Compliant Product - IBM MaaS360 v2.9 Cloud Extender
Certificate Date: 2018.06.14
Validation Report Number: CCEVS-VR-VID10896-2018
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.2
CC Testing Lab: atsec information security corporation
The Target of Evaluation (TOE) is the IBM MaaS360 v2.91 Cloud Extender (CE) application. It includes four modules enabling communications functionality with various customer-provided services, as well as the supporting documentation and a configuration tool. These modules are:
• Certificate Authority: version 2.93
• Exchange Integration for Managing Active Sync Devices: version 2.93
• Corporate User Visibility: version 2.93
• Corporate Directory Authentication: version 2.93
In addition, the TOE comes with the IBM MaaS360 Cloud Extender configuration tool version 2.93.
The application is installed within a MaaS360 customer’s own network or Demilitarized Zone (DMZ) in order to enable services offered by the IBM MaaS360 Enterprise Mobility Management (EMM), a cloud-based multi-tenant platform that provides a fully featured mobile device management (MDM) solution.
The Cloud Extender is a small Windows application (approx. 12MB) that is installed behind the customer firewall with network access to the appropriate internal systems. The evaluated platform is Microsoft Windows Server 2012 R2 (x64), which has been evaluated for conformance with the U.S. Government Protection Profile for General Purpose Operating Systems Version 4.1 and is listed on the NIAP Product Compliant List (PCL).
The TOE is an example of [USE CASE 3] Communication described in [pp_app_v1.2] as:
“The application allows for communication interactively or non-interactively with other users or applications over a communications channel.”
The evaluated configuration includes the four Cloud Extender (CE) modules identified above, which are packages of scripts and actions that integrate with components of an IBM MaaS360 customer's infrastructure and provide full integration services with those components.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the IBM MaaS360 Cloud Extender was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team was the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4, together with the assurance activities given in the Protection Profile for Application Software Version 1.2. The product, when delivered and configured as identified in the MaaS360 Cloud Extender NIAP Protection Profile Setup and Operations Guide, meets the requirements of the Protection Profile for Application Software Version 1.2.
The MaaS360 Cloud Extender NIAP Protection Profile Setup and Operations Guide document satisfies all of the security functional requirements stated in the IBM MaaS360 v2.91 Cloud Extender Security Target. The project underwent CCEVS Validator review. The evaluation was completed in June 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report number CCEVS-VR-VID10896-2018, prepared by CCEVS.
The Cloud Extender provides cryptographic support using the Windows platform-provided cryptographic services via the Cryptography API: Next Generation (CNG) for the following:
3. Encrypting registry entries using the Data Protection Application Programming Interface (DPAPI).
The OpenSSL libraries included with the TOE (OpenSSL for the IBM MaaS360 Cloud Extender) provide cryptographic functionality for the following functions:
1. TLS connections to the MaaS360 Portal and SCEP certificate servers (HTTPS using cURL).
2. Encryption of configuration profiles.
User Data Protection
The application provides user data protection services through restricting access by the application to only those platform-based resources (sensitive data repositories, and network communications) that are needed in order to provide the needed application functionality.
Sensitive application data is encrypted using the platform-provided Encrypting File System (EFS) services when stored in non-volatile memory, such as the hard disk drive(s).
Identification and Authentication
The TOE supports authentication by X.509 certificates, performed both by the application itself and through the platform API.
The Cloud Extender application provides the ability to set various configuration options for the TOE. These options are stored, as recommended by Microsoft, in the Windows Registry and are protected using the Data Protection Application Programming Interface (DPAPI).
During installation, the files installed on the platform are allocated appropriate file permissions, supporting the protection of the application and its data from unauthorized access.
Protection of the TOE Security Functionality
The Cloud Extender application uses only documented Windows APIs. It is packaged with third-party libraries which provide supporting functionality.
The Cloud Extender application is compiled using stack buffer overrun protection and uses Address Space Layout Randomization (ASLR) techniques.
The Cloud Extender application is packaged and delivered in the Windows Application Software (.EXE) format, signed using the Microsoft Authenticode process with Microsoft SignTool.exe (v6.3). It is compiled by IBM with stack-based buffer overflow protection enabled.
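A practitioner receiving a binary with claims like those above usually wants to confirm the mitigations that are visible in the executable itself. The following Python script is an added example, not IBM's code and not part of the evaluation: it parses the PE headers and reports whether ASLR (DYNAMIC_BASE, with relocations present, and HIGH_ENTROPY_VA for 64-bit images), DEP (NX_COMPAT) and Control Flow Guard (GUARD_CF) are enabled. It uses only the standard library; the minimal PE header it builds for its self-test is constructed here and is not a real image. Stack cookies (/GS) leave no flag in the headers, so that claim cannot be checked this way and is out of scope for the script.

```python
"""Check a Windows PE image for header-visible exploit mitigations (added example)."""
from __future__ import annotations

import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DLLCHAR_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with full address-space entropy
    "DYNAMIC_BASE": 0x0040,     # image may be relocated at load time (ASLR)
    "NX_COMPAT": 0x0100,        # image is DEP-compatible
    "GUARD_CF": 0x4000,         # Control Flow Guard instrumented
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no .reloc, ASLR cannot move the image
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_headers(data: bytes) -> dict:
    """Return the optional-header magic, COFF Characteristics and DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    return {"magic": magic, "characteristics": characteristics,
            "dll_characteristics": dll_characteristics}


def pe_mitigations(data: bytes) -> dict:
    """Decode the mitigation-relevant flags into a readable dictionary."""
    hdr = parse_pe_headers(data)
    flags = {name: bool(hdr["dll_characteristics"] & bit) for name, bit in DLLCHAR_FLAGS.items()}
    relocs_present = not (hdr["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "is_64bit": hdr["magic"] == PE32PLUS_MAGIC,
        "relocs_present": relocs_present,
        **flags,
        # DYNAMIC_BASE only randomises the base when the loader can actually relocate the image.
        "aslr_effective": flags["DYNAMIC_BASE"] and relocs_present,
    }


def findings(data: bytes) -> list[str]:
    """List the mitigations a reviewer would flag as missing."""
    m = pe_mitigations(data)
    out = []
    if not m["aslr_effective"]:
        out.append("ASLR: DYNAMIC_BASE not set or relocations stripped")
    if m["is_64bit"] and not m["HIGH_ENTROPY_VA"]:
        out.append("ASLR: HIGH_ENTROPY_VA not set (64-bit image gets low-entropy randomisation)")
    if not m["NX_COMPAT"]:
        out.append("DEP: NX_COMPAT not set")
    if not m["GUARD_CF"]:
        out.append("CFG: GUARD_CF not set")
    return out


def build_test_image(dll_characteristics: int, pe32plus: bool = True,
                     relocs_stripped: bool = False) -> bytes:
    """Construct a minimal, non-executable PE header for self-testing (constructed data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    characteristics = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <path-to-exe-or-dll>
    with open(sys.argv[1], "rb") as fh:
        for line in findings(fh.read()) or ["all header-visible mitigations present"]:
            print(line)
```

Run it against an installed module's .exe or .dll; an empty findings list means every header-visible mitigation is enabled. Confirming the Authenticode signature itself is a separate step done with the platform's signature APIs (for example SignTool or PowerShell's Get-AuthenticodeSignature), which this script does not replace.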
Timely Security Updates
The TOE is not subject to in-place updates. Security updates require a new version of the TOE to be installed. Installers for the TOE are digitally signed by IBM in accordance with the Microsoft Authenticode process, using a Class 3 SHA-256 certificate provided by Symantec.
The Cloud Extender application does not specifically request Personally Identifiable Information (PII).
The Cloud Extender application protects all transmitted data by using trusted channels protected with TLS 1.2.
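The trusted-channel claim above amounts to three client-side properties: a minimum protocol version of TLS 1.2, mandatory certificate verification, and hostname checking. The following Python snippet is an added example (not IBM's code; the product itself uses OpenSSL through cURL) showing how such a client context is built with the standard `ssl` module and how an existing context can be audited for those properties; `build_weak_context` is a deliberately misconfigured context constructed here for comparison.

```python
"""Build and audit a TLS client context that only accepts TLS 1.2 or newer (added example)."""
from __future__ import annotations

import ssl


def build_tls12_context(cafile: str | None = None) -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, certificate required, hostname verified."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile)  # pin to a private CA if the peer uses one
    else:
        ctx.load_default_certs()
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the trusted-channel properties the context fails to enforce."""
    issues = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLSv1_2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("peer certificate is not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        issues.append("hostname verification is disabled")
    return issues


def build_weak_context() -> ssl.SSLContext:
    """Constructed counter-example: every protection above switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", build_tls12_context()), ("weak", build_weak_context())):
        print(name, "->", audit_tls_context(ctx) or "ok")
```

Wrap a socket with `ctx.wrap_socket(sock, server_hostname=host)` from the hardened context; a peer offering only TLS 1.0/1.1 or an untrusted certificate then fails the handshake rather than silently downgrading.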