Firm leverages unique qualifications

When preparing for a test, your chances of passing are better if your study buddy helped write it. That's the idea IBM had when it hired atsec, an information technology security consulting firm, to help it get Common Criteria certification for eServers running Red Hat's Enterprise Linux operating system.

The Common Criteria are a set of internationally recognized standards of assurance for sharing classified information within and across government agencies. Meeting those standards is essential for companies that want federal contracts that include handling classified information.

Last month, IBM submitted the next version of Red Hat Enterprise Linux -- Version 5 -- for Common Criteria certification at Evaluation Assurance Level (EAL) 4. IBM has worked with atsec since 2003, when the latter company evaluated an earlier enterprise version of Linux for EAL 2 certification.

The Common Criteria reflect the Information Technology Security Evaluation Criteria (ITSEC) used throughout Europe. The ITSEC standards are, in turn, based on the German IT security scheme written in the late 1980s by Helmut Kurth, now chief scientist and lab director at atsec.

Kurth and two other IT security gurus formed atsec in 2000 to provide a novel service in the security sphere.

The principle is simple: Customers have a better chance of managing their risk and earning the security certifications to prove it, if they are guided through the process from the start by the experts who helped develop the standards they want to meet.

The company helps its customers identify their areas of critical risk and develop management strategies to lower that risk to an acceptable level and keep it there, Kurth said.

"We're not just helping our customers go through the evaluation but also to enormously improve the quality of their products," said Salvatore La Pietra, atsec's president and co-founder. As a former chief IT security specialist for IBM's European operations, he conducted the first security evaluation of the AIX operating system.

"We enable them to sell their products where security is required, and they need to show their products are really secure," La Pietra said.

All of atsec's consultants are trained in both versions of Common Criteria evaluation: the German Bundesamt für Sicherheit in der Informationstechnik (BSI) and the U.S. National Information Assurance Partnership (NIAP) sponsored by the Defense Department and the National Institute of Standards and Technology.

Since 2000, atsec has helped A-list customers meet demanding IT security goals. In the United States, atsec helped Opteron Computers get Common Criteria certification, which led to the Army Research Lab buying the company. Other atsec customers include Hewlett-Packard, Axalto and Siemens.

IBM has been happy with atsec's performance. A large part of getting security certifications is submitting the right documentation and test results, said Scott Handy, IBM's vice president for worldwide Linux.

"Process is 70 percent of the work," Handy said, and atsec's experts helped write the book on those processes.

"They helped plan our strategy and execution. We couldn't have done it without them this fast," said Kittur "Doc" Shankar, IT architect in IBM's System and Technology Group.

More importantly, Handy said, acquiring Common Criteria certification for Linux has broadened the opportunity to use the operating system in more bids on federal projects.

The security-certification angle of atsec's business, however, interests only a narrow niche of organizations that make security products or sell them to the federal government, said Kelly Kavanagh, a research analyst at Gartner.

"What our customers are most concerned about is assuring their customers, partners and board members that they are taking measures to maintain sufficient security," Kavanagh said.