NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Acronis SCS Cyber Backup 12.5 Hardened Edition Server

Certificate Date:  2023.10.19

Validation Report Number:  CCEVS-VR-VID11328-2023

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.4

CC Testing Lab:  Leidos Common Criteria Testing Laboratory


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: Acronis SCS Cyber Backup 12.5 Hardened Edition Server v12.5, Guidance Document Supplement - Document Version 0.5 [PDF]

Administrative Guide: Acronis Cyber Backup SCS 12.5 Update 4.7, User Guide [PDF]


Product Description

Acronis SCS Cyber Backup 12.5 Hardened Edition Server (also known as Acronis SCS Backup Server) is an advanced data protection solution that provides reliable backup and recovery of physical, virtual, and cloud workloads with a wide range of storage options. It may be used to protect data residing on-premises, in remote locations, in the cloud, and on mobile devices. Centralized and remote management of backups is performed via the Management Server’s web-based Management Console, with customizable dashboards, advanced reporting, and auditing. Backup Agents installed on protected platforms perform data backup and recovery of physical or virtual machines, hypervisors, applications, and mobile devices. Acronis SCS Backup Server supports application-aware backup and recovery features for Oracle database, Microsoft Office 365, Microsoft Exchange, Microsoft SQL Server, Microsoft SharePoint, and Microsoft Active Directory.

Acronis SCS Backup Server may be deployed in an on-premises or cloud configuration. With the on-premises configuration, the Management Server is installed on a customer’s local network. With the cloud configuration, it is installed in a secure Acronis Data Center.

Acronis SCS Backup Server includes the Acronis SCS Cryptographic Library and Acronis SCS Protocol Library in both the Management Server and Backup Agents. They provide the underlying cryptographic and protocol functionality necessary to support the use of secure communications protocols, encrypted backups, and secure file sharing.

The scope of the evaluation was limited to the functional and assurance requirements specified in the Security Evaluation Summary, which are summarized in the Environmental Strengths section.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4 with the Functional Package for Transport Layer Security (TLS), Version 1.1 applied. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all the security functional requirements stated in the Acronis SCS Cyber Backup 12.5 Hardened Edition Server Security Target. The evaluation was completed in September 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Cryptographic Support

The TOE provides cryptographic functions to secure sessions between the administrator workstation connecting via a web browser to the Management Console of the TOE using HTTPS and TLS v1.2. Cryptographic functions are also used to secure communications between the TOE and the Backup Agents in the TOE environment using TLS v1.2. The Acronis SCS Cryptographic Library and Acronis SCS Protocol Library are used to provide the required algorithms and protocols for all cryptographic operations. The TOE also stores its sensitive data in the Windows Data Protection API.

User Data Protection

The TOE protects sensitive data in non-volatile memory according to the requirements in FCS_STO_EXT.1. The TOE restricts its access to network connectivity provided by the platform’s hardware resources. Specifically, it will only use network connectivity for administrative actions over trusted paths to its Management Console and connections via trusted channels from Backup Agents in the TOE environment. The TOE accesses the platform’s system logs to store audit information and does not access any other sensitive information repositories.

Security Management

The TOE does not provide default credentials. It uses the existing administrator accounts on the platform for authentication. The TOE creates a group that is assigned to administrators and used to identify the accounts that have access. The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options. The TOE and its data are protected against unauthorized access by default file permissions.

Privacy

The TOE does not transmit Personally Identifiable Information (PII).

Protection of the TSF

The TOE does not allocate memory with both write and execute permissions and does not write user-modifiable files to directories that contain executable files. The TOE is compiled with the /GS flag to enable stack-based buffer overflow protection and is compatible with the platform’s security features. The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE is versioned with SWID tags that comply with the minimum requirements from ISO/IEC 19770-2:2015 and provides the ability to check for updates to the application software.

The TOE is distributed as an additional software package to the platform OS. The TOE is packaged such that its removal results in the deletion of all traces of the application, except for configuration settings, output files, and audit/log events. The TOE does not download, modify, replace or update its own binary code.

Trusted Path/Channels

The TOE provides trusted paths and trusted channels using its cryptographic functions. The TOE secures administrative communications using HTTPS over TLS v1.2 to its Management Console. The TOE provides trusted communications channels between the TOE and Backup Agents using TLS v1.2.


Vendor Information


Acronis SCS
Vanessa Ogar
+1 877 202 0240
infosec@acronisscs.com

www.acronisscs.com