NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - One Identity Manager v8.1.5

Date of Maintenance Completion:  2022.01.27

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management - Identity and Credential Management Version 2.1

Original Evaluated TOE:  2020.02.04 - One Identity Manager v8.1

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

The following summarizes the new features and product improvements added to One Identity Manager between the previous One Identity Manager v8.1 evaluation and v8.1.5. The changes and the rationale for Minor verdicts are categorized and summarized as shown in the following table. There is some overlap between the categories.

Category

Justification for Minor Verdicts

Basic functionality

These changes are generally for functionality that is outside the TOE in the environment. Examples are switching to Azure SQL database and 2 Factor Authentication. The ESM TOE uses the Active Directory server in the environment for authentication. These changes result in no changes to the ST or guidance documentation, do not affect claimed security functionality, and have no effect on the result of any Assurance Activity test.

Web Applications

Examples include Hot Spot recognition, updates to connection wizards and formatting table columns. Changes to the Web Portal are not security related. These changes result in no changes to the ST or guidance documentation and have no effect on the result of any Assurance Activity test.

Target system connections

Adding support for separate products does not affect the claimed SFRs in the One Identity Manager Security Target or the claimed security functionality.

Identity and Access Governance

The ESM TOE uses the Active Directory authentication server in the environment. Examples of these changes: overview forms for application roles, and improved support for peer group analysis for attestation. These enhancements are not security relevant and do not affect the SFRs or the claimed security functionality. These features result in no changes to the ST or guidance documentation and have no effect on the result of any Assurance Activity test.

General Enhancements

Examples include performance improvements, protection from damaging SQL statements, and new field definitions. These enhancements do not affect the claimed security functionality. These features do not change the ST or guidance documentation and have no effect on the result of any Assurance Activity test.

General known issues Enhancement

Examples include updated support to the FileComponent and ScriptComponent processes. This enhancement is not security relevant and does not affect the SFRs or the claimed security functionality.

These updates result in no changes to the ST or guidance documentation and have no effect on the result of any Assurance Activity test.

General web applications Enhancement

Examples are improvements to correct database non-conformities with ONE, job queue processes, process parameters, and options to change shopping cart priorities. These changes are not security relevant and do not affect the SFRs or the claimed security functionality. These features result in no changes to the ST or guidance documentation and have no effect on the result of any Assurance Activity test.

Identity and Access Governance Enhancement

Examples are updates to business roles and resource assignments and password creation logs in the authentication server in the environment. These enhancements result in no changes to the ST or guidance documentation and have no effect on the result of any Assurance Activity test.

Deprecated features

The following features have been deleted from the product: Oracle Database is no longer supported, Google ReCAPTCHA Version 1 is no longer supported, and SvnComponent has been removed.

The MailNotification and DefaultCultureFormat configuration parameters are removed. Ten scripts have been removed because their functions are obsolete or no longer ensured:

           VI_Del_ADSAccountInADSGroup
           VI_GetDNSHostNameOfHardware
           VI_GetDomainsOfForest
           VI_GetServerFromADSContainer
           VI_Make_Ressource
           VID_CreateDialogLogin
           VI_Discard_Mapping
           VI_Export_Mapping
           VI_GenerateCheckList
           VI_GenerateCheckListAll

The tables in Appendix A are summarized from the IAR. The tables provide a brief explanation of the product changes. Each table categorizes changes for a particular product version: ONE v8.1.1, v8.1.2, v8.1.3, v8.1.4 and v8.1.5. Some of the changes from earlier versions are carried forward to later version tables. The redundant entries have been greyed out to make it easier to see what changed in each version. The validation team has reviewed the rationale for the changes being minor and agrees with the verdicts.

Vendor Information


One Identity LLC
Jeff Zupan
1-949-754-8000
jeff.zupan@oneidentity.com

www.oneidentity.com