atsec information security evaluates PR/SM on IBM zEnterprise EC12 GA2 and BC12 GA1 Driver Level D15F at Common Criteria Certification EAL 5+

2014-05-09

Munich, Germany – The IBM Processor Resource/System Manager (PR/SM) on IBM zEnterprise EC12 GA2 and BC12 GA1 Driver Level D15F continues to be one of the cornerstones of IBM's mainframe security. PR/SM's logical partitioning facility enables the resources of a single physical IBM mainframe machine to be divided and shared by distinct logical machines, each capable of running z/VM, z/OS, or Linux.

IBM have certifications of PR/SM at level EAL5+ performed on a regular, almost yearly basis to demonstrate to their customers that they may rely on the security functionality claimed for the product.

The system administrator is able configure the logical machines to ensure complete isolation from each other. In such a configuration, a logical machine cannot gain knowledge about any other logical machine's available I/O resources nor on operations performed.

This enables PR/SM to meet stringent requirements with respect to the confidentiality of processed information and being certified by Germany's Federal Office for Information Security (BSI) at evaluation assurance level 5+. The evaluated version of PR/SM also allows for setting up cooperating logical partitions that can freely exchange information, while co-existing with other partitions that require complete isolation.

Reimar Karlsburger, evaluator for atsec stated: “The continuous cooperation of the PR/SM project management, development and test teams with atsec and BSI enables PR/SM to be evaluated at a higher assurance level than other products of this complexity and, therefore, to remain the reliable platform for customers' enterprise information processing.”

The product knowledge gained by the atsec team and BSI during their initial scrutiny of the product was carried forward to later PR/SM evaluations for now more than a decade. The almost continuous re-evaluation of newer PR/SM versions ensures that customers are provided with timely assurance of the PR/SM security features.

In addition to a methodical search for potential exploits considering an attacker with a substantial attack potential, evaluation against EAL5+ requires the developer to provide the evaluator with a considerably deeper insight into design details and to provide evidence that significantly more testing of security functionality has been performed. This supports the confidence in both the correctness and the effectiveness of IBM PR/SM security features.

The PR/SM on IBM zEnterprise EC12 GA2 and BC12 GA1 Driver Level D15F evaluation is the latest in a series of successful projects by atsec to certify complex systems at ambitious assurance levels. From early in its history as a Common Criteria evaluation lab, atsec has led the way in operating system evaluations under both the German BSI and U.S. CCEVS schemes.

The BSI certificate can be found here:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte09/0900a_pdf.pdf?__blob=publicationFile

About atsec information security
atsec information security is an independent, standards-based information technology security services company with offices in the U.S., Germany, Sweden, China and South East Asia. atsec's services include formal laboratory testing and evaluation of information assurance (IA) and IA-enabled commercial off the shelf (COTS) information technology, as well as information security consultancy.
atsec offers evaluation and testing services leading to formal certification of information security technology, including evaluations under Common Criteria schemes in the U.S., Germany, and Sweden. In addition, the atsec U.S. organization operates a Cryptographic and Security Testing Laboratory accredited under the Cryptographic Module Validation and the Cryptographic Algorithm Validation Programs of the National Institute of Standards and Technology (NIST) in the U.S. and Communications Security Establishment Canada (CSEC) in Canada for validating cryptographic modules under the FIPS 140-2 standard.
atsec works with any company, regardless of size or locale, that is serious about IT security.