Compliant Product - Micro Focus Data Protector Premium Edition, 2020.05 (A.10.70)
Certificate Date: 2020.05.26
Validation Report Number: CCEVS-VR-VID11048-2020
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.3
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The TOE is Micro Focus Data Protector Premium Edition, release 2020.05, software version A.10.70. Data Protector provides backup and restore functionality tailored for enterprise-wide and distributed environments. Data Protector is an enterprise-level software application for Windows. It includes cryptographic modules providing NIST-validated implementations of cryptographic functionality to support secure storage of credentials and secure communications with external IT entities. Data Protector restricts network connections to those required for it to perform its intended functions. Data Protector supports the use of X.509 certificates for authentication of TLS connections. Data Protector is implemented to utilize anti-exploitation capabilities provided by its execution environment. The application installation package and application updates are digitally signed by an authorized source.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.3 and Functional Package for Transport Layer Security (TLS), Version 1.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Micro Focus Data Protector Security Target. The evaluation was completed in May 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Data Protector incorporates OpenSSL to provide its cryptographic functionality.
Data Protector provides cryptographic mechanisms for symmetric encryption and decryption, cryptographic signature services, cryptographic hashing services, keyed-hash message authentication services, deterministic random bit generation seeded from a suitable entropy source, key establishment, and secure credential storage. The cryptographic mechanisms support TLS used for secure communication, both as client and server.
User Data Protection
Data Protector leverages the BitLocker functionality of its Windows platform to protect backed-up data written to disk on a Media Agent instance.
Data Protector does not access sensitive information repositories as defined and intended by the Protection Profile for Application Software, Version 1.3.
Data Protector restricts network communications to application-initiated network communication for scheduled backup and restore operations.
Identification and Authentication
The TOE supports the use of X.509 certificates for authentication of TLS connections.
The TOE will not accept a certificate if it is unable to determine the revocation status of the certificate.
Data Protector does not create credentials by default. The user logged into the underlying Windows system with admin privileges performs the installation and the TOE subsequently ensures only that user is able to run the TOE.
Data Protector does not collect Personally Identifiable Information (PII) from administrators or users.
Protection of the TSF
Data Protector uses only documented platform APIs.
Data Protector does not perform memory mapping to explicit addresses.
Data Protector does not make any memory mapping requests with both write and execute permissions.
Data Protector runs successfully with process exploit mitigations enabled on the underlying Windows Server platform.
Data Protector documentation describes the procedure for users to check for the availability of updates. Data Protector is packaged in the standard Windows Installer (.MSI) format and signed by a code-signing certificate.
Data Protector provides the ability to query the current version of the application software.
All data transmitted by Data Protector is assumed to be sensitive data.
A Data Protector instance uses TLS to protect all data it transmits to other Data Protector instances.
Micro Focus, LLC
+1 203 512 8057