Copyright © 2005

All rights reserved

The need to share information among different governmental agencies has risen dramatically due to the war to combat terrorism. This increased emphasis on information-sharing has placed greater responsibilities for handling national security information on local and federal agencies that, in the past, have been outside the normal channels of classified information processing. This has prompted urgent interest in the capabilities offered by multi-level security (MLS) standards since it supports collaborative operations among multiple agencies.

There has been a simultaneous trend in the federal government to consolidate and simplify the extremely complicated and splintered enterprise infrastructures of most agencies tasked with national security responsibilities. As agencies move to consolidate enterprise resources and improve performance to support the collaborative imperatives associated with today’s national security missions, mainframe computing platforms are shaping up to play an increasingly important role.

The ability to coalesce classified information sharing onto consolidated infrastructures provides significant cost savings for these agencies, while also helping to streamline DoD and intelligence community infrastructures that must connect to many more locations and agencies. IBM’s approach to supporting MLS is designed to address these challenges.

IBM has integrated multi-level security support into its mainframe operating system, z/OS Version 1 Release 5. Designed together with DB2 UDB for z/OS Version 8, z/OS provides federal agencies with a high assurance solution for MLS on the zSeries mainframe. This support provides row-level security labeling in DB2, and protection in z/OS, designed to meet the stringent security requirements of cross-domain access to data. This solution leverages zSeries leadership in scalability, high availability, and self-managing capabilities.

The z/OS system achieved compliance with the Common Criteria Controlled Access Protection Profile (CAPP) at Evaluating Assurance Level 3 (EAL3) and Labeled Security Protection Profile (LSPP) at EAL3+. EAL3 indicates that the product was evaluated in its design stage for vulnerabilities and that the developers’ testing results were independently verified. Level 3 is a moderate level of independent assessed security.

CAPP compliance indicates that the z/OS supports access controls that enforce limitations on individual users. The system also provides for a level of protection against inadvertent or casual attempts to break the security system. Compliance establishes that the z/OS supports specific requirements for auditing security critical events and, through the security function, protects network transmitted data. LSPP compliance is a superset of CAPP and indicates that the system restricts or grants access to data only after verifying the clearance level of the user to the security level of the data. It also means that the system supports security at the level necessary for processing highly confidential information.

Consequently, the zSeries mainframe solution from IBM can address government requirements for highly secure data exchange. New security features in DB2 V8 and z/OS 1.5 enable agencies to have a single highly secure repository of data that has different sensitivity attributes and which can be accessed by different agencies and by people with different clearance levels. This secure access is managed at the row level in DB2 to provide the granularity that is required.

Consequently, agencies will be able to:

The zSeries platform can provide this MLS security for applications using the latest open industry standard technologies. The z/OS environment supports technologies such as Enterprise JavaBeans, XML, HTML, Unicode, distributed IP networking, and Public Key Infrastructure services (PKI). The z/OS UNIX System Services allows agencies to develop and run UNIX programs on z/OS and exploit the reliability and scalability of the IBM eServer zSeries servers. It also supports distributed print services, storage management, and advanced workload management capabilities.

Since zSeries customers are some of the largest and most security-sensitive organizations in the world, security has always been an important component of the zSeries strategy. Security is a key design point for zSeries servers, operating systems, middleware and applications.

IBM’s current MLS offerings take into account the need for a sustainable business case. The IBM business case is based on the current concerns of federal agencies and the desires for higher degrees of inter-organizational integration. IBM is making the investments and is establishing partnerships with government agencies and major contractors to make these capabilities a reality.