NIAP: Compliant Product
Compliant Product - IBM MaaS360 v2.9 Cloud Extender

Certificate Date:  2018.06.14

Validation Report Number:  CCEVS-VR-VID10896-2018

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.2

CC Testing Lab:  atsec information security corporation


Product Description

The Target of Evaluation (TOE) is the IBM MaaS360 v2.91 Cloud Extender (CE) application. It includes four modules that enable communication with various customer-provided services, as well as the supporting documentation and a configuration tool. These modules are:

           Certificate Authority: version 2.93

           Exchange Integration for Managing Active Sync Devices: version 2.93

           Corporate User Visibility: version 2.93

           Corporate Directory Authentication: version 2.93

In addition, the TOE comes with the IBM MaaS360 Cloud Extender configuration tool version 2.93.

The application is installed within a MaaS360 customer’s own network or Demilitarized Zone (DMZ) in order to enable services offered by the IBM MaaS360 Enterprise Mobility Management (EMM), a cloud-based multi-tenant platform that provides a fully featured mobile device management (MDM) solution.

The Cloud Extender is a small Windows application (approx. 12MB) that is installed behind the customer firewall with network access to the appropriate internal systems. In this case, the platform is Microsoft Windows Server 2012 R2 (x64), which has been evaluated for conformance with the U.S. Government Protection Profile for General Purpose Operating Systems Version 4.1 and is listed on the NIAP Product Compliant List (PCL).

The TOE is an example of [USE CASE 3] Communication described in [pp_app_v1.2] as:

“The application allows for communication interactively or non-interactively with other users or applications over a communications channel.”

Evaluated Configuration

The evaluated configuration includes the four Cloud Extender (CE) modules identified above, which are packages of scripts and actions that integrate with components of an IBM MaaS360 customer’s infrastructure and provide full integration service with those components.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which IBM MaaS360 Cloud Extender was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation was the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4 and the assurance activities given in the Protection Profile for Application Software Version 1.2. The product, when delivered and configured as identified in the MaaS360 Cloud Extender NIAP Protection Profile Setup and Operations Guide document, meets the requirements of the Protection Profile for Application Software Version 1.2.

The MaaS360 Cloud Extender NIAP Protection Profile Setup and Operations Guide document satisfies all of the security functional requirements stated in the IBM MaaS360 v2.91 Cloud Extender Security Target. The project underwent CCEVS Validator review. The evaluation was completed in June 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report number CCEVS-VR-VID10896-2018, prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The Cloud Extender provides cryptographic support using the Windows platform provided cryptographic services via the Cryptography API: Next Generation (CNG) for the following:

1.    TLS connections—CNG is used by Secure Channel (SChannel), enabling the Cloud Extender to communicate with the Exchange Server, Domain Controller, and PKI Certificate Servers using HTTPS, limiting the protocol to TLS 1.2.

2.    Protecting data-at-rest using the Encrypted File System (EFS).

3.    Encrypting registry entries using the Data Protection Application Programming Interface (DPAPI).

The OpenSSL for the IBM MaaS360 Cloud Extender libraries included with the TOE provide cryptographic functionality for the following functions:

1.    TLS connections to the MaaS360 Portal and SCEP certificate servers (HTTPS using cURL).

2.    Encryption of configuration profiles.

3.    Device and User Certificate generation for certificate signing requests to a SCEP server.

User Data Protection

The application provides user data protection services by restricting the application's access to only those platform-based resources (sensitive data repositories and network communications) that are needed to provide the application functionality.

Sensitive application data is encrypted using platform-provided Encrypted File System (EFS) services when stored in non-volatile memory, such as the hard disk drive(s).

Identification and Authentication

The TOE supports authentication using X.509 certificates, performed by the application and by using the platform API.

Security Management

The Cloud Extender application provides the ability to set various configuration options for the TOE. These options are stored, as recommended by Microsoft, in the Windows Registry and are protected using the Data Protection application programming interface (DPAPI).

During installation, the files installed on the platform are allocated appropriate file permissions, supporting the protection of the application and its data from unauthorized access.

Protection of the TOE Security Functionality

The Cloud Extender application uses only documented Windows APIs. It is packaged with third-party libraries which provide supporting functionality.

The Cloud Extender application is compiled using stack buffer overrun protection and uses Address Space Layout Randomization (ASLR) techniques.

The Cloud Extender application is packaged and delivered in the Windows Application Software (.EXE) format, signed using the Microsoft Authenticode process with the Microsoft SignTool.exe (v6.3). It is compiled by IBM with stack-based buffer overflow protection enabled.

Timely Security Updates

The TOE is not subject to updates. Security updates require a new version of the TOE to be installed. Installers for the TOE are digitally signed by IBM in accordance with the Microsoft Authenticode process using a Class 3 SHA-256 provided by Symantec.


The Cloud Extender application does not specifically request Personally Identifiable Information (PII).

Trusted Path/Channels

The Cloud Extender application protects all transmitted data by using TLS 1.2 protected trusted channels.

Vendor Information

IBM Corporation
Jeff Ward