IBM SYSTEMS SECURITY


Announcement Letter Number 289-581 dated October 24, 1989
US - Last Revised on October 24, 1989



Brief Description of Announcement, Charges, and Availability

       In today's business environment, information is one of the
most valuable resources.  This information is basic to operational
and decision-making processes, is often confidential, and is
essential in maintaining an organization's competitive edge.  In
today's announcement, IBM is defining those facilities which can be
used for a secure business solution:  identification and
authentication, access control, confidentiality, data integrity, and
security management.  These facilities provide IBM's basis for
selecting the products and services needed to implement enterprise
security.  In addition, information is provided about related
announcements in support of these facilities.


Customer Letter Section

HIGHLIGHTS
o   Provides a basis for granular and flexible security solutions
    based on unique enterprise security policies and objectives.
o   Extends business controls for an enterprise's assets with
    expanded audit capability, better control over privileged users,
    and stronger isolation to facilitate business alliances.
o   Allows dynamic customizing and "fine tuning" of security
    enforcement by providing granular minimum to maximum security
    options.
o   Expands the enterprise's ability to control sensitive information
    by protecting more resources and providing more control of
    processing options.
o   Simplifies security policy implementation and administration by
    automating processes and providing more security default
    protection.
o   Offers security expertise to enterprises through a variety of
    consulting, education, and implementation options.
DESCRIPTION
       In today's business environment, information is one of the
most valuable resources.  The protection of enterprise information is
essential in maintaining an organization's competitive edge.  Each
enterprise needs to appraise the value of its data, determine
potential security threats, and develop an appropriate security
policy.  IBM provides education, consultation, services and products
to help in this process.  The following defines the basic security
facilities.
SYSTEM INTEGRITY
       System integrity is an important characteristic of IBM's MVS
and VM operating systems.  While there are precise definitions of
system integrity which differ for each system, in general terms,
system integrity is the ability of an operating system to prevent the
circumvention or bypassing of its security mechanisms.  IBM continues
to accept APARs (Authorized Program Analysis Reports) that describe
exposures to the system integrity of MVS and VM.
       Today, IBM is announcing the acceptance of Security APARs for
MVS and VM and for IBM products which run on these systems.  Security
APARs are for reporting problems in existing security mechanisms
where the problem descriptions do not meet the precise definition of
system integrity for a particular system, but do constitute an
exposure to the security of the system as a whole or to an IBM
product which runs on the system.
SECURITY FACILITIES
A secure enterprise system contains a set of distinct security
facilities, working in combination, to provide a secure environment.
These fundamental security facilities are defined as:
o   Identification and authentication of users
o   Access control for protected information
o   Confidentiality to prevent information disclosure
o   Data integrity to detect data modification
o   Security management facilities to administer and audit security.
       IBM is committed to providing secure computing environments,
as described in the following sections:
IDENTIFICATION AND AUTHENTICATION
Users can identify themselves to the system and prove their identity
by supplying one or more of the following:
o   Something the user knows (password values)
o   Something the user has (key, token, smart card, etc.)
o   Something the user is (biometrics such as signature dynamics)
       Authenticated user identification provides the basis for
additional security functions, for example, access control and
auditing.  Thus, installations can implement a policy of individual
accountability.
       IBM currently provides passwords across a wide range of
systems, applications, and subsystems.  On MVS and VM, RACF working
in combination with NetView (TM)/Access Services provides a single
sign-on point for terminal users to access multiple systems and
applications.  Additionally, users of the current versions of OS/2
(R) Extended Edition and the IBM PC LAN Program are provided a single
signon point for access to files, printers, applications, and serial
device resources controlled by one or more OS/2 LAN Servers.
NEW IDENTIFICATION AND AUTHENTICATION SUPPORT:
o   In MVS and VM environments, RACF can now be used to provide
    authentication support for LU 6.2 sessions.  See IBM Programming
    Announcement 289-584, dated October 24, 1989.
o   Authentication of remote RJE/RJP station userids will be provided
    by JES and RACF.  See IBM Programming Announcement 289-580, dated
    October 24, 1989.
o   Identification and authentication facilities are extended to
    MVS/ESA (TM) console operators.  See IBM Programming Announcement
    289-580, dated October 24, 1989.
o   OS/400 (TM) has extended the user password facilities and now
    supports the expiration of passwords and optional rules to
    control password content.  In addition, OS/400 provides system
    specified user time-out for inactive workstations.  See IBM
    Programming Announcement 289-317, dated June 20, 1989.
o   Workstation users can be authenticated via a PIN or signature
    dynamics, using the IBM 4754 Security Interface Unit with the IBM
    Personal Security Card (chip card) or the IBM Signature
    Verification feature.  See IBM Product Announcement 189-174,
    dated October 24, 1989.
       IBM will continue to evaluate user authentication support as
biometric and other technologies evolve.
 (R) Registered trademark of International Business Machines
   Corporation.
 (TM) Trademark of International Business Machines Corporation.
ACCESS CONTROL
Access control allows the installation to provide different levels of
protection for resources based on business value.  Depending on the
environment, the resource owner can specify who can access the
information, how it can be accessed, when it can be accessed, and
under what conditions it can be accessed (for example, when executing
specific applications, programs, or transactions).
       IBM currently offers a wide range of basic access control
facilities across a variety of environments such as MVS, VM, OS/400,
OS/2 LAN Server, AIX (TM), IMS, CICS, DB2 (TM), SQL/DS, and VTAM.
These facilities allow protection of system, application, and user
resources such as data sets, files, volumes, tapes, minidisks,
databases, transactions, programs, commands, and the vector facility.
NEW ACCESS CONTROL SUPPORT:
o   Access control is extended to new MVS resources, including
    operator commands, spool files, messages, printers, and
    hiperbatch.  See IBM Programming Announcement 289-580, dated
    October 24, 1989.
o   Access control is extended to new VM resources, including files
    of the shared file system, messages, and spool files.  See IBM
    Programming Announcement 289-584, dated October 24, 1989.
o   MVS and VM installations can use the new RACF support for
    sensitivity labels and categories to implement a wide variety of
    enterprise security policies.  See IBM Programming Announcement
    289-584, dated October 24, 1989.
o   Installations can use new support in JES to conditionally accept
    jobs and printing based on the node from which they are received.
    For NJE networks which do not have a homogeneous user
    identification or security labeling scheme, a translation
    mechanism is provided.  See IBM Programming Announcement 289-580,
    dated October 24, 1989.
o   DB2 Version 2 Release 2 extends distributed relational DB2
    security support across multiple MVS environments by supporting
    end user name translation and password propagation.  See IBM
    Programming Announcement 289-469, dated September 19, 1989.
o   CICS/ESA Version 3 Release 1 enhances its use of RACF by
    providing the capability of applying granular access control to
    all system programming commands.  See IBM Programming
    Announcement 289-305, dated June 20, 1989.
       IBM systems will continue to evaluate new access control
support for additional types of resources and additional levels of
granularity.
CONFIDENTIALITY
Confidentiality protects an enterprise's sensitive information from
disclosure.  When it is stored locally, sensitive data can be
protected by access controls or encryption mechanisms.  For network
communication security, sensitive data can be encrypted as it is
transmitted from system to system.
       IBM currently supports the Data Encryption Algorithm (DEA) of
the Data Encryption Standard (DES) for session encryption,
authentication information (PINs, passwords), files, and
application-specific requests.  IMS and DB2 permit the use of DEA
through user exits.  Other examples of IBM environments which support
confidentiality include VTAM, IBM 4700, 3848/CUSP, PCF, IPS, OS/400,
and System/88.
NEW CONFIDENTIALITY SECURITY SUPPORT:
o   It is IBM's intent that VTAM will support session-level mandatory
    encryption (the encryption of all messages that flow on a
    session) and selective data encryption for LU 6.2 application
    programs.
o   It is IBM's intent that in an XRF environment, VTAM will support
    cryptography for active and backup sessions.  If a failure of the
    active system should occur, the sessions using cryptography can
    be switched from the active to the alternate system.
o   Encryption and decryption capabilities are provided via a new set
    of consistent services.  Initially this support is available with
    the IBM 4753 Network Security Processor and the IBM 4753 MVS
    Support Program (5706-028).  See IBM Product Announcement 189-171
    and IBM Programming Announcement 289-585, dated October 24, 1989.
o   The IBM 4753 Network Security Processor provides Data Encryption
    Algorithm (DEA/DES) cryptographic support to systems requiring
    secure transaction processing and other cryptographic services on
    a System/370 MVS host system.  It is designed to be used for
    cryptographic transaction processing in a network.  Workstation
    encryption and decryption are provided by the IBM 4754 Security
    Interface Unit and the IBM 4755 Cryptographic Adapter.  See IBM
    Product Announcements 189-171 and 189-174, dated October 24,
    1989.
       IBM will continue to evaluate new confidentiality support
based on data encryption services.  Additionally, IBM will continue
to participate on ISO standards committees working to develop
encryption standards.
DATA INTEGRITY
Data integrity provides detection of the unauthorized modification of
data.  Enterprises must allow the usage of data, by authorized users
and applications locally or remotely where the information resides,
as well as the transmission of data for remote processing.  Data
integrity facilities can indicate whether information has been
altered.
       IBM currently offers basic hardware checking internally on all
of its processors in support of data integrity, such as cyclic
redundancy checking and parity checking.  In the network
communications environment, IBM supports message authentication
checking, for instance on the IBM 4700.
NEW DATA INTEGRITY ANNOUNCEMENT SUPPORT:
o   It is IBM's intent that VTAM will support session-level mandatory
    encryption (the encryption of all messages that flow on a
    session) and selective data encryption for LU 6.2 application
    programs.
o   Message Authentication Code generation and verification
    capabilities are provided by a new set of consistent services.
    This support can provide a base for data integrity services in a
    network environment.  Initially host support is available with
    the IBM 4753 Network Security Processor MVS Support Program
    5706-028.  See IBM Programming Announcement 289-585, dated
    October 24, 1989.
o   Workstation data integrity support is provided by the IBM 4754
    Security Interface Unit and the IBM 4755 Cryptographic Adapter.
    See IBM Product Announcements 189-171 and 189-174, dated
    October 24, 1989; and IBM Programming Announcement 289-585 dated
    October 24, 1989.
       IBM will continue to evaluate new data integrity services for
non-repudiation, digital signatures, callable services, and enhanced
key management as technology evolves.
SECURITY MANAGEMENT
Security management is the administration, control, and review of an
enterprise's security policy.  Security managers make use of
procedures and system security facilities to implement policies
consistent with the enterprise objectives.  System auditability can
provide checks and balances on the privileged users and
administrators to ensure that security management policies are
enforced.
       Currently, IBM provides capabilities for security management
in MVS, VM, TSO, CICS, IMS, DB2, SQL/DS, VTAM, NetView/Access
Services, DFSMS, OS/400, System/38 CPF, OS/2 (R) LAN Manager, OS/2
LAN Server, and AIX.  Additional auditing facilities are available
with the RACF Report Writer, RACF Data Security Monitor, and DB2
Performance Monitor (DB2PM).
       New Security Management Announcement Items:
o   Currently, RACF offers user enrollment for TSO, VM, IMS, DB2 and
    DFSMS.  In addition, CICS operator data, currently held in the
    signon table, will be moved out of CICS tables to the user
    information maintained by RACF (or equivalent security package).
    For more information, see the Statement of Direction in IBM
    Programming Announcement 289-305 dated June 20, 1989.
o   MVS/ESA extends auditing support to journal operator actions,
    actions by surrogate users, and selective audit based on the
    installation defined sensitivity of labelled resources.  See IBM
    Programming Announcements 289-580 and 289-584, dated October 24,
    1989.
o   RACF/VM provides new security administration and auditing
    options.  An installation may optionally tailor RACF command
    syntax to its environment through the use of new REXX EXECs and
    IBM-supplied code.  RACF/VM journaling is extended to log
    operator actions (based on operator userid), actions by surrogate
    users, and selective events based on the installation-defined
    sensitivity of labelled resources.  A highly granular selective
    audit capability tailorable by individual userids has been added
    to VM/SP environments via RACF support.  See IBM Programming
    Announcements 289-582 and 289-584, dated October 24, 1989.
o   IBM's National Service Division (NSD) offers security consulting
    services to perform system penetration testing and system site
    security review, assist with project planning and risk analysis,
    and implement RACF security solutions.  For further information,
    contact your IBM marketing representative.
o   IBM's System Integration Division (SID) offers skills, services
    and computer-assisted auditing tools to support enterprise audit
    and business control executives in evaluating the control and
    compliance posture of their key business processes.  For further
    information on the Computer-Assisted Auditing Tools and
    Techniques Services Offering, contact your IBM marketing
    representative.
o   NSD announces the limited availability of the IBM Business
    Recovery Services offering.  This offering provides operations
    and services in the event of a disaster through IBM Business
    Recovery Services Centers.  This includes testing, planning,
    education, support services, network and computing center
    facilities.  For more information, see IBM Marketing Announcement
    389-154, dated October 3, 1989.
       IBM will continue to evaluate new security management and
audit functions consistent with appropriate system management
capabilities.
MEASURES USED TO PROTECT AGAINST HARMFUL CODE
The threat of harmful code (viruses, worms) to the information assets
of all computer users is of growing concern to IBM.  As a result, IBM
has instituted broad measures to protect IBM products from
contamination by unauthorized code and to provide technology and
information to non-IBM groups working on security-related issues.
       In general, IBM products are developed under formally
controlled processes, which include:  formal specifications, detailed
test plans, assurance reviews, and inspections of code and test
cases.  In addition, virus detection tools and anti-virus procedures
are used prior to code shipment in order to prevent the spread of
known microcomputer viruses.
       Protection against unauthorized code entering a system during
and after installation requires that all owners of information
systems develop a comprehensive security policy, educate employees
and users about secure computing practices, and administer the policy
and practices.
       Within IBM, security policy and practices are augmented by
security facilities implemented on IBM's internal systems.  These
same security facilities are used to protect users and data on IBM's
Information Network.  See the IBM Information Network Security
Bulletin (GC34-2206).
NEW MEASURES:
o   IBM has established a High Integrity Computing Lab in its T. J.
    Watson Research Center at Hawthorne, N.Y., to research issues of
    integrity in complex, distributed systems and transfer the
    skills, information, and technology to IBM products and the
    industry at large.
o   IBM provides assistance to customers in many aspects of secure
    computing based on IBM's own internal security programs and
    expertise.  In addition, IBM plans to provide selected tools,
    sample code, and information based on IBM experience in
    preventing, detecting, and recovering from known computer viruses
    and worms.  For further information, contact your IBM marketing
    representative.
o   IBM's new cryptographic products offer customers powerful
    facilities for protecting the integrity of high-value data and
    programs.  Additional information is provided in the
    Confidentiality and Data Integrity sections of this document.
       IBM products and the processes used for development and
manufacturing will continue to be evaluated and improved over time as
more is understood about malicious code and corresponding
counter-measures.
UNITED STATES DEPARTMENT OF DEFENSE SECURITY
IBM's objective is to provide systems that are designed to meet the
current interpretations of the various levels of security criteria as
defined in the United States Department of Defense publication
"Trusted Computer System Evaluation Criteria."
       Complete systems, composed of several products, including a
major operating system and a security monitor, are required for each
Trusted Computer Base.  The full set of products comprising each
Trusted Computer Base is defined in the referenced announcements.
       IBM has designed functions to meet the criteria and
implemented the following currently available product support:
o   An MVS/XA (TM) and RACF-based Trusted Computer Base has completed
    evaluation at the C2 level.  See Evaluated Products List Serial:
    CSC-EPL-88/003, dated June 15, 1988.
o   A VM/SP and RACF-based Trusted Computer Base, with or without
    High Performance Option (HPO), is generally available for use at
    the C2 level.  See IBM Programming Announcements 288-657 and
    288-665, dated November 15, 1988, for the full Trusted Computer
    Base content.
o   A VM/XA (TM) and RACF-based Trusted Computer Base is generally
    available for use at the C2 level.  See IBM Programming
    Announcements 289-349, dated July 6, 1989; and 289-340, dated
    June 27, 1989, for complete Trusted Computer Base definition.  It
    continues to be IBM's intent to provide the functions designed to
    meet the currently defined B1 criteria for VM large systems
    customers.  The Trusted Computer Base (specific software
    products, processor models, and peripherals) will be defined at a
    later date for possible initiation of formal National Computer
    Security Center (NCSC) evaluation by December 1990.
NEW TRUSTED SYSTEMS ANNOUNCEMENTS:
o   An MVS/ESA and RACF-based Trusted Computer Base that is designed
    to meet the B1 criteria will be available for use.  See IBM
    Programming Announcement 289-583, dated October 24, 1989.
o   A VM/SP and RACF-based Trusted Computer Base, with or without
    HPO, that is designed to meet the B1 criteria will be available
    for use.  See IBM Programming Announcement 289-582, dated
    October 24, 1989, for complete Trusted Computer Base definition.
o   IBM intends to offer future versions of AIX designed to meet the
    mandatory access control policies defined by the current criteria
    for B1 level systems.  The Trusted Computer Base definitions
    (specific software products, processor models, and peripherals)
    will be provided at a later date.
IBM endorses the concept of the National Computer Security Center
(NCSC) Ratings Maintenance Program in order to keep its evaluated
systems as current as possible.  In addition, IBM will continue to
evaluate additional controls in our system, network, data base,
application, and virtual machine monitor offerings.
IBM systems that are designed to meet Department of Defense (DoD) C2
and B1 criteria may be accredited for use in system high and
compartmented mode operating environments, as described in the
"Industrial Security Manual for Safeguarding Classified Information"
(DoD 5220.22-M).  These industrial security requirements are
applicable to all contractors, subcontractors, and suppliers who have
access to classified information, as well as specified Federal
Government departments and agencies.
USER GROUP REQUIREMENTS
Many items in this announcement address issues raised in two strategy
papers from GUIDE and SHARE.  IBM has responded positively to these
papers, and these announcements represent IBM's continued commitment
to provide our customers with the security facilities which meet
their needs.
The GUIDE paper is entitled "Future Direction for an Information
Security Architecture," presented at GUIDE 65 in session number
PM-7241 and entered as GUIDE requirement number GD9STR85001.  The
SHARE paper is entitled "Security Requirements for IBM Developed
Program Products."