NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - HYCU for Enterprise Clouds

Certificate Date:  2024.01.17

Validation Report Number:  CCEVS-VR-VID11409-2024

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.2e

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: CC Guide HYCU for Enterprise Clouds Administrative Guide [PDF]

Administrative Guide: User Guide HYCU Data Protection for Enterprise Clouds [PDF]


Product Description

The TOE is the HYCU, Inc. HYCU for Enterprise Clouds. HYCU for Enterprise Clouds provides application-consistent and virtualization-native data protection, data migration and disaster recovery. HYCU for Enterprise Clouds allows administrators to protect and manage clusters of a virtualized infrastructure with one integrated interface.

HYCU for Enterprise Clouds is a TOE that is installed as a virtual machine. The deployed virtual machine is accessed via a web GUI.


Evaluated Configuration

The TOE is the HYCU for Enterprise Clouds virtual appliance and management access, LDAP/S, SMTP and DNS. The NTP, storage, and hypervisor are not included in the TOE.

The following environmental components are required to operate the TOE in the evaluated configuration:

The following product functionality is not included in the CC evaluation:

· Linux and Windows based targets (NFS/CIFS)
· Cloud-based targets (Google, Amazon, Azure)
· iSCSI targets
· File-level recovery
· Reporting
· Nutanix File Server Backup
· VMware Virtual Machine Backup and Physical Machine Backup
· Virtual Machine Backup for Nutanix (AHV and ESXi)
· Application Awareness and Backup (Microsoft Active Directory, Exchange, SQL Server, Oracle Database)
· SSH
· Mutually authenticated TLS
· Encrypted backups
· S3 Compatible Targets
· NTP time synchronization
· Web GUI certificate authentication


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the HYCU for Enterprise Clouds was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered configured as identified in the Common Criteria Guide, HYCU for Enterprise Clouds Administrative Guide, December 2023, satisfies all of the security functional requirements stated in the HYCU for Enterprise Clouds Security Target, Version 0.2.9, January 2024. The project underwent CCEVS Validator review. The evaluation was completed in January 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11409-2024) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the TOE are realized in the security functions it implements. Each of these security functions is summarized below.

 

Security Audit

HYCU for Enterprise Clouds provides extensive auditing capabilities. The TOE generates a comprehensive set of audit logs that identify specific TOE operations. For each event, the TOE records the date and time, the type of event, the subject identity, and the outcome. Auditable events include:

· failure on invoking cryptographic functionality such as establishment, termination and failure of cryptographic session establishments and connections
· modifications to the group of users that are part of the Authorized Administrator roles
· all use of the user identification mechanism
· any use of the authentication mechanism
· administrator lockout due to excessive authentication failures
· any change in the configuration of the TOE
· changes to time
· initiation of TOE update
· indication of completion of TSF self-test
· maximum sessions being exceeded
· termination of a remote or local session
· attempts to unlock a termination session
· initiation and termination of a trusted channel
· failure of the trusted channel functions
· initiation and termination of a trusted path
· failure of the trusted channel path

The TOE is configured to transmit its audit messages to an external audit server. Communication with the audit server is protected using TLS and the TOE can determine when communication with the audit server fails. If that should occur, the TOE will store all audit records locally and when the connection to the remote audit server is restored, all stored audit records will be transmitted to the remote audit server.

The audit logs can be viewed on the TOE. The records include the date/time the event occurred, the event/type of event, the user associated with the event, and additional information of the event and its success and/or failure. The TOE does not have an interface to modify audit records.

 

Cryptographic Support

The TOE utilizes TLS (via HTTPS, SMTP/S and LDAPS) to securely communicate, both with external services (audit server, authentication server, mail server) and external clients (HTTPS for GUI administration). Both RSA and ECDSA keys are supported. Cryptographic support is restricted to the approved set of algorithms using a combination of system-wide policies and application-specific configuration. Random bit generation is served by underlying OS facilities (/dev/random).

 

Identification and Authentication

The TOE allows the Administrator to securely login to the management interface using a username and password. Usernames and passwords can be managed within the TOE or delegated to an external authentication server (AD/LDAPS). A lockout period protects against repeated authentication failures. The TOE can be configured with a custom login banner.

The private key and certificate for the TLS server can be imported or generated on the TOE. The TOE can issue a certificate signing request to be signed by an external certificate authority and then imported for use by the TLS server.

Trusted roots can be imported to establish trust with external servers. The TOE validates certificates of external servers – invalid or untrusted certificates result in rejected communication attempts. Online Certificate Status Protocol can be used to manage revocation.

 

Security Management

The TOE is managed remotely via a web user interface. Some functionality requires local console access. Roles and groups (tenants) can be defined and the roles can be assigned to users. TOE management is scoped within a built-in “Infrastructure group”. The TOE restricts configuration of security-related functions to the Administrator role of the Infrastructure group.

The Administrator is able to perform the following security-related functions:

· start and stop services
· update the TOE
· modify the behavior of the transmission of audit data to an external IT entity
· manage the cryptographic keys
· configure the cryptographic functionality
· set the time which is used for time-stamps
· manage the TOE's trust store and designate X.509v3 certificates as trust anchors
· import X.509v3 certificates to the TOE's trust store
· configure the session inactivity time before session termination or locking
· ability to configure the authentication failure parameters for FIA_AFL.1
· ability to configure access banner
· ability to update the TOE, and to verify the updates using hash comparison capability prior to installing those updates
· ability to administer the TOE locally and remotely

Protection of the TSF

Passwords of TOE-managed users are stored in a non-reversible encoding in the internal database.

Private keys and passwords for external services are stored in an encrypted form within the TOE database. Password input is obscured by default (password reveal is optional).

The administrator can set the local TOE time using the console.

The TOE performs power-on self-tests to verify the integrity of the primary application server and supporting components. Self-tests can be performed on-demand.

The TOE has an update mechanism. Before performing updates, the administrator should manually validate the update image using the published hash available via HTTPS.

 

TOE Access

Idle sessions are terminated by the TOE after a configurable period of inactivity. In the web user interface, a short time before the inactivity period expires, a dialog is shown to notify of an impending session termination. The TOE lets the user sign out of their session on demand using a dedicated sign-out button (for web user interface) or the user can terminate the current shell (for the console).

The TOE can be configured with a custom login banner, for both the web user interface and the console.

 

Trusted Path/Channels

The TOE uses TLS to securely communicate with the following authorized IT entities:

· authentication server (Active Directory via LDAP/S)
· mail server (via SMTP/S)
· audit server (via HTTPS webhooks)

Administrator access to the web user interface is protected using TLS (via HTTPS).


Vendor Information


HYCU Inc.
Subbiah Sundaram
subbiah.sundaram@hycu.com

www.hycu.com