Vormetric Data Security Manager Version 6.3 Security Target
Version 3.3
October 7, 2020
Prepared For:
Evaluated By:
1000 Innovation Drive, Ottawa, Ontario, K2K 3E7

Vormetric Data Security Manager Version 6.3 Security Target 2 of 93

Table of Contents

1 Security Target Introduction
1.1 Security Target Reference
1.2 TOE Reference
1.3 Conformance Claims
1.4 Protection Profile Claim
1.5 Package Claim
1.6 Conformance Rationale
1.7 Technical Decisions
2 TOE Description
2.1 Product Overview
2.2 TOE Overview
2.2.1 Vormetric Data Security Manager (DSM)
2.2.1.1 DSM Software
2.2.1.2 DSM Hardware
2.2.1.3 Remote Administrative Management
2.2.1.4 Vormetric Agents
2.3 Physical Scope of the TOE
2.4 Protocols and Services Excluded from Evaluation
2.5 Logical Scope of the TOE
2.5.1 System Monitoring
2.5.2 Robust TOE Access
2.5.3 Authorized Management
2.5.4 Policy Definition
2.5.5 Dependent Product Configuration
2.5.6 Confidential Communications
2.5.7 Access Bannering
2.5.8 Cryptographic Services
2.6 TOE Guidance
3 Security Problem Definition
3.1 Threats
3.2 Organizational Security Policies (OSPs)
3.3 Assumptions
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
5 Extended Components Definition
5.1 Extended Security Functional Components
5.1.1 ESM_ACD.1 Access Control Policy Definition
5.1.2 ESM_ACT.1 Access Control Policy Transmission
5.1.3 ESM_ATD.1 Object Attribute Definition
5.1.4 ESM_ATD.2 Subject Attribute Definition
5.1.5 ESM_EAU.2 Reliance on Enterprise Authentication
5.1.6 ESM_EID.2 Reliance on Enterprise Identification
5.1.7 FAU_SEL_EXT.1 External Selective Audit
5.1.8 FAU_STG_EXT.1 External Audit Trail Storage
5.1.9 FCS_CKM_EXT.4 Cryptographic Key Zeroization
5.1.10 FCS_HTTPS_EXT.1 HTTPS
5.1.11 FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
5.1.12 FCS_TLS_EXT.1 TLS
5.1.13 FMT_MOF_EXT.1 External Management of Functions Behaviour
5.1.14 FMT_MSA_EXT.5 Consistent Security Attributes
5.1.15 FPT_APW_EXT.1 Protection of Stored Credentials
5.1.16 FPT_SKP_EXT.1 Protection of Secret Key Parameters
5.2 Extended Security Functional Components Rationale
6 Security Requirements
6.1 Security Functional Requirements
6.1.1 Class ESM: Enterprise Security Management
6.1.1.1 ESM_ACD.1 Access Control Policy Definition
6.1.1.2 ESM_ACT.1 Access Control Policy Transmission
6.1.1.3 ESM_ATD.1 Object Attribute Definition
6.1.1.4 ESM_ATD.2 Subject Attribute Definition
6.1.1.5 ESM_EAU.2 (1) Reliance on Enterprise Authentication (Password authentication)
6.1.1.6 ESM_EID.2 (1) Reliance on Enterprise Identification (Password authentication)
6.1.1.7 ESM_EAU.2 (2) Reliance on Enterprise Authentication (LDAP authentication)
6.1.1.8 ESM_EID.2 (2) Reliance on Enterprise Identification (LDAP authentication)
6.1.2 Class FAU: Security Audit
6.1.2.1 FAU_GEN.1 Audit Data Generation
6.1.2.2 FAU_SEL.1 Selective Audit
6.1.2.3 FAU_SEL_EXT.1 External Selective Audit
6.1.2.4 FAU_STG_EXT.1 External Audit Trail Storage
6.1.3 Class FCS: Cryptographic Support
6.1.3.1 FCS_CKM.1 Cryptographic Key Generation (for Asymmetric Keys)
6.1.3.2 FCS_CKM_EXT.4 Cryptographic Key Zeroization
6.1.3.3 FCS_COP.1 (1) Cryptographic Operation (for Data Encryption/Decryption)
6.1.3.4 FCS_COP.1 (2) Cryptographic Operation (for Cryptographic Signature)
6.1.3.5 FCS_COP.1 (3) Cryptographic Operation (for Cryptographic Hashing)
6.1.3.6 FCS_COP.1 (4) Cryptographic Operation (for Keyed-Hash Message Authentication)
6.1.3.7 FCS_HTTPS_EXT.1 HTTPS
6.1.3.8 FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
6.1.3.9 FCS_TLS_EXT.1(1) TLS (Syslog and LDAP)
6.1.3.10 FCS_TLS_EXT.1(2) TLS (Agents)
6.1.3.11 FCS_TLS_EXT.1(3) TLS (Web Interface)
6.1.4 Class FIA: Identification and Authentication
6.1.4.1 FIA_AFL.1 Authentication Failure Handling
6.1.4.2 FIA_SOS.1 Verification of Secrets
6.1.4.3 FIA_USB.1 User-Subject Binding
6.1.5 Class FMT: Security Management
6.1.5.1 FMT_MOF.1 Management of Functions Behavior
6.1.5.2 FMT_MOF_EXT.1 External Management of Functions Behavior
6.1.5.3 FMT_MSA_EXT.5 Consistent Security Attributes
6.1.5.4 FMT_MTD.1 Management of TSF Data
6.1.5.5 FMT_SMF.1 Specification of Management Functions
6.1.5.6 FMT_SMR.1 Security Management Roles
6.1.6 Class FPT: Protection of the TSF
6.1.6.1 FPT_APW_EXT.1 Protection of Stored Credentials
6.1.6.2 FPT_SKP_EXT.1 Protection of Secret Key Parameters
6.1.6.3 FPT_STM.1 Reliable Time Stamps
6.1.7 Class FTA: TOE Access
6.1.7.1 FTA_SSL.3 TSF-initiated Termination
6.1.7.2 FTA_SSL.4 User-initiated Termination
6.1.7.3 FTA_TAB.1 TOE Access Banner
6.1.8 Class FTP: Trusted Paths/Channels
6.1.8.1 FTP_ITC.1 Inter-TSF Trusted Channel
6.1.8.2 FTP_TRP.1 Trusted Path
6.2 Security Assurance Requirements for the TOE
6.2.1 TOE Security Assurance Requirements
7 TOE Summary Specification
7.1 System Monitoring
7.1.1 SM-1: Audit Generation
7.1.2 SM-2: Audit Storage
7.2 Robust TOE Access
7.2.1 TA-1: Strength of Secrets
7.2.2 TA-2: Authentication Failure
7.2.3 TA-3: Session Termination
7.3 Authorized Management
7.3.1 AM-1: Management I&A
7.3.2 AM-2: Management Roles
7.3.3 AM-3: Remote Administration
7.4 Policy Definition
7.4.1 PD-1: Policy Definition
7.5 Dependent Product Configuration
7.5.1 PC-1: TOE Management Functions
7.5.2 PC-2: Agent Configuration
7.6 Confidential Communications
7.6.1 CC-1: Agent Communications
7.6.2 CC-2: User Communications
7.6.3 CC-3: External Server Communications
7.6.4 CC-4: Key Protection
7.7 Access Bannering
7.7.1 AB-1: Banner
7.8 Cryptographic Services
7.8.1 CS-1: Crypto
8 Security Problem Definition Rationale
9 Acronyms and Terminology
9.1 CC Acronyms
9.2 CC Terminology
9.3 Product Acronyms and Terminology

Figures

Figure 1: Vormetric Data Security Product
Figure 2: TOE Boundary
Figure 3: Security Rule Structure
Figure 4: DSM Functional Block Diagram

Tables

Table 2-1: DSM Appliance Hardware Features
Table 2-2: ST Reference Documents
Table 3-1: TOE Threats
Table 3-2: Organizational Security Policies
Table 3-3: Connectivity Assumptions
Table 4-1: TOE Security Objectives
Table 4-2: Security Objectives for the Operational Environment
Table 5-1: Extended Components
Table 6-1: TOE Security Functional Components
Table 6-2: Auditable Events ([ESM PP PM] Table 3)
Table 6-3: Management Functions within the TOE ([ESM PP PM] Table 4)
Table 6-4: Assurance Components
Table 6-5: ADV_FSP.1 Basic Functional Specification
Table 6-6: AGD_OPE.1 Operational User Guidance
Table 6-7: AGD_PRE.1 Preparative Procedures
Table 6-8: ALC_CMC.1 Labeling of the TOE
Table 6-9: ALC_CMS.1 TOE CM Coverage
Table 6-10: ATE_IND.1 Independent Testing – Conformance
Table 6-11: AVA_VAN.1 Vulnerability Survey
Table 7-1: Security Functional Requirements Mapped to Security Functions
Table 7-2: Message Log Information
Table 7-3: Password Policy Parameters
Table 7-4: Security Rule Actions
Table 7-5: Security Rule Effects
Table 7-6: DSM Management Functions by Administrator Type
Table 7-7: Ports and Protocols for External Communications
Table 7-8: DSM Key Generation
Table 7-9: DSM Cryptographic Operations
Table 8-1: Assumptions, Environmental Objectives, and Rationale
Table 8-2: Policies, Threats, Objectives, and Rationale
Table 9-1: CC Acronyms
Table 9-2: CC Terminology from [ESM PP PM]
Table 9-3: Product-Specific Acronyms and
Terminology

1 Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE), the ST conventions, the ST conformance claims, and the ST organization.

The TOE is the Vormetric Data Security Manager (DSM). The DSM creates, stores, and manages policies that protect data residing on managed hosts. The DSM operates by integrating with an access control product, the Transparent Encryption Agent, which is installed on the host machines that contain protected data; administrators use the DSM to specify the data access policies that are sent to these agents. Administrators access the DSM through a browser-based user interface.

1.1 Security Target Reference

ST Title: Vormetric Data Security Manager, Version 6.3 Security Target
ST Version: v3.3
ST Author: Cygnacom Solutions
ST Date: October 7, 2020

1.2 TOE Reference

TOE Identification: Vormetric Data Security Manager V6000, Version 6.3 Build 14515
TOE Developer: Thales DIS CPL USA, Inc.
Evaluation Sponsor: Thales

1.3 Conformance Claims

This TOE is conformant to the following CC specifications:
• Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1, Revision 4, September 2012, CCMB-2012-09-002
• Part 2 Conformant with additional extended functional components as specified by the protection profile.
• Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.1, Revision 4, September 2012, CCMB-2012-09-003
• Part 3 Conformant with additional assurance activities as specified by the protection profile.

1.4 Protection Profile Claim

The TOE claims exact conformance to the Standard Protection Profile for Enterprise Security Management Policy Management, Version 2.1, October 24, 2013 [ESM PM PP].
1.5 Package Claim

The TOE does not claim to be conformant with any pre-defined packages.

1.6 Conformance Rationale

This Security Target (ST) claims exact conformance to only one Protection Profile, the ESM PM PP. The security problem definition of this ST is consistent with the statement of the security problem definition in the PP, as the ST claims exact conformance to the PP and no other threats, organizational security policies, or assumptions are added. The security objectives of this ST are consistent with the statement of the security objectives in the PP, as the ST claims exact conformance to the PP and no other security objectives are added. The security requirements of this ST are consistent with the statement of the security requirements in the PP, as the ST claims exact conformance to the PP.

1.7 Technical Decisions

• TD0320 – TLS ciphers in ESM PPs
  o Removal of mandatory ciphersuites
  o Applied
• TD0245 – Updates to FTP_ITC and FTP_TRP for ESM PPs
  o Mandatory inclusion of protocol SFRs in the ST
  o Applied
• TD0079 – RBG Cryptographic Transitions per NIST SP 800-131A Revision 1
  o Removal of ANS X9.31
  o Not applicable to the evaluation, FCS_RBG_EXT.1 not claimed
• TD0071 – Use of SHA-512 in ESM PPs
  o Added SHA-512 algorithm to FCS_COP.1 selections
  o Applied
• TD0066 – Clarification of FAU_STG_EXT.1 Requirement in ESM PPs
  o External audit reconciliation clarified as optional
  o Applied
• TD0055 – Move FTA_TAB.1 to Selection-Based Requirement
  o Inclusion of FTA_TAB.1 is conditional;
• TD0042 – Removal of Low-level Crypto Failure Audit from PPs
  o Removal of audit events for FCS_CKM.1, FCS_CKM_EXT.4, FCS_COP.1(*), FCS_RBG_EXT.1
  o Applied

2 TOE Description

2.1 Product Overview

Vormetric Data Security Manager is a policy-based data protection and encryption system.
It provides policy-specified access control and encryption for the following types of data repositories:
• Files and file systems.
• Oracle Database and Microsoft SQL Server Transparent Data Encryption (TDE).
• Applications that use a PKCS11 interface.
• Other data encryption systems: securely stores an inventory of symmetric and asymmetric encryption keys and certificates from any application, and tracks key expiration dates.

The active components of Vormetric Data Security are the Vormetric Data Security Manager (DSM, see Note 1), also called the Security Server, and the Transparent Encryption Agent, an access control product residing on the host machines containing the data to be protected.

Figure 1: Vormetric Data Security Product

Note 1: DSM is the only component covered by the evaluation.

For Transparent Encryption Agents, the DSM allows administrators to specify data access policies, create new administrators and administrative domains, generate usage reports, register new hosts, access security logs, and perform other management functions.

Administrators access the DSM through a browser-based user interface called the Data Security Remote Administrative Management. The DSM is available as a hardened appliance.

The Vormetric Transparent Encryption Agents are installed on the host machines that contain the data to be protected. The Transparent Encryption Agents manage and implement the security policies stored on the DSM. The DSM manages the Transparent Encryption Agents' authentication credentials and securely transmits policy data.

2.2 TOE Overview

The TOE is the appliance-based Vormetric Data Security Manager (DSM). The TOE includes all DSM appliance hardware and all software installed on the appliance. The TOE hardware appliance model is V6000.
The DSM is the Policy Management product that serves as a trusted source for policy information that is ultimately consumed by the Transparent Encryption Agent (the Access Control product) as defined in [ESM PM PP]. The Transparent Encryption Agent is outside the scope of the ESM PM PP evaluation. The current Transparent Encryption Agent does not meet the definition options identified in the ESM PP AC and will therefore not be submitted as a separate evaluation until such time as the AC definition is updated to allow it into evaluation. The testing conducted in this evaluation is limited to the Transparent Encryption Agent successfully receiving and loading the policy. The correctness of the enforcement of that policy is not tested.

2.2.1 Vormetric Data Security Manager (DSM)

2.2.1.1 DSM Software

The Vormetric Data Security Manager (DSM) comprises a policy engine and a central cryptographic key and policy manager. Policies are defined and keys are generated by the DSM and downloaded to the Transparent Encryption Agent through a secure network connection. Policy update requests are evaluated using agent-system parameters and administrator-defined policy constraints. The AC agents (Transparent Encryption Agents), which run on protected hosts, implement the policies set by DSM administrators. An authenticated secure channel protects all communications between the agents and the DSM. The DSM employs X.509 digital certificates and TLS for agent/server communication as well as for communication with the domain controller and audit servers.

The DSM administrator configures policies comprised of sets of security rules that must be satisfied in order to allow or deny access. Each security rule evaluates who, what, when, and how protected data is accessed and, if these criteria match, the policy either permits or denies access. Furthermore, a security rule can be constructed so that the Transparent Encryption Agent encrypts the data.
If the encryption effect on the security rule is matched, the access control component performs the encryption.

The security rules specify:
• Data being accessed: Administrators can configure a mix of files and directories by specifying them individually or by using variables.
• Applications that are authorized: Administrators can specify which executables and tools are permitted to access data.
• The user attempting to access the protected data: Administrators can configure one or more users. Users can be identified by user name, identification number, group, or group number.
• When the data is being accessed: Administrators can configure a range of hours and days of the week to allow access.
• How the data is being accessed: Administrators can configure a security rule that considers how files and directories, and their attributes, are being accessed. The security rule can note attempts to read, write, delete, rename, create, and more.

When the conditions specified in a security rule match, the policy dictates whether to permit or deny access. If encryption is used, the policy can be configured to permit read access without supplying the key needed to decrypt the encrypted data. This way the underlying encrypted (unintelligible) data can be backed up without the backup process ever seeing plaintext.

The DSM also provides auditing capabilities. The Transparent Encryption Agent notifies security administrators of policy violations in near real time. The DSM records all context attributes of an access attempt, enabling traceability of host intrusion and data access events at the application and user level, and maintains an extensive log for detailed forensic analysis. In addition, the DSM provides audit logging to monitor all activities and transactions.

2.2.1.2 DSM Hardware

The V6000 DSM Appliance is a 1U, rack-mountable chassis. Its dimensions are 17" x 20.5" x 1.75". Network connectors, a serial console connector, and an IPMI connector are on the back.
It comes with two auto-switching, 100-240 V power supplies. Power connectors are on the back while the power switch is on the front. There are four drive bays but only two bays are populated with disks.

Table 2-1: DSM Appliance Hardware Features
Feature | Description
Hardware Model | V6000
Chassis | 1U rack-mountable; 17” wide x 20.5” long x 1.75” high (43.18 cm x 52.07 cm x 4.5 cm)
Weight | V6000: 21.5 lbs (9.8 kg)
Hard Disk | Dual SAS, RAID 1 configured
Serial Port | 1; DB-9 RS-232 serial console interface to configure, or log onto, the DSM Appliance
Ethernet | 2 x 1 Gb; Ethernet interface used in the Remote Administrative Management to administer the DSM Appliance and Vormetric Agents. Also used to carry policy evaluation information between the DSM and its agents.
Power Supplies | 2 removable, 80+ certified (100 VAC-240 VAC / 50-60 Hz), 400 W
Operating Temperature | 10° to 35° C (50° to 95° F)
CPU | 1 Intel Xeon E5 (6 physical cores)
Memory | 16 GB

2.2.1.3 Remote Administrative Management

The DSM includes a Web-based interface, referred to as the “Remote Administrative Management”. This interface is used to create policies, configure hosts, and assign keys. The DSM provides a secure connection between itself and the host administering the DSM. The Remote Administrative Management provides a robust security environment in which administrative control is distributed based upon administrative type. The menus displayed by the Remote Administrative Management and the tasks administrators can perform are dependent upon their administrator type. An administrator is assigned one administrative type and is allowed to perform the tasks for that one administrative type only. A domain is a self-contained environment comprised of policies, keys, hosts, users, and audit records. The configuration data that administrators can see is dependent upon the domain in which they are working.
The Remote Administrative Management provides fully separated domains, where the work and configuration data in one domain is invisible to administrators in other domains.

Note: The DSM also includes a Command Line Interface (CLI). The CLI is used to configure the DSM at the system level. An administrator connects to the CLI locally or via SSH. The CLI is a limited Linux command line interface that is used only for installation of the TOE and off-line maintenance. This interface cannot be used to access, import, or export cryptographic keys or authentication credentials. The CLI is a maintenance-mode interface; it is not included in the scope of the evaluation and is not considered a TSFI.

Note: Vormetric has developed a command line tool called VMSSC, which provides a subset of the administrative functions of the Remote Administrative Management. VMSSC is a separate utility that is not part of the TOE distribution and must be installed separately. VMSSC is not included in the scope of the evaluation.

2.2.1.4 Vormetric Agents

There are several types of Vormetric agents: the Transparent Encryption Agent, the Key Agent for Oracle and SQL Database, and the Application Encryption Agent. Vormetric agents come with different installation packages and are not distributed as part of the DSM. All Vormetric Agents are installed on the host machines that contain the data to be protected. The Transparent Encryption Agent enables data-at-rest encryption, file access control, and the collection of security intelligence audit logs. The DSM is capable of producing a policy, and the Transparent Encryption Agent can consume and enforce the policy from the DSM. The testing conducted in this evaluation is limited to the Transparent Encryption Agent successfully receiving and loading the policy. The correctness of the enforcement of that policy is only coincidentally tested.
The Key Agent for Oracle and SQL Database centralizes the key storage for Oracle and SQL encryption keys, while the Application Encryption Agent provides a framework to deliver application-layer encryption such as column-level encryption in the database. However, neither the Key Agent for database nor the Application Encryption Agent can process policy from the DSM.

The DSM is also capable of registering one external non-Vormetric agent, the KMIP client. The KMIP client is used to store and retrieve keys from the DSM. However, the KMIP client is third-party software and Vormetric does not package or ship it. This feature is not enabled by default.

2.3 Physical Scope of the TOE

The physical boundary of the TOE is the Vormetric Data Security Manager (DSM), which includes:
• The DSM Appliance hardware
• All software installed on the DSM Appliance
  o Remote Administrative Management Interface

Required external access control product components:
• One or more Vormetric Transparent Encryption Agents

The Operational Environment of the TOE includes:
• The web browser that is used for the Remote Administrative Management
• The workstation that hosts the Remote Administrative Management web browser
• The host platforms for the Vormetric Transparent Encryption Agents
• Optional external servers
  o NTP Server (use of an external NTP Server is highly recommended)
  o SMTP Server
  o The DNS server that provides host name resolution service
  o LDAP Authentication Server
  o Syslog Server for external storage of the audit log
  o RSA Authentication Manager and an RSA SecurID device for each administrator
  o External Certificate Authority (CA)

The TOE Boundary is depicted in the following figure:

[Figure 2: TOE Boundary. Elements shown: Vormetric Data Security Manager (TOE, 1U), management workstation, servers with Vormetric Agents, LDAP server, syslog server, SNMP server, NTP server, DNS server, network switch, router, Internet firewall; links labelled HTTPS/TLS and TLS; appliance interfaces: local CLI (serial), IPMI, Eth0/Eth1 (management and data).]

2.4 Protocols and Services Excluded from Evaluation

1. The CLI should be used only for initial configuration and off-line maintenance.
2. CLI over SSH is not evaluated and must be disabled. Local CLI access is not evaluated and the DSM appliance must be physically secured.
3. VMSSC (an external Vormetric command line tool for administering the DSM) is a separate utility that is not part of the TOE distribution and must be installed separately. VMSSC is not included in the scope of the evaluation.
4. Transparent Encryption Agent: this is an external agent that is not a part of the TOE distribution. The scope of testing is limited to the Transparent Encryption Agent successfully receiving and loading the policy.
5. SNMP service: use of the SNMPv1 and SNMPv2 functionality is excluded and is disabled by default. The use of SNMPv3 with read-only community strings is not restricted in the evaluated configuration; however, it is not evaluated.
6. IPMI: this service offers the same TOE off-line maintenance capability as the CLI. IPMI cannot be used to import or export DSM cryptographic keys. The IPMI service should be disabled in the evaluated configuration.
7. Failover DSM: failover is not restricted in the evaluated configuration; however, it is not evaluated. Failover configuration is disabled by default. This interface uses the standard database data replication method. When configured, the database replication does not transmit plaintext data.
8. Auto-backup via SCP and CIFS is not evaluated.
9. Application Encryption Agent: this is an external agent that is not a part of the TOE distribution. The agent functionality is not evaluated.
10. Key Agents for SQL and Oracle Database: these are external agents that are not a part of the TOE distribution. These two agents are not evaluated.
11. KMIP client: this is an external client that is not a part of the TOE distribution. This client is not evaluated.
12. Email notification: email notification is disabled by default. SMTP is not evaluated.
13. The optional RSA Authentication Manager is not evaluated.
14. The optional External Certificate Authority is not evaluated.

2.5 Logical Scope of the TOE

The TOE provides the security functionality described in the following subsections.

2.5.1 System Monitoring

The TOE provides the ability to generate audit events in order to identify unauthorized TOE configuration changes and attempted malicious activity against protected objects. The audit trail identifies changes to subject data and usage of the authentication function. The audit data can be stored in an external repository.

2.5.2 Robust TOE Access

The TOE implements mechanisms, via a configurable password policy, that improve security relative to the attempts of unsophisticated attackers to authenticate to the TOE using repeated guesses. The TOE can also enforce an externally-defined LDAP authentication policy. The TOE provides capabilities to terminate established sessions.

2.5.3 Authorized Management

Policy Administrators are designated by the TSF and given various responsibilities for managing the TOE and creating policies. The TSF has its own internal method of enforcing controlled access so that no actions can be performed against it unless the subject is identified, authenticated, and authorized.

2.5.4 Policy Definition

The TSF is able to manage policy attributes that are consistent with the corresponding technology type(s) described in the User Data Protection requirements in the Standard Protection Profile for Enterprise Security Management Access Control. In addition, the TSF is able to detect or prevent inconsistencies in the application of policies so that policies are unambiguously defined.
Finally, the TOE is able to uniquely identify the policies it creates, so that the identifier can be used to determine which policies are being implemented by remote products.

2.5.5 Dependent Product Configuration

The TOE is able to configure the behavior of the functions of the Access Control products that consume the policies it provides. This includes the configuration of what events they audit, what policies they enforce, and how they react in the event of a failure state or lack of connectivity.

2.5.6 Confidential Communications

The TOE uses sufficiently strong and sufficiently trusted encryption algorithms to protect data in transit to and from the TOE. The TOE implements cryptographic protocols to protect this data in transit.

2.5.7 Access Bannering

The TOE displays a banner prior to authentication that defines its acceptable use. This banner provides legal notification of monitoring that allows audit data to be admissible in the event of any legal investigation.

2.5.8 Cryptographic Services

The TOE uses cryptographic primitives (encryption, decryption, random bit generation, etc.) in order to ensure the confidentiality and integrity of the policy data it transmits and to provide trusted communications between itself and the Operational Environment where necessary.

2.6 TOE Guidance

The following user guidance document is provided to customers and is considered part of the TOE:
• Vormetric Data Security Manager (DSM) Common Criteria Addendum, Version 1.2, July 23, 2020

The documents in the following table were used as reference materials to develop this ST.
Table 2-2: ST Reference Documents
ID | Reference Title
[CC] | Common Criteria for Information Technology Security Evaluation, CCMB-2012-09-001, Version 3.1, Revision 4, September 2012
[ESM PP PM] | Standard Protection Profile for Enterprise Security Management Policy Management, Version 2.1, 24 October 2013
[ADMIN] | Vormetric Data Security Platform DSM Administration Guide, Release 6, Version v6.3.0, August 21, 2019, v2
[ADDEND] | Data Security Manager (DSM) Common Criteria Addendum, Version 1.2, July 23, 2020

3 Security Problem Definition

The U.S. Government Enterprise Security Management Policy Management Protection Profile, [ESM PP PM], provides the following policies, threats and assumptions about the TOE.

3.1 Threats

This section identifies the threats applicable to the U.S. Government Enterprise Security Management Policy Management Protection Profile, [ESM PP PM], as specified in the Protection Profile, verbatim.

Table 3-1: TOE Threats
Threat Name | Threat Definition
T.ADMIN_ERROR | An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms.
T.CONTRADICT | A careless administrator may create a policy that contains contradictory rules for access control enforcement.
T.EAVES | A malicious user could eavesdrop on network traffic to gain unauthorized access to TOE data.
T.FORGE | A malicious user may exploit a weak or nonexistent ability for the TOE to provide proof of its own identity in order to send forged policies to an Access Control product.
T.MASK | A malicious user may attempt to mask their actions, causing audit data to be incorrectly recorded or never recorded.
T.UNAUTH | A malicious user could bypass the TOE’s identification, authentication, or authorization mechanisms in order to illicitly use the TOE’s management functions.
T.WEAKIA | A malicious user could be illicitly authenticated by the TSF through brute-force guessing of authentication credentials.
T.WEAKPOL | A Policy Administrator may be incapable of using the TOE to define policies in sufficient detail to facilitate robust access control, causing an Access Control product to behave in a manner that allows illegitimate activity or prohibits legitimate activity.

3.2 Organizational Security Policies (OSPs)

This section identifies the organizational security policies applicable to the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM] as specified in the Protection Profile, verbatim.

Table 3-2: Organizational Security Policies
Policy Name | Policy Definition
P.BANNER | The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the system.

3.3 Assumptions

This section identifies assumptions applicable to the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM] as specified in the Protection Profile, verbatim.

Table 3-3: Connectivity Assumptions
Assumption Name | Assumption Definition
A.ESM | The TOE will be able to establish connectivity to other ESM products in order to share security data.
A.ROBUST | The Operational Environment will provide mechanisms to the TOE that reduce the ability for an attacker to impersonate a legitimate user during authentication.
A.SYSTIME | The TOE will receive reliable time data from the Operational Environment.
A.USERID | The TOE will receive identity data from the Operational Environment.

Table 3-4: Personnel Assumptions
Assumption Name | Assumption Definition
A.MANAGE | There will be one or more competent individuals assigned to install, configure, and operate the TOE.
4 Security Objectives

This section defines the security objectives of the TOE and its supporting environment.

4.1 Security Objectives for the TOE

This section identifies Security Objectives for the TOE applicable to the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM], verbatim.

Table 4-1: TOE Security Objectives
Objective | TOE Security Objective Definition
O.ACCESSID | The TOE will contain the ability to validate the identity of other ESM products prior to distributing data to them.
O.AUDIT | The TOE will provide measures for generating and recording security relevant events that will detect access attempts to TOE-protected resources by users.
O.AUTH | The TOE will provide a mechanism to securely validate requested authentication attempts and to determine the extent to which any validated subject is able to interact with the TSF.
O.BANNER | The TOE will display an advisory warning regarding use of the TOE.
O.CONSISTENT | The TSF will provide a mechanism to identify and rectify contradictory policy data.
O.CRYPTO | The TOE will provide cryptographic primitives that can be used to provide services such as ensuring the confidentiality and integrity of communications.
O.DISTRIB | The TOE will provide the ability to distribute policies to trusted IT products using secure channels.
O.INTEGRITY | The TOE will contain the ability to assert the integrity of policy data.
O.MANAGE | The TOE will provide the ability to manage the behavior of trusted IT products using secure channels.
O.POLICY | The TOE will provide the ability to generate policies that are sufficiently detailed to satisfy the Data Protection requirements for one or more technology types in the Standard Protection Profile for Enterprise Security Management Access Control.
O.PROTCOMMS | The TOE will provide protected communication channels for administrators, other parts of a distributed TOE, and authorized IT entities.
O.ROBUST | The TOE will provide mechanisms to reduce the ability for an attacker to impersonate a legitimate user during authentication.
O.SELFID | The TOE will be able to confirm its identity to the ESM deployment upon sending data to other processes within the ESM deployment.

4.2 Security Objectives for the Operational Environment

This section identifies operational environment security objectives applicable to the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM] as specified in the Protection Profile, verbatim.

Table 4-2: Security Objectives for the Operational Environment
Objective | Environmental Security Objective Definition
OE.ADMIN | There will be one or more administrators of the Operational Environment that will be responsible for managing the TOE.
OE.INSTALL | Those responsible for the TOE shall ensure that the TOE is delivered, installed, managed, and operated in a secure manner.
OE.PERSON | Personnel working as TOE administrators shall be carefully selected and trained for proper operation of the TOE.
OE.PROTECT | One or more ESM Access Control products will be deployed in the Operational Environment to protect organizational assets.
OE.ROBUST | The Operational Environment will provide mechanisms to reduce the ability for an attacker to impersonate a legitimate user during authentication.
OE.SYSTIME | The Operational Environment will provide reliable time data to the TOE.
OE.USERID | The Operational Environment shall be able to identify a user requesting access to the TOE.

5 Extended Components Definition

The components listed in the following table have been defined in the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM]. The extended components are denoted by adding “_EXT” in the component name.
The extended class is denoted by “ESM_” in the component name.

5.1 Extended Security Functional Components

Table 5-1: Extended Components
Item | SFR ID | SFR Title
1 | ESM_ACD.1 | Access Control Policy Definition
2 | ESM_ACT.1 | Access Control Policy Transmission
3 | ESM_ATD.1 | Object Attribute Definition
4 | ESM_ATD.2 | Subject Attribute Definition
5 | ESM_EAU.2 | Reliance on Enterprise Authentication
6 | ESM_EID.2 | Reliance on Enterprise Identification
7 | FAU_SEL_EXT.1 | External Selective Audit
8 | FAU_STG_EXT.1 | External Audit Trail Storage
9 | FCS_CKM_EXT.4 | Cryptographic Key Zeroization
10 | FCS_HTTPS_EXT.1 | HTTPS
11 | FCS_RBG_EXT.1 | Cryptographic Operation (Random Bit Generation)
12 | FCS_TLS_EXT.1 | TLS
13 | FMT_MOF_EXT.1 | External Management of Functions Behavior
14 | FMT_MSA_EXT.5 | Consistent Security Attributes
15 | FPT_APW_EXT.1 | Protection of Stored Credentials
16 | FPT_SKP_EXT.1 | Protection of Secret Key Parameters

5.1.1 ESM_ACD.1 Access Control Policy Definition
Hierarchical to: No other components.
Dependencies: No dependencies.
ESM_ACD.1.1 The TSF shall provide the ability to define access control policies for consumption by one or more compatible Access Control products.
ESM_ACD.1.2 Access control policies defined by the TSF shall be capable of containing the following:
Subjects: [assignment: list of subjects that can be used to make an access control decision and the source from which they are derived]; and
Objects: [assignment: list of objects that can be used to make an access control decision and the source from which they are derived]; and
Operations: [assignment: list of operations that can be used to make an access control decision and the source from which they are derived]; and
Attributes: [assignment: list of attributes that can be used to make an access control decision and the source from which they are derived]
ESM_ACD.1.3 The TSF shall associate unique identifying information with each policy.
5.1.2 ESM_ACT.1 Access Control Policy Transmission
Hierarchical to: No other components.
Dependencies: ESM_ACD.1 Access Control Policy Definition.
ESM_ACT.1.1 The TSF shall transmit policies to compatible and authorized Access Control products under the following circumstances: [selection: choose one or more of: immediately following creation of a new or updated policy, at a periodic interval, at the request of a compatible Secure Configuration Management product, [assignment: other circumstances]].

5.1.3 ESM_ATD.1 Object Attribute Definition
Hierarchical to: No other components.
Dependencies: No dependencies.
ESM_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual objects: [assignment: list of object security attributes].
ESM_ATD.1.2 The TSF shall be able to associate security attributes with individual objects.

5.1.4 ESM_ATD.2 Subject Attribute Definition
Hierarchical to: No other components.
Dependencies: No dependencies.
ESM_ATD.2.1 The TSF shall maintain the following list of security attributes belonging to individual subjects: [assignment: list of subject security attributes].
ESM_ATD.2.2 The TSF shall be able to associate security attributes with individual subjects.

5.1.5 ESM_EAU.2 Reliance on Enterprise Authentication
Hierarchical to: No other components.
Dependencies: ESM_EID.2 Reliance on Enterprise Identification.
ESM_EAU.2.1 The TSF shall rely on [selection: [assignment: identified TOE component(s) responsible for subject authentication], [assignment: identified Operational Environment component(s) responsible for subject authentication]] for subject authentication.
ESM_EAU.2.2 The TSF shall require each subject to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that subject.

5.1.6 ESM_EID.2 Reliance on Enterprise Identification
Hierarchical to: No other components.
Dependencies: No dependencies.
ESM_EID.2.1 The TSF shall rely on [selection: [assignment: identified TOE component(s) responsible for subject identification], [assignment: identified Operational Environment component(s) responsible for subject identification]] for subject identification.
ESM_EID.2.2 The TSF shall require each subject to be successfully identified before allowing any other TSF-mediated actions on behalf of that subject.

5.1.7 FAU_SEL_EXT.1 External Selective Audit
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit Data Generation, FMT_MTD.1 Management of TSF Data.
FAU_SEL_EXT.1.1 The TSF shall be able to select the set of events to be audited by an ESM Access Control product from the set of all auditable events based on the following attributes:
a) [selection: object identity, user identity, subject identity, host identity, event type]; and
b) [assignment: list of additional attributes that audit selectivity is based upon].

5.1.8 FAU_STG_EXT.1 External Audit Trail Storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit Data Generation, FTP_ITC.1 Inter-TSF Trusted Channel.
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to [assignment: non-empty list of external IT entities and/or “TOE-internal storage”].
FAU_STG_EXT.1.2 The TSF shall ensure that transmission of generated audit data to any external IT entity uses a trusted channel defined in FTP_ITC.1.
FAU_STG_EXT.1.3 The TSF shall ensure that any TOE-internal storage of generated audit data:
a) protects the stored audit records in the TOE-internal audit trail from unauthorized deletion; and
b) prevents unauthorized modifications to the stored audit records in the TOE-internal audit trail.

5.1.9 FCS_CKM_EXT.4 Cryptographic Key Zeroization
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and cryptographic security parameters when no longer required.

5.1.10 FCS_HTTPS_EXT.1 HTTPS
Hierarchical to: No other components.
Dependencies: FCS_TLS_EXT.1 TLS.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.

5.1.11 FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with [selection, choose one of: NIST Special Publication 800-90A using [selection: Hash DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)]] seeded by an entropy source that accumulates entropy from [selection: a software-based noise source; a hardware-based noise source].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [selection, choose one of: 128 bits, 256 bits] of entropy at least equal to the greatest security strength of the keys and hashes that it will generate.
Note: Modified by TD0079.

5.1.12 FCS_TLS_EXT.1 TLS
Hierarchical to: No other components.
Dependencies: FCS_COP.1 Cryptographic Operation.
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following ciphersuites: [selection:
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
].
Note: Modified by TD0320.

5.1.13 FMT_MOF_EXT.1 External Management of Functions Behaviour
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions, FMT_SMR.1 Security Roles.
FMT_MOF_EXT.1.1 The TSF shall restrict the ability to query the behavior of, modify the functions of Access Control products: audited events, repository for audit storage, Access Control SFP, policy version being implemented, Access Control SFP behavior to enforce in the event of communications outage, [assignment: other functions] to [assignment: the authorized identified roles].

5.1.14 FMT_MSA_EXT.5 Consistent Security Attributes
Hierarchical to: No other components.
Dependencies: FMT_MOF_EXT.1 External Management of Functions Behaviour.
FMT_MSA_EXT.5.1 The TSF shall [selection: identify the following internal inconsistencies within a policy prior to distribution: [assignment: non-empty list of inconsistencies], only permit definition of unambiguous policies].
FMT_MSA_EXT.5.2 The TSF shall take the following action when an inconsistency is detected: [selection: issue a prompt for an administrator to manually resolve the inconsistency, [assignment: other action that ensures that an inconsistent policy is not implemented]].

5.1.15 FPT_APW_EXT.1 Protection of Stored Credentials
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_APW_EXT.1.1 The TSF shall store credentials in non-plaintext form.
FPT_APW_EXT.1.2 The TSF shall prevent the reading of plaintext credentials.

5.1.16 FPT_SKP_EXT.1 Protection of Secret Key Parameters
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.
5.2 Extended Security Functional Components Rationale

All extended security functional components are sourced directly from the PP and applied verbatim, except where modified by a technical decision.

6 Security Requirements

6.1 Security Functional Requirements

Conventions

The following conventions have been applied in this document:
• Security Functional Requirements: Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.
  o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a letter in parentheses placed at the end of the component. For example, FDP_ACC.1 (a) and FDP_ACC.1 (b) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, “a” and “b”.
  o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold italics and are surrounded by brackets (e.g., [assignment]).
  o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).
  o Refinement: refinements are identified with "Refinement:" right after the short name. Additions to the CC text are specified in italicized bold and underlined text.
  Note: Operations already performed in the [ESM PP PM] are not identified in this Security Target.
• Application notes provide additional information for the reader, but do not specify requirements. Application notes are denoted by italicized text.
• Explicitly stated Security Functional Requirements (i.e., those not found in Part 2 of the CC) are identified by “_EXT” or “ESM” in the component name.
• Case: [ESM PP PM] uses an additional convention which defines parts of an SFR that apply only when corresponding selections are made or some other identified conditions exist.
Only the applicable cases are identified in this ST.

The TOE security functional requirements are listed in Table 6-1. All SFRs are based on requirements defined in Part 2 of the Common Criteria or defined in the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM].

Table 6-1: TOE Security Functional Components
Item | Functional Component
1 | ESM_ACD.1 Access Control Policy Definition
2 | ESM_ACT.1 Access Control Policy Transmission
3 | ESM_ATD.1 Object Attribute Definition
4 | ESM_ATD.2 Subject Attribute Definition
5 | ESM_EAU.2 (1) Reliance on Enterprise Authentication (Password authentication)
6 | ESM_EID.2 (1) Reliance on Enterprise Identification (Password authentication)
7 | ESM_EAU.2 (2) Reliance on Enterprise Authentication (LDAP authentication)
8 | ESM_EID.2 (2) Reliance on Enterprise Identification (LDAP authentication)
9 | FAU_GEN.1 Audit Data Generation
10 | FAU_SEL.1 Selectable Audit
11 | FAU_SEL_EXT.1 External Selective Audit
12 | FAU_STG_EXT.1 External Audit Trail Storage
13 | FCS_CKM.1 Cryptographic Key Generation (for Asymmetric Keys)
14 | FCS_CKM_EXT.4 Cryptographic Key Zeroization
15 | FCS_COP.1 (1) Cryptographic Operation (for Data Encryption/Decryption)
16 | FCS_COP.1 (2) Cryptographic Operation (for Cryptographic Signature)
17 | FCS_COP.1 (3) Cryptographic Operation (for Cryptographic Hashing)
18 | FCS_COP.1 (4) Cryptographic Operation (for Keyed-Hash Message Authentication)
19 | FCS_HTTPS_EXT.1 HTTPS
20 | FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
21 | FCS_TLS_EXT.1 (1) TLS (Syslog and LDAP)
22 | FCS_TLS_EXT.1 (2) TLS (Agents)
23 | FCS_TLS_EXT.1 (3) TLS (Web interface)
24 | FIA_AFL.1 Authentication Failure Handling
25 | FIA_SOS.1 Verification of Secrets
26 | FIA_USB.1 User-Subject Binding
27 | FMT_MOF.1 Management of Functions Behavior
28 | FMT_MOF_EXT.1 External Management of Functions Behavior
29 | FMT_MSA_EXT.5 Consistent Security Attributes
30 | FMT_MTD.1 Management of TSF Data
31 | FMT_SMF.1 Specification of Management Functions
32 | FMT_SMR.1 Security Management Roles
33 | FPT_APW_EXT.1 Protection of Stored Credentials
34 | FPT_SKP_EXT.1 Protection of Secret Key Parameters
35 | FPT_STM.1 Reliable Time Stamps
36 | FTA_SSL.3 TSF-initiated Termination
37 | FTA_SSL.4 User-initiated Termination
38 | FTA_TAB.1 TOE Access Banner
39 | FTP_ITC.1 Inter-TSF Trusted Channel
40 | FTP_TRP.1 Trusted Path

6.1.1 Class ESM: Enterprise Security Management

6.1.1.1 ESM_ACD.1 Access Control Policy Definition
ESM_ACD.1.1 The TSF shall provide the ability to define access control policies for consumption by one or more compatible Access Control products.
ESM_ACD.1.2 Access control policies defined by the TSF shall be capable of containing the following:
Subjects: [process accessing GuardPoint]; and
Objects: [resource set, user set, process set, time set]; and
Operations: [create file, read file, write file, remove file, rename file, read file attribute, change file attribute, create directory, read directory, rename directory, remove directory, read directory attribute, change directory attribute, read file security attribute, change file security attribute, read directory security attribute, change directory security attribute, write file appending, link file]; and
Attributes: [file name or path (resource set), user or group (user set), process hashed values (process set), time or day (time set)]
ESM_ACD.1.3 The TSF shall associate unique identifying information with each policy.

6.1.1.2 ESM_ACT.1 Access Control Policy Transmission
ESM_ACT.1.1 The TSF shall transmit policies to compatible and authorized Access Control products under the following circumstances: [immediately following creation of a new or updated policy, [upon startup of the authorized Access Control product]].
6.1.1.3 ESM_ATD.1 Object Attribute Definition

ESM_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual objects:
[
Object: Resource Set; Attribute: directory path and/or file name
Object: User Set; Attribute: user name, user id, group name or group id
Object: Process Set; Attribute: hashed value of trusted process binaries
Object: Time Set; Attribute: time and/or day
].

ESM_ATD.1.2 The TSF shall be able to associate security attributes with individual objects.

6.1.1.4 ESM_ATD.2 Subject Attribute Definition

ESM_ATD.2.1 The TSF shall maintain the following list of security attributes belonging to individual subjects: [full path directory location on network host where the Transparent Encryption Agent is installed].

ESM_ATD.2.2 The TSF shall be able to associate security attributes with individual subjects.

6.1.1.5 ESM_EAU.2 (1) Reliance on Enterprise Authentication (Password authentication)

ESM_EAU.2.1 (1) The TSF shall rely on [Vormetric Data Security Manager] for subject authentication.

ESM_EAU.2.2 (1) The TSF shall require each subject to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that subject.

6.1.1.6 ESM_EID.2 (1) Reliance on Enterprise Identification (Password authentication)

ESM_EID.2.1 (1) The TSF shall rely on [Vormetric Data Security Manager] for subject identification.

ESM_EID.2.2 (1) The TSF shall require each subject to be successfully identified before allowing any other TSF-mediated actions on behalf of that subject.

6.1.1.7 ESM_EAU.2 (2) Reliance on Enterprise Authentication (LDAP authentication)

ESM_EAU.2.1 (2) The TSF shall rely on [LDAP Authentication Server] for subject authentication.

ESM_EAU.2.2 (2) The TSF shall require each subject to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that subject.
6.1.1.8 ESM_EID.2 (2) Reliance on Enterprise Identification (LDAP authentication)

ESM_EID.2.1 (2) The TSF shall rely on [LDAP Authentication Server] for subject identification.

ESM_EID.2.2 (2) The TSF shall require each subject to be successfully identified before allowing any other TSF-mediated actions on behalf of that subject.

6.1.2 Class FAU: Security Audit

6.1.2.1 FAU_GEN.1 Audit Data Generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions; and
b) All auditable events identified in Table 3 for the not specified level of audit; and
c) [no other auditable events].

Table 6-2: Auditable Events ([ESM PP PM] Table 3.)

Component | Event | Additional Information
ESM_ACD.1 | Creation or modification of policy | Unique policy identifier
ESM_ACT.1 | Transmission of policy to Access Control products | Destination of policy
ESM_ATD.1 | Definition of object attributes | Identification of the attribute defined
ESM_ATD.1 | Association of attributes with objects | Identification of the object and the attribute
ESM_ATD.2 | Definition of subject attributes | Identification of the attribute defined
ESM_ATD.2 | Association of attributes with subjects | None
ESM_EAU.2 (1) | All use of the authentication mechanism | None
ESM_EAU.2 (2) | All use of the authentication mechanism | None
ESM_EAU.2 (3) | All use of the authentication mechanism | None
FAU_SEL_EXT.1 | All modifications to audit configuration | None
FAU_STG_EXT.1 | Establishment and disestablishment of communications with audit server | Identification of audit server
FCS_HTTPS_EXT.1 | Failure to establish a session, establishment/termination of a session | Non-TOE endpoint of connection (IP address), reason for failure (if applicable)
FCS_TLS_EXT.1 | Failure to establish a session, establishment/termination of a session | Non-TOE endpoint of connection (IP address), reason for failure (if applicable)
FIA_AFL.1 | The reaching of an unsuccessful authentication attempt threshold, the actions taken when the threshold is reached, and any actions taken to restore the normal state | Action taken when threshold is reached
FIA_SOS.1 | Rejection or acceptance by the TSF of any tested secret | None
FIA_SOS.1 | Identification of any changes to the defined quality metrics | The change made to the quality metric
FMT_SMF.1 | Use of the management functions | Management function performed
FMT_SMR.1 | Modifications to the members of the management roles | None
FTA_SSL.3 | All session termination events | None
FTA_SSL.4 | All session termination events | None
FTP_ITC.1 | All use of trusted channel functions | Identity of the initiator and target of the trusted channel
FTP_TRP.1 | All attempted uses of the trusted path functions | Identification of user associated with all trusted path functions, if available

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [message ID, the additional information identified in Table 3].

6.1.2.2 FAU_SEL.1 Selective Audit

FAU_SEL.1.1 Refinement: The TSF shall be able to select the set of events to be audited from the set of all auditable events from [local definition] based on the following attributes:
a) [event type]; and
b) [no additional attributes].

6.1.2.3 FAU_SEL_EXT.1 External Selective Audit

FAU_SEL_EXT.1.1 The TSF shall be able to select the set of events to be audited by an ESM Access Control product from the set of all auditable events based on the following attributes:
a) [event type]; and
b) [upload to server checkbox].
6.1.2.4 FAU_STG_EXT.1 External Audit Trail Storage

FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to [external syslog using TLS].

FAU_STG_EXT.1.2 The TSF shall ensure that transmission of generated audit data to any external IT entity uses a trusted channel defined in FTP_ITC.1.

FAU_STG_EXT.1.3 The TSF shall ensure that any TOE-internal storage of generated audit data:
a) protects the stored audit records in the TOE-internal audit trail from unauthorized deletion; and
b) prevents unauthorized modifications to the stored audit records in the TOE-internal audit trail.

6.1.3 Class FCS: Cryptographic Support

6.1.3.1 FCS_CKM.1 Cryptographic Key Generation (for Asymmetric Keys)

FCS_CKM.1.1 Refinement: The TSF shall generate asymmetric cryptographic keys used for key establishment in accordance with:
[
• NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography” for RSA-based key establishment schemes
• NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for elliptic curve-based key establishment schemes and implementing “NIST curves” P-256, P-384 and [no other curves] (as defined in FIPS PUB 186-4, “Digital Signature Standard”)
]
and specified cryptographic key sizes equivalent to, or greater than, 112 bits of security that meet the following: standards defined in first selection.

6.1.3.2 FCS_CKM_EXT.4 Cryptographic Key Zeroization

FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and cryptographic security parameters when no longer required.
6.1.3.3 FCS_COP.1 (1) Cryptographic Operation (for Data Encryption/Decryption)

FCS_COP.1.1 (1) Refinement: The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm AES operating in [CBC, GCM] and cryptographic key sizes 128-bits, 256-bits, and [no other key sizes] that meets the following:
• FIPS PUB 197, “Advanced Encryption Standard (AES)”
• [NIST SP 800-38A, NIST SP 800-38D]

6.1.3.4 FCS_COP.1 (2) Cryptographic Operation (for Cryptographic Signature)

FCS_COP.1.1 (2) Refinement: The TSF shall perform cryptographic signature services in accordance with a
[
• RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of 2048 bits or greater
• Elliptic Curve Digital Signature Algorithm (ECDSA) with a key size of 256 bits or greater
]
that meets the following:
Case: RSA Digital Signature Algorithm
  o FIPS PUB 186-4, “Digital Signature Standard”;
Case: Elliptic Curve Digital Signature Algorithm
  o FIPS PUB 186-4, “Digital Signature Standard”;

6.1.3.5 FCS_COP.1 (3) Cryptographic Operation (for Cryptographic Hashing)

FCS_COP.1.1 (3) Refinement: The TSF shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [SHA-256, SHA-384, SHA-512] and message digest sizes [256, 384, 512] bits that meet the following: FIPS PUB 180-4, “Secure Hash Standard.”

6.1.3.6 FCS_COP.1 (4) Cryptographic Operation (for Keyed-Hash Message Authentication)

FCS_COP.1.1 (4) Refinement: The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm HMAC-[SHA-256, SHA-384], key size [256, 384 key size (in bits) used in HMAC], and message digest sizes [256, 384] bits that meet the following: FIPS PUB 198-1, “The Keyed-Hash Message Authentication Code”, and FIPS PUB 180-4, “Secure Hash Standard.”

6.1.3.7 FCS_HTTPS_EXT.1 HTTPS

FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that
complies with RFC 2818.

FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.

6.1.3.8 FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)

FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with [NIST Special Publication 800-90A using [CTR_DRBG (AES)]] seeded by an entropy source that accumulates entropy from [a software-based noise source; a hardware-based noise source].

FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [256 bits] of entropy at least equal to the greatest security strength of the keys and hashes that it will generate.

6.1.3.9 FCS_TLS_EXT.1 (1) TLS (Syslog and LDAP)

FCS_TLS_EXT.1.1 (1) The TSF shall implement one or more of the following protocols [TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
[
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
].
Note: This SFR was modified to conform to TD0320.

6.1.3.10 FCS_TLS_EXT.1 (2) TLS (Agents)

FCS_TLS_EXT.1.1 (2) The TSF shall implement one or more of the following protocols [TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
[
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
].
Note: This SFR was modified to conform to TD0320.

6.1.3.11 FCS_TLS_EXT.1 (3) TLS (Web Interface)

FCS_TLS_EXT.1.1 (3) The TSF shall implement one or more of the following protocols [TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
[
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
].
Note: This SFR was modified to conform to TD0320.
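The three FCS_TLS_EXT.1 iterations above each name a different set of permitted TLS 1.2 ciphersuites, so a deployment that talks to the DSM (a syslog collector, an LDAP server, an agent host, or a browser-side test harness) should be pinned to exactly those suites. The following is an added example and not code from the DSM or this ST: it translates the IANA suite names used in the SFRs into the OpenSSL names Python's ssl module expects and builds a context confined to TLS 1.2 and the listed suites. The suite lists are copied from the SFRs; the interface keys ("syslog_ldap", "agents", "web") and the translation rule are this example's own assumptions.

```python
"""Added example (not DSM code): an ssl context restricted to the TLS 1.2
ciphersuites listed in FCS_TLS_EXT.1.1(1), (2) and (3)."""
import ssl

# Suite lists copied from the FCS_TLS_EXT.1 iterations; the keys are assumed labels.
EVALUATED_SUITES = {
    "syslog_ldap": [                                   # FCS_TLS_EXT.1 (1)
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    ],
    "agents": [                                        # FCS_TLS_EXT.1 (2)
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    ],
    "web": [                                           # FCS_TLS_EXT.1 (3)
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    ],
}


def openssl_name(iana: str) -> str:
    """Translate an IANA suite name into the OpenSSL name that
    ssl.SSLContext.set_ciphers() expects, e.g.
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256."""
    if not iana.startswith("TLS_") or "_WITH_" not in iana:
        raise ValueError(f"not an IANA ciphersuite name: {iana}")
    kex, cipher = iana[len("TLS_"):].split("_WITH_", 1)
    # AES_128_CBC_SHA -> AES128_SHA: OpenSSL omits "CBC" and joins AES to its key size.
    cipher = cipher.replace("AES_", "AES").replace("_CBC", "")
    # Plain RSA key exchange carries no prefix in OpenSSL names (AES128-SHA).
    parts = ([] if kex == "RSA" else [kex]) + [cipher]
    return "-".join(parts).replace("_", "-")


def evaluated_context(interface: str, server_side: bool = True) -> ssl.SSLContext:
    """Context pinned to TLS 1.2 and the evaluated suites for one DSM interface."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the SFRs claim TLS 1.2 (RFC 5246) only
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(openssl_name(s) for s in EVALUATED_SUITES[interface]))
    return ctx


def offered_tls12_suites(ctx: ssl.SSLContext) -> set:
    """TLS 1.2 suites the context will negotiate. OpenSSL may also list TLS 1.3
    suites, which the version pin above already rules out, so drop them here."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


if __name__ == "__main__":
    for name in EVALUATED_SUITES:
        print(name, sorted(offered_tls12_suites(evaluated_context(name))))
```

Checking `offered_tls12_suites()` against the translated list is the quick way to confirm the local OpenSSL build has not silently dropped one of the suites (for example under a raised security level), which would otherwise only show up as a handshake failure against the DSM.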
6.1.4 Class FIA: Identification and Authentication

6.1.4.1 FIA_AFL.1 Authentication Failure Handling

FIA_AFL.1.1 The TSF shall detect when [an administrator configurable positive integer within [1 to 10]] unsuccessful authentication attempts occur related to [remote administrative management login].

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF shall [lock the account for an administrator configurable period of time].

6.1.4.2 FIA_SOS.1 Verification of Secrets

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet the following:
a) For environmental password-based authentication, the following rules apply:
  1. Passwords shall be able to be composed of a subset of the following character sets: [Standard ASCII character set] that include the following values [alphabet characters: a-z, A-Z, integers: 0-9, and a limited set of special characters: !@#$%^&*(){}[] ]; and
  2. Minimum password length shall be settable by an administrator, and support passwords of 16 characters or greater; and
  3. Password composition rules specifying the types and numbers of required characters that comprise the password shall be settable by an administrator; and
  4. Passwords shall have a maximum lifetime, configurable by an administrator; and
  5. New passwords shall contain a minimum of an administrator-specified number of character changes from the previous password; and
  6. Passwords shall not be reused within the last administrator-settable number of passwords used by that user;
b) For non-password-based authentication, the following rules apply:
  1. The probability that a secret can be obtained by an attacker during the lifetime of the secret is less than 2^-20.
6.1.4.3 FIA_USB.1 User-Subject Binding

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user:
[
• Username
• Password
• Role
• Domain
]

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [user security attributes are associated upon successful identification and authentication].

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [user security attributes can be changed only by an administrator with type “System Administrator” or “All” through the management interfaces of the TOE].

6.1.5 Class FMT: Security Management

6.1.5.1 FMT_MOF.1 Management of Functions Behavior

FMT_MOF.1.1 The TSF shall restrict the ability to [determine the behavior of, modify the behavior of] the functions: [DSM auditing functions] to [administrators with type “System Administrator” or “All”].

6.1.5.2 FMT_MOF_EXT.1 External Management of Functions Behavior

FMT_MOF_EXT.1.1 The TSF shall restrict the ability to query the behavior of, modify the functions of Access Control products: audited events, repository for audit storage, Access Control SFP, policy version being implemented, Access Control SFP behavior to enforce in the event of communications outage to [administrators with type “Security Administrator”, “Domain and Security Administrator”, or “All” inside a given domain].
6.1.5.3 FMT_MSA_EXT.5 Consistent Security Attributes

FMT_MSA_EXT.5.1 The TSF shall [identify the following internal inconsistencies with a policy prior to distribution:
Rule A: when a newly added or updated security rule is identical to an existing security rule;
Rule B: when two security rules have identical security objects but the effects are contradictory (one security rule with permit effect while the other rule has deny effect);
Rule C: when a security rule is a superset of a subsequent security rule, so that the subsequent security rule will never be executed].

FMT_MSA_EXT.5.2 The TSF shall take the following action when an inconsistency is detected: [issue a prompt for an administrator to manually resolve the inconsistency].

6.1.5.4 FMT_MTD.1 Management of TSF Data

FMT_MTD.1.1 The TSF shall restrict the ability to [modify, delete, [add]] the [authentication data: username and password] to [administrators with type “System Administrator” or “All”].

6.1.5.5 FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [the management activities listed in Table 6-3].

Table 6-3: Management Functions within the TOE ([ESM PP PM] Table 4.)
Requirement | Management Activities
ESM_ACD.1 | Creation of policies
ESM_ACT.1 | Transmission of policies
ESM_ATD.1 | Definition of object attributes; Association of attributes with objects
ESM_ATD.2 | Definition of subject attributes; Association of attributes with subjects
ESM_EAU.2 | Management of authentication data for both interactive users and authorized IT entities (if managed by the TSF)
ESM_EID.2 | Management of authentication data for both interactive users and authorized IT entities (if managed by the TSF)
FAU_SEL.1 | Configuration of auditable events
FAU_SEL_EXT.1 | Configuration of auditable events for defined external entities
FAU_STG_EXT.1 | Configuration of external audit storage location
FIA_AFL.1 | Configuration of authentication failure threshold value; Configuration of actions to take when threshold is reached; Execution of restoration to normal state following threshold action (if applicable)
FIA_SOS.1 | Management of the metric used to verify secrets
FIA_USB.1 | Definition of default subject security attributes, modification of subject security attributes
FMT_MOF_EXT.1 | Configuration of the behavior of other ESM products
FMT_MSA_EXT.5 | Configuration of what policy inconsistencies the TSF shall identify and how the TSF shall respond if any inconsistencies are detected (if applicable)
FMT_MTD.1 | Management of user authentication data
FMT_SMR.1 | Management of the users that belong to a particular role
FTA_TAB.1 | Maintenance of the banner
FTP_ITC.1 | Configuration of actions that require trusted channel (if applicable)
FTP_TRP.1 | Configuration of actions that require trusted path (if applicable)

6.1.5.6 FMT_SMR.1 Security Management Roles

FMT_SMR.1.1 The TSF shall maintain the roles [“System Administrator”, “Domain Administrator”, “Security Administrator”, “Domain and Security Administrator”, “All”].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.
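FMT_MSA_EXT.5.1 (Section 6.1.5.3) names three inconsistencies the TSF must find before a policy is distributed under ESM_ACT.1: an identical rule (Rule A), the same security objects with contradictory effects (Rule B), and an earlier rule whose match is a superset of a later one, so the later rule never executes (Rule C). The following is an added example, not code from the DSM or this ST, showing such a pre-distribution check over rules shaped like the ESM_ACD.1.2 model (resource, user, process and time sets, operations, and a permit or deny effect), with the unique identifier of ESM_ACD.1.3 derived from the rule set. It assumes first-match-wins evaluation in rule order, an ANY sentinel for an unrestricted set, and an identifier format of its own.

```python
"""Added example (not DSM code): a pre-distribution consistency check for the
three inconsistencies named in FMT_MSA_EXT.5.1, over ESM_ACD.1-style rules."""
from dataclasses import dataclass
from itertools import combinations
import hashlib

ANY = frozenset({"*"})  # assumed wildcard: the set that matches every member


@dataclass(frozen=True)
class Rule:
    resources: frozenset   # resource set: directory paths and/or file names
    users: frozenset       # user set: users or groups
    processes: frozenset   # process set: hashes of trusted process binaries
    times: frozenset       # time set: times and/or days
    operations: frozenset  # ESM_ACD.1.2 operations, e.g. "read file"
    effect: str            # "permit" or "deny"

    def security_object(self):
        """Everything the rule matches on, i.e. all fields except the effect."""
        return (self.resources, self.users, self.processes, self.times, self.operations)


def covers(a: frozenset, b: frozenset) -> bool:
    """True when every member matched by set b is also matched by set a."""
    return a == ANY or (b != ANY and a >= b)


def find_inconsistencies(rules):
    """Return (rule_letter, earlier_index, later_index, explanation) for each
    inconsistency, using the letters from FMT_MSA_EXT.5.1. Rules are compared
    pairwise in policy order, since order decides which rule executes first."""
    findings = []
    for (i, r1), (j, r2) in combinations(enumerate(rules), 2):
        if r1 == r2:
            findings.append(("A", i, j, "identical security rules"))
        elif r1.security_object() == r2.security_object():
            findings.append(("B", i, j, "identical objects with contradictory effects"))
        elif all(covers(a, b) for a, b in zip(r1.security_object(), r2.security_object())):
            findings.append(("C", i, j, f"rule {i} is a superset of rule {j}, which never executes"))
    return findings


class PolicyInconsistent(Exception):
    """Raised instead of distributing, so that an administrator is prompted to
    resolve the inconsistency (FMT_MSA_EXT.5.2)."""


def prepare_for_distribution(policy_name: str, rules) -> str:
    """Validate the policy and return its unique identifier (ESM_ACD.1.3):
    the name plus a digest over the ordered rule set (assumed format)."""
    findings = find_inconsistencies(rules)
    if findings:
        raise PolicyInconsistent(findings)
    canonical = repr([[sorted(f) for f in r.security_object()] + [r.effect] for r in rules])
    return f"{policy_name}:{hashlib.sha256(canonical.encode()).hexdigest()[:16]}"


if __name__ == "__main__":
    # Constructed sample policy: a broad permit placed before a narrower deny.
    permit_everyone = Rule(frozenset({"/data/secret"}), ANY, ANY, ANY,
                           frozenset({"read file", "write file"}), "permit")
    deny_contractors = Rule(frozenset({"/data/secret"}), frozenset({"contractors"}), ANY, ANY,
                            frozenset({"read file"}), "deny")
    for finding in find_inconsistencies([permit_everyone, deny_contractors]):
        print(finding)
```

Rule C is the one an administrator most easily misses: the deny for contractors looks correct on its own, but placed after a permit that covers a superset of its objects it is dead, and the policy silently grants the access it was meant to block. Reversing the two rules yields no finding, and only then does `prepare_for_distribution()` return an identifier for transmission.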
6.1.6 Class FPT: Protection of the TSF

6.1.6.1 FPT_APW_EXT.1 Protection of Stored Credentials

FPT_APW_EXT.1.1 The TSF shall store credentials in non-plaintext form.

FPT_APW_EXT.1.2 The TSF shall prevent the reading of plaintext credentials.

6.1.6.2 FPT_SKP_EXT.1 Protection of Secret Key Parameters

FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.

6.1.6.3 FPT_STM.1 Reliable Time Stamps

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.

6.1.7 Class FTA: TOE Access

6.1.7.1 FTA_SSL.3 TSF-initiated Termination

FTA_SSL.3.1 Refinement: The TSF shall terminate a remote interactive session after an Authorized Administrator-configurable time interval of session inactivity.

6.1.7.2 FTA_SSL.4 User-initiated Termination

FTA_SSL.4.1 Refinement: The TSF shall allow Administrator-initiated termination of the Administrator’s own interactive session.

6.1.7.3 FTA_TAB.1 TOE Access Banner

FTA_TAB.1.1 Refinement: Before establishing a user session, the TSF shall display a configurable advisory warning message regarding unauthorized use of the TOE.

6.1.8 Class FTP: Trusted Paths/Channels

6.1.8.1 FTP_ITC.1 Inter-TSF Trusted Channel

FTP_ITC.1.1 The TSF shall be capable of using [TLS] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: [audit server, authentication server, [Transparent Encryption Agent]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

FTP_ITC.1.2 The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for transfer of policy data, [[transfer of authentication data, transfer of audit data]].
Note: This SFR was modified to conform to TD0245.

6.1.8.2 FTP_TRP.1 Trusted Path

FTP_TRP.1.1 The TSF shall be capable of using [TLS/HTTPS] to provide a communication path between itself and remote users that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification, disclosure, and [[substitution]].

FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path.

FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial user authentication and execution of management functions.
Note: This SFR was modified to conform to TD0245.

6.2 Security Assurance Requirements for the TOE

6.2.1 TOE Security Assurance Requirements

This section defines the assurance requirements for the TOE. The assurance activities to be performed by the evaluator are defined in Section 6 and Appendix C of the Standard Protection Profile for Enterprise Security Management Policy Management [ESM PP PM]. The [ESM PP PM] draws from the CC Security Assurance Requirements (SARs) to frame the extent to which the evaluator assesses the documentation applicable for the evaluation and performs independent testing. The TOE security assurance requirements, summarized in the table below, identify the management and evaluative activities required to address the threats identified in the [ESM PP PM].
Table 6-4: Assurance Components

Assurance Class | Assurance Components
Development | ADV_FSP.1 Basic Functional Specification
Guidance documents | AGD_OPE.1 Operational User Guidance
Guidance documents | AGD_PRE.1 Preparative Procedures
Life cycle support | ALC_CMC.1 Labeling of the TOE
Life cycle support | ALC_CMS.1 TOE CM Coverage
Tests | ATE_IND.1 Independent Testing - Conformance
Vulnerability assessment | AVA_VAN.1 Vulnerability Survey

The following tables state the developer action elements, content and presentation elements and evaluator action elements for each of the assurance components.

Table 6-5: ADV_FSP.1 Basic Functional Specification

Developer action elements
ADV_FSP.1.1D The developer shall provide a functional specification.
ADV_FSP.1.2D The developer shall provide a tracing from the functional specification to the SFRs.

Content and presentation elements
ADV_FSP.1.1C The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.2C The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.3C The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering.
ADV_FSP.1.4C The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.

Evaluator action elements
ADV_FSP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.1.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.

Table 6-6: AGD_OPE.1 Operational User Guidance

Developer action elements
AGD_OPE.1.1D The developer shall provide operational user guidance.
Content and presentation elements
AGD_OPE.1.1C The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2C The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4C The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5C The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences, and implications for maintaining secure operation.
AGD_OPE.1.6C The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7C The operational user guidance shall be clear and reasonable.

Evaluator action elements
AGD_OPE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Table 6-7: AGD_PRE.1 Preparative Procedures

Developer action elements
AGD_PRE.1.1D The developer shall provide the TOE, including its preparative procedures.
Content and presentation elements
AGD_PRE.1.1C The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
AGD_PRE.1.2C The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.

Evaluator action elements
AGD_PRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation.

Table 6-8: ALC_CMC.1 Labeling of the TOE

Developer action elements
ALC_CMC.1.1D The developer shall provide the TOE and a reference for the TOE.

Content and presentation elements
ALC_CMC.1.1C The TOE shall be labeled with its unique reference.

Evaluator action elements
ALC_CMC.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Table 6-9: ALC_CMS.1 TOE CM Coverage

Developer action elements
ALC_CMS.1.1D The developer shall provide a configuration list for the TOE.

Content and presentation elements
ALC_CMS.1.1C The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs.
ALC_CMS.1.2C The configuration list shall uniquely identify the configuration items.

Evaluator action elements
ALC_CMS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Table 6-10: ATE_IND.1 Independent Testing - Conformance

Developer action elements
ATE_IND.1.1D The developer shall provide the TOE for testing.

Content and presentation elements
ATE_IND.1.1C The TOE shall be suitable for testing.
Evaluator action elements
ATE_IND.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.1.2E The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified.

Table 6-11: AVA_VAN.1 Vulnerability Survey

Developer action elements
AVA_VAN.1.1D The developer shall provide the TOE for testing.

Content and presentation elements
AVA_VAN.1.1C The TOE shall be suitable for testing.

Evaluator action elements
AVA_VAN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VAN.1.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
AVA_VAN.1.3E The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.

7 TOE Summary Specification

Section 7 describes the specific Security Functions of the TOE that meet the criteria of the security features described in Section 2.5, Logical Scope of the TOE. The following sub-sections describe how the TOE meets each SFR listed in Section 6.
Table 7-1: Security Functional Requirements Mapped to Security Functions

Security Function | Sub-Function | SFRs
System Monitoring | SM-1: System Monitoring | FAU_GEN.1, FPT_STM.1, FAU_SEL.1
System Monitoring | SM-2: Audit Storage | FAU_STG_EXT.1
Robust TOE Access | TA-1: Strength of Secrets | FIA_SOS.1
Robust TOE Access | TA-2: Authentication Failure | FIA_AFL.1
Robust TOE Access | TA-3: Session Termination | FTA_SSL.3, FTA_SSL.4
Authorized Management | AM-1: Management I&A | ESM_EAU.2 (1), ESM_EID.2 (1), ESM_EAU.2 (2), ESM_EID.2 (2), ESM_EAU.2 (3), ESM_EID.2 (3), FIA_USB.1, FPT_APW_EXT.1
Authorized Management | AM-2: Management Roles | FMT_MOF.1, FMT_SMR.1
Authorized Management | AM-3: Remote Administration | FTP_TRP.1
Policy Definition | PD-1: Policy Definition | ESM_ACD.1, ESM_ATD.1, ESM_ATD.2, FMT_MOF.1, FMT_MSA_EXT.5, FMT_SMF.1
Dependent Product Configuration | PC-1: TOE Management Functions | FMT_MOF.1, FMT_MTD.1, FMT_SMF.1
Dependent Product Configuration | PC-2: Agent Configuration | FAU_SEL_EXT.1, FMT_MOF_EXT.1
Confidential Communications | CC-1: Agent Communications | ESM_ACT.1, FCS_TLS_EXT.1, FCS_HTTPS_EXT.1, FMT_MOF.1, FTP_ITC.1
Confidential Communications | CC-2: User Communications | ESM_EAU.2 (1), ESM_EID.2 (1), ESM_EAU.2 (2), ESM_EID.2 (2), ESM_EAU.2 (3), ESM_EID.2 (3), FCS_HTTPS_EXT.1, FIA_USB.1, FMT_MOF.1, FTP_TRP.1
Confidential Communications | CC-3: External Server Communications | FMT_MOF.1, FTP_ITC.1
Confidential Communications | CC-4: Key Protection | FPT_SKP_EXT.1
Access Bannering | AB-1: Banner | FTA_TAB.1
Cryptographic Services | CS-1: Crypto | FCS_CKM.1, FCS_CKM_EXT.4, FCS_COP.1 (1), FCS_COP.1 (2), FCS_COP.1 (3), FCS_COP.1 (4), FCS_RBG_EXT.1

7.1 System Monitoring

7.1.1 SM-1: Audit Generation

Log files and log data are generated on the DSM and its agents. The TSF generates audit records for the security significant events listed in Table 6-2: Auditable Events ([ESM PP PM] Table 3.). The DSM logs system-level events, such as failed login attempts, a broken network connection, and an inoperable DSM database, and application-level events, such as evaluating a policy, applying GuardPoints, and adding administrators.
Application-level Logs

Application-level events from the DSM and the agents are collected in the Message Log and can be viewed in the “Logs” window of the Remote Administrative Management by administrators of type All or Security Administrator with Host role permission. The “Logs” window displays the following information:

Table 7-2: Message Log Information

Column | Description
ID | Entries are numbered in the order in which the DSM enters them into the log database.
Time | The time at which the event occurred. Timestamps are in the form YYYY-MM-DD HH:MM:SS.mm,