NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Acronis SCS Cyber Backup 12.5 Hardened Edition Agent

Certificate Date:  2023.12.07

Validation Report Number:  CCEVS-VR-VID11329-2023

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.4

CC Testing Lab:  Leidos Common Criteria Testing Laboratory




Product Description

Acronis SCS Cyber Backup 12.5 Hardened Edition Agent (also known as Acronis SCS Backup Agent) is part of an advanced data protection solution that provides reliable backup and recovery of physical, virtual, and cloud workloads with a wide range of storage options. It may be used to protect data residing on-premises, in remote locations, in the cloud, and on mobile devices. Centralized and remote management of backups is performed via the Management Server’s web-based Management Console, with customizable dashboards, advanced reporting, and auditing. Backup Agents installed on protected platforms perform data backup and recovery of physical or virtual machines, hypervisors, applications, and mobile devices. Acronis SCS Backup Agent supports application-aware backup and recovery features for Oracle database, Microsoft Office 365, Microsoft Exchange, Microsoft SQL Server, Microsoft SharePoint, and Microsoft Active Directory.

Acronis SCS Backup Agent may be deployed in an on-premise or cloud configuration. With the on-premise configuration, the Management Server is installed on a customer’s local network. With the cloud configuration, it is installed in a secure Acronis Data Center.

Acronis SCS Backup Agent includes the Acronis SCS Cryptographic Library and Acronis SCS Protocol Library in both the Management Server and Backup Agents. They provide the underlying cryptographic and protocol functionality necessary to support the use of secure communications protocols, encrypted backups, and secure file sharing.

The scope of the evaluation was limited to the functional and assurance requirements specified in the Security Evaluation Summary, which are summarized under Environmental Strengths.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4 with the Functional Package for Transport Layer Security (TLS), Version 1.1 applied. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all the security functional requirements stated in the Acronis SCS Cyber Backup 12.5 Hardened Edition Server Security Target. The evaluation was completed in October 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

To ensure adequate resolution of all CVEs associated with the product, build number 17000 or higher must be used.


Environmental Strengths

Cryptographic Support

The TOE provides cryptographic functions to secure sessions between the Management Server and the TOE using TLS v1.2. The Acronis SCS Cryptographic Library and Acronis SCS Protocol Library are used to provide the required algorithms and protocols for all cryptographic operations. The TOE also stores its application token using the Windows Data Protection API (DPAPI) or the Linux keyring, depending on the OS.

User Data Protection

The TOE protects sensitive data in non-volatile memory according to the requirements in FCS_STO_EXT.1. The TOE restricts its access to network connectivity provided by the platform’s hardware resources. Specifically, it will only use network connectivity for connections from itself to the Management Server and from itself to the CA server. The TOE does not access any of the platform’s sensitive information repositories.

Identification and Authentication

To facilitate secure communications using TLS, the TOE provides a mechanism to validate X.509v3 certificates as defined by RFC 5280. The TOE uses a CRL to check the certificate’s revocation status and will not permit certificates to be used when the CRL is not available or if the certificate is invalid.

Security Management

The TOE does not provide default credentials. It uses the service accounts on the platform and does not have an authenticated user interface. The TOE does not provide any management features that write or change settings. Non-security-related settings are stored on the Management Server and are queried when performing tasks. The TOE and its data are protected against unauthorized access by default file permissions.

Privacy

The TOE does not transmit Personally Identifiable Information (PII).

Protection of the TSF

The TOE does not allocate memory with both write and execute permissions and does not write user-modifiable files to directories that contain executable files. The TOE is compiled with the /GS flag to enable stack-based buffer overflow protection on the Windows Agent and Stack Smashing Protector (SSP) on the Linux Agent. Both agents are compatible with their platform’s security features. The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE is versioned with SWID tags that comply with the minimum requirements from ISO/IEC 19770-2:2015 and provides the ability to check for updates to the application software.

The TOE is distributed as an additional software package to the platform OS. The TOE is packaged such that its removal results in the deletion of all traces of the application, except for configuration settings, output files, and audit/log events. The TOE does not download, modify, replace or update its own binary code.

Trusted Path/Channels

The TOE provides trusted channels using its cryptographic functions to encrypt transmitted sensitive data. The TOE secures communications using TLS v1.2 between itself and the Management Server.


Vendor Information


Acronis SCS
Vanessa Ogar
(480) 681-6878
vanessa.ogar@acronisscs.com

www.acronisscs.com