SERTIT, P.O. Box 814, N-1306 Sandvika, NORWAY Phone: +47 67 86 40 00 Fax: +47 67 86 40 09 E-mail: post@sertit.no Internet: www.sertit.no Sertifiseringsmyndigheten for IT-sikkerhet Norwegian Certification Authority for IT Security SERTIT-063 CR Certification Report Issue 1.0 09 December 2015 Good Work System CERTIFICATION REPORT - SERTIT STANDARD REPORT TEMPLATE SD 009E VERSION 1.1 01.07.2015 Good Work System EAL 4 augmented with ALC_FLR.1 Page 2 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY SERTIT, the Norwegian Certification Authority for IT Security, is a member of the above Arrangement and as such this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement The judgements contained in the certificate and Certification Report are those of SERTIT which issued it and the evaluation facility (EVIT) which carried out the evaluation. There is no implication of acceptance by other Members of the Agreement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party. [*] "The Common Criteria Recognition Arrangement logo printed on the certificate indicates that this certification is recognised under the terms of the CCRA May 23rd 2000. The recognition under CCRA is limited EAL 4 and ALC_FLR CC part 3 components." Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 3 of 18 Contents 1 Certification Statement 4 2 Abbreviations 5 3 References 6 4 Executive Summary 7 4.1 Introduction 7 4.2 Evaluated Product 7 4.3 TOE scope 7 4.4 Protection Profile Conformance 8 4.5 Assurance Level 8 4.6 Security Policy 8 4.7 Security Claims 8 4.8 Threats Countered 8 4.9 Threats and Attacks not Countered 9 4.10 Environmental Assumptions and Dependencies 9 4.11 Security Objectives for the TOE 9 4.12 Security Objectives for the environment 10 4.13 Security Functional Components 10 4.14 Evaluation Conduct 11 4.15 General Points 11 5 Evaluation Findings 13 5.1 Introduction 13 5.2 Delivery 13 5.3 Installation and Guidance Documentation 13 5.4 Misuse 13 5.5 Vulnerability Analysis 13 5.6 Developer’s Tests 14 5.7 Evaluators’ Tests 14 6 Evaluation Outcome 15 6.1 Certification Result 15 6.2 Recommendations 15 Annex A: Evaluated Configuration 16 TOE Identification 16 TOE Documentation 16 TOE Configuration 18 Good Work System EAL 4 augmented with ALC_FLR.1 1 Certification Statement Good Technology Corporation's Good Work System is an end to end solution for securing and managing email, calendar, contact, presence, instant messaging, secure browsing and other mobile applications. Good Work System (for versions see chapter 4.2) has been evaluated under the terms of the Norwegian Certification Scheme for lT Security and has met the Common Criteria Part 3 (lSO/lEC 15408) conformant components of Evaluation Assurance Level EAL 4 augmented with ALC_FLR.1 for the specified Common Criteria Part 2 (lSO/lEC 15408) extended functionality when running on the platforms specified in Annex A. Author iRage, Arne Høye I I ,t ta ' ( tu( ['l'(4r.r,i,k** QualityAssurance LarsBorgos ,4 ,/ ,'t " ''LLt ' ltz7"'' Quality Assurance'L' / Approved Date approved Øystein Hole Head of SERTIT oe-D;;rb;r ro i5 M^t+dl* SERTIT-063 CR lssue 1.0 09 December 2015 Page 4 of 18 Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 5 of 18 2 Abbreviations CC Common Criteria for Information Technology Security Evaluation(ISO/IEC 15408) CCRA Arrangement on the Recognition of Common Criteria Certificates in the Field of Information Technology Security CEM Common Methodology for Information Technology Security Evaluation EAL Evaluation Assurance Level EOR Evaluation Observation Report ETR Evaluation Technical Report EVIT Evaluation Facility under the Norwegian Certification Scheme for IT Security EWP Evaluation Work Plan ISO/IEC 15408 Information technology –- Security techniques –- Evaluation criteria for IT security POC Point of Contact QP Qualified Participant SERTIT Norwegian Certification Authority for IT Security SPM Security Policy Model ST Security Target TOE Target of Evaluation TSF TOE Security Functions TSP TOE Security Policy Good Work System EAL 4 augmented with ALC_FLR.1 Page 6 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 3 References [1] Security Target Release 1.0 for Good Work System, 22 October 2015. [2] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, CCMB-2012-09-001, Version 3.1 R4, September 2012. [3] Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, CCMB-2012-09-002, Version 3.1 R4, September 2012. [4] Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, CCMB-2012-09-003, Version 3.1 R4, September 2012. [5] The Norwegian Certification Scheme, SD001E, Version 9.0, 02 April 2013. [6] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, CCMB-2012-09-004, Version 3.1 R4, September 2012. [7] ETR for the evaluation project SERTIT-063, v.1.1, November 12, 2015. [8] Good Work Security Best Practices, v1.1, October 19, 2015 [9] Good Work Common Criteria Supplement, v.1.4. Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 7 of 18 4 Executive Summary 4.1 Introduction This Certification Report states the outcome of the Common Criteria security evaluation of Good Work System (for versions see chapter 4.2) to the sponsor/developer, Good Technology Corporation, and is intended to assist prospective consumers when judging the suitability of the IT security of the product for their particular requirements. Prospective consumers are advised to read this report in conjunction with the Security Target[1] which specifies the functional, environmental and assurance evaluation components. 4.2 Evaluated Product The evaluated product is Good Work System. Product version numbers included in this evaluation:  Good Work Client for iOS: 1.5.3.247  Good Work Client for Android: 1.5.3.162  Good Access Client for iOS: 2.4.3.734  Good Access Client for Android: 2.4.3.657  Good Dynamics SDK for iOS: 2.0.4413  Good Dynamics SDK for Android: 2.0.1226  Good Connect Client for iOS: 2.3.10.0.458445.12  Good Connect Client for Android: 2.3.10.0.456604.571  Good Control Server: 2.0.3.11  Good Proxy Server: 2.0.3.7  Good Enterprise Mobility Server: 1.5.35.45 This product is described in this report as the Target of Evaluation (TOE). The developer was Good Technology Corporation Details of the evaluated configuration, including the TOE’s supporting guidance documentation, are given in Annex A. 4.3 TOE scope The scope of the evaluation includes software that forms the TOE and the TOE security functions that are stated in the Section 7 of the Security Target for Good Work System. The following product features have been excluded from the CC evaluated configuration:  Windows clients are not part of this evaluation  Domino server interface to GEMS is not supported in this evaluation  Cloud service is not part of this evaluation Good Work System EAL 4 augmented with ALC_FLR.1 Page 8 of 18 SERTIT-063 CR Issue 1.0 09 December 2015  GFE Client is not part of this evaluation (GFE is covered under separate evaluation). The settings are described in the document Good Work Security Best Practices[8]. 4.4 Protection Profile Conformance The Security Target[1] did not claim conformance to any protection profile. 4.5 Assurance Level The Security Target[1] specified the assurance components for the evaluation. Predefined evaluation assurance level EAL 4 augmented with ALC_FLR.1 was used. Common Criteria Part 3[4] describes the scale of assurance given by predefined assurance levels EAL1 to EAL7. An overview of CC is given in CC Part 1[2]. 4.6 Security Policy The TOE security policies are detailed in the ST[1], chapter 3. 4.7 Security Claims The Security Target[1] fully specifies the TOE’s security objectives, the threats and policies which these objectives counter and security functional components and security functions to elaborate the objectives. Most of the SFR’s are taken from CC Part 2[3]; use of this standard facilitates comparison with other evaluated products. The extended security functional components and the rationale are detailed in the ST[1], chapter 5. 4.8 Threats Countered  TT.Eavesdropping: Malicious actor(s) eavesdropping on intelligible information on mobile devices, and/or data communications in transit between mobile devices.  TT.Theft: A malicious actor or an unauthorized user may get access to corporate information on the mobile device, by theft and/or loss of mobile devices.  TT.Tampering: An unauthorized user or process may be able to bypass the TOE’s security mechanisms by tampering with the TOE or TOE environment.  TT.Access_Info: A malicious actor passes off as a mobile device user, and erases the corporate information on the mobile device.  TT.Mod_Conf: A malicious actor or an unauthorized user may modify the TOE configuration to gain unauthorized access to mobile devices. Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 9 of 18 4.9 Threats and Attacks not Countered No threats or attacks that are not countered are described. 4.10 Environmental Assumptions and Dependencies  A.Install: The TOE has been installed and configured according to the appropriate installation guides, and all traffic between clients and servers flows through it.  A.Manage: There is one or more competent individual (administrator) assigned to manage the TOE and the security of the information it contains.  A.No_Evil: The administrators of the TOE are non-hostile, appropriately trained, and follow all guidance.  A.Locate: The processing resources of the TOE servers will be located within controlled access facilities, which will prevent unauthorized physical access. 4.11 Security Objectives for the TOE  O.Secure_Communications: The TOE shall use secure communications functions to maintain the confidentiality and allow for detection of modification of user data that is transmitted to the TOE.  O.Protect: The TOE must ensure the integrity of audit, system data and corporate information by protecting itself from unauthorized modifications and access to its functions and data, and preserve correct operations during specified failure events.  O.Admin: The TOE must include a set of functions that allow management of its functions and data, ensuring that TOE administrators with the appropriate training and privileges and only those TOE administrators, may exercise such control.  O.Authenticate_Admin: The TOE must be able to identify and authenticate administrators prior to allowing access to TOE administrative functions and data.  O.Authenticate_User: The TOE must be able to identify and authenticate users prior to allowing access to Good applications and data.  O.Audit: The TOE must record the actions taken by administrators, prevent unauthorized deletion of the audit records stored on the TOE, and provide the authorized administrators with the ability to review the audit trail.  O.Access_Int: The TOE must allow access to server resources on protected/internal network only as defined by the Access Control SFP. Good Work System EAL 4 augmented with ALC_FLR.1 Page 10 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 4.12 Security Objectives for the environment  OE.Secure_Communications: The Operational Environment will provide secure communications functions to the TOE including encryption and decryption functions.  OE.Manage: Sites deploying the TOE will provide competent, non- hostile TOE administrators who are appropriately trained and follow all administrator guidance. TOE administrators will ensure the system is used securely. The reliability of the TOE’s timestamps will be ensured via periodic manual checks by the TOE administrator.  OE.Physical: The physical environment must be suitable for supporting TOE servers in a secure setting.  OE.Install: Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which is consistent with IT security.  OE.Person: Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the TOE. 4.13 Security Functional Components Security Audit  FAU_GEN.1 Audit data generation  FAU_GEN.1B Client audit data generation  FAU_GEN.2 User identity association User Data Protection  FDP_ACC.1A Subset access control - Administrator  FDP_ACC.1B Subset access control - User  FDP_ACF.1A Security attribute based access control - Administrator  FDP_ACF.1B Security attribute based access control - User  FDP_ITC.2 Import of user data with security attributes  FDP_SWA_EXP.1 Secure web access  FDP_CDD_EXP.1 Client Data Deletion Identification and Authentication  FIA_AFL.1 Authentication failure handling  FIA_ATD.1 User attribute definition  FIA_UAU.1A Timing of authentication - Administrator  FIA_UAU.1B Timing of authentication - User  FIA_UID.1 Timing of identification  FIA_USB.1 User-subject binding Security Management  FMT_MOF.1A Management of security functions behaviour - Administrator  FMT_MOF.1B Management of security functions behaviour - User Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 11 of 18  FMT_MSA.1A Management of Security Attributes - Administrator  FMT_MSA.1B Management of Security Attributes - User  FMT_MSA.3A Static Attribute Initialisation - Administrator  FMT_MSA.3B Static Attribute Initialisation - User  FMT_SMF.1A Specification of management functions - Administrator  FMT_SMF.1B Specification of management functions - User  FMT_SMR.1 Security roles Protection of the TSF  FPT_ITT_EXP.1 Basic internal TSF data transfer protection  FPT_STM.1 Reliable time stamps  FPT_TDC.1 Inter-TSF basic TSF data consistency Trusted Channel/Path  FTP_ITC_EXP.1 Inter-TSF trusted channel  FTP_TRP_EXP.1 Inter-TSF trusted path 4.14 Evaluation Conduct The evaluation was carried out in accordance with the requirements of the Norwegian Certification Scheme for IT Security as described in SERTIT Document SD001E[5]. The Scheme is managed by the Norwegian Certification Authority for IT Security (SERTIT). As stated on page 2 of this Certification Report, SERTIT is a member of the Arrangement on the Recognition of Common Criteria Certificates in the Field of Information Technology Security (CCRA), and the evaluation was conducted in accordance with the terms of this Arrangement. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target[1], which prospective consumers are advised to read. To ensure that the Security Target[1] gave an appropriate baseline for a CC evaluation, it was first itself evaluated. The TOE was then evaluated against this baseline. Both parts of the evaluation were performed in accordance with CC Part 3[4] and the Common Evaluation Methodology (CEM)[6]. SERTIT monitored the evaluation which was carried out by the Advanced Data Security Commercial Evaluation Facility (EVIT). The evaluation was completed when the EVIT submitted the Evaluation Technical Report (ETR)[7] to SERTIT in 12 November 2015. SERTIT then produced this Certification Report. 4.15 General Points The evaluation addressed the security functionality claimed in the Security Target[1] with reference to the assumed operating environment specified by the Security Target[1]. The evaluated configuration was that specified in Good Work System EAL 4 augmented with ALC_FLR.1 Page 12 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 Annex A. Prospective consumers are advised to check that this matches their identified requirements and give due consideration to the recommendations and caveats of this report. Certification does not guarantee that the IT product is free from security vulnerabilities. This Certification Report and the belonging Certificate only reflect the view of SERTIT at the time of certification. It is furthermore the responsibility of users (both existing and prospective) to check whether any security vulnerabilities have been discovered since the date shown in this report. This Certification Report is not an endorsement of the IT product by SERTIT or any other organization that recognizes or gives effect to this Certification Report, and no warranty of the IT product by SERTIT or any other organization that recognizes or gives effect to this Certification Report is either expressed or implied. Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 13 of 18 5 Evaluation Findings 5.1 Introduction The evaluation addressed the requirements specified in the Security Target[1]. The results of this work were reported in the ETR[7] under the CC Part 3[4] headings. The following sections note considerations that are of particular relevance to either consumers or those involved with subsequent assurance maintenance and re-evaluation of the TOE. 5.2 Delivery On receipt of the TOE, the consumer is recommended to check that the evaluated version has been supplied, and to check that the security of the TOE has not been compromised in delivery. The delivery and acceptance procedures are described in section 6 of the document Good Work Common Criteria Supplement document[9]. 5.3 Installation and Guidance Documentation Installation of the TOE must be performed completely in accordance with all the documents that comprise the administrator guidance, user guidance and installation guidance provided by the developer. These documents are a collection of all security relevant operations and settings that must be observed to ensure that the TOE operates in a secure manner. 5.4 Misuse There is always a risk of intentional and unintentional misconfigurations that could possibly compromise confidential information. Users of the TOE should follow the guidance for the TOE in order to ensure that it operates in a secure manner. The guidance documents adequately describe the mode of operation of the TOE, all assumptions about the intended environment and all requirements for external security. Sufficient guidance is provided for the consumer to effectively use the TOE’s security functions. 5.5 Vulnerability Analysis The Evaluators’ vulnerability analysis was based on both public domain sources and the visibility of the TOE given by the evaluation process. The evaluators have searched for potential vulnerabilities and penetration tests have been devised and performed. The evaluators have not found any exploitable vulnerabilities or residual vulnerabilities in the TOE. Good Work System EAL 4 augmented with ALC_FLR.1 Page 14 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 5.6 Developer’s Tests The evaluators have examined the developers test plan and determined that it describes the scenarios for performing each test, including any ordering dependencies on results of other tests. The test plan provides information about the test configuration being used: both on the configuration of the TOE and on any test equipment being used, as well as information about how to execute the tests. All TSFIs are covered by the developer’s tests. 5.7 Evaluators’ Tests The evaluators have deviced a test subset and testing strategy with the intent to cover the TSFI, Security Functions, subsystems and modules to the maximum extent possible. The independent tests concentrated on critical functionality of the TOE, and all tests are passed. Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 15 of 18 6 Evaluation Outcome 6.1 Certification Result After due consideration of the ETR[7], produced by the Evaluators, and the conduct of the evaluation, as witnessed by the Certifier, SERTIT has determined that Good Work System (for versions see chapter 4.2) meet the Common Criteria Part 3 conformant components of Evaluation Assurance Level EAL 4 augmented with ALC_FLR.1 for the specified Common Criteria Part 2 extended functionality, in the specified environment, when running on platforms specified in Annex A. 6.2 Recommendations Prospective consumers of Good Work System (for versions see chapter 4.2) should understand the specific scope of the certification by reading this report in conjunction with the Security Target[1]. The TOE should be used in accordance with a number of environmental considerations as specified in the Security Target. Only the evaluated TOE configuration should be installed. This is specified in Annex A with further relevant information given above in Section 4.3 “TOE Scope” and Section 5 “Evaluation Findings”. The TOE should be used in accordance with the supporting guidance documentation included in the evaluated configuration. Good Work System EAL 4 augmented with ALC_FLR.1 Page 16 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 Annex A: Evaluated Configuration TOE Identification The TOE consists of:  Good Work Client for iOS: 1.5.3.247  Good Work Client for Android: 1.5.3.162  Good Access Client for iOS: 2.4.3.734  Good Access Client for Android: 2.4.3.657  Good Dynamics SDK for iOS: 2.0.4413  Good Dynamics SDK for Android: 2.0.1226  Good Connect Client for iOS: 2.3.10.0.458445.12  Good Connect Client for Android: 2.3.10.0.456604.571  Good Control Server: 2.0.3.11  Good Proxy Server: 2.0.3.7  Good Enterprise Mobility Server: 1.5.35.45 TOE Documentation The supporting guidance documents evaluated were: [a] [1] Security Target Release 1.0 for Good Work System, 22 October 2015 [b] Good Work Product Guide, Version 1.4 [c] Determining Versions of Good Work Servers and Clients Document (Dec. 3, 2014) [d] Good Work Software Development Tools Document (January 22, 2015) [e] Good Technology Acceptable User Policy, v3.1 [f] Good Work Common Criteria Supplement, Version: 1.4 [g] Collaboration - Good Connect Client Licenses Document [h] Open Source Components Document [i] Collaboration - Good 3 Client Licenses – Android Document [j] Collaboration - Good 3 Client Licenses – iOS Document [k] GMA on GD - Approved Open Source Licenses Document [l] GEMS Third Party Library Inventory Document [m] Good Work Exchange Active Sync Security and Guidance document, Version 0.1 [n] Good Work Cloud Deployment Guide, Version 1.0 [o] Good Work iOS User's Guide, v1.4.3, May 19, 2015 [p] Good Work iOS Release Notes, Version 1.1.1 [q] Good Work Android User's Guide, Version 1.0 [r] Good Work Android Release Notes, Version 1.1.1 [s] Good Access Secure Browser Product Guide, Version 2.1 [t] Good Access Release Notes – iOS, Version 2.1 [u] Good Access Release Notes – Android, Version 2.1 [v] Presence API Specification document, Version 1.0 Good Work System EAL 4 augmented with ALC_FLR.1 SERTIT-063 CR Issue 1.0 09 December 2015 Page 17 of 18 [w] Good Dynamics Direct Connect, Version 1.8 [x] Good Work Security White Paper, Version 1.02, October 23, 2015 [y] Good Dynamics Server Deployment Planning and Installation Guide, Version 1.8 (Oct. 21, 2014) [z] Good Dynamics Kerberos Constrained Delegation, Version 1.8 [æ] Good Control Web Services, June 8, 2015 [GD_Web] [ø] Good Control Console Online Help, Version 1.8 [å] Good Dynamics Backup and Restore, Version 1.8 [aa] Good Dynamics Easy Activation Feature Overview, Version 1.8 [bb] Good Control Cloud Online Help, Version 1.8 [cc] Good Dynamics Secure Mobile Platform for Administrators and Developers [dd] GEMS Deployment Planning Guide, v2.4 Product Version: 1.4, Doc Rev 3.5.1, June 15, 2015 [ee] GEMS Installation and Configuration Guide, v2.6 Product Version: 1.4, Doc Rev 3.12.2, Last Updated: June 12, 2015 [ff] GEMS Release Notes, Version 1.1 [gg] Good Connect User Guide – iOS, Version 2.0 [hh] Good Connect User Guide – Android, Version 2.0 [ii] Good Access Release Notes – Android, V. 2.1 (Nov. 3, 2014) [jj] Good Access Release Notes – iOS, V. 2.1 (Nov. 3, 2014) [kk] Good Dynamics: Good Proxy 1.8.42.11 Release Notes (Dec. 22, 2014) [ll] Good Dynamics Direct Connect Feature Summary and Configuration Guide, 2014 [mm] Good Dynamics Security White Paper, GD Version 1.6 [nn] Good Dynamics Introducing Good Dynamics, 2013 [oo] Good Work Security Best Practices, v1.1, October 19, 2015 [pp] Good Control Web Services, June 8, 2015 [GD_Web] Good Work System EAL 4 augmented with ALC_FLR.1 Page 18 of 18 SERTIT-063 CR Issue 1.0 09 December 2015 TOE Configuration The following configuration was used for testing: