Community
Search Options
Search Options
Log in
Skip to main content (Press Enter).
Sign in
Skip auxiliary navigation (Press Enter).
Power
Topic areas
Automation with Power
Business Continuity
Enterprise Infrastructure as a Service
IBM i
ISV Solutions
Modernization with IBM Power
Open Source
Operating Systems
Power Developer eXchange
Power Global
Power Security
Programming Languages
Virtualization
User groups
Events
IBM TechXchange Conference
Upcoming Power Events
IBM TechXchange Webinars
All IBM TechXchange Community Events
Participate
Gamification Program
Getting Started
Community Manager's Welcome
Post to Forum
Share a Resource
Share Your Expertise
Blogging on the Community
Connect with Power Users
All IBM TechXchange Community Users
Resources
IBM TechXchange Group
IBM Champions
IBM Cloud Support
IBM Documentation
IBM Support
IBM Technology Zone
IBM Training
TechXchange Conference
IBM TechXchange Conference 2024
Marketplace
Marketplace
IBM Power
Connect, learn, share, and engage with IBMPower.
Join / Log in
Skip main navigation (Press Enter).
Toggle navigation
Search Options
PowerVM
Virtualization
View Only
Group Home
Discussion
355
Library
15
Blogs
103
Events
0
Members
1.2K
Share
Common Criteria POWER9 Power10
By
Veena Ganti
posted
Tue August 23, 2022 03:37 PM
1
Like
Common Criteria Security Certification
for POWER9 and Power10
Information security has always been an important consideration in providing a complete enterprise solution, but with all the current attacks and exploits, this certainly has become a focus area for every customer. The PowerVM and Power hardware teams always put security at the center of our designs. Protection of client data is one of the key values of a PowerVM solution. The following blog covers a recently achieved security certification of PowerVM.
Value of Security Certification
One reason a vendor might pursue a security certification would be to meet a specific requirement that a product hold a security certification to meet an explicit requirement as part of a contractual obligation. In this situation, the consumer of the product may want to only run on that specific level of hardware, firmware and/or software as that is the certified configuration. Technically, as soon as a fix is applied to the environment, this changes the evaluated configuration and usually the certification is no longer valid. Some certifications, including this PowerVM certificate, also consider the vendor’s flaw remediation process, which may provide some level of confidence in the fixes that would be applied to the base certification.
Another reason for doing a security certification is that it provides some level of validation that the product is following secure development and maintenance practices as required by the certification. Most software products are really a modification or evolution from a previous generation, so it’s likely if secure engineering practices have been followed by a vendor in the past, that the vendor will continue to follow these practices in new product development.
IBM has a corporate policy that products produced by IBM follow the
IBM Security and Privacy by Design principles (SPdD@IBM)
. The basic principles involve threat assessments, security testing (like this PowerVM security evaluation) and release reviews.
Note that a security certification does not guarantee that the product is free from all defects, as exposure can be found long after a product has been released. For example, even though many products from many different vendors carried security certifications, the spectre/meltdown security vulnerability allowed for the capture of private data via side channel attacks.
Details of Recent PowerVM Common Criteria Certification
Recently, the PowerVM team completed a
Common Criteria security certification
that evaluated both the POWER9 E980 and Power10 E1080 running VIOS level 3.1.3.10. The target of evaluation (TOE) covered both the Virtual I/O Server (VIOS) and the PowerVM Hypervisor as shown in figure 1.
The
security target
covers the following threats:
1. An entity operating within a partition may be able to gain access to resource that belong to another partition as configured by an authorized user. An example of this threat would be a user running in a virtual machine (Logical Partition-LPAR) gaining access to memory, processor or I/O resources that were assigned to another partition.
2. An entity operating within a partition may be able to establish a communication channel with another partition. An example of this threat would be allowing two partition that are NOT configured to communicate via virtual ethernet to pass data over this connection.
3. An entity operating within a partition may be able to disrupt the operation of another partition. An example of this threat would be that a partition is able to reboot itself but should not be able to reboot other partitions.
All of these threats can be concerns for on-premise and cloud environments like
PowerVS
. When you virtualize your hardware to run multiple instances, you need protection from a virtual machine sharing data or affecting the operation with other virtual machines.
Common Criteria
evaluations require three different parties all participating in the evaluation. You have a vendor, a licensed laboratory and a certification body. For this certification, the vendor is IBM which was represented by a team from the PowerVM hypervisor and VIOS development organization. It was IBM’s responsibility to provide detailed design documents, documents covering
how to configure the supported configuration,
development of testcases for the interfaces under test and the execution of the testcases.
The auditor is a
Common Criteria licensed laboratory
that guides the vendor (IBM) in the process of the certification, creates the security target document, reviews the documents produced by the vendor, uses the information from the documentation to review the test case coverage, review and independently execute the vendor testcase, develop and run additional security tests including penetration testing, review existing vulnerabilities and work directly with the certification body.
There are currently 17 different governments that can act as the certificate authorizing members and 14 additional governments that accept Common Criteria certificates. Depending on the evaluated assurance level (EAL), the security certification will be accepted by one or more member countries. All certificate members and all additional consuming members accept the PowerVM security certification. It is the responsibility of the certificate authority to validate all the data provided by the licensed laboratory to ensure that it meets all the current requirements for a Common Criteria license. The certification authority can request additional documentation, additional testing and so on until they are satisfied that a product under evaluation can be certified.
Summary
This overview provided an insight into why and how security evaluations are performed along with the value these evaluations provide to consumers. Have questions about security or want to learn more about PowerVM? Follow our discussion group on LinkedIn
IBM PowerVM
.
0 comments
100 views
Permalink
IBM Community Home
Browse
Discussions
Resources
Groups
Events
IBM TechXchange Conference 2023
IBM Community Webinars
All IBM Community Events
Participate
Gamification Program
Community Manager's Welcome
Post to Forum
Share a Resource
Blogging on the Community
All IBM Community Users
Resources
Community Front Porch
IBM Champions
IBM Cloud Support
IBM Documentation
IBM Support
IBM Technology Zone
IBM Training
Marketplace
Marketplace
Power
Topic areas
Automation with Power
Business Continuity
Enterprise Infrastructure as a Service
IBM i
ISV Solutions
Modernization with IBM Power
Open Source
Operating Systems
Power Developer eXchange
Power Global
Power Security
Programming Languages
Virtualization
User groups
Events
IBM TechXchange Conference
Upcoming Power Events
IBM TechXchange Webinars
All IBM TechXchange Community Events
Participate
Gamification Program
Getting Started
Community Manager's Welcome
Post to Forum
Share a Resource
Share Your Expertise
Blogging on the Community
Connect with Power Users
All IBM TechXchange Community Users
Resources
IBM TechXchange Group
IBM Champions
IBM Cloud Support
IBM Documentation
IBM Support
IBM Technology Zone
IBM Training
TechXchange Conference
IBM TechXchange Conference 2024
Marketplace
Marketplace
Copyright © 2020 IBM Corporation. All rights reserved.
Powered by Higher Logic