NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Varonis Data Security Platform v8.6

Certificate Date:  2023.03.02

Validation Report Number:  CCEVS-VR-VID11336-2023

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.4

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: Varonis Data Security Platform v8.6 Common Criteria Configuration Guide [PDF]

Administrative Guide: Configure LDAPS on a Windows Server [PDF]

Administrative Guide: Configure TLSCipherSuites [PDF]

Administrative Guide: Data Security Platform Installation [PDF]

Administrative Guide: Enable exploit protection [PDF]

Administrative Guide: Enable Windows Defender Firewall with Advanced Search [PDF]

Administrative Guide: Importing Certificates [PDF]

Administrative Guide: SQL Server 2016 installation [PDF]

Administrative Guide: Installing BitLocker [PDF]

Product Description

The TOE is an application running on a general-purpose operating system. The TOE consists of a set of application binaries (executable runtimes, DLLs, etc.), web-based UIs, configuration files, and data that correspond with the application components discussed in the ST. The TOE leverages the Windows platform to secure connectivity with third party products using TLS/HTTPS. In addition, the Windows platform provides the secure TLS/HTTPS functionality as necessary to protect the trusted path to TOE administrators.

The TOE is evaluated on the Microsoft Windows Server 2019 build 10 (also known as version 1809) platform.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Varonis Data Security Platform was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered configured as identified in the Varonis Data Security Platform v8.6 Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Varonis Data Security Platform v8.6 Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in March 2023.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Logical Scope of the TOE

The TOE provides the security functions required by [SWAPP].

Cryptographic Support

The Microsoft Windows Server 2019 platform provides TLS/HTTPS functionality for users communicating with the TOE via its remote web interfaces, as well as TLS/HTTPS connections from the TOE to third party devices including Microsoft Active Directory and Microsoft SharePoint.

The TOE invokes the platform cryptography for secure credential storage including database connection strings, credentials for third party applications, and X.509 certificates and keypairs.

There are no cryptographic algorithms implemented within the TOE.

User Data Protection

Access to TOE platform resources is restricted to network communications and application logs. The TOE initiates communications to third party applications and allows initiation to the TOE from remote users for management.

The TOE leverages the Windows platform to securely store sensitive data.

Security Management

The TOE stores configuration data using the recommended platform configuration storage mechanisms.

The TOE provides no access to any TSF functionality by default. No credentials are provided with the application on a default install and must be configured during the TOE installation process.

The TOE’s binary and data files are protected with file permissions that prevent modification from unprivileged users.

The TOE is managed by the DatAdvantage Management Console, DatAdvantage UI, DatAdvantage Web, and DataPrivilege Web.


The TOE does not transmit PII.

Protection of the TSF

The TOE uses only documented platform APIs and third-party libraries as specified in the ST.

The TOE does not request memory mapping at any explicit addresses, does not allocate any memory regions with both write and execute permissions, and does not write user-modifiable files to directories containing executable files. The TOE is built with stack-based buffer overflow protection enabled, and is compatible with the platform security features.

Application Note: This requirement applies only to PII that is specifically requested by the application; it does not apply if the user volunteers PII without prompting from the application into a general (or inappropriate) data field. A dialog box that declares intent to send PII presented to the user at the time the application is started is sufficient to meet this requirement.


The evaluator shall inspect the TSS documentation to identify functionality in the application where PII can be transmitted.


If require user approval before executing is selected, the evaluator shall run the application and exercise the functionality responsibly for transmitting PII and verify that user approval is required before transmission of the PII.

Updates to the TOE are performed manually by the TOE administrator. The TOE provides the ability to check for updates and verify the currently installed version. All TOE installation and update files are distributed in an executable format supported by Windows and binaries are signed to provide integrity of the update file.

Evaluation Activity

The evaluator will inspect every native executable included in the TOE to ensure that stack-based buffer overflow protection is present.

Application Note: This requirement is about the ability to "check" for updates. The actual installation of any updates should be done by the platform. This requirement is intended to ensure that the application can check for updates provided by the vendor, as updates provided by another source may contain malicious code.


The evaluator shall check to ensure the guidance includes a description of how updates are performed.


The evaluator shall check for an update using procedures described in either the application documentation or the platform documentation and verify that the application does not issue an error. If it is updated or if it reports that no update is available this requirement is considered to be met.

SWID tags are used to uniquely identify the TOE binaries.

Trusted Path/Channels

The TOE invokes the Windows platform to encrypt transmitted data between itself and third-party systems using TLS/HTTPS.

Vendor Information

Varonis Systems, Inc.
Ilan Caner
Site Map              Contact Us              Home