Compliant Product - Acronis Cyber Backup 12.5 SCS Hardened Edition Server v12.5
Certificate Date: 2020.08.27
Validation Report Number: CCEVS-VR-VID11071-2020
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.3
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The TOE is Acronis Cyber Backup 12.5 SCS Hardened Edition Server v12.5. It is a standalone software application that runs on a Windows OS and provides a web-based centralized Management Console with customizable dashboards, advanced reporting, and auditing for managing backups. It includes cryptographic libraries providing NIST-approved implementations of cryptographic functionality to support secure communications with external IT entities. The TOE restricts network connections to those required for it to perform its intended functions, uses a digital signature to protect the integrity of the installation and update files, versions the software with SWID tags, and uses anti-exploitation capabilities such as not mapping memory to explicit addresses, file permission protections, and stack buffer overflow protections. It also secures remote access to its Management Console and communications between the TOE and Backup Agents.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.3 and Functional Package for Transport Layer Security (TLS), Version 1.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Acronis Cyber Backup 12.5 SCS Hardened Edition Server v12.5 Security Target. The evaluation was completed in August 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Acronis Cyber Backup includes the Acronis SCS Cryptographic Library that provides cryptographic mechanisms for encryption and decryption, cryptographic signature services, cryptographic hashing services, keyed-hash message authentication services, deterministic random bit generation seeded from a suitable entropy source, key establishment, and key generation. The cryptographic mechanisms support HTTPS and TLS used for secure communication. The TOE secures its sensitive data using the Windows Data Protection API.
User Data Protection
The TOE restricts its access to network connectivity provided by the platform’s hardware resources. Specifically, it will only use network connectivity for administrative actions over trusted paths to its Management Console and connections via trusted channels from Backup Agents in the TOE environment. The TOE accesses the platform’s system logs to store audit information and does not access any other sensitive information repositories.
Acronis Cyber Backup does not provide default credentials. It uses the existing administrator accounts on the platform for authentication. The TOE creates a group that is assigned to administrators and used to identify the accounts that have access. The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options. The TOE and its data are protected against unauthorized access by default file permissions.
The TOE does not collect or transmit Personally Identifiable Information (PII) from administrators or users.
Protection of the TSF
The TOE does not allocate memory with both write and execute permissions and does not write user-modifiable files to directories that contain executable files. The TOE is compiled with the /GS flag to enable stack-based buffer overflow protection and is compatible with the platform’s security features. The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE is versioned with SWID tags and provides the ability to check for updates to the application software.
The TOE is distributed as an additional software package to the platform OS. The TOE is packaged such that its removal results in the deletion of all traces of the application, except for configuration settings, output files, and audit/log events. The TOE does not download, modify, replace or update its own binary code.
The TOE provides trusted paths and trusted channels using its cryptographic functions. The TOE secures administrative communications using HTTPS to its Management Console. The TOE provides trusted communications channels between the TOE and Backup Agents using TLS v1.2.