NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Pure Storage FA-400 Series and FlashArray //m Appliances version 4.7

Certificate Date:  2016.03.07

Validation Report Number:  CCEVS-VR-VID10664-2016

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Network Devices Version 1.1

CC Testing Lab:  UL Verification Services Inc. (Formerly InfoGard)

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Pure Storage FlashArray (TOE) is classified as a Network Device, for the purposes of this Common Criteria evaluation. It is an enterprise Network Attached Storage solution that includes a Linux-based operating system, SAN protocols and interfaces (iSCSI, Fiber Channel, SAS), and custom software to provide network storage with high performance and reliability.

The TOE is designed to act as a data storage endpoint for a SAN. The TOE supports remote administration over HTTPS/TLS and Secure Shell (SSH), with cryptographic encryption and authentication using CAVP Validated algorithms. The TOE also supports use of external authentication and audit servers, protected using TLS.

The TOE consists of one or two physical PCs that are connected together via InfiniBand for high availability purposes. The PCs (TOE) are grouped and sold as six possible models:

  • FA-405
  • FA-450
  • FA-m20
  • FA-m50
  • FA-m70

The TOE acts as a SAN storage endpoint over the Fibre Channel and 10GbE interfaces, and allows TLS connections to its 1GbE Ethernet management interface.

The TOE operating system, Purity 4.7, is built on the Ubuntu Linux kernel and an Intel Xeon x64 CPU.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target, based on the Security Functional Requirements of the Network Devices Protection Profile, Version 1.1.

The criteria for which the TOE was evaluated against, are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1. The methodology used by the evaluation team to conduct the evaluation is contained in the Common Methodology for Information Technology Security Evaluation, Version 3.1.

InfoGard Laboratories, Inc. determined that the TOE, configured as specified in the operational guidance, satisfies all of the security functional requirements stated in the Security Target.

Environmental Strengths

The evaluation of the TOE, provides assurance that the Security Functional Requirements (SFR) of the Network Devices Protection Profile, Version 1.1, has been met.

The TOE consists of the following Security Functions:

  • Security Audit (FAU)
  • Cryptographic Support (FCS)
  • User Data Protection (FDP)
  • Identification and Authentication (FIA)
  • Security Management (FMT)
  • Protection of the TSF (FPT)
  • TOE Access (FTA)
  • Trusted Path/Channels (FTP)


The TOE audits all events and information defined by the Network Device Protection Profile, Version 1.1. Audit logs include the identity of the user that caused the event (if applicable), date and time of the event, type of event, and the outcome of the event. Audit events are transmitted to an external IT entity using the TLS protocol. The TOE also protects storage of audit information from unauthorized deletion and modifications.

Cryptographic Operations

The TOE implements CAVP validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the SSH and TLS protocols.

The TOE zeroizes all plaintext secret and private cryptographic keys and CSPs once they are no longer required.

User Data Protection

The TOE ensures that any previous information content of network packets are not re-used in subsequent network packets by leveraging the Linux kernel's network packet processing mechanisms. All network resources are zeroized upon allocation of that buffer.

Identification and Authentication

The TSF supports passwords consisting of alphanumeric and all printable ASCII characters, as well as SSH public key authentication. The TSF also allows administrators to set a minimum password length and support passwords with 15 characters or more.

The TSF requires all administrative-users to authenticate before allowing the user to perform any actions other than viewing the warning banner.

Security Management

The TOE provides management over TLS, SSH, and a local console. The TOE authenticates administrative users using a username/password combination or a username/SSH_RSA key combination. The TSF does not allow access to any administrative functions prior to successful authentication. The TOE also has capability of being updated, and to verify updates via digital signature.

The TSF includes four administrative roles within the Authorized Administrator role: Internal Administrator, Array Administrator, Storage Administrator, and Read-Only Administrator. All roles are considered authorized administrators for the remainder of this document. The device ships with two hard-coded users, but allows for additional users to be authenticated through the use of Active Directory.

Protection of the TSF

The TOE uses several protection methods to ensure correct and secure operation: the TOE runs a suite of self-tests during the initial start-up (upon power on), it provides a means to verify firmware/software updates using a digital signature mechanism prior to installing those updates, the reading of secret and private keys is not allowed, and the TOE provides reliable time stamps for itself.

TOE Access

The TOE, for local and remote interactive sessions, terminates sessions after an Authorized Administrator-specified period of session inactivity. The TOE also allows Administrator-initiated termination of the Administrator’s own interactive session.

Before establishing an administrative user session, the TOE is capable of displaying an Authorized Administrator-specified advisory notice and consent warning message regarding unauthorized use of the TOE.

Trusted Path/Channels

The TOE uses TLS to provide a trusted communication channel between itself and all authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data. The TOE initiates communication via the trusted channel, and also allows remote IT entities to initiate communication.

The TOE permits remote administrators to initiate a trusted path via SSH and HTTPS/TLS. The TOE requires the use of the trusted path for initial administrator authentication and all remote administration actions.

Vendor Information

Pure Storage, Inc.
Nitin Nagpal
Site Map              Contact Us              Home