In a development that could have far-reaching consequences for companies that want secure certification for their operating systems but have no prospect of getting them certified by the US Department of Defense, Tandem Computers Inc has been awarded security approval from GISA, the German Information Security Agency, for its Guardian proprietary operating system. This is the first time that Tandem has received a security certification, and it is also the first certification that GISA has announced.

The Agency was established as an offshoot of German Intelligence, which has been reorganised into separate public and military divisions. The public arm is sponsored by and reports into the Ministry of the Interior. GISA has drawn up its own Green Book in conjunction with commercial and academic bodies and a number of hardware and software vendors such as IBM, DEC, Unisys, GEI Rechnersysteme GmbH, and the University of Aachen.

The European computer community has long complained about the US Orange Book security classifications, claiming that the standards are not applicable to non-US equipment, and largely irrelevant to commercial users. Unless a company is American, it is notoriously difficult to gain Orange Book certification, and furthermore, the classifications are accused of being outdated and biased towards military requirements. Consequently, GISA hopes its Green Book will form the basis of a European-wide set of standards. The first step towards that end is being taken in September when the UK, France, Germany, and the Netherlands are to publish the first draft of jointly agreed standards.

Green Book certifications are described as a matrix of functionality classes measuring security features and assurance levels, and there are 10 classifications.
F1 to F5 are concerned with functionality, and F6 to F10 are concerned with high integrity, confidentiality, and the safeguarding of data, including the evaluation of security in databases, which is an area that has been neglected. The Orange Book mixes security functions and assurance levels, and GISA believes this is often inappropriate to the commercial market. Tandem has been awarded functionality level F2, said to be equivalent to Orange Book C2 controlled access classification. It covers user identification, authorisation, administration and verification of rights, audit of users and usage, and re-use of storage media. Tandem was also awarded F7 status for fault tolerance and continued availability, which are not covered by the Orange Book.
