AIX V6.1 security and regulatory compliance

An outlook

IBM® AIX® Version 6.1 is packed with security enhancements. Many of these features can be mapped with the security requirements laid by the regulatory compliances for federal, financial, and health care sectors. This article looks at AIX V6.1 security features and their mapping with the security criteria that can be derived from some of the compliances. The article helps security practitioners to get a compartmentalized view of the features and why AIX V6.1 can be a system to consider for compliance driven industry.

Sandeep Ramesh Patil (rsandeep@in.ibm.com), Advisory Software Engineer, EMC

Photo of SandeepRamesh PatilSandeep Ramesh Patil is an Advisory Software Engineer for the IBM India System and Technology Lab. His professional experience has been on distributed technology and security products such as the IBM Network Authentication Services (IBM Kerberos). He is an IBM developerWorks Professional Author with most of his articles on information security. He also plays a active role in IP generation. Sandeep holds a BE degree in computer science and engineering from the University of Pune, India. You can contact him at rsandeep@in.ibm.com .


developerWorks Master author
        level

12 January 2010

Also available in Chinese

Introduction

Health care, federal governments, and financial services are three major sectors that are strictly governed by regulatory compliances. Regulatory compliances are a set of specifications or laws enacted by the government or industry that not only helps implement best practices but also makse sure that the respective businesses are operated in such a manner to help prevent fraud and malicious practices, manage risk and external threats, and help safeguard investors as well as consumers. One key aspect is security, which includes digital information security. When securing digital information, it is important to implement end-to-end security. In order to implement end-to-end security, you must compartmentalize the security requirements and also evaluate the products available.

This article describes the need for regulatory compliance, defines the importance of common criteria, and compartmentalizes some of the security aspects required in regulatory compliance and how AIX V6.1 helps achieve those aspects. This article gives practitioners an outlook of some of the AIX V6.1 security features and how they fit in the categorized security needs derived from general regulatory compliance.

Please note that this article must not be treated as a formal guide or a reference for regulatory compliances. You are advised to refer to formal compliance documents for complete details.


Regulatory compliance

In generic terms, compliance is adherence to a specification, law, or standard defined by the government or industry forums. Depending on the type of industry, different regulatory compliances are necessary:

  • The health care industry in the USA is regulated with the Health Insurance Portability and Accountability Act (HIPAA), which was passed by the U.S. Congress in 1996. It has a Security Rule, issued in 2003, which comprises of the security standards to be followed by this industry.
  • Payment Card Industry Data Security Standard (PCI DSS) is a security standard accepted worldwide. This compliance is to be followed by any business that processes card payments (in other words, not only by the financial services sector) to help prevent credit card fraud.
  • Federal Financial Institutions Examination Council (FFIEC) defines a set of standards for financial service sectors such as online banking.
  • The SOX Compliance (Sarbanes-Oxley Act of 2002) mandates a set of processes and procedures to help ensure accurate financial disclosure, which helps prevent major corporate and accounting scandals.

Most of the compliance requirements (but not all) involve information security and the associated business risk. Also, as defined by Gartner Inc (the world's leading information technology research and advisory company), "Senior managers across industries are focusing on compliance concerns because of their impact on all aspects of business operations. Efforts to comply with regulatory requirements must be supported by appropriate IT systems" (see Resources).

Since meeting regulatory compliances is mandated, it is vital to select appropriate IT systems and products to help ensure that your business is in compliance. IBM® Power Systems™ with AIX V6.1 is a security-rich system that can help compliment the business-specific applications running on it .


Common Criteria certification

What is Common Criteria?

Common Criteria helps assure the buyer that the computer security system or system that incorporates security features underwent a rigorous standardized process during its specification, development, and evaluation. A more formal definition of Common Criteria as defined by IBM is "Common Criteria is an internationally recognized (ISO/IEC 15408) standard used by businesses and governments around the world to assess security and development process assurance of technology products. Under Common Criteria, products are evaluated against strict standards that validate the product's design process, development environment, functionality, vulnerability handling, testing and documentation. Over twenty countries recognize the security certifications defined by the Common Criteria standard" (see Resources). Common Criteria certification is typically required for federal deals across the world. Though Common Criteria is very generic, it can also aid a regulatory-governed industry in selection of computer systems or products to suit their business and compliance needs.

Is AIX V6.1 Common Criteria certified?

IBM AIX V6 has received the top security certification of Common Criteria. As claimed by IBM, "AIX V6.1 and the Power 570 system based on the Power6™ processor have been certified compliant under the Controlled Access Protection Profile under the Common Criteria for Information Security Evaluation (CC), at the Evaluation Assurance Level 4 Augmented (commonly referred to as CAPP/EAL4+)", (see Resources).


AIX V6.1 Compartmentalized security chart

The following table generalizes some of the security requirements from common regulatory compliances. The table is categorized as per security criteria and projects a checklist indicating its availability with AIX V6.1 systems.

Table 1. Security requirement checklist
Security CriteriaFeatureAvailability in AIX V6.1Remarks
Secure Data at rest
File system Level EncryptionYesEncrypted File System (EFS) Support
Device Level EncryptionYesAchieved via ISV
Backup EncryptionYesTape Encryption Support
Secure Data in Transit
End to End Kerberos Support (all login channels)YesKerberized telnet, integrated login, ftp, ssh
IPV6 supportYesFor more details on IPV6 on AIX see Resources
IPsec supportYes-
NFS V4YesSupports Kerberized NFS with per message encryption
Centralized Authentication
LDAP AuthenticationYesFor details see Resources
Kerberos AuthenticationYesProvides Kerberos Server Facility, Supports Active Directory
Two Factor Authentication No-
One Time Password No-
Long Password SupportYesAIX V61 supports long password and Pass Phrases for authentication of users. The size of the password can be up to 255 characters.
Single Sign On SupportYesFor details see Resources
Authorization and Access Control
Role Based Access ControlYesPart of AIX V6.1 Multi-level Security
Mandatory Access Control YesTrusted AIX supports MAC (Mandatory Access Control)
Mandatory Integrity ControlYesTrusted AIX supports MIC (Mandatory Integrity Control)
Auditing
Centralized and Customized PolociesYesAIX Security Expert Feature provides this facility
Automated Audit SupportYesAIX Security Expert feature provides consumable facility for Administrators/Auditors
Log Alerts NoCan easily integrate with third-party audit alert software
Node Protection And Availability
Intrustion PreventionYesAIX Intrusion prevention via AIX IPsec features
Antivirus SupportYesAchieved via third-party antivirus products
Manage Privilege ProgramYesAIX V6.1 File Permission Manager helps manage privileged programs
Integrity VerificationYesAIX V6.1 Trusted Execution provides for integrity verification
System Hardening
Hardened InstallationYesAIX V6.1 supports Secure by Default, an install option to facilitate operating system hardening
Immutable File Support
Tamper Resistant Support for Files/DocumentsYesFuture release of Filesystems should help explicitly support such features
Write Once Read Many (WORM) Time support for Files/DocumentsYesFuture release of Filesystems should help explicitly support such features
Common Criteria
Common Criteria certificationYesAIX V6.1 Certified with CAPP/EAL4+ (see Resources)
Others
AES Encryption SupportYesAIX V6.1 supports Advanced Encryption Standard (AES) for almost all of its related modules
Data Remanence/Secure DeleteNoPossibly via third-party tools.

The AIXPert (AIX Security Expert) is a network and security hardening tool. It incorporates many functions bundled into one system and includes over 300 security configuration settings. It is an outstanding tool for AIX administrators who have to work with compliances such as Sarbones-Oxley (SOX)-COBIT (see Resources for more information).

The previous checklist should not be treated as a complete list and may not necessarily be comprehensive from a compliance or AIX V6.1 security features perspective. For comprehensive details of AIX V6.1 security features, please refer to the AIX V6.1 documentation or IBM Redbooks (see Resources).


Conclusion

This article touched on the importance of regulatory compliances and how security is a key aspect for meeting these compliances. It showed the need of Common Criteria certification and finally summarized how AIX V6.1 can be a suitable system by listing a few of its security features with requirements derived from common compliances.

Resources

Learn

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=461210
ArticleTitle=AIX V6.1 security and regulatory compliance
publish-date=01122010