On July 22, 2010, IBM issued this Statement of Direction regarding z/VM security:
“IBM intends to evaluate z/VM V6.1 with the RACF Security Server optional feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).”
The full text is accessible at www.vm.ibm.com/security/ under the heading “Statement of Direction: EAL4 Certification for z/VM 6.1.”
This Statement of Direction indicates intentions to validate z/VM’s security functions in accordance with the Common Criteria. To date, it has neither been fulfilled nor discarded; and as with all such statements, it “may be subject to change or withdrawal.” However, certifying body BSI has preannounced a certificate for z/VM V6.1 (BSI-DSZ-CC-0752). This suggests that an evaluation of z/VM—of some sort—is under way.
While z/VM’s adherence to IT security standards is a recognizable benefit, someone unfamiliar with the Common Criteria may find this statement befuddling. Additionally, those who remember previous z/VM evaluations may note that the statement contains some new acronyms. This article will explore the concepts behind both the Common Criteria and the specifics in the statement of direction. By detailing the implications of evaluation, and exploring Protection Profiles old and new, a bit of light can be shed on what this statement might suggest for future z/VM security configurations.
Explicating the Statement of Direction
There are many acronyms involved in any security evaluation process, and the Common Criteria is no exception. To illustrate what it represents, we will parse the Statement of Direction into separate ideas, starting from back to front.
Consider the phrase “Evaluation Assurance Level 4 (EAL4+).” A product evaluated under the Common Criteria will receive a rating from EAL1 to EAL7. Despite popular misconception, however, this number isn’t an indicator of strength of security. Instead, the assurance level indicates the amount of evidence provided regarding claims made about the product.
An issuance of EAL1 might suggest that, in regard to claims made, only minimal evidence has been presented. Conversely, a rating of EAL7 would suggest a mathematical amount of precision in evaluation. EAL4 indicates a reasonable amount of evidence against claims, and is a popular rating in the industry.
These claims, under the Common Criteria, represent the security functions a product is purported to have. It’s these claims that an evaluating body will examine, and for which a company will provide evidence. The claims work together in conjunction with assurance; the security value is in both the functionality provided and the assurance inherent in the level.
There are two types of claims you can make against a product. The first is where a Security Target (the fancy name for a list of claims plus an expected EAL) enumerates its functions without adhering to a particular checklist. This is an appropriate means of certifying a wide variety of products, especially ones unique in the industry (e.g., PR/SM). The other method is to use a Protection Profile, which is a standardized checklist of claims developed by the industry. These provide a baseline for security needs among similar products.