NIAP: Compliant Product
Compliant Product - Vormetric Data Security Manager V6000, Version 5.3

Certificate Date:  2016.04.05

Validation Report Number:  CCEVS-VR-VID10737-2016

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:  CygnaCom Solutions, Inc

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is the appliance-based policy management platform, Vormetric Data Security Manager (DSM), Version 5.3. The TOE includes all DSM appliance hardware and firmware installed on the appliance. The evaluated appliance model designation is V6000.

The DSM is the Policy Management product that serves as a trusted source for policy information that is ultimately consumed by the Transparent Encryption Agent (the Access Control product) as defined in [ESM PP PM]. 

The Transparent Encryption Agent is outside the scope of this evaluation and its functionality was not evaluated. Product testing conducted during evaluation was limited to the Transparent Encryption Agent receiving the policy from the TOE.  The correctness of the enforcement of such policy was not tested.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R4.

The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R4. 

CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies compliance with Protection Profile for Enterprise Security Management Policy Management, 24 October 2013, Version 2.1 [ESM PP PM].

A team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in March 2016.

Environmental Strengths

The TOE is classified as an ESM Policy Management product.

The TOE is designed to provide the following functionality:

· System Monitoring

The TOE provides the ability to generate audit events in order to identify unauthorized TOE configuration changes and attempted malicious activity against protected objects. The audit trail identifies changes to subject data and usage of the authentication function. The audit data can be stored in an external repository.

· Robust TOE Access

The TOE implements mechanisms via a configurable password policy that improve security relative to the attempts of unsophisticated attackers to authenticate to the TOE using repeated guesses. The TOE can also enforce an externally-defined LDAP authentication policy. The TOE provides capabilities to terminate established sessions.

· Authorized Management

Policy Administrators are designated by the TSF and given various responsibilities for managing the TOE and creating policies. The TSF has its own internal method of enforcing controlled access so that no actions can be performed against it unless the subject is identified, authenticated, and authorized.

· Policy Definition

The TSF is able to manage policy attributes that are consistent with the corresponding technology type(s) described in the User Data Protection requirements in the Standard Protection Profile for Enterprise Security Management Access Control. In addition, the TSF is able to detect or prevent inconsistencies in the application of policies so that policies are unambiguously defined. Finally, the TOE is able to uniquely identify the policies it creates so that they can be used to determine what policies are being implemented by remote products.

· Dependent Product Configuration

The TOE is able to configure the behavior of the functions of the Access Control products that consume the policies it provides. This includes the configuration of what events they audit, what policies they enforce, and how they react in the event of a failure state or lack of connectivity.

· Confidential Communications

The TOE uses sufficiently strong and sufficiently trusted encryption algorithms to protect data in transit to and from the TOE. The TOE implements a cryptographic protocol to protect these data in transit.

· Access Bannering

The TOE displays a banner prior to authentication that defines its acceptable use. This banner provides legal notification for monitoring that allows audit data to be admissible in the event of any legal investigations.

· Cryptographic Services

The TOE uses cryptographic primitives (encryption, decryption, random bit generation, etc.) in order to ensure the confidentiality and integrity of the policy data it transmits and to provide trusted communications between itself and the Operational Environment where necessary.

Vendor Information

Vormetric Inc.
Ashvin Kamaraju