Health care, federal governments, and financial services are three major sectors that are strictly governed by regulatory compliance. Regulatory compliance is a set of specifications or laws enacted by the government or an industry that not only helps implement best practices but also makes sure that the respective businesses are operated in a manner that helps prevent fraud and malicious practices, manage risk and external threats, and safeguard investors as well as consumers. One key aspect is security, which includes digital information security. When securing digital information, it is important to implement end-to-end security. To implement end-to-end security, you must compartmentalize the security requirements and also evaluate the products available.
This article describes the need for regulatory compliance, defines the importance of common criteria, and compartmentalizes some of the security aspects required in regulatory compliance and how AIX V6.1 helps achieve those aspects. This article gives practitioners an outlook of some of the AIX V6.1 security features and how they fit in the categorized security needs derived from general regulatory compliance.
Please note that this article must not be treated as a formal guide or a reference for regulatory compliances. You are advised to refer to formal compliance documents for complete details.
In generic terms, compliance is adherence to a specification, law, or standard defined by the government or industry forums. Depending on the type of industry, different regulatory compliances are necessary:
- The health care industry in the USA is regulated by the Health Insurance Portability and Accountability Act (HIPAA), which was passed by the U.S. Congress in 1996. It has a Security Rule, issued in 2003, which comprises the security standards to be followed by this industry.
- Payment Card Industry Data Security Standard (PCI DSS) is a security standard accepted worldwide. This compliance is to be followed by any business that processes card payments (in other words, not only by the financial services sector) to help prevent credit card fraud.
- Federal Financial Institutions Examination Council (FFIEC) defines a set of standards for financial service sectors such as online banking.
- The SOX Compliance (Sarbanes-Oxley Act of 2002) mandates a set of processes and procedures to help ensure accurate financial disclosure, which helps prevent major corporate and accounting scandals.
Most of the compliance requirements (but not all) involve information security and the associated business risk. Also, as stated by Gartner Inc (the world's leading information technology research and advisory company), "Senior managers across industries are focusing on compliance concerns because of their impact on all aspects of business operations. Efforts to comply with regulatory requirements must be supported by appropriate IT systems" (see Resources).
Since meeting regulatory compliance is mandated, it is vital to select appropriate IT systems and products to help ensure that your business is in compliance. IBM® Power Systems™ with AIX V6.1 is a security-rich system that can help complement the business-specific applications running on it.
Common Criteria certification
What is Common Criteria?
Common Criteria helps assure the buyer that the computer security system or system that incorporates security features underwent a rigorous standardized process during its specification, development, and evaluation. A more formal definition of Common Criteria as defined by IBM is "Common Criteria is an internationally recognized (ISO/IEC 15408) standard used by businesses and governments around the world to assess security and development process assurance of technology products. Under Common Criteria, products are evaluated against strict standards that validate the product's design process, development environment, functionality, vulnerability handling, testing and documentation. Over twenty countries recognize the security certifications defined by the Common Criteria standard" (see Resources). Common Criteria certification is typically required for federal deals across the world. Though Common Criteria is very generic, it can also aid a regulatory-governed industry in selection of computer systems or products to suit their business and compliance needs.
Is AIX V6.1 Common Criteria certified?
IBM AIX V6 has received the top security certification of Common Criteria. As claimed by IBM, "AIX V6.1 and the Power 570 system based on the Power6™ processor have been certified compliant under the Controlled Access Protection Profile under the Common Criteria for Information Security Evaluation (CC), at the Evaluation Assurance Level 4 Augmented (commonly referred to as CAPP/EAL4+)", (see Resources).
AIX V6.1 Compartmentalized security chart
The following table generalizes some of the security requirements from common regulatory compliances. The table is categorized by security criteria and presents a checklist indicating whether each feature is available in AIX V6.1 systems.
Table 1. Security requirement checklist
| Security Criteria | Feature | Availability in AIX V6.1 | Remarks |
|---|---|---|---|
| Secure Data at rest | | | |
| | File system Level Encryption | Yes | Encrypted File System (EFS) Support |
| | Device Level Encryption | Yes | Achieved via ISV |
| | Backup Encryption | Yes | Tape Encryption Support |
| Secure Data in Transit | | | |
| | End to End Kerberos Support (all login channels) | Yes | Kerberized telnet, integrated login, ftp, ssh |
| | IPV6 support | Yes | For more details on IPV6 on AIX see Resources |
| | NFS V4 | Yes | Supports Kerberized NFS with per message encryption |
| | LDAP Authentication | Yes | For details see Resources |
| | Kerberos Authentication | Yes | Provides Kerberos Server Facility, Supports Active Directory |
| | Two Factor Authentication | No | - |
| | One Time Password | No | - |
| | Long Password Support | Yes | AIX V6.1 supports long passwords and pass phrases for authentication of users. The size of the password can be up to 255 characters. |
| | Single Sign On Support | Yes | For details see Resources |
| Authorization and Access Control | | | |
| | Role Based Access Control | Yes | Part of AIX V6.1 Multi-level Security |
| | Mandatory Access Control | Yes | Trusted AIX supports MAC (Mandatory Access Control) |
| | Mandatory Integrity Control | Yes | Trusted AIX supports MIC (Mandatory Integrity Control) |
| | Centralized and Customized Policies | Yes | AIX Security Expert Feature provides this facility |
| | Automated Audit Support | Yes | AIX Security Expert feature provides a consumable facility for Administrators/Auditors |
| | Log Alerts | No | Can easily integrate with third-party audit alert software |
| Node Protection And Availability | | | |
| | Intrusion Prevention | Yes | AIX Intrusion prevention via AIX IPsec features |
| | Antivirus Support | Yes | Achieved via third-party antivirus products |
| | Manage Privilege Program | Yes | AIX V6.1 File Permission Manager helps manage privileged programs |
| | Integrity Verification | Yes | AIX V6.1 Trusted Execution provides for integrity verification |
| | Hardened Installation | Yes | AIX V6.1 supports Secure by Default, an install option to facilitate operating system hardening |
| Immutable File Support | | | |
| | Tamper Resistant Support for Files/Documents | Yes | Future release of Filesystems should help explicitly support such features |
| | Write Once Read Many (WORM) Time support for Files/Documents | Yes | Future release of Filesystems should help explicitly support such features |
| | Common Criteria certification | Yes | AIX V6.1 Certified with CAPP/EAL4+ (see Resources) |
| | AES Encryption Support | Yes | AIX V6.1 supports Advanced Encryption Standard (AES) for almost all of its related modules |
| | Data Remanence/Secure Delete | No | Possibly via third-party tools. |
The AIXPert (AIX Security Expert) is a network and security hardening tool. It incorporates many functions bundled into one system and includes over 300 security configuration settings. It is an outstanding tool for AIX administrators who have to work with compliances such as Sarbanes-Oxley (SOX)-COBIT (see Resources for more information).
The previous checklist should not be treated as a complete list and may not necessarily be comprehensive from a compliance or AIX V6.1 security features perspective. For comprehensive details of AIX V6.1 security features, please refer to the AIX V6.1 documentation or IBM Redbooks (see Resources).
This article touched on the importance of regulatory compliance and how security is a key aspect of meeting it. It showed the need for Common Criteria certification and finally summarized how AIX V6.1 can be a suitable system by listing a few of its security features against requirements derived from common compliances.
- View AIX 6 and POWER6 top security certifications.
- Read IBM Redbook titled "AIX V6 Advanced Security Features Introduction and Configuration" for details on AIX V6 security features.
- "Using AIX Security Expert (AIXPert) features new to AIX V6.1" (developerWorks, Dec 2008) is a step-by-step guide to understanding AIXPert.
- Refer to the IBM System Information Center to learn the details of AIX 6.1 security.
- "Configure single sign-on authentication on AIX" (developerWorks, Sept 2009) explains in detail how to configure single sign-on authentication on AIX.
- Learn all about IPV6, its configuration and support over AIX with "IPV6 on AIX5L" white paper.
- "Configuring an AIX Client System for User Authentication and Management Through LDAP" is an IBM white paper which focuses on configuring AIX systems as clients of directory servers.
- View Gartner's research papers on regulatory compliance.