Compliant Product - Acronis Cyber Backup 12.5 SCS Hardened Edition Agent v12.5
Certificate Date: 2020.08.27
Validation Report Number: CCEVS-VR-VID11072-2020
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1; Protection Profile for Application Software Version 1.3
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The TOE is Acronis Cyber Backup 12.5 SCS Hardened Edition Agent v12.5 and includes a separately installed version-check tool: Acronis SCS Version-check v1.8. The TOE is a standalone software application that runs on both Windows and Linux operating systems and is responsible for performing specific backup, recovery, replication, and data-manipulation tasks on its host machine. The version-check tool allows a user to query the current version of the TOE and will report if an update is available. Acronis Cyber Backup 12.5 SCS Hardened Edition supports application-aware backup and recovery features for Oracle database, Microsoft Office 365, Microsoft Exchange, Microsoft SQL Server, Microsoft SharePoint, and Microsoft Active Directory. It includes cryptographic libraries providing NIST-approved implementations of cryptographic functionality to support secure communications with the Management Server. The TOE restricts network connections to those required for it to perform its intended functions, uses a digital signature to protect the integrity of the installation and update files, versions the software with SWID tags, and uses anti-exploitation capabilities such as not mapping memory to explicit addresses, file permission protections, and stack buffer overflow protections.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.3 and Functional Package for Transport Layer Security (TLS), Version 1.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Acronis Cyber Backup 12.5 SCS Hardened Edition Agent v12.5 Security Target. The evaluation was completed in August 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Acronis Cyber Backup includes the Acronis SCS Cryptographic Library that provides cryptographic mechanisms for encryption and decryption, cryptographic signature services, cryptographic hashing services, keyed-hash message authentication services, deterministic random bit generation seeded from a suitable entropy source, key establishment, and key generation. The cryptographic mechanisms support TLS used for secure communication with the Management Server. The TOE secures its application token in the Windows Data Protection API (DPAPI) or the Linux keyring, depending on the OS.
User Data Protection
The TOE restricts its access to network connectivity provided by the platform’s hardware resources. Specifically, it will only use network connectivity for connections from itself to the Management Server, from itself to the CA server, and from itself to GitHub for version checking. The TOE does not access any of the platform’s sensitive information repositories.
Identification and Authentication
To facilitate secure communications using TLS, the TOE provides a mechanism to validate X.509v3 certificates as defined by RFC 5280. The TOE uses a CRL to check the certificate’s revocation status and will not permit certificates to be used when the CRL is not available or if the certificate is invalid.
The TOE does not provide default credentials. It uses the service accounts on the platform and does not have an authenticated user interface. The TOE does not provide any management features that write or change settings. Non-security-related settings are stored on the Management Server and are queried when performing tasks. The TOE and its data are protected against unauthorized access by default file permissions.
The TOE does not request, collect, or transmit Personally Identifiable Information (PII).
Protection of the TSF
The TOE does not allocate memory with both write and execute permissions and does not write user-modifiable files to directories that contain executable files. The TOE is compiled with the /GS flag to enable stack-based buffer overflow protection and is compatible with the platform’s security features. The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE is versioned with SWID tags and provides the ability to check for updates to the application software.
The TOE is distributed as an additional software package to the platform OS. The TOE is packaged such that its removal results in the deletion of all traces of the application, except for configuration settings, output files, and audit/log events. The TOE does not download, modify, replace or update its own binary code.
The TOE provides trusted channels using its cryptographic functions to encrypt transmitted sensitive data. The TOE secures communications using TLS v1.2 between itself and the Management Server.