atsec information security
2006-05-17: atsec information security Evaluates IBM AIX 5.2 at Common Criteria LSPP/EAL4+

atsec information security is pleased to announce completion of the first-ever Labeled Security Protection Profile (LSPP) Common Criteria evaluation of the AIX operating system. IBM AIX 5.2 maintenance level 05 (AIX 5200-05) was successfully evaluated at evaluation assurance level (EAL) 4 augmented by ALC_FLR.1, compliant with LSPP. LSPP defines requirements for products supporting access controls that are capable of enforcing access limitations on individual users and data objects.

AIX 5200-05 was certified by the Bundesamt für Sicherheit in der Informationstechnik (BSI). The operating system is certified on IBM Power series p520, p570, and p595 servers. IBM sponsored the evaluation effort.

Besides verifying LSPP compliance, the evaluation marks the first examination of enhanced access control mechanisms implemented in AIX. In addition to the standard discretionary access control (DAC) and mandatory access control (MAC) mechanisms defined by LSPP requirements, AIX 5200-05 implements these new mechanisms:

  • mandatory integrity control (MIC)
  • trusted computing base (TCB)
  • advanced security networking (ASN)
  • privileges and authorizations (splits root privileges into a set of privileges relevant to the kernel and authorizations relevant to the user space)

Of course, operating system evaluations are always demanding, but because of the additional access control mechanisms implemented in AIX 5200-05, this evaluation was particularly complex. Stephan Mueller, atsec Lead Evaluator for the project, notes: “Because AIX 5200-05 LSPP includes radically different access control functionality from earlier AIX versions, just defining the requirements within the context of the Common Criteria model took a creative approach”.

In fact, atsec information security is the world leader in Common Criteria evaluation of operating systems. Operating system evaluation is the greatest test of competence in the field, and atsec continues to earn its reputation as the world leader in this sphere. Helmut Kurth, atsec Chief Scientist, notes: “Of the 45 successful operating system evaluations performed world-wide as listed on the official Common Criteria Portal web site (www.commoncriteriaportal.org), 24 were performed by atsec.”

About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone.
