NIAP: Compliant Product
Compliant Product - RSA Identity Governance and Lifecycle v7.0

Certificate Date:  2017.05.31

Validation Report Number:  CCEVS-VR-VID10769-2017

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management - Identity and Credential Management Version 2.1

CC Testing Lab:  Leidos Common Criteria Testing Laboratory


Evaluation documents:

·         CC Certificate [PDF]

·         Security Target [PDF]

·         Validation Report [PDF]

·         Assurance Activity [PDF]

·         Administrative Guide [PDF]


Product Description

The Target of Evaluation (TOE) is RSA Identity Governance and Lifecycle v7.0.1.

RSA Identity Governance and Lifecycle is a platform that helps organizations meet their security, regulatory, and business access needs through a collaborative set of business processes. By automating manual access control tasks, providing access management workflows to gather the appropriate business approvals, and gathering evidence of compliance to access control policy, organizations can confidently manage, control, and enforce access to applications and data, across their organization. This functionality is enabled by a set of collectors that gather user credentials and access information from various repositories and store it in a central data repository. RSA Identity Governance and Lifecycle also provides a set of data connectors to provision external data repositories with updated information.

The RSA Identity Governance and Lifecycle platform contains functionality that is not covered by Standard Protection Profile for Enterprise Security Management Identity and Credential Management.  As with all evaluations claiming conformance to a NIAP-approved protection profile, only the functionality specified in the profile is evaluated.  The RSA Identity Governance and Lifecycle v7.0.1 TOE consists of the following platform components:

·         Access Certification Manager

·         Business Role Manager

·         Access Request Manager

·         Rules

·         Access Fulfillment Express (AFX)

·         Collectors (agents)

·         Graphical User Interface (GUI), and

·         Web Services API.

The TOE components identified above collectively provide functionality defined in the Standard Protection Profile for Enterprise Security Management Identity and Credential Management.  Specifically the functionality included in the evaluation is:

·         Provision subjects (enroll new subjects to an organizational repository, associate and disassociate subjects with organizationally-defined attributes)

·         Issue and maintain credentials associated with user identities

·         Publish and change credential status (such as active, suspended or terminated)

·         Enforce password strength rules for enterprise users

·         Establish appropriate trusted channels between itself and Authentication Server ESM products

·         Generate an audit trail of configuration changes and subject identification and authentication activities

·         Write audit trail data to a trusted repository


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme.  The criteria against which the RSA Identity Governance and Lifecycle v7.0.1 was judged are described in Standard Protection Profile for Enterprise Security Management Identity and Credential Management (Version 2.1, 24 October 2013) and the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 4 as refined by the assurance activities in the protection profile. The product satisfies all of the security functional requirements stated in the RSA Identity Governance and Lifecycle v7.0.1 Security Target, version 1.0, 11 April 2017, when delivered and configured as identified in the following documents:

·         RSA Identity Governance and Lifecycle Supplemental Administrative Guidance V7.0.1

·         RSA Identity Governance and Lifecycle 7.0.1 Release Notes

·         RSA Identity Governance and Lifecycle 7.0.1 Installation Guide

·         RSA Identity Governance and Lifecycle 7.0.1 Upgrade and Migration Guide

·         RSA Identity Governance and Lifecycle 7.0.1 Help (Built-in Documentation)

·         RSA Identity Governance and Lifecycle 7.0.1 Database Setup and Management Guide

·         RSA Identity Governance and Lifecycle 7.0.1 Public Database Schema Reference

·         RSA Identity Governance and Lifecycle Active Directory Application Guide, Version 1.1 | Nov 2016

·         RSA Identity Governance and Lifecycle Connector Data Sheet for Oracle Database

·         RSA Identity Governance and Lifecycle Collector Data Sheet for Oracle Database.

The project underwent CCEVS Validator review.  The evaluation was completed in May 2017.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Enterprise Security Management

The TOE maintains security attributes belonging to individual objects and relies on Active Directory in the operational environment to authenticate users.

The TOE provides the capability to define and securely transmit identity and credential data for use with other ESM products: Oracle and Active Directory authentication servers.  The TOE provides a password restriction policy mechanism to ensure secure passwords are defined for enterprise users.

Security Audit

The TOE generates logs for security relevant events including the events specified in Standard Protection Profile for Enterprise Security Management Identity and Credential Management. The TOE sends the logs to an Oracle database external to the TOE for storage.  Reliable timestamps are provided by the operational environment.

Identification and Authentication

The TOE associates roles, entitlements, and other user attributes with enterprise users and relies on the operational environment to authenticate enterprise users.

Security Management

The TOE provides the management functions identified in the Standard Protection Profile for Enterprise Security Management Identity and Credential Management such as management of subject attributes; authentication data; configuration and management of the security functions; and management of the users that belong to a particular role. The TOE restricts access to the management functions to users with the following roles: the System Administrator Role, Application Administrator Role, Password Management Role, Role Administrator Role, and Access Request Administrator Role and to users with entitlements to the functions.  The TOE maintains all Administrator roles.

Protection of the TSF

Credentials/keys used by the TOE are stored in the operational environment.  The TOE does not offer any interfaces to view the credentials/keys.

TOE Access

The TOE terminates local and remote interactive sessions after a System Administrator configurable time period of inactivity. It provides users the capability to terminate their own interactive sessions. An administrator can configure an advisory warning message regarding unauthorized use of the TOE, which the TOE displays before establishing a user session using the GUI.

Trusted Path/Channels

The TOE provides trusted communication channels using TLS v1.1 and TLS v1.2 for Active Directory authentication and transfer of policy data.

The TOE provides trusted communication paths using TLS v1.1 and TLS v1.2 for remote administrators and users accessing the GUI and for Web Service Clients accessing the Web Services API. 

The TOE relies on BSAFE Crypto-J 6.2.1 in the operational environment for cryptographic functions.  In particular, the module is used for TLS v1.1 and v1.2 connections with trusted external IT entities, and with users accessing the TOE. The TOE itself does not implement any cryptographic functions. Consequently, the Cryptographic Support (class FCS) requirements from the Architectural Variations section of the ESM ICM PP do not apply to the TOE. The security target does not claim any requirements from the FCS class and so the FCS requirements were outside the scope of evaluation and were not evaluated.


Vendor Information

RSA Security LLC
Sean Miller
(519) 954 8162
Sean.Miller@rsa.com

https://www.rsa.com/en-us