are important because they provide customers an assurance that the software they are using has gone through an independent, expert evaluation," said Ms. Hackett. "From the beginning AIX Version 4 was designed to meet C2. This evaluation shows our customers the value IBM places on security and our commitment in both time and money so that our operating system meets strict standards."

AIX 4.3.1 Evaluated C2 Security was assessed under the rigorous standards set up for the C2 class ranking in accordance with the Trusted Computer Systems Evaluation Criteria (TCSEC). The TCSEC was originally developed to meet the high security needs of government organizations, like the Department of Defense; however, with the explosion of Internet technology, businesses -- especially those in finance and banking -- are increasingly demanding similar features.
AIX 4.3.1 Evaluated C2 Security was certified in record time through the use of the new Trust Technology Assessment Program (TTAP), a program that allows evaluations to be performed by licensed commercial laboratories. Arca Systems*, a provider of advanced network and system security consulting services, was able to complete the evaluation in just 10 months. Under the previous program, the Trusted Products Evaluation Program (TPEP), C2 evaluations could take an average of two and one half years to complete.

"The TTAP program has allowed us to offer the credibility of C2 evaluations within the product development timeframe," says Bill Wilson, President of Arca Systems. "IBM customers benefit from this new program because it allows IBM to offer an evaluated version of the latest AIX release."

A system that has been rated C2 enforces a discretionary access control policy to protect information. It allows users to share information under their control only with other specified users. It identifies and authenticates users in order to control access to the system and enforces accountability. It prevents access to residual information from a previous user's actions, and provides for the selectable auditing of security related events.

AIX has achieved other security certifications including, the first UNIX operating system in a 64-bit environment to receive the ITSEC E3/F-C2 certification from the German government authority Bundesamt fuer Sicherheit Informationstechnik (BSI) and the first server operating system with Virtual Private Network certification by ICSA.

# # #

For more RS/6000 information, see

For more information about the certificate, see

AIX and RS/6000 are registered trademarks of the International Business Machines Corporation in the United States and/or other countries. UNIX is a registered trademark in the United States and/or other countries licensed exclusively through X/Open Company Limited. * Arca Systems, a wholly-owned subsidiary of Exodus Communications, is a premier provider of advanced network and system security consulting services. Arca designs and develops state-of-the-art security technology solutions for complex and sensitive information networks and systems. The company has headquarters in San Jose, CA, and operational facilities in Virginia, Maryland, Texas, and Massachusetts. Exodus Communications and Arca Systems are trademarks of Exodus Communications, Inc. and may be registered in certain jurisdictions. Other company, product and service names, may be trademarks or service marks of others.