Compliant Product - Privileged Access Security-Digital Vault Server (EPV) version 10.4
Certificate Date: 2019.09.30
Validation Report Number: CCEVS-VR-VID11004-2019
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.2
CC Testing Lab: DXC.technology
CyberArk Privilege Access Security – Digital Vault Server Including Enterprise Password Vault (EPV) v10.4 is a core component of the CyberArk Privilege Access Security Solution (PAS), which comprises the Digital Vault Server (EPV), the Windows Components (CPM, PVWA and PSM) and the Linux Components (OPM and PSMP). The TOE manages storage of and access to the privileged accounts files created by the other PAS components.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which the CyberArk Privilege Access Digital Vault Server TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 4. DXC determined that the product is conformant to the requirements of the Protection Profile for Application Software, version 1.2, 04-22-2016. The product satisfies all of the security functional requirements stated in the Security Target. Two validators, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by DXC. The evaluation was completed on September 25, 2019. Results of the evaluation can be found in the Assurance Activity Report for CyberArk Privilege Access Security – Digital Vault Server Including Enterprise Password Vault (EPV) v10.4, prepared by DXC.
The CyberArk Privileged Access Security – Digital Vault Server Including Enterprise Password Security (EPV) v10.4 TOE implements the following security functions:
Cryptographic Support — The TOE implements the OpenSSL FIPS Object Module v2.0.14 with the CyberArk libraries to provide the following cryptographic services: encryption and decryption, hashing, digital signature generation and verification, key generation, and random number generation. The TOE uses TLS to protect communication between itself and an LDAP server as well as other PAS components in the operational environment. The TOE uses AES encryption and decryption to protect sensitive data at rest.
User Data Protection — The TOE encrypts all sensitive data stored in non-volatile memory. The TOE will limit its access to network connectivity when accessing the platform’s hardware resources. The network connection is used for communications between the TOE and its OE components. The connection is user-initiated from a PAS component. The TOE initiates the communication to the LDAP server.
Identification and Authentication — The TOE uses X.509v3 certificates for mutual authentication of TLS communications between itself and other PAS components in the operational environment. The TOE uses a certificate revocation list (CRL) to check certificate revocation status.
Security Management — The TOE provides the capability to manage its functions; it is not configured with default credentials; and it invokes mechanisms recommended by the platform vendor for storing and setting configuration options.
Protection of the TSF — The TOE implements anti-exploitation capabilities. It provides the capability to check for updates and protects the integrity of the installation and update processes. The TOE protects data in transit between itself and other trusted entities using encryption.
Trusted Path/Channels — The TOE uses TLS to provide a trusted channel to protect communication between itself and the LDAP server as well as communication with the PAS Windows Components (PSM, CPM, PVWA) and Linux Components (PSMP and OPM) in its operational environment. The TOE implements mutual authentication for trusted channel communication.
CyberArk Software Ltd.