Validated Product - BMC CONTROL-SA
Certificate Date: 22 July 2005
Validation Report Number: CCEVS-VR-05-0107
Product Type: Network Management
Conformance Claim: EAL2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory

PRODUCT DESCRIPTION

The CONTROL-SA product, produced by BMC Software, Inc., 2101 City West Boulevard, Houston, TX 77042, is a set of software applications that provides enterprise-wide security management of information systems. BMC CONTROL-SA provides the Administrator with the necessary tools to manage the organization’s two invaluable assets, users and information resources, regardless of the number or variety of platforms.

The primary component of CONTROL-SA is a central Enterprise SecurityStation (ESS) server. The component accepts administrator instructions via a batch interface, a web interface, or a custom ESS Console interface. While the batch interface is collocated with the ESS server, the web interface allows remote administration via an ESS Web Console server, and the ESS Console application can be installed on any number of remotely accessible operating systems. Note that the server stores its configuration in a DBMS established in the TOE’s environment.

The ESS server interacts with agent components of the TOE installed on managed Solaris, Windows Server 2003, and RACF operating systems. The agents accept configuration changes from the ESS server and report changes that may occur on the managed system back to the ESS server.

The TOE includes the server, agent, and administrative application pieces, all of which are installed in third-party operating systems available in the TOE’s intended environment. Given the distributed nature of the TOE components, they are designed to use cryptography to protect their own communications as well as communications with components in the environment (i.e., DBMS and web browsers).

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the BMC CONTROL-SA TOE meets the security requirements contained in the Security Target – BMC CONTROL-SA Security Target, Version 1.0, 8 July 2005.
The criteria against which the BMC CONTROL-SA TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the BMC CONTROL-SA TOE is EAL2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in July 2005. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.

For this evaluation, it was appropriate for the Security Target to claim compliance with the external standards for DES and Triple-DES for the definitions of the encryption algorithms. There are many ways of determining compliance with a standard. BMC CONTROL-SA has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third-party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user’s requirements.

ENVIRONMENTAL STRENGTHS

The BMC CONTROL-SA TOE provides security audit, cryptographic support, user data protection, identification and authentication, security management and protection of the TSF features as they relate to the management of the TOE and associated information systems.

Security audit - Audit records are generated when security-related auditable events occur.
Refer to the Security audit section in the TSS for a complete list of auditable events. The information that is recorded in the audit record includes the date/time, the responsible user, the event, the outcome of the event, and, if applicable, the unique identification of the Managed System. The TOE provides the functionality necessary for authorized administrators to review audit logs.

Cryptographic support - The TOE supports cryptographic operations such as data encryption/decryption of the data that is transmitted between the ESS and the Managed Systems.

User data protection - The TOE enforces an ESS Access Control policy, which restricts access to Managed System attributes (and associated operations) controlled by the TOE. This protection requires that users (authorized administrators) of the TOE be identified and authenticated before any access to the Managed System attributes is granted. Access is granted based on privileges granted to the user (authorized administrator) for access to controlled Managed System attributes.

Identification and authentication - All users must be identified and authenticated before access to the TSF is allowed. The user is required to provide a user ID and password; if the verification is successful, access into the TOE is granted.

Security management - The TOE is managed through the Enterprise SecurityStation (ESS) Server, which is the central point of control through which administrators can perform all key security administration tasks including: Management of Audit Data, Management of ESS Access Control, and Management of ESS and Managed System data.

Protection of the TSF - The TOE implements a set of security mechanisms to protect the transmission and integrity of its data. The TOE uses data encryption to protect the data transmitted between components of the TOE. The TOE also ensures the consistency of TSF data when replicated between components of the TOE.

Vendor Information
BMC Software, Inc.
Ilan Sherman
+972.3.6451161
+972.3.7664617 (Fax)
ilan.sherman@bmc.com