Compliant Product - Veeam ONE v12
Certificate Date: 2023.08.18
Validation Report Number: CCEVS-VR-VID11371-2023
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.4
CC Testing Lab: Leidos Common Criteria Testing Laboratory
Administrative Guide: Veeam ONE v12 Common Criteria Evaluated Configuration Guide (CCECG)
Administrative Guide: Reporting Guide
Administrative Guide: Quick Start Guide
Administrative Guide: Monitoring Guide
Administrative Guide: Deployment Guide
Administrative Guide: CC Hardening Guide for 12a
The Target of Evaluation (TOE) is Veeam ONE v12. The TOE provides a monitoring and analytics solution for backup, virtual and physical environments, providing support for Veeam Backup & Replication™ and Veeam Agents, as well as VMware, Hyper-V and Nutanix AHV.
Veeam ONE v12 is a software application. In its evaluated configuration, it is installed on an instance of Microsoft Windows Server 2019 executing on an x86-64 processor with the following additional software components, which are included in the Veeam ONE setup package:
• Microsoft .NET Framework 4.7.2 or later
• Microsoft .NET Core Runtime 3.1.16
• Microsoft Visual C++ 2015-2019 Redistributable (x64)
• Microsoft System CLR Types for SQL Server 2014
• Microsoft SQL Native Client 2012
• Microsoft SQL Server 2014 Management Objects
• Microsoft SQL Server 2012 Management Objects
• Microsoft OLE DB Driver for SQL Server
• Microsoft XML 6.0 Parser and SDK
• Microsoft ASP.NET Core Shared Framework 3.1.16
• Microsoft Universal C Runtime
• Microsoft SQL Server 2016 (Microsoft SQL Server 2016 Express edition is included in Veeam ONE setup).
The TOE additionally requires Microsoft SQL Server installed on the same host platform and a workstation with a web browser to connect to the TOE’s user interface.
The TOE connects to an instance of the separately evaluated Veeam Backup and Replication (VBR) software to retrieve event logs of backup and recovery tasks performed by VBR and infrastructure information of the hosts to which VBR connects.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Veeam ONE v12 Security Target, Version 1.6, 9 July 2023. The evaluation was completed in August 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11371-2023) prepared by CCEVS.
The TOE invokes platform-provided cryptography to protect data at rest and in transit.
User Data Protection
The TOE accesses the minimum amount of Windows Server hardware and data in order to perform its function. The TOE stores database connectivity information in the Windows Registry and stores other TOE configuration information in the SQL Server database.
Both the TOE binary components themselves and the configuration settings they use are stored in locations recommended for Microsoft Windows Server.
The TOE includes a console user interface (UI). Users must log in to Windows and have permissions to access the UI in order to access the TOE.
Administrators may configure which VBR instances have their Event Logs analyzed by the TOE, and access reports resulting from that analysis.
The TOE does not process any personally identifiable information (PII).
Protection of the TSF
The TOE enforces various mechanisms to prevent itself from being used as an attack vector against its Windows platform. The TOE implements address space layout randomization (ASLR), does not allocate any memory with both write and execute permissions, does not write user-modifiable files to directories that contain executable files, and is compatible with the Windows Defender security features of its host platform.
The TOE contains libraries and invokes system APIs that are well known and explicitly identified.
The TOE has a mechanism to display its current software version. The TOE can be used to determine if software updates for it are available. If so, an administrator uses out-of-band mechanisms to acquire, validate, and install the update securely.
The TOE developer provides a secure mechanism for receiving reports of security flaws. Product vulnerabilities are tracked and addressed. Availability of updates is announced via email sent to customers as well as via the Veeam website.
The TOE protects data in transit with remote administrators by invoking the platform-provided IIS.
Veeam Software Corporation
Jose R. Mendoza