EMC® ViPR® SRM 4.0 Security Target
Evaluation Assurance Level (EAL): EAL2+
Doc No: 1915-000-D102
Version: 1.1
10 August 2016
EMC Corporation
176 South Street
Hopkinton, Massachusetts 01748
Prepared by:
EWA-Canada
1223 Michael Street
Ottawa, Ontario, Canada
K1J 7T2
CONTENTS
1 SECURITY TARGET INTRODUCTION ........ 1
1.1 DOCUMENT ORGANIZATION ........ 1
1.2 SECURITY TARGET REFERENCE ........ 1
1.3 TOE REFERENCE ........ 1
1.4 TOE OVERVIEW ........ 2
1.4.1 Analysis ........ 2
1.4.2 Optimization ........ 2
1.5 TOE DESCRIPTION ........ 3
1.5.1 Physical Scope ........ 3
1.5.2 TOE Environment ........ 4
1.5.3 TOE Guidance ........ 4
1.5.4 Logical Scope ........ 4
1.5.5 Functionality Excluded from the Evaluated Configuration ........ 5
2 CONFORMANCE CLAIMS ........ 6
2.1 COMMON CRITERIA CONFORMANCE CLAIM ........ 6
2.2 ASSURANCE PACKAGE CLAIM ........ 6
2.3 PROTECTION PROFILE CONFORMANCE CLAIM ........ 6
3 SECURITY PROBLEM DEFINITION ........ 7
3.1 THREATS ........ 7
3.2 ORGANIZATIONAL SECURITY POLICIES ........ 7
3.3 ASSUMPTIONS ........ 8
4 SECURITY OBJECTIVES ........ 9
4.1 SECURITY OBJECTIVES FOR THE TOE ........ 9
4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ........ 10
4.3 SECURITY OBJECTIVES RATIONALE ........ 10
4.3.1 Security Objectives Rationale Related to Threats ........ 11
4.3.2 Security Objectives Rationale Related to OSPs ........ 14
4.3.3 Security Objectives Rationale Related to Assumptions ........ 14
5 EXTENDED COMPONENTS DEFINITION ........ 16
5.1 SECURITY FUNCTIONAL REQUIREMENTS ........ 16
5.1.1 Extended Family FPT_TPS: PROTECTION OF THIRD PARTY SECRETS ........ 16
5.1.2 FTA_SSL_EXT.5 Administrator-initiated termination ........ 17
5.2 SECURITY ASSURANCE REQUIREMENTS ........ 18
6 SECURITY REQUIREMENTS ........ 19
6.1 CONVENTIONS ........ 19
6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS ........ 19
6.2.1 Security Audit (FAU) ........ 20
6.2.2 Cryptographic Support (FCS) ........ 21
6.2.3 User Data Protection (FDP) ........ 22
6.2.4 Identification and Authentication (FIA) ........ 23
6.2.5 Security Management (FMT) ........ 24
6.2.6 Protection of the TSF (FPT) ........ 25
6.2.7 TOE Access (FTA) ........ 25
6.2.8 Trusted Path/Channels (FTP) ........ 26
6.3 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE ........ 26
6.3.1 SFR Rationale Related to Security Objectives ........ 27
6.4 DEPENDENCY RATIONALE ........ 30
6.5 TOE SECURITY ASSURANCE REQUIREMENTS ........ 32
7 TOE SUMMARY SPECIFICATION ........ 34
7.1 TOE SECURITY FUNCTIONS ........ 34
7.1.1 Security Audit ........ 34
7.1.2 Cryptographic Support ........ 34
7.1.3 User Data Protection ........ 35
7.1.4 Identification and Authentication ........ 35
7.1.5 Security Management ........ 36
7.1.6 Protection of the TSF ........ 37
7.1.7 TOE Access ........ 38
7.1.8 Trusted Path / Channels ........ 38
8 ACRONYMS ........ 39
LIST OF TABLES
Table 1 – Non-TOE Hardware and Software .................................................. 4
Table 2 – Logical Scope of the TOE ..............................................................5
Table 3 – Threats ........ 7
Table 4 – Organizational Security Policy ........ 8
Table 5 – Assumptions ........ 8
Table 6 – Security Objectives for the TOE ........ 9
Table 7 – Security Objectives for the Operational Environment ........ 10
Table 8 – Mapping Between Objectives, Threats, OSPs, and Assumptions ........ 11
Table 9 – Summary of Security Functional Requirements ........ 20
Table 10 – Cryptographic Operation ........ 22
Table 11 – Mapping of SFRs to Security Objectives ........ 27
Table 12 – Functional Requirement Dependencies ........ 32
Table 13 – Security Assurance Requirements ........ 33
Table 14 – Audit Event Types ........ 34
Table 15 – TOE User Role Descriptions ........ 37
Table 16 – Acronyms ........ 40
LIST OF FIGURES
Figure 1 – EMC ViPR SRM 4.0 TOE Boundary ........ 3
Figure 2 – FPT_TPS_EXT: Protection of third party secrets Component Levelling ........ 16
Figure 3 – FTA_SSL: Session Locking and Termination Component Levelling ........ 17
1 SECURITY TARGET INTRODUCTION
This Security Target (ST) defines the scope of the evaluation in terms of the
assumptions made, the intended environment for the TOE, the Information
Technology (IT) security functional and assurance requirements to be met, and
the level of confidence (evaluation assurance level) to which it is asserted that
the TOE satisfies its IT security requirements. This document forms the baseline
for the Common Criteria (CC) evaluation.
1.1 DOCUMENT ORGANIZATION
Section 1, ST Introduction, provides the Security Target (ST) reference, the
Target of Evaluation (TOE) reference, the TOE overview and the TOE description.
Section 2, Conformance Claims, describes how the ST conforms to the
Common Criteria and Packages. The ST does not conform to a Protection
Profile.
Section 3, Security Problem Definition, describes the expected environment
in which the TOE is to be used. This section defines the set of threats that are
relevant to the secure operation of the TOE, organizational security policies with
which the TOE must comply, and secure usage assumptions applicable to this
analysis.
Section 4, Security Objectives, defines the set of security objectives to be
satisfied by the TOE and by the TOE operating environment in response to the
problem defined by the security problem definition.
Section 5, Extended Components Definition, defines the extended
components which are then detailed in Section 6.
Section 6, Security Requirements, specifies the security functional and
assurance requirements that must be satisfied by the TOE and the Information
Technology (IT) environment.
Section 7, TOE Summary Specification, describes the security functions and
assurance measures that are included in the TOE to enable it to meet the IT
security functional and assurance requirements.
Section 8, Acronyms, defines the acronyms used in this ST.
1.2 SECURITY TARGET REFERENCE
ST Title: EMC® ViPR® SRM 4.0 Security Target
ST Version: 1.1
ST Date: 10 August 2016
1.3 TOE REFERENCE
TOE Identification: EMC® ViPR® SRM 4.0 – 2513 with M&R 6.7u1 - 63979
TOE Developer: EMC Corporation
TOE Type: Storage Resource Management Software (Other Devices and Systems)
1.4 TOE OVERVIEW
EMC ViPR SRM is storage resource management software that provides a visual
representation of storage relationships, analysis of configurations and capacity
growth, and optimization of storage resources. ViPR SRM receives metrics from
network storage resources, including applications, hosts, switches and arrays,
analyzes that information, and presents it in a variety of ways to facilitate
optimization of those resources. ViPR SRM is designed to integrate with the
EMC ViPR Software-defined storage platform.
ViPR SRM was designed to manage large, complex, virtualized storage
environments. ViPR SRM provides detailed relationship and topology views from
the application, to the virtual or physical host, to the Logical Unit (LUN) to
identify service dependencies. Administrators may view performance trends and
identify hosts that may be competing for storage resources. This allows
administrators to understand and manage the impact that storage has on
applications, and with this information, optimize storage resources to manage
data growth.
1.4.1 Analysis
ViPR SRM provides functionality to analyze health, configurations and capacity
growth. Custom dashboards and reports may be created to meet the needs of a
wide range of users and roles. ViPR SRM also allows administrators to track
block, file and object capacity consumption across data centers with built-in
views that indicate who is using capacity, how much they are using, and when
more will be required.
1.4.2 Optimization
ViPR SRM provides functionality that allows administrators to optimize capacity
and improve productivity of block, file and object storage. It shows historical
workloads and response times to determine if the most appropriate storage tier
has been implemented. It tracks capacity use, and analyzes relationships
between primary storage and replicas to identify the total capacity used to
support an application. ViPR SRM also tracks consumption of thin pools and
storage groups to predict when more capacity will be required, which supports
use of thin provisioning to improve utilization.
The TOE is a software only TOE.
1.5 TOE DESCRIPTION
1.5.1 Physical Scope
The TOE is made up of the ViPR SRM software. The M&R platform consists of
core modules that provide monitoring and reporting functionality for a number of
EMC products, including ViPR SRM. Logically, ViPR SRM consists of the M&R core
platform and a set of solution packs designed to collect data from hosts,
switches and storage devices. In the evaluated configuration, the TOE is
installed using the four Virtual Machine (VM) vApp installation option. The VMs
are:
• Collector VM – This VM hosts collectors used to discover, collect and
process data from supported hosts, switches and storage devices
• Primary Backend VM – This VM hosts the primary database, back end
components, load balancing components and modules which support
capacity, alerting and topology
• Frontend VM – This VM hosts the web portal and centralized management
applications and controls licensing
• Additional Backend VM – This VM includes additional databases and back
end components used to scale back end processing
[Figure 1 (diagram): the ViPR SRM VMs (Front End, Primary Backend, Additional
Backend and Collector), hosted on the VMware Server, are shown within the TOE
Boundary; the Active Directory Server, the Managed Storage Resources and the
Management Workstation are shown outside it.]
Figure 1 – EMC ViPR SRM 4.0 TOE Boundary
1.5.2 TOE Environment
The TOE is installed on a VMware Server. The following non-TOE components
are also required in the evaluated configuration. The versions shown are those
used in the evaluated configuration. A full list of installation requirement options
may be found in the EMC ViPR SRM 3.7 Support Matrix.
Non-TOE Component           Software                               Hardware
VMware Server               VMware vCenter v5.5                    General Purpose Computer Hardware
Active Directory Server     Windows Server 2008 R2                 General Purpose Computer Hardware
Managed Storage Resources   Unity VSA (Unisphere 4.0.0.7329527)    General Purpose Computer Hardware
Management Workstation      Windows 7                              General Purpose Computer Hardware
Table 1 – Non-TOE Hardware and Software
1.5.3 TOE Guidance
The TOE includes the following guidance documentation:
• EMC ViPR SRM Release number 3.7 SolutionPack Release Notes
• EMC ViPR SRM 3.7 Installation and Configuration Guide
• EMC ViPR SRM 3.7 SolutionPack Installation and Configuration Guide
• EMC M&R 6.6u1 Security Configuration Guide
• EMC ViPR SRM Version 3.7 Administrator’s Guide
1.5.4 Logical Scope
The logical boundary of the TOE includes all interfaces and functions within the
physical boundary. The logical boundary of the TOE may be broken down by the
security function classes described in Section 6. The following breakdown also
provides the description of the security features of the TOE, and follows the
security functional classes described in Section 1. Table 2 summarizes the logical
scope of the TOE.
Functional Class – Description
Security Audit – Audit entries are generated for security related events. The
audit logs are stored and protected from unauthorized modification and deletion
and may be reviewed by authorized administrators.
Cryptographic Support – Cryptographic functionality is provided to allow the
communications links between TOE components and between the TOE and its
remote administrators to be protected.
User Data Protection – The TOE provides a role-based access control capability
to ensure that only authorized administrators are able to administer the TOE.
Identification and Authentication – Users must identify and authenticate prior
to TOE access. The TOE supports multiple authentication mechanisms.
Security Management – The TOE provides management capabilities via user
interface. Management functions allow the administrators to configure users and
roles, system settings, and report parameters.
Protection of the TSF – The TOE stores and protects password information for
externally monitored devices.
TOE Access – A banner is presented upon user login. The TOE supports
TSF-initiated and administrator-initiated session termination.
Trusted Path/Channels – The communications links between the TOE and its
remote administrators are protected using HTTPS (Transport Layer Security
(TLS)).
Table 2 – Logical Scope of the TOE
1.5.5 Functionality Excluded from the Evaluated Configuration
The TOE issues SolutionPacks for discovery and monitoring of numerous
external storage resources, and provides out-of-box licenses for the following:
• SolutionPack for Brocade FC Switch
• SolutionPack for Cisco MDS/Nexus
• SolutionPack for EMC VNX
• SolutionPack for EMC VMAX
Since SolutionPacks are configurations and not additional software components,
they are included within the TOE boundary but are not tested as part of this
evaluation. The EMC Unity Virtual Storage Appliance (VSA) is used to simulate
managed storage resources in the evaluated configuration.
2 CONFORMANCE CLAIMS
2.1 COMMON CRITERIA CONFORMANCE CLAIM
This Security Target claims to be conformant to Version 3.1 of Common Criteria
for Information Technology Security Evaluation according to:
• Common Criteria for Information Technology Security Evaluation, Part 1:
Introduction and General Model; CCMB-2012-09-001, Version 3.1,
Revision 4, September 2012
• Common Criteria for Information Technology Security Evaluation, Part 2:
Security Functional Components; CCMB-2012-09-002, Version 3.1,
Revision 4, September 2012
• Common Criteria for Information Technology Security Evaluation, Part 3:
Security Assurance Requirements CCMB-2012-09-003, Version 3.1,
Revision 4, September 2012
As follows:
• CC Part 2 extended
• CC Part 3 conformant
The Common Methodology for Information Technology Security Evaluation,
Version 3.1, Revision 4, September 2012 [CEM] has to be taken into account.
2.2 ASSURANCE PACKAGE CLAIM
This Security Target claims conformance to Evaluation Assurance Level 2+,
augmented with ALC_FLR.2 Flaw Reporting Procedures.
2.3 PROTECTION PROFILE CONFORMANCE CLAIM
The TOE for this ST does not claim conformance with any Protection Profile (PP).
3 SECURITY PROBLEM DEFINITION
3.1 THREATS
Table 3 lists the threats addressed by the TOE. Potential threat agents are
authorized TOE users, and unauthorized persons. The level of expertise of both
types of attacker is assumed to be unsophisticated. TOE users are assumed to
have access to the TOE, extensive knowledge of TOE operations and to possess
a high level of skill. They have moderate resources to alter TOE parameters, but
are assumed not to be wilfully hostile. Unauthorized persons have little
knowledge of TOE operations, a low level of skill, limited resources to alter TOE
parameters and no physical access to the TOE.
Mitigation to the threats is through the objectives identified in Section 4.1,
Security Objectives.
Threat – Description
T.ACCOUNT – An authorized user of the TOE could gain unauthorized access to
TOE configuration information, or perform operations for which no access
rights have been granted, via user error, system error, or other actions.
T.AUDACC – Authorized users may not be accountable for the actions that they
perform because the audit records are not created and reviewed, thus allowing
an attacker to escape detection.
T.NOAUTH – An unauthorized individual may gain access to the TOE security
management functions and use this to allow unauthorized access to information
protected by the TOE.
T.SENSDATA – An unauthorized user may be able to view sensitive data passed
between the TOE and its administrators, and exploit this data to gain
unauthorized privileges on the TOE.
T.UNDETECT – Authorized or unauthorized users may be able to access TOE data
or modify TOE behavior without a record of those actions in order to
circumvent TOE security functionality.
Table 3 – Threats
3.2 ORGANIZATIONAL SECURITY POLICIES
Organizational Security Policies (OSPs) are security rules, procedures, or
guidelines imposed upon an organization in the operational environment. Table
4 lists the OSPs that are presumed to be imposed upon the TOE or its
operational environment by an organization that implements the TOE in the
Common Criteria evaluated configuration.
OSP – Description
P.REPORT – The TOE will create storage usage reports based on system metrics.
Table 4 – Organizational Security Policy
3.3 ASSUMPTIONS
The assumptions required to ensure the security of the TOE are listed in Table 5.
Assumption – Description
A.NOEVIL – The authorized administrators are not careless, wilfully negligent,
or hostile, are appropriately trained and will follow the instructions provided
by the TOE documentation.
A.PHYSICAL – The server resources of the TOE will be located within controlled
access facilities, which will prevent unauthorized physical access.
A.SECCOM – The communications between the TOE and the authentication servers
are secured.
A.TIME – The operational environment provides reliable timestamps.
Table 5 – Assumptions
4 SECURITY OBJECTIVES
The purpose of the security objectives is to address the security concerns and to
show which security concerns are addressed by the TOE, and which are
addressed by the environment. Threats may be addressed by the TOE or the
security environment or both. Therefore, the CC identifies two categories of
security objectives:
• Security objectives for the TOE
• Security objectives for the environment
4.1 SECURITY OBJECTIVES FOR THE TOE
This section identifies and describes the security objectives that are to be
addressed by the TOE.
Security Objective – Description
O.ACCESS – The TOE must allow authorized users to access only appropriate TOE
functions and data. Access shall be terminated after a period of inactivity,
or as determined by an authorized administrator. Access must be preceded by an
advisory warning regarding unauthorized use.
O.ADMIN – The TOE will provide all the functions and facilities necessary to
support the administrators in their management of the security of the TOE, and
restrict these functions and facilities from unauthorized use.
O.AUDIT – The TOE must generate audit records for use of the TOE functions,
and provide a means to review those records.
O.ENCRYPT – The TOE must make use of FIPS-validated cryptographic functions
for the protection of sensitive data.
O.IDENTAUTH – The TOE must be able to identify and authenticate users prior to
allowing access to the administrative functions and data of the TOE using both
local and LDAP based authentication. Authentication feedback must be obscured.
O.PATH – The TOE must ensure the confidentiality of data passed between itself
and remote administrators.
O.PROTECT – The TOE must ensure the confidentiality of password information
used to access third party resources.
O.REPORT – The TOE must be able to gather storage system metrics and create
reports on usage.
Table 6 – Security Objectives for the TOE
4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT
This section identifies and describes the security objectives that are to be
addressed by the IT domain or by non-technical or procedural means.
Security Objective – Description
OE.ADMTRA – Authorized administrators are carefully screened during the
selection process. All selected administrators are trained to appropriately
install, configure, and maintain the TOE in its evaluated configuration
according to the TOE guidance documentation.
OE.PHYSICAL – Those responsible for the TOE must ensure that those parts of the
TOE critical to the enforcement of security are protected from any physical
attack.
OE.SECCOM – The operational environment will protect the communications between
the TOE and authentication servers.
OE.TIMESTAMP – The operational environment will provide reliable timestamps for
use by the TOE.
Table 7 – Security Objectives for the Operational Environment
4.3 SECURITY OBJECTIVES RATIONALE
The following table maps the security objectives to the assumptions, threats,
and organizational security policies identified for the TOE.
Objective – Threats, OSPs and Assumptions addressed
O.ACCESS – T.ACCOUNT
O.ADMIN – T.ACCOUNT, T.NOAUTH
O.AUDIT – T.AUDACC, T.UNDETECT
O.ENCRYPT – T.SENSDATA
O.IDENTAUTH – T.ACCOUNT, T.NOAUTH
O.PATH – T.SENSDATA
O.PROTECT – T.NOAUTH
O.REPORT – P.REPORT
OE.ADMTRA – A.NOEVIL
OE.PHYSICAL – A.PHYSICAL
OE.SECCOM – A.SECCOM
OE.TIMESTAMP – T.AUDACC, T.UNDETECT, P.REPORT, A.TIME
Table 8 – Mapping Between Objectives, Threats, OSPs, and Assumptions
4.3.1 Security Objectives Rationale Related to Threats
The security objectives rationale related to threats traces the security objectives
for the TOE and the Operational Environment back to the threats addressed by
the TOE.
Threat: T.ACCOUNT – An authorized user of the TOE could gain unauthorized
access to TOE configuration information, or perform operations for which no
access rights have been granted, via user error, system error, or other
actions.
Objectives:
O.ACCESS – The TOE must allow authorized users to access only appropriate TOE
functions and data. Access shall be terminated after a period of inactivity,
or as determined by an authorized administrator. Access must be preceded by an
advisory warning regarding unauthorized use.
O.ADMIN – The TOE will provide all the functions and facilities necessary to
support the administrators in their management of the security of the TOE, and
restrict these functions and facilities from unauthorized use.
O.IDENTAUTH – The TOE must be able to identify and authenticate users prior to
allowing access to the administrative functions and data of the TOE using both
local and LDAP based authentication. Authentication feedback must be obscured.
Rationale: O.ACCESS mitigates this threat by limiting authorized users to
appropriate TOE functions and data. Prior to gaining access to the TOE, users
are presented with an advisory warning regarding unauthorized use of the TOE,
mitigating user error. User sessions are terminated automatically after a
period of inactivity or as determined by an authorized administrator, limiting
the impact of possible errors.
O.ADMIN mitigates this threat by ensuring that the TOE
management functions prevent authorized users from gaining
unauthorized access to TOE configuration information.
O.IDENTAUTH mitigates this threat by deploying multiple
identification and authentication mechanisms to prevent authorized
users from gaining unauthorized access to TOE configuration
information. It also provides users with obscured feedback while
authentication is in progress, protecting authentication information
from being used by an unauthorized person.
Threat: T.AUDACC – Authorized users may not be accountable for the actions
that they perform because the audit records are not created and reviewed,
thus allowing an attacker to escape detection.
Objectives:
O.AUDIT – The TOE must generate audit records for use of the TOE functions,
and provide a means to review those records.
OE.TIMESTAMP – The operational environment will provide reliable timestamps
for use by the TOE.
Rationale: O.AUDIT mitigates this threat by ensuring auditable events are
logged, securely stored, and made viewable to authorized
administrators.
OE.TIMESTAMP ensures that audit data is supported with accurate
time information.
Threat: T.NOAUTH – An unauthorized individual may gain access to the TOE
security management functions and use this to allow unauthorized access to
information protected by the TOE.
Objectives:
O.ADMIN – The TOE will provide all the functions and facilities necessary to
support the administrators in their management of the security of the TOE, and
restrict these functions and facilities from unauthorized use.
O.IDENTAUTH – The TOE must be able to identify and authenticate users prior to
allowing access to the administrative functions and data of the TOE using both
local and LDAP based authentication. Authentication feedback must be obscured.
O.PROTECT – The TOE must ensure the confidentiality of password information
used to access third party resources.
Rationale: O.ADMIN mitigates this threat by ensuring that access to the
security functions of the TOE is restricted to authorized administrators.
O.IDENTAUTH restricts access to authorized users by allowing access only after
proper identification and authorization have been verified through one of the
available mechanisms. It also provides users with obscured feedback while
authentication is in progress, protecting authentication information from being
used by an unauthorized person.
O.PROTECT mitigates this threat by protecting the confidentiality of
password information used to access third party resources.
Threat: T.SENSDATA – An unauthorized user may be able to view sensitive data
passed between the TOE and its administrators, and exploit this data to gain
unauthorized privileges on the TOE.
Objectives:
O.ENCRYPT – The TOE must make use of FIPS-validated cryptographic functions
for the protection of sensitive data.
O.PATH – The TOE must ensure the confidentiality of data passed between itself
and remote administrators.
Rationale: O.ENCRYPT mitigates this threat by using FIPS-validated
cryptographic functions for the protection of sensitive data.
O.PATH mitigates this threat by using a trusted path for remote
administration of the TOE.
Threat: T.UNDETECT – Authorized or unauthorized users may be able to access
TOE data or modify TOE behavior without a record of those actions in order to
circumvent TOE security functionality.
Objectives:
O.AUDIT – The TOE must generate audit records for use of the TOE functions,
and provide a means to review those records.
OE.TIMESTAMP – The operational environment will provide reliable timestamps
for use by the TOE.
Rationale: O.AUDIT mitigates this threat by ensuring auditable events are
logged and made viewable to authorized administrators.
OE.TIMESTAMP ensures that audit data is supported with accurate time
information.
4.3.2 Security Objectives Rationale Related to OSPs
The security objectives rationale related to OSPs traces the security objectives
for the Operational Environment back to the OSPs applicable to the TOE.
Policy: P.REPORT – The TOE will create storage usage reports based on system
metrics.
Objectives:
O.REPORT – The TOE must be able to gather storage system metrics and create
reports on usage.
OE.TIMESTAMP – The operational environment will provide reliable timestamps
for use by the TOE.
Rationale: O.REPORT supports this policy by ensuring that the TOE is able to
gather storage system metrics and create reports on usage.
OE.TIMESTAMP ensures that report data is supported with accurate
time information.
4.3.3 Security Objectives Rationale Related to Assumptions
The security objectives rationale related to assumptions traces the security
objectives for the operational environment back to the assumptions for the
TOE’s operational environment.
Assumption:
A.NOEVIL
The authorized administrators are not careless, wilfully negligent,
or hostile, are appropriately trained and will follow the instructions
provided by the TOE documentation.
Objectives: OE.ADMTRA Authorized administrators are carefully
screened during the selection process. All
selected administrators are trained to
appropriately install, configure, and maintain
the TOE in its evaluated configuration
according to the TOE guidance documentation.
Rationale: OE.ADMTRA supports this assumption by ensuring that the
administrators managing the TOE have been specifically chosen to
be careful, attentive and non-hostile.
Assumption:
A.PHYSICAL
The server resources of the TOE will be located within controlled
access facilities, which will prevent unauthorized physical access.
Objectives: OE.PHYSICAL Those responsible for the TOE must ensure
that those parts of the TOE critical to the
enforcement of security are protected from
any physical attack.
Rationale: OE.PHYSICAL supports this assumption by ensuring the physical
protection of the server resources used by the TOE.
Assumption:
A.SECCOM
The communications between the TOE and the authentication
servers are secured.
Objectives: OE.SECCOM The operational environment will protect the
communications between the TOE and
authentication servers.
Rationale: OE.SECCOM supports this assumption by requiring that information
passed between the TOE and the authentication server is secured.
Assumption:
A.TIME
The operational environment provides reliable timestamps.
Objectives: OE.TIMESTAMP The operational environment will provide
reliable timestamps for use by the TOE.
Rationale: OE.TIMESTAMP supports this assumption by requiring that the
operational environment provide reliable timestamps for use by the
TOE.
5 EXTENDED COMPONENTS DEFINITION
This section specifies the extended Security Functional Requirements (SFRs) and
extended Security Assurance Requirements (SARs) used in this ST.
5.1 SECURITY FUNCTIONAL REQUIREMENTS
Two extended SFRs have been created to address additional security features of
the TOE: Protection of external passwords (FPT_TPS_EXT.1) and Administrator-
initiated termination (FTA_SSL_EXT.5).
5.1.1 Extended Family FPT_TPS_EXT: Protection of Third Party Secrets
Protection of third party secrets addresses the collection of security information
from monitored devices, and the actions performed on that information. The
Protection of third party secrets family belongs to the Protection of the TSF
(FPT) class, and was modelled after the family FPT_ITT Internal TOE TSF data
transfer. FPT_TPS_EXT.1 Protection of external passwords was based on
FPT_ITT.1 Basic internal TSF data transfer protection.
5.1.1.1 FPT_TPS_EXT Protection of Third Party Secrets
Family Behaviour
This family defines the requirements for the protection of third party secrets.
This family may be used to specify the protection provided for third party
secrets held by the TOE.
Component Levelling
Figure 2 – FPT_TPS_EXT: Protection of third party secrets Component Levelling
Management
There are no management activities foreseen.
Audit
There are no auditable events foreseen.
FPT_TPS_EXT.1 Protection of external passwords
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TPS_EXT.1.1 The TSF shall store and protect passwords required to access
external entities.
(Figure 2 shows the family FPT_TPS_EXT: Protection of third party secrets with a single component at level 1.)
FPT_TPS_EXT.1.2 The TSF shall present the password to the external entity in
accordance with the requirements of the external entity.
5.1.2 FTA_SSL_EXT.5 Administrator-initiated termination
This extended SFR is part of the Session locking and termination (FTA_SSL)
family.
Component Levelling
Figure 3 – FTA_SSL: Session Locking and Termination Component Levelling
Management
There are no management activities foreseen.
Audit
The TSF should create an audit entry when an administrator terminates a user’s
session.
FTA_SSL_EXT.5 Administrator-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL_EXT.5.1 The TSF shall allow administrator-initiated termination of a user's
interactive session.
(Figure 3 shows the family FTA_SSL: Session locking and termination with components levelled 1 to 5; FTA_SSL_EXT.5 is the extended component at level 5.)
5.2 SECURITY ASSURANCE REQUIREMENTS
This ST does not include extended Security Assurance Requirements.
6 SECURITY REQUIREMENTS
Section 6 provides security functional and assurance requirements that must be
satisfied by a compliant TOE. These requirements consist of functional
components from Part 2 of the CC, extended requirements, and an Evaluation
Assurance Level (EAL) that contains assurance components from Part 3 of the
CC.
6.1 CONVENTIONS
The CC permits four types of operations to be performed on functional
requirements: selection, assignment, refinement, and iteration. These
operations, when performed on requirements that derive from CC Part 2 are
identified in this ST in the following manner:
• Selection: Indicated by surrounding brackets, e.g., [selected item].
• Assignment: Indicated by surrounding brackets and italics, e.g., [assigned
item].
• Refinement: Refined components are identified by using bold for
additional information, or strikeout for deleted text.
• Iteration: Indicated by assigning a number in parenthesis to the end of
the functional component identifier as well as by modifying the functional
component title to distinguish between iterations, e.g., ‘FDP_ACC.1(1),
Subset access control (administrators)’ and ‘FDP_ACC.1(2) Subset access
control (devices)’.
6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS
The security functional requirements for this ST consist of the following
components from Part 2 of the CC and extended components defined in Section
5, summarized in Table 9 - Summary of Security Functional Requirements.
Class                                    Identifier      Name
Security Audit (FAU)                     FAU_GEN.1       Audit data generation
                                         FAU_SAR.1       Audit review
Cryptographic Support (FCS)              FCS_CKM.1       Cryptographic key generation
                                         FCS_CKM.4       Cryptographic key destruction
                                         FCS_COP.1       Cryptographic operation
User Data Protection (FDP)               FDP_ACC.1       Subset access control
                                         FDP_ACF.1       Security attribute based access control
                                         FDP_ETC.1       Export of user data without security attributes
                                         FDP_ITC.1       Import of user data without security attributes
Identification and Authentication (FIA)  FIA_UAU.2       User authentication before any action
                                         FIA_UAU.5       Multiple authentication mechanisms
                                         FIA_UAU.7       Protected authentication feedback
                                         FIA_UID.2       User identification before any action
Security Management (FMT)                FMT_MSA.1       Management of security attributes
                                         FMT_MSA.3       Static attribute initialisation
                                         FMT_SMF.1       Specification of Management Functions
                                         FMT_SMR.1       Security roles
Protection of the TSF (FPT)              FPT_TPS_EXT.1   Protection of external passwords
TOE Access (FTA)                         FTA_SSL.3       TSF-initiated termination
                                         FTA_SSL_EXT.5   Administrator-initiated termination
                                         FTA_TAB.1       Default TOE access banners
Trusted path/channels (FTP)              FTP_TRP.1       Trusted path
Table 9 – Summary of Security Functional Requirements
6.2.1 Security Audit (FAU)
6.2.1.1 FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following
auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [collection configuration events, reporting events, user management
events, start and stop of services, user events].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following
information:
a) Date and time of the event, type of event, subject identity (if
applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of
the functional components included in the PP/ST, [no other
information].
6.2.1.2 FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [authorised administrators] with the capability to
read [all audit information] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the
user to interpret the information.
6.2.2 Cryptographic Support (FCS)
6.2.2.1 FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution,
or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a
specified cryptographic key generation algorithm [Deterministic Random
Bit Generation] and specified cryptographic key sizes [128, 192, 256]
that meet the following: [NIST Special Publication 800-90A].
6.2.2.2 FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security
attributes, or
FDP_ITC.2 Import of user data with security
attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified
cryptographic key destruction method [zeroization] that meets the
following: [no standard].
6.2.2.3 FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security
attributes, or
FDP_ITC.2 Import of user data with security
attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [the cryptographic operations specified in Table
10] in accordance with a specified cryptographic algorithm [the
cryptographic algorithms specified in Table 10] and cryptographic key
sizes [cryptographic key sizes specified in Table 10] that meet the
following: [standards listed in Table 10].
Operation                       Algorithm                            Key Size (bits) or Digest                        Standard                           CAVP Certificate Number
Random Bit Generation           HMAC DRBG                            SHA-1, SHA-224, SHA-256, SHA-384, SHA-512/256    NIST Special Publication 800-90A   722
Encryption and Decryption of    AES (Advanced Encryption Standard)   128, 192, 256                                    FIPS PUB 197                       3263
remote administrator sessions
Encryption and Decryption of    AES (Advanced Encryption Standard)   128, 192, 256                                    FIPS PUB 197                       3263
Third Party passwords
Table 10 – Cryptographic Operation
6.2.3 User Data Protection (FDP)
6.2.3.1 FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 The TSF shall enforce the [Administrative Access Control SFP] on
[Subjects: Administrative users
Objects: TSF data
Operations: view, modify and delete TSF data to manage configuration,
users and reporting functions].
6.2.3.2 FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 The TSF shall enforce the [Administrative Access Control SFP] to
objects based on the following:
[Subjects: Administrative users
Subject attributes: role
Objects: TSF data
Object attributes: none].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed: [the
Administrative user is able to access the TSF data and perform the
operations associated with an administrative function if the role allows
access to the administrative function].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on
the following additional rules: [users identified as Global administrators
have full access to all TSF data].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on
the following additional rules: [users with accounts identified as Disabled
have no access to TSF data].
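The four FDP_ACF.1 elements above are easy to implement in the wrong order. The following is an added example in Go, not code from the Security Target or from the ViPR SRM product, of an evaluator for the Administrative Access Control SFP. The role-to-function matrix, the role strings used as map keys and the function names are constructed assumptions for illustration (the ST does not publish the product's permission matrix). What it demonstrates is the evaluation order: the explicit deny for Disabled accounts (FDP_ACF.1.4) is applied before the Global administrator authorisation (FDP_ACF.1.3), so a disabled Global administrator is refused, and anything not granted by a rule is denied by default.

```go
package main

import "fmt"

// Role names. "Global Administrator" is the account class named in
// FDP_ACF.1.3; the other two are taken from the FMT_SMR.1 role list.
// The mapping of roles to functions below is a constructed assumption.
type Role string

const (
	RoleGlobalAdmin  Role = "Global Administrator"
	RoleStorageAdmin Role = "Storage Administrator Users"
	RoleNOCOperator  Role = "NOC Operator Users"
)

// AdminUser is the subject of the SFP. The only security attribute the
// policy consults is the role (FDP_ACF.1.1); Disabled drives the explicit
// deny rule of FDP_ACF.1.4.
type AdminUser struct {
	Login    string
	Role     Role
	Disabled bool
}

// Function is one of the FMT_SMF.1 management function groups.
type Function string

const (
	FuncUserManagement Function = "user management"
	FuncReporting      Function = "reporting"
	FuncCollectionConf Function = "collection configuration"
)

// rolePermissions is the constructed role-to-function matrix behind
// FDP_ACF.1.2: a role may perform an operation on a function only if the
// operation is listed for that role and function.
var rolePermissions = map[Role]map[Function][]string{
	RoleStorageAdmin: {
		FuncCollectionConf: {"view", "modify"},
		FuncReporting:      {"view", "modify", "delete"},
	},
	RoleNOCOperator: {
		FuncReporting: {"view"},
	},
}

// Decision is the outcome of one access request and the rule that decided it.
type Decision struct {
	Allowed bool
	Rule    string
}

// Authorize decides whether u may perform op on fn under the SFP.
// The explicit deny (FDP_ACF.1.4) is checked before the explicit authorise
// (FDP_ACF.1.3); reversing the two would leave a disabled Global
// administrator with full access.
func Authorize(u AdminUser, fn Function, op string) Decision {
	if u.Disabled {
		return Decision{false, "FDP_ACF.1.4 explicit deny: account disabled"}
	}
	if u.Role == RoleGlobalAdmin {
		return Decision{true, "FDP_ACF.1.3 explicit authorise: Global administrator"}
	}
	for _, allowed := range rolePermissions[u.Role][fn] {
		if allowed == op {
			return Decision{true, "FDP_ACF.1.2 role permits function"}
		}
	}
	// Default deny: no rule granted the operation.
	return Decision{false, "FDP_ACF.1.2 role does not permit function"}
}

func main() {
	users := []AdminUser{
		{"gadmin", RoleGlobalAdmin, false},
		{"gadmin-old", RoleGlobalAdmin, true},
		{"sadmin", RoleStorageAdmin, false},
		{"noc", RoleNOCOperator, false},
	}
	for _, u := range users {
		d := Authorize(u, FuncUserManagement, "delete")
		fmt.Printf("%-10s delete/user management: allowed=%-5v (%s)\n", u.Login, d.Allowed, d.Rule)
	}
}
```

The struct returns the deciding rule alongside the verdict so that an audit record (FAU_GEN.1) or a test can state why access was refused, not just that it was.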
6.2.3.3 FDP_ETC.1 Export of user data without security
attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FDP_ETC.1.1 The TSF shall enforce the [Administrative Access Control SFP] when
exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.1.2 The TSF shall export the user data without the user data's associated
security attributes.
6.2.3.4 FDP_ITC.1 Import of user data without security
attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_MSA.3 Static attribute initialisation
FDP_ITC.1.1 The TSF shall enforce the [Administrative Access Control SFP] when
importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.1.2 The TSF shall ignore any security attributes associated with the user
data when imported from outside the TOE.
FDP_ITC.1.3 The TSF shall enforce the following rules when importing user data
controlled under the SFP from outside the TOE: [Authorized
administrative users may configure the TSF to retrieve performance data
from network storage resources].
Application note: Administrators configure SolutionPacks to establish the
connection to a storage resource and collect metrics.
6.2.4 Identification and Authentication (FIA)
6.2.4.1 FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before
allowing any other TSF-mediated actions on behalf of that user.
6.2.4.2 FIA_UAU.5 Multiple authentication mechanisms
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UAU.5.1 The TSF shall provide [internal authentication, LDAP authentication] to
support user authentication.
FIA_UAU.5.2 The TSF shall authenticate any user's claimed identity according to the
[order of authentication mechanisms indicated in the configuration file].
6.2.4.3 FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [obscured feedback] to the user while the
authentication is in progress.
6.2.4.4 FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each user to be successfully identified before
allowing any other TSF-mediated actions on behalf of that user.
6.2.5 Security Management (FMT)
6.2.5.1 FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Administrative Access Control SFP] to
restrict the ability to [query, modify, delete] the security attributes
[user security attributes, report parameters, collection configuration
parameters] to [Authorized Administrative users].
6.2.5.2 FMT_MSA.3 Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Administrative Access Control SFP] to
provide [restrictive] default values for security attributes that are used
to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [Authorized Administrative users] to specify
alternative initial values to override the default values when an object or
information is created.
6.2.5.3 FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management
functions: [user management functions, reporting functions, collection
configuration functions].
6.2.5.4 FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [Datacenter Administrator Users, Full
Control Users, NOC Operator Users, Network Administrator Users,
Storage Administrator Users, Web Service Role].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
6.2.6 Protection of the TSF (FPT)
6.2.6.1 FPT_TPS_EXT.1 Protection of external passwords
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TPS_EXT.1.1 The TSF shall store and protect passwords required to access
external entities.
FPT_TPS_EXT.1.2 The TSF shall present the password to the external entity in
accordance with the requirements of the external entity.
6.2.7 TOE Access (FTA)
6.2.7.1 FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after [one hour of user
inactivity].
6.2.7.2 FTA_SSL_EXT.5 Administrator-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL_EXT.5.1 The TSF shall allow administrator-initiated termination of a user's
interactive session.
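FTA_SSL.3 and FTA_SSL_EXT.5 together, with the audit records FAU_GEN.1.2 requires for them (date and time, event type, subject identity, outcome), as an added example in Go. This is illustration code written for this page, not code from the Security Target or from ViPR SRM; the session manager, its field names and the event type strings are assumptions. The clock is injected so the one-hour idle limit can be exercised without waiting an hour, and an administrator-initiated termination records both the administrator and the user whose session ended.

```go
package main

import (
	"fmt"
	"time"
)

// IdleLimit is the FTA_SSL.3 assignment: one hour of user inactivity.
const IdleLimit = time.Hour

// AuditRecord carries the FAU_GEN.1.2 minimum: date/time, event type,
// subject identity and outcome.
type AuditRecord struct {
	Time    time.Time
	Type    string
	Subject string
	Outcome string
}

// Session is one interactive session; LastActivity drives the idle check.
type Session struct {
	ID           string
	User         string
	LastActivity time.Time
	Terminated   bool
	Reason       string
}

// SessionManager holds the live sessions and the audit trail. Now is
// injected so tests can move time forward deterministically (assumption:
// a real TSF would use the OE.TIMESTAMP clock directly).
type SessionManager struct {
	Now      func() time.Time
	Sessions map[string]*Session
	Audit    []AuditRecord
}

func NewSessionManager(now func() time.Time) *SessionManager {
	return &SessionManager{Now: now, Sessions: map[string]*Session{}}
}

func (m *SessionManager) log(typ, subject, outcome string) {
	m.Audit = append(m.Audit, AuditRecord{m.Now(), typ, subject, outcome})
}

// Open records a session after successful authentication (a User Event).
func (m *SessionManager) Open(id, user string) {
	m.Sessions[id] = &Session{ID: id, User: user, LastActivity: m.Now()}
	m.log("authentication", user, "success")
}

// Touch is called on every TSF-mediated action and resets the idle clock.
// It returns false when the session no longer exists, so the caller must
// force re-authentication instead of continuing.
func (m *SessionManager) Touch(id string) bool {
	s, ok := m.Sessions[id]
	if !ok || s.Terminated {
		return false
	}
	s.LastActivity = m.Now()
	return true
}

func (m *SessionManager) terminate(s *Session, reason string) {
	s.Terminated = true
	s.Reason = reason
	delete(m.Sessions, s.ID)
	m.log("session termination ("+reason+")", s.User, "success")
}

// Sweep implements FTA_SSL.3: every session idle for IdleLimit or longer is
// terminated by the TSF itself. It returns the number terminated.
func (m *SessionManager) Sweep() int {
	n := 0
	for _, s := range m.Sessions {
		if m.Now().Sub(s.LastActivity) >= IdleLimit {
			m.terminate(s, "idle timeout")
			n++
		}
	}
	return n
}

// AdminTerminate implements FTA_SSL_EXT.5. A request for a session that does
// not exist is still audited, as a failure attributed to the administrator.
func (m *SessionManager) AdminTerminate(admin, id string) bool {
	s, ok := m.Sessions[id]
	if !ok {
		m.log("session termination (administrator-initiated)", admin, "failure: no such session "+id)
		return false
	}
	m.terminate(s, "administrator-initiated by "+admin)
	return true
}

func main() {
	clock := time.Date(2016, 8, 10, 9, 0, 0, 0, time.UTC)
	m := NewSessionManager(func() time.Time { return clock })
	m.Open("s1", "storage-admin")
	m.Open("s2", "noc-operator")
	clock = clock.Add(59 * time.Minute)
	m.Touch("s1") // s1 stays alive; s2 has now been idle 59 minutes
	clock = clock.Add(2 * time.Minute)
	fmt.Println("idle sessions terminated:", m.Sweep())
	fmt.Println("admin terminated s1:", m.AdminTerminate("global-admin", "s1"))
	for _, r := range m.Audit {
		fmt.Printf("%s %-55s subject=%-14s outcome=%s\n", r.Time.Format(time.RFC3339), r.Type, r.Subject, r.Outcome)
	}
}
```

Two points worth checking in any real implementation: the idle comparison must use the same clock the audit records use, otherwise the timeout and its audit entry disagree, and a failed administrator termination must still produce a record, since FAU_GEN.1.2 asks for the outcome of the event, not only its successes.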
6.2.7.3 FTA_TAB.1 Default TOE access banners
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_TAB.1.1 Before establishing a user session, the TSF shall display an advisory
warning message regarding unauthorised use of the TOE.
6.2.8 Trusted Path/Channels (FTP)
6.2.8.1 FTP_TRP.1 Trusted path
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_TRP.1.1 The TSF shall provide a communication path between itself and
[remote] users that is logically distinct from other communication paths
and provides assured identification of its end points and protection of the
communicated data from [disclosure].
FTP_TRP.1.2 The TSF shall permit [remote users] to initiate communication via the
trusted path.
FTP_TRP.1.3 The TSF shall require the use of the trusted path for [remote
administration].
6.3 SECURITY FUNCTIONAL REQUIREMENTS
RATIONALE
The following Table provides a mapping between the SFRs and Security
Objectives.
SFR             Security Objectives
FAU_GEN.1       O.AUDIT
FAU_SAR.1       O.ADMIN, O.AUDIT
FCS_CKM.1       O.ENCRYPT
FCS_CKM.4       O.ENCRYPT
FCS_COP.1       O.ENCRYPT
FDP_ACC.1       O.ACCESS, O.ADMIN
FDP_ACF.1       O.ACCESS, O.ADMIN
FDP_ETC.1       O.ACCESS, O.REPORT
FDP_ITC.1       O.REPORT
FIA_UAU.2       O.IDENAUTH
FIA_UAU.5       O.IDENAUTH
FIA_UAU.7       O.IDENAUTH
FIA_UID.2       O.IDENAUTH
FMT_MSA.1       O.ADMIN
FMT_MSA.3       O.ADMIN
FMT_SMF.1       O.ADMIN
FMT_SMR.1       O.ADMIN
FPT_TPS_EXT.1   O.PROTECT
FTA_SSL.3       O.ACCESS
FTA_SSL_EXT.5   O.ACCESS
FTA_TAB.1       O.ACCESS
FTP_TRP.1       O.PATH
Table 11 – Mapping of SFRs to Security Objectives
6.3.1 SFR Rationale Related to Security Objectives
The following rationale traces each SFR back to the Security Objectives for the
TOE.
Objective:
O.ACCESS
The TOE must allow authorized users to access only appropriate
TOE functions and data. Access shall be terminated after a period
of inactivity, or as determined by an authorized administrator.
Access must be preceded by an advisory warning regarding
unauthorized use.
Security
Functional
Requirements:
FDP_ACC.1 Subset access control
FDP_ACF.1 Security attribute based access control
FDP_ETC.1 Export of user data without security attributes
FTA_SSL.3 TSF-initiated termination
FTA_SSL_EXT.5 Administrator-initiated termination
FTA_TAB.1 Default TOE access banners
Rationale: FDP_ACC.1 meets this objective by enforcing an access control
policy to ensure only authorized users can gain access to
appropriate TOE functions and data.
FDP_ACF.1 meets this objective by enforcing the rules and
attributes that govern the access control policy.
FDP_ETC.1 meets this objective by enforcing the access control
policy when exporting user data outside of the TOE.
FTA_SSL.3 meets this objective by automatically terminating an
interactive session after one hour of inactivity.
FTA_SSL_EXT.5 meets this objective by giving authorized
administrators the ability to terminate a user’s interactive session.
FTA_TAB.1 meets this objective by presenting users with an
advisory warning message regarding unauthorized use of the TOE,
before establishing a session.
Objective:
O.ADMIN
The TOE will provide all the functions and facilities necessary to
support the administrators in their management of the security of
the TOE, and restrict these functions and facilities from
unauthorized use.
Security
Functional
Requirements:
FAU_SAR.1 Audit review
FDP_ACC.1 Subset access control
FDP_ACF.1 Security attribute based access control
FMT_MSA.1 Management of security attributes
FMT_MSA.3 Static attribute initialisation
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
Rationale: FAU_SAR.1 meets this objective by providing authorized
administrators the ability to access and review audit records.
FDP_ACC.1 meets this objective by enforcing the access control
policy limiting the management of the TOE security functions to
authorized administrators.
FDP_ACF.1 meets this objective by enforcing the rules and
attributes that govern the access control policy.
FMT_MSA.1 meets this objective by restricting the ability to
manipulate the Administrative Access Control SFP security
attributes to authorized administrators.
FMT_MSA.3 meets this objective by restricting the ability to
manipulate the Administrative Access Control SFP default security
attributes to authorized administrators.
FMT_SMF.1 supports this objective by identifying the management
functions authorized administrators are able to perform.
FMT_SMR.1 supports this objective by maintaining a list of
authorized TOE roles.
Objective:
O.AUDIT
The TOE must generate audit records for use of the TOE functions,
and provide a means to review those records.
Security
Functional
Requirements:
FAU_GEN.1 Audit data generation
FAU_SAR.1 Audit review
Rationale: FAU_GEN.1 meets this objective by generating audit records for
auditable events.
FAU_SAR.1 supports this objective by providing authorized
administrators with the means to read and interpret all audit
information.
Objective:
O.ENCRYPT
The TOE must make use of FIPS-validated cryptographic functions
for the protection of sensitive data.
Security
Functional
Requirements:
FCS_CKM.1 Cryptographic key generation
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1 Cryptographic operation
Rationale: FCS_CKM.1, FCS_CKM.4, and FCS_COP.1 meet this objective by
providing FIPS-validated cryptographic functionality required to
protect sensitive data.
Objective:
O.IDENAUTH
The TOE must be able to identify and authenticate users prior to
allowing access to the administrative functions and data of the TOE
using both local and LDAP based authentication. Authentication
feedback must be obscured.
Security
Functional
Requirements:
FIA_UAU.2 User authentication before any action
FIA_UAU.5 Multiple authentication mechanisms
FIA_UAU.7 Protected authentication feedback
FIA_UID.2 User identification before any action
Rationale: FIA_UAU.2 meets this objective by ensuring that each user is
successfully authenticated before gaining access to TOE functions
and data.
FIA_UAU.5 meets this objective by supporting internal
authentication and LDAP authentication.
FIA_UAU.7 meets this objective by providing obscured feedback to
users while authentication is in progress.
FIA_UID.2 meets this objective by ensuring that each user is
successfully identified before gaining access to the TOE functions
and data.
Objective:
O.PATH
The TOE must ensure the confidentiality of data passed between
itself and remote administrators.
Security
Functional
Requirements:
FTP_TRP.1 Trusted path
Rationale: FTP_TRP.1 meets this objective by requiring a trusted path that
protects data passed between the TOE and remote administrators
from disclosure (provided by TLS 1.2, see Section 7.1.2).
Objective:
O.PROTECT
The TOE must ensure the confidentiality of password information
used to access third party resources.
Security
Functional
Requirements:
FPT_TPS_EXT.1 Protection of external passwords
Rationale: FPT_TPS_EXT.1 meets this objective by storing and protecting
passwords required to access external entities.
Objective:
O.REPORT
The TOE must be able to gather storage system metrics and create
reports on usage.
Security
Functional
Requirements:
FDP_ETC.1 Export of user data without security attributes
FDP_ITC.1 Import of user data without security attributes
Rationale: FDP_ETC.1 meets this objective by identifying the ability to export
user data for the generation of network storage usage reports.
FDP_ITC.1 meets this objective by specifying the ability to retrieve
performance data from network storage resources.
6.4 DEPENDENCY RATIONALE
Table 12 identifies the Security Functional Requirements from Part 2 of the CC
and their associated dependencies. It also indicates whether the ST explicitly
addresses each dependency.
SFR             Dependency                            Dependency Satisfied   Rationale
FAU_GEN.1       FPT_STM.1                             No                     Timestamps are provided to the TOE by the operational environment (OE.TIMESTAMP) in order to satisfy this requirement.
FAU_SAR.1       FAU_GEN.1                             Yes
FCS_CKM.1       FCS_CKM.2 or FCS_COP.1                Yes                    Satisfied by FCS_COP.1.
                FCS_CKM.4                             Yes
FCS_CKM.4       FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1   Yes                    Satisfied by FDP_ITC.1 and FCS_CKM.1.
FCS_COP.1       FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1   Yes                    Satisfied by FDP_ITC.1 and FCS_CKM.1.
                FCS_CKM.4                             Yes
FDP_ACC.1       FDP_ACF.1                             Yes
FDP_ACF.1       FDP_ACC.1                             Yes
                FMT_MSA.3                             Yes
FDP_ETC.1       FDP_ACC.1 or FDP_IFC.1                Yes                    Satisfied by FDP_ACC.1.
FDP_ITC.1       FDP_ACC.1 or FDP_IFC.1                Yes                    Satisfied by FDP_ACC.1.
                FMT_MSA.3                             Yes
FIA_UAU.2       FIA_UID.1                             Yes                    FIA_UID.2 is hierarchical to FIA_UID.1; this dependency has been satisfied.
FIA_UAU.5       None                                  N/A
FIA_UAU.7       FIA_UAU.1                             Yes                    FIA_UAU.2 is hierarchical to FIA_UAU.1; this dependency has been satisfied.
FIA_UID.2       None                                  N/A
FMT_MSA.1       FDP_ACC.1 or FDP_IFC.1                Yes                    Satisfied by FDP_ACC.1.
                FMT_SMR.1                             Yes
                FMT_SMF.1                             Yes
FMT_MSA.3       FMT_MSA.1                             Yes
                FMT_SMR.1                             Yes
FMT_SMF.1       None                                  N/A
FMT_SMR.1       FIA_UID.1                             Yes                    FIA_UID.2 is hierarchical to FIA_UID.1; this dependency has been satisfied.
FPT_TPS_EXT.1   None                                  N/A
FTA_SSL.3       None                                  N/A
FTA_SSL_EXT.5   None                                  N/A
FTA_TAB.1       None                                  N/A
FTP_TRP.1       None                                  N/A
Table 12 – Functional Requirement Dependencies
6.5 TOE SECURITY ASSURANCE REQUIREMENTS
The TOE assurance requirements for this ST consist of the requirements
corresponding to the EAL 2+ level of assurance, as defined in the CC Part 3,
augmented by the inclusion of Flaw reporting procedures (ALC_FLR.2). EAL 2+
was chosen for competitive reasons. The developer is claiming the ALC_FLR.2
augmentation since there are a number of areas where current practices and
procedures exceed the minimum requirements for EAL 2+.
The assurance requirements are summarized in the Table 13.
Assurance Class               Identifier   Name
Development                   ADV_ARC.1    Security architecture description
                              ADV_FSP.2    Security-enforcing functional specification
                              ADV_TDS.1    Basic design
Guidance Documents            AGD_OPE.1    Operational user guidance
                              AGD_PRE.1    Preparative procedures
Life-cycle support            ALC_CMC.2    Use of a CM system
                              ALC_CMS.2    Parts of the TOE CM coverage
                              ALC_DEL.1    Delivery procedures
                              ALC_FLR.2    Flaw reporting procedures
Security Target Evaluation    ASE_CCL.1    Conformance claims
                              ASE_ECD.1    Extended components definition
                              ASE_INT.1    ST introduction
                              ASE_OBJ.2    Security objectives
                              ASE_REQ.2    Derived security requirements
                              ASE_SPD.1    Security problem definition
                              ASE_TSS.1    TOE summary specification
Tests                         ATE_COV.1    Evidence of coverage
                              ATE_FUN.1    Functional testing
                              ATE_IND.2    Independent testing - sample
Vulnerability Assessment      AVA_VAN.2    Vulnerability analysis
Table 13 – Security Assurance Requirements
7 TOE SUMMARY SPECIFICATION
This section provides a description of the security functions and assurance
measures of the TOE that meet the TOE security requirements. A description of
each of the TOE security functions follows.
7.1 TOE SECURITY FUNCTIONS
7.1.1 Security Audit
The TOE uses the Tomcat web server to produce a chronological record of system
activities and security-relevant transactions in two formats. Log files are
generated for each module and service and are handled using Java Logging.
Audit logs are generated for specific user interactions and retrieved from the
connected servers. All logs are accessed through the user interface, and access
is restricted to authorized users with Global Administrator privileges. Logs can
be viewed directly in the user interface or downloaded as a ZIP file to a local
machine.
The TOE generates records for the following audit event types:
Event Type Description
Collection Configuration Events The discovery, configuration, and modification
of collector devices.
Reporting Events Records the following report transactions:
• When a ReportPack, template, or schedule
has been created, modified, or deleted.
• Report generation stats including start, stop,
and rendering time.
User Management Events Records when users, profiles and roles are:
• Created, modified, and deleted
• Enabled and disabled
Start and stop of services Start, stop, and restart times of a service,
device, or module.
User Events • Authentication success and failure
• Session termination including user-initiated,
idle timeout, or administrator-initiated.
Table 14 - Audit Event Types
TOE Security Functional Requirements addressed: FAU_GEN.1, FAU_SAR.1.
7.1.2 Cryptographic Support
ViPR SRM uses the RSA BSAFE® Crypto-J JSAFE and JCE Software Module
(Software Version: 6.2), Cryptographic Module Validation Program (CMVP)
certificate number 2469, to provide cryptographic support. TLS 1.2 is used to
protect the link between the administrator and the TOE, and encryption is used
to protect third party passwords held by the TOE.
AES keys are generated for the protection of third party passwords using the
cryptographic module's Deterministic Random Bit Generator (HMAC DRBG).
(Keys used in support of TLS are derived from the Diffie-Hellman key exchange
performed in accordance with the TLS 1.2 standard (RFC 5246); this is not part
of the FCS_CKM.1 claim.) Keys are zeroized using the
<object>.clearSensitiveData() function within the module.
AES encryption is used in support of both administrative sessions and the
protection of third party passwords.
TOE Security Functional Requirements addressed: FCS_CKM.1, FCS_CKM.4,
FCS_COP.1.
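The AES key generation and zeroization described above, as an added Python illustration that is not the TOE's code and does not use the Crypto-J API: a minimal HMAC_DRBG per NIST SP 800-90A (SHA-256) produces a 256-bit AES key, and the hypothetical clear_sensitive_data() and zeroize() functions stand in for the module's clearSensitiveData() call and the FCS_CKM.4 zeroization of key material.

```python
import hashlib
import hmac


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class HmacDrbg:
    # Minimal HMAC_DRBG (SP 800-90A, SHA-256) for illustration; reseeding omitted for brevity
    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        if len(entropy) < 32:
            raise ValueError("HMAC_DRBG needs at least 256 bits of entropy input")
        self._k = b"\x00" * 32  # Key, initialised to 0x00 as the standard requires
        self._v = b"\x01" * 32  # V, initialised to 0x01 as the standard requires
        self._update(entropy + nonce + personalization)

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data (if any) into K and V
        self._k = _prf(self._k, self._v + b"\x00" + provided_data)
        self._v = _prf(self._k, self._v)
        if provided_data:
            self._k = _prf(self._k, self._v + b"\x01" + provided_data)
            self._v = _prf(self._k, self._v)

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate: emit output blocks, then update K and V (backtracking resistance)
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self._v = _prf(self._k, self._v)
            out += self._v
        self._update(additional_input)
        return out[:num_bytes]

    def clear_sensitive_data(self) -> None:
        # Hypothetical stand-in for the module's clearSensitiveData(): wipe K and V
        self._k = self._v = b"\x00" * 32


def generate_aes256_key(drbg: HmacDrbg) -> bytearray:
    # AES-256 key returned as a mutable bytearray so it can be zeroized in place
    return bytearray(drbg.generate(32))


def zeroize(key: bytearray) -> None:
    # Overwrite key material in place (FCS_CKM.4-style zeroization)
    key[:] = bytes(len(key))
```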
7.1.3 User Data Protection
The TOE provides role-based access to administrative functionality through the
user interface. The TOE enforces the Administrative Access Control SFP to
manage TOE configuration, users, and reporting functions. Only authorized users
identified as Global Administrators have full access to the TSF functions and
data, including the ability to import and export all user data.
User data is imported from external hosts, switches, and storage devices by the
Collector VM and then stored in the Primary Backend database. Only metric data
is collected; therefore, associated security attributes are ignored during data
import and export transactions.
For example, the TOE filters for physical and logical assets such as hosts and
virtual arrays, raw and usable capacity, and data center events. Only the metric
data is analyzed and exported in the form of usage reports. Usage reports can
be generated in the following formats: PDF, CSV, XLS, PNG, JPEG, SVG, and
XML.
TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1,
FDP_ETC.1, FDP_IFC.1.
7.1.4 Identification and Authentication
The identification and authentication functions ensure that users attempting to
access the TOE have provided valid user credentials and are authorized to
access the requested services.
When an authorized administrator adds a user, they’re presented with the option
to choose either Internal Authentication or External Authentication. External
authentication requires only that the administrator provide a user login.
Password validation is done through a corporate LDAP-based identity repository
such as Active Directory.
Internal authentication uses Apache Tomcat’s native services and requires the
administrator to provide both a User Login and Password when creating users.
The TOE is configured for Single Sign On by default, but can be set up to
authenticate based on Realm for individual applications.
During the authentication process, obscured feedback is provided to the user
entering the password.
TOE Security Functional Requirements addressed: FIA_UAU.2, FIA_UAU.5,
FIA_UAU.7, FIA_UID.2.
7.1.5 Security Management
Security management for the TOE is implemented in a hierarchical manner. For
initial installation, the TOE operator must first provide the default credentials.
The default username is admin and the default password is changeme. This
operator account is then used to create a Global Administrator who can create
additional users and assign access rights to control what they can see and do in
the interface. A Global Administrator has full access to all user management,
reporting, and configuration functions.
User permissions and settings are defined by a combination of User Status,
Profile and User Roles.
When a user account is created, the user is first assigned a status of Normal
User or Global Administrator. Note that ‘Global Administrator’ and ‘Normal User’
are not user roles. They are user status settings. ‘Normal User’ is the default
status for all users. Various access restrictions on reports and components can
be set on users assigned the ‘Normal User’ status. Users with ‘Global
Administrator’ status have full rights to all components, cannot be disabled and
have no restrictions on templates. At the highest level of security management,
the Administrative Access Control SFP is enforced on Normal Users and Global
Administrators.
Users can then be assigned to a role with access to specific TOE functions. If a
user is not assigned to a role, by default, the user only sees Scheduled Reports,
Stored Reports, and Favorite Reports. Table 15 identifies and defines the default
user roles provided by the TOE.
User Role: Datacenter Administrator Users
Description: This role allows users to access datacenter oriented reports.

User Role: Full Control Users
Description: This role allows users to access most modules and tools. It also gives them read-write access to all available templates.

User Role: NOC Operator Users
Description: This role allows users to access all reports.

User Role: Network Administrator Users
Description: This role allows users to do the following:
• Access network oriented reports
• Discover devices
• Remove data and devices
• Modify groups and service levels
• Use SNMP tools
• Define alerts

User Role: Storage Administrator Users
Description: This role allows users to do the following:
• Access storage oriented reports
• Discover devices
• Remove data and devices
• Modify groups and service levels
• Define alerts

User Role: Web Service Role
Description: This role is used for web service calls only.

Table 15 - TOE User Role Descriptions
All users of the TOE are also assigned a default profile which groups users and
roles together for global reporting requirements. Profiles define global
characteristics of a user, such as language and time zone. There is only one
default profile; however, Global Administrators can create and customize profiles
at their discretion.
Global Administrators have the authority to associate all users with roles that
limit or restrict access to management, reporting, and collection configuration
functions. They’re also given the ability to modify, reset, and customize any of
the default settings.
Users have permissions to configure collection operations, create reports and
manage users, according to their assigned roles. In order to perform these
functions, the users will be able to query, modify and delete the collection
configuration parameters, the report parameters and the user security attributes
accordingly. By default, when a user is first created, the user has only the
‘Normal User’ status and no roles until specifically added by an administrator.
There are no collection parameters or report parameters until specifically added
by an administrator. These are considered to be restrictive default values.
TOE Security Functional Requirements addressed: FMT_MSA.1, FMT_MSA.3,
FMT_SMF.1, FMT_SMR.1.
7.1.6 Protection of the TSF
The TOE deploys SolutionPacks to discover, connect, and collect data from
physical hosts. The TOE stores and protects the passwords required to access
these network storage resources by restricting management and configuration
functions to authorized administrators. Only authorized administrators have the
ability to configure the TOE in order to present password information in
accordance with individual host requirements.
TOE Security Functional Requirement addressed: FPT_TPS_EXT.1.
7.1.7 TOE Access
The TOE can be configured to display an advisory message to users on login,
warning of unauthorized use. Authenticated user sessions are terminated after
one hour of user inactivity, or may be terminated by an authorized
administrator.
TOE Security Functional Requirements addressed: FTA_SSL.3, FTA_SSL_EXT.5,
FTA_TAB.1.
7.1.8 Trusted Path / Channels
The TOE protects information when it is transmitted between the front end web
portal and the remote management workstation. The TOE achieves this by using
TLS to perform the encryption and the decryption of data that is being passed.
The trusted paths are established for each administrative session, making them
logically distinct from other communication paths. Administrators identify the
TOE by entering the known URL for the administrative interface; the TOE
identifies the administrative user via username and password, thereby providing
assured identification of the end points.
The TOE is preconfigured for HTTPS and enabled for SSL by default. In the
evaluated configuration, it must be configured to use the TLS 1.2 protocol to
encrypt data in transit over the network.
TOE Security Functional Requirements addressed: FTP_TRP.1.
8 ACRONYMS
The following acronyms are used in this ST:
Acronym Definition
AES Advanced Encryption Standard
CAVP Cryptographic Algorithm Validation Program
CC Common Criteria
CMVP Cryptographic Module Validation Program
DES Data Encryption Standard
DRBG Deterministic Random Bit Generator
EAL Evaluation Assurance Level
FIPS Federal Information Processing Standards
HMAC Hash Message Authentication Code
HTTPS Hypertext Transfer Protocol Secure
IT Information Technology
LDAP Lightweight Directory Access Protocol
LUN Logical Unit Number
NIST National Institute of Standards and Technology
NOC Network Operations Center
OSP Organizational Security Policy
PP Protection Profile
RSA Rivest, Shamir and Adleman
SAN Storage Area Network
SAR Security Assurance Requirement
SFP Security Function Policy
SFR Security Functional Requirement
SNMP Simple Network Management Protocol
SSL Secure Sockets Layer
ST Security Target
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functionality
VM Virtual Machine
VSA Virtual Storage Appliance
Table 16 – Acronyms