Compliant Product - IBM MaaS360 2.106.500.016 Cloud Extender
Certificate Date: 2022.09.12
Documents: CC Certificate, Security Target, Validation Report
Validation Report Number: CCEVS-VR-VID11113-2022
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.3
CC Testing Lab: atsec information security corporation
The TOE is IBM MaaS360 version 2.106.500.016 Cloud Extender.
The TOE is a Microsoft Windows application installed within the customer’s network to enable services offered by the cloud-based multi-tenant platform MDM solution called the IBM MaaS360 Enterprise Mobility Management (EMM).
The TOE consists of a Microsoft Windows service called Core Installer and the following four Cloud Extender modules:
· Exchange Integration for Active Sync Devices Module
· Corporate Directory Authentication Module
· Corporate User Visibility Module
· Certificate Authority Module
The Exchange Integration for Active Sync Devices Module interacts with the Microsoft Exchange Server to automatically discover ActiveSync-connected devices and upload that device information to the MaaS360 Cloud.
The Corporate Directory Authentication Module interacts with Microsoft Active Directory and LDAP directories to provide user authentication for various MaaS360 functions, including self-service enrollment, MaaS360 Portal login, and the user management portal.
The Corporate User Visibility Module synchronizes user and group information from LDAP or Microsoft Active Directory to the MaaS360 SaaS (Software as a Service) application.
The Certificate Authority Module facilitates automatic provisioning, distribution and renewal of digital identity certificates to managed mobile devices using Certificate Authorities.
The TOE is software-only and consists of the application installer executable running on the following platform:
· Operating system: Microsoft Windows Server 2019 Standard version 1809 (x64)
· Hardware: Dell PowerEdge R740 with an Intel Xeon Gold 5118 processor (SkyLake microarchitecture).
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the IBM MaaS360 Cloud Extender was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R5. The evaluation methodology used by the evaluation team to conduct the evaluation was the Common Methodology for Information Technology Security Evaluation, Version 3.1 R5. The product, when delivered and configured as identified in the MaaS360 Cloud Extender Admin Guide and MaaS360 Cloud Extender Common Criteria and Operations Guide, meets the requirements of the Protection Profile for Application Software, Version 1.3 and the Functional Package for Transport Layer Security (TLS), Version 1.1.
The IBM MaaS360 Cloud Extender, together with the MaaS360 Cloud Extender Admin Guide and MaaS360 Cloud Extender Common Criteria Operations Guide, satisfies all the security functional requirements stated in the IBM MaaS360 2.105.500.16 Cloud Extender Security Target, version 1.4. The evaluation was subject to CCEVS Validator review. The evaluation was completed in August 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report number CCEVS-VR-VID11113-2022, prepared by CCEVS.
The TOE obtains cryptographic support from the Windows platform's cryptographic services, via the Cryptography API: Next Generation (CNG), for the following:
1. TLS connections: CNG is used by Secure Channel (SChannel), enabling the Cloud Extender to communicate with the Exchange Server, Domain Controller, and PKI Certificate Servers using HTTPS, limiting the protocol to TLS 1.2, and only using a subset of the TLS 1.2 ciphers.
2. Protecting data-at-rest using the Encrypted File System (EFS) for the directory that contains all configuration and log information.
3. Encrypting registry entries using the Data Protection Application Programming Interface (DPAPI).
4. Generating an Exchange Server certificate during the installation process.
The TOE ships with OpenSSL, which provides the following cryptographic services:
1. TLS connections to the MaaS360 Portal and SCEP certificate servers (HTTPS using cURL).
2. Encryption of configuration profiles stored in an EFS directory.
3. Device and user certificate generation for certificate signing requests sent to a SCEP server using the device and user templates. These requests are completed by the SCEP server, and the resulting certificates are returned to the TOE.
User Data Protection
The application provides user data protection by restricting its own access to only those platform resources (sensitive data repositories and network communications) that are needed to provide the application's functionality.
Sensitive application data is encrypted using the platform-provided Encrypted File System (EFS) services when stored in non-volatile memory, such as hard disk drives.
Identification and Authentication
The TOE supports TLS authentication using X.509 certificates, both within the application itself and through the platform API.
The TOE provides the ability to set various configuration options for the TOE. These options are stored in the Windows Registry and are protected using the Data Protection Application Programming Interface (DPAPI).
During installation, the files installed on the TOE platform are assigned appropriate file permissions, protecting the TOE and its data from unauthorized access.
Protection of the TOE Security Functionality
The TOE uses only documented Windows APIs. The TOE is packaged with third party libraries, which are listed in the Security Target, to provide supporting functionality. The TOE does not write user-modifiable files to directories that contain executable files.
The TOE is compiled by IBM with stack buffer overrun protection. The TOE is packaged and delivered in the Microsoft Windows Application Software (.EXE) format, signed with Microsoft SignTool.exe using the Microsoft Authenticode process.
The TOE also supports Address Space Layout Randomization (ASLR) and does not request memory mapping at explicit addresses.
The TOE protects all transmitted data between itself and another trusted IT product by using TLS v1.2 and HTTPS as trusted path/channels.
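As a check an administrator might run on the deployed Windows Server 2019 host (an added example, not part of this listing or of IBM's product), the following PowerShell verifies three of the claims above: the Authenticode signature on the delivered .EXE, the EFS attribute on the configuration and log directory, and the SChannel registry keys that keep CNG-backed connections on TLS 1.2. The installer and configuration directory paths are placeholders to be replaced with the real ones.

```powershell
# Added verification script; paths below are placeholders, not the product's real locations.
$InstallerPath = 'C:\PLACEHOLDER\CloudExtenderInstaller.exe'   # delivered, Authenticode-signed .EXE
$ConfigDir     = 'C:\PLACEHOLDER\CloudExtender\Config'          # EFS-protected configuration/log directory

# 1. Authenticode: the delivered executable must carry a valid signature.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
[pscustomobject]@{
    Check  = 'Authenticode signature'
    Result = $sig.Status                      # expect 'Valid'
    Signer = $sig.SignerCertificate.Subject   # confirm the expected publisher
}

# 2. EFS: every file under the configuration/log directory should carry the Encrypted attribute.
$unencrypted = @(Get-ChildItem -Path $ConfigDir -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
[pscustomobject]@{
    Check  = 'EFS on configuration directory'
    Result = if ($unencrypted.Count -eq 0) { 'All files encrypted' }
             else { "$($unencrypted.Count) unencrypted file(s): $($unencrypted.FullName -join ', ')" }
}

# 3. SChannel: TLS 1.2 client enabled and TLS 1.0/1.1 client disabled, so connections to the
#    Exchange Server, Domain Controller and PKI servers cannot negotiate an older protocol.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key   = Join-Path $base "$proto\Client"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key means the OS default applies; an explicit Enabled=0 / DisabledByDefault=1
    # on TLS 1.0 and 1.1 is what enforces the TLS 1.2-only claim at the platform level.
    [pscustomobject]@{
        Check             = "SChannel $proto client"
        Enabled           = if ($null -ne $props) { $props.Enabled } else { 'OS default' }
        DisabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { 'OS default' }
    }
}
```

The cipher-suite subset mentioned above is not checked here; it is governed by the SChannel cipher-suite order, which Get-TlsCipherSuite can list on Server 2019.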