Assurance Continuity - SailPoint IdentityIQ v8.2p2
Date of Maintenance Completion: 2022.05.04
CC Certificate, Validation Report, Assurance Activity
Product Type: Enterprise Security Management
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Enterprise Security Management - Identity and Credential Management Version 2.1
Original Evaluated TOE: 2020.05.08 - SailPoint IdentityIQ v8.0
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target *, Assurance Continuity Maintenance Report, Administrative Guide
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with this latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
Each of the changes to “SailPoint IdentityIQ v8.2p2” was analyzed to determine whether it fell into the categorization of “Major Changes” or “Minor Changes”. The conclusion was that all of the changes were minor and had either minor or no impact on the evaluated product.
The TOE was revised with the following changes in SailPoint IdentityIQ v8.2p2:
1. Hardware changes – none
2. Changes to the operating environment: The database used in the environment for the evaluated configuration has changed from Oracle 18c to Oracle 19c. The overall list of product-supported databases and cloud platforms has also changed, but Oracle 19c is the only one relevant to the evaluated configuration. Regression testing has been conducted by the vendor with the TOE using Oracle 19c as its remote database. These results were reviewed, and it was determined that the results were consistent with the previously validated TOE.
3. New features: Most of the new features were for functionality that is excluded from the evaluated configuration and have no impact on the TOE. For the new features with minor security impacts, the vendor has demonstrated that these new features are properly implemented by providing evidence of regression testing to demonstrate that the new features have not adversely affected the behavior of the TSF.
4. Changes to features that are not part of the evaluated configuration. Those changes did not impact the evaluated configuration.
5. Changes to connectors: There were changes to many of the connectors, and connectors to products that were deprecated were removed. The only connector that is relevant to the evaluated configuration is the Active Directory connector. The changes to the connector for Active Directory were shown to be for usage outside the scope of the evaluation and to not impact evaluated behaviour of the TOE.
6. Changes for Active Directory: The changes for Active Directory were explicitly identified as a separate category but were mostly related to new capabilities that are not part of the evaluated configuration. These were feature additions and modifications that had minor impact or no impact.
7. Bug fixes: The vendor provided a summary of the bug fixes. While there were numerous bug fixes, none of those bugs were identified in security-relevant behavior during initial validation testing. Most of the bug fixes were not considered to be security relevant because they represent changes to functionality that was not included as part of the TSF or were considered to be general performance/diagnostic/stability issues that were unrelated to security. Other bug fixes applied to issues that were at a lower level of detail than what was tested. In general, these bug fixes did not change how the TSF are performed; more precisely, they allow the TOE to continue to implement the TSF in a manner that is consistent with the Security Target. There were some bug fixes for vulnerabilities that were identified after the original evaluation and were fixed for this updated version of the product. Among those potential vulnerabilities, the only ones that would have been visible in a vulnerability search of the standard databases were found to be in third-party libraries and were fixed by updating to a new version of the library. Since the TOE only relies on the behavior of those libraries at the interfaces and those were not changed, the impact on the TOE for each of the vulnerability fixes was minor.
SailPoint Technologies, Inc.