One Identity Manager v8.1.5 Security Target Version 1.0 16 December 2021 Prepared for: One Identity LLC 4 Polaris Way Aliso Viejo, CA 92656 United States Prepared by: Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia, Maryland 21046 Security Target Version 1.0 2 Contents 1 Security Target Introduction.................................................................................................................5 1.1 Security Target, TOE and CC Identification.....................................................................................5 1.2 Conformance Claims.......................................................................................................................5 1.3 Conventions....................................................................................................................................6 1.3.1 Acronyms.................................................................................................................................6 1.3.2 Terminology ............................................................................................................................7 2 TOE Description ....................................................................................................................................9 2.1 TOE Overview .................................................................................................................................9 2.2 TOE Architecture ..........................................................................................................................11 2.2.1 Physical Boundaries...............................................................................................................12 2.2.2 Excluded from the Evaluated Configuration.........................................................................14 2.2.3 Logical Boundaries ................................................................................................................14 2.3 TOE Documentation .....................................................................................................................15 3 Security Problem Definition................................................................................................................17 4 Security Objectives .............................................................................................................................18 4.1 Security Objectives for the Operational Environment.................................................................18 5 IT Security Requirements....................................................................................................................19 5.1 Extended Requirements...............................................................................................................19 5.2 TOE Security Functional Requirements........................................................................................19 5.2.1 Enterprise Security Management (ESM)...............................................................................20 5.2.2 Security Audit (FAU)..............................................................................................................21 5.2.3 Identification and Authentication (FIA).................................................................................22 5.2.4 Security Management (FMT).................................................................................................23 5.2.5 Protection of the TSF (FPT)....................................................................................................25 5.2.6 Trusted Path/Channels (FTP).................................................................................................26 5.3 TOE Security Assurance Requirements ........................................................................................26 6 TOE Summary Specification................................................................................................................28 6.1 Enterprise Security Management.................................................................................................28 6.1.1 ESM_EAU.2 / ESM_EID.2.......................................................................................................28 6.1.2 ESM_ICD.1.............................................................................................................................28 6.1.3 ESM_ICT.1 .............................................................................................................................31 6.2 Security Audit ...............................................................................................................................32 6.2.1 FAU_GEN.1............................................................................................................................32 6.2.2 FAU_STG_EXT.1.....................................................................................................................34 6.3 Identification and Authentication ................................................................................................34 6.3.1 FIA_USB.1..............................................................................................................................34 6.4 Security Management ..................................................................................................................34 6.4.1 FMT_MOF.1...........................................................................................................................35 6.4.2 FMT_MTD.1...........................................................................................................................35 6.4.3 FMT_SMF.1 ...........................................................................................................................35 6.4.4 FMT_SMR.1...........................................................................................................................35 6.5 Protection of the TSF....................................................................................................................36 6.5.1 FPT_APW_EXT.1....................................................................................................................36 Security Target Version 1.0 3 6.5.2 FPT_SKP_EXT.1......................................................................................................................36 6.6 Trusted Path/Channels.................................................................................................................37 6.6.1 FTP_ITC.1...............................................................................................................................37 6.6.2 FTP_TRP.1..............................................................................................................................37 7 Protection Profile Claims ....................................................................................................................38 8 Rationale.............................................................................................................................................39 8.1 TOE Summary Specification Rationale .........................................................................................39 Security Target Version 1.0 4 List of Tables Table 1: Security Objectives Descriptions...................................................................................................18 Table 2: TOE Security Functional Components...........................................................................................19 Table 3: Auditable Events ...........................................................................................................................21 Table 4 TOE Management Functions..........................................................................................................25 Table 5: Assurance Components.................................................................................................................26 Table 6: External Systems, attributes, and secure channel ........................................................................31 Table 7. SFR Protection Profile Sources......................................................................................................38 Table 8: Security Functions vs. Requirements Mapping.............................................................................39 Security Target Version 1.0 1 Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is One Identity Manager v8.1.5 provided by One Identity. The Security Target contains the following additional sections: • TOE Description (Section 2) • Security Problem Definition (Section 0) • Security Objectives (Section 4) • IT Security Requirements (Section 5) • TOE Summary Specification (Section 6) • Protection Profile Claims (Section 7) • Rationale (Section 8) 1.1 Security Target, TOE and CC Identification ST Title – One Identity Manager v8.1.5 ST Version – Version 1.0 ST Date – 16 December 2021 TOE Identification – One Identity Manager v8.1.5 TOE Developer – One Identity Evaluation Sponsor – One Identity CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Release 4, September 2012 1.2 Conformance Claims This ST and the TOE it describes are conformant to the following CC specifications: • Standard Protection Profile for Enterprise Security Management Identity and Credential Management, Version 2.1, 24 October 2013, [ESMICM] and including the following optional SFRs: FMT_MTD.1. • The following NIAP Technical Decisions apply to this PP and have been accounted for in the ST development and the conduct of the evaluation: TD0245: Updates to FTP_ITC and FTP_TRP for ESM PPs TD0066: Clarification of FAU_STG_EXT.1 Requirement in ESM PPs TD0055: Move FTA_TAB.1 to Selection-Based Requirement (not included in ST: Operational Environment component authenticates the administrator) • Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Release 4, September 2012 o Part 2 Extended Security Target Version 1.0 6 • Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012 o Part 3 Conformant 1.3 Conventions The following conventions have been applied in this document: • Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement. o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a number in parentheses placed at the end of the component. For example, FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, (1) and (2). o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selected- assignment]]). o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]). o Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., “… all objects …” or “… some big things …”). Note that ‘cases’ that are not applicable in a given SFR have simply been removed without any explicit identification. • The [ESMICM] uses an additional convention – the ‘case’ – which defines parts of an SFR that apply only when corresponding selections are made or some other identified conditions exist. Only the applicable cases are identified in this ST and they are identified using bold text. • Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions. 1.3.1 Acronyms Acronym Definition 2FA Two Factor Authentication AAA Authentication, Authorization and Accounting AD Active Directory API Application Programming Interface CC Common Criteria for Information Technology Security Evaluation CM Configuration Management ESMICM Protection Profile for Enterprise Security Management Identity and Credential Management FIPS Federal Information Processing Standard HTTPS Hyper-Text Transport Protocol Secure IT Information Technology LDAP Lightweight Directory Access Protocol Security Target Version 1.0 7 Acronym Definition OAUTH2 Open Authorization PP Protection Profile RSA Rivest, Shamir and Adleman (algorithm for public-key cryptography) REST REpresentational State Transfer SAP Systems, Applications and Products (Data Management Software) SAR Security Assurance Requirement SFR Security Functional Requirement SSH Secure Shell ST Security Target TOE Target of Evaluation TSF TOE Security Functions 1.3.2 Terminology This section identifies TOE-specific terminology. Administrator A TOE user that also has permissions to manage some or all of the TOE’s functionality. The ST defines the One Identity Manager administrator as an administrator with full permissions to manage the TSF. However, administrators with a subset of these permissions may also be created based on the permissions granted by the associated application role. Application Role A user identity attribute that grants a TOE user administrative privileges on the TOE, making them an administrator. Application roles derive their privileges through association with permissions groups. Business Role A user identity attribute that associates the user with an arbitrarily- defined job title. This data may be propagated to other repositories where the user is defined, or it could be used to automatically configure access to environmental resources based on the expected responsibilities that are conferred on the role (e.g. a user with an ‘auditor’ role may have greater access needs than a user with an ‘engineer’ role). Connectors TOE components that allow the TOE to securely connect with external systems. Designer An administrative tool included with the fat client used to perform initial configuration of One Identity Manager. Specifically, the Designer is used to establish the evaluated configuration by enabling security-relevant auditing. Security Target Version 1.0 8 Enterprise User An enterprise user is a company employee whose accounts are managed by the TOE. All administrators, TOE Users and employees are enterprise users. External Systems The organizational repositories (sometimes called Target Systems) that can either be the authoritative source of enterprise user attributes or that can contain user attributes managed by the TOE or both. The external systems are also classified as Enterprise Security Management products. Fat Client A One Identity Manager Windows application installed on an administrative workstation primarily used for initial configuration activities. The fat client includes the Designer, Synchronization Editor, and Manager administrative tools. Organization Data User identity attribute data that relates to the user’s position within an organization. Includes department, cost center, and (geographic) location. Manager An administrative tool included with the fat client that is used to manage application roles and password policies. The Manager interacts with the TOE via invocation of the Web Service over HTTPS. Password Reset Portal A tool that TOE users can use to reset their own user password. Part of the Web UI. Permissions Group Authorizations to manipulate data in the database. Permissions Groups are associated with Application Roles to determine the administrative privileges of users that are assigned those roles. Synchronization Editor An administrative tool included with the fat client that is used to perform initial configuration of One Identity Manager. Specifically, the Synchronization Editor is used to define the connectivity and data mapping between the TOE and external systems. System Role A grouping of permissions to interact with external systems. Can be assigned directly to a user as an identity attribute or can be inherited through assignment to a business role or organization data. Target Systems A term synonymous with External Systems. TOE User An enterprise user that can log on to the One Identity Manager in order to reset their own password or to perform delegated administration. Web Portal An administrative tool that is used to perform security-relevant management activities of user identity and credential data, password policies, and administrative roles and privileges. Users may also modify their own personal data using this interface. Part of the Web UI. Security Target Version 1.0 9 2 TOE Description The One Identity Manager v8.1.5 TOE provides centralized provisioning and management of enterprise user accounts based on defined ‘identities’ and therefore is an Identity and Credential Management product as defined in the [ESMICM]. 2.1 TOE Overview The One Identity Manager v8.1.5 TOE provides centralized provisioning and management of user accounts based on defined ‘identities’. The TOE provides identity and credential management functions by serving as the authoritative source for various user attributes while also designating various external systems to be authoritative sources for other attributes. The end result is that user data can be automatically and accurately propagated to multiple organizational locations so that external systems can subsequently make use of this data. For example, One Identity Manager may interface with an organization’s HR system (e.g. PeopleSoft) such that when a new user is created by the HR system, One Identity Manager will automatically generate external system accounts for that new user (e.g. create a new AD entry for them based on the default information and/or information supplied by the HR system). One Identity Manager can also be used to manually create user accounts and as an interface for TOE users to perform self-service management of their own password credentials, which are then pushed out to the organizational repositories (external systems) where that password data resides. The external systems that the TOE supports are equivalent to the connectors identified in Section 2.2.1. For example the TOE includes an Active Directory Connector and therefore Active Directory external systems are supported. The TOE provides the ability to manage credential data by providing an interface to change a user’s “master password”, which is then propagated to any external systems that the TOE is configured to synchronize password data with. The TOE also acts as a central point for password policy enforcement by defining password policies that these passwords must comply with. Note that the administrator must ensure that external systems do not enforce stricter password policies than the TOE or else password synchronization may fail due to contradictory policies. The TOE provides the One Identity Manager administrator role and TOE user role. Users with the One Identity Manager administrator role have full permissions to create new users, permissions and roles and manage identities. This user has full administrative capabilities to manage the TOE including creating custom role and permissions and associating users with them. Users with the One Identity Manager administrator role can create new Administrative roles with different levels of permissions and then assign these roles to TOE users for delegated administration. However, a TOE user doesn’t have to have admin permissions, they can be just an organizational user who uses the TOE solely to reset their own password. One Identity Manager supplies employees in a company with company resources, for example, permissions or applications, according to their function. The company structures are represented in hierarchical role form in the One Identity Manager. Employees can obtain their company resources through these roles when they are assigned to roles as members. In One Identity Manager the following roles (also referred to as role classes) are defined for mapping company structures: • Organization data (departments, cost centers and locations) Departments, cost centers and locations are each mapped to their own hierarchy under the heading "Organizations". This is due to their special significance for daily work schedules in many companies. The Security Target Version 1.0 10 TOE can be used to associate accounts and permissions on external systems based on organization data so that all users with this identity attribute are treated uniformly. • Business roles Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. This might be project groups, for example. The TOE can be used to associate accounts and permissions on external systems based on business roles so that all users with this identity attribute are treated uniformly. • Application roles Application roles are used to grant One Identity Manager object access rights to One Identity Manager users, making them administrators of the TOE for the functions defined by the assigned roles. For more detailed information, see the One Identity Manager Application Roles Administration Guide. One Identity provides several methods of assigning company resources: Direct Assignment; Indirect Assignment; Assigning through Dynamic Role. • Direct assignment of company resources results from the assignment of a company resource to an employee, device or a work desk, for example. • In the case of indirect assignment of company resources, employees, devices and work desks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or work desk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. In the Indirect assignment methods, a difference between primary and secondary assignment is taken into account. Secondary assignments are made by classifying an employee, a device or a work desk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles. Secondary assignments are specified on the role classes (department, location, cost center, business roles, application role) and indicate whether a secondary assignment of company resources to employees, device and work desk is possible. Primary assignments are made by referencing a department, cost center or location through a foreign key to the employee, device and work desk objects. A foreign key is a field (or collection of fields) in one table that refers to the foreign key in another table. Input fields are used for roles on the employee, device and work desk master data forms. Primary assignment inheritance can be enabled through configuration parameters. Assignment through dynamic roles is a special case of indirect assignment. • Dynamic roles can be used to specify role memberships dynamically. Employees, devices and work desks are not permanently assigned to a role, just when they fulfill certain conditions. A check is performed regularly to assess which employees, devices or work desks fulfill these conditions. This means the role memberships change dynamically. • One Identity also provides the ability to define custom roles and permissions. One Identity Manager offers different methods for supplying user accounts to employees. One Identity Manager supports the following methods for linking employees and their user accounts. • Employees can automatically obtain their user accounts through One Identity Manager account definitions. Security Target Version 1.0 11 • When user accounts are inserted in the One Identity Manager, they can be automatically assigned to an existing employee or a new employee can be created if necessary. • Employee and user account data in the One Identity Manager can be manually entered and assigned to each other. Typically, the user accounts are initially read into One Identity Manager from a target system or systems through synchronization. One Identity Manager consolidates user account data from all of the various target systems in the TOE. Either the TOE or the external system can be defined as the ‘definitive’ source of user data. For example, a user’s employee ID may be defined in AD and the TOE will keep track of that data but can’t be used to change it. Whereas a user’s unique ID may be defined in One Identity Manager and the TOE can make changes to this data and push it out to external systems (e.g. Active Directory). The TOE can create or modify user accounts on external systems based on user identity attributes. In other words the TOE ‘manages’ identity data in the sense that it can do something to treat the managed users differently based on what their identity attributes say about them. The external systems are sources of the object attribute data required of an ESM access control system. The TOE does not define object attributes and this ST does not include the optional ESM_ATD.1: Object Attribute Definition SFR. Administrators use the fat client to configure the TOE and the web UI and web service to manage the TOE and create and approve user requests for user entitlement or to add a user to an account or a role with entitlements. All communication with users is through a secure HTTPS channel. The TOE relies on FIPS 140-2 validated cryptographic modules in the operational environment for cryptographic functions. The cryptographic functions are used for all SSH and TLS connections with trusted external IT entities, and for HTTPS connections with users accessing the TOE. 2.2 TOE Architecture The One Identity Manager v8.1.5 TOE consists of several components: fat client, web UI, web service, job service (and its connectors) that interface with a centralized Microsoft SQL Server database through a shared object layer interface. The object layer interface is responsible for all database I/O operations and interfacing with external systems. The One Identity Manager Service (Job Service) performs data synchronization and provisioning between the database and any connected target systems and executes actions at the database and file level. The Job Service retrieves process steps from the JobQueue and executes them. The Job Service Application is the only method of interfacing with other organizational systems (e.g. HR system, AD, SAP) and the protected communication is through the use of connectors. The fat client provides the Designer and Synchronization Editor tools that are used for the initial setup of One Identity Manager. The fat client also includes the Manager application, but this interacts with the TOE via the web service. The Web UI and web services component provide interfaces for managing employee data. The Web UI is the graphical front-end that handles administrative management tasks, and where a TOE user can use the Password Reset Portal to change their password. The Web service is a REST API that provides the same functions as the Web UI as well as the interfaces that Manager uses to manage administrative role assignment and password policies. From an architectural standpoint, the identity data maintained by One Identity Management resides in a central database (in the operational environment). All communications between the TOE and the database use TLS. Security Target Version 1.0 12 The following figure depicts the TOE components within the operational environment. Figure 1 TOE in Operational Environment TOE components are highlighted in blue / shaded blue. The fat client application is shaded to indicate that it is primarily used for initial configuration activities. The web UI, web service, and job service (with connectors) can each be installed on their own platform or on the same platform in a distributed architecture. 2.2.1 Physical Boundaries The One Identity Manager v8.1.5 TOE consists of fat client, web UI, web service, job service, and connectors. The TOE provides connectors and any required templates for the following types of external systems: Connectors and prepared templates: • Active Directory • UNIX/Linux • Exchange 2010, 2013, 2016 • SharePoint 2010, 2013, 2016 • Azure AD • Exchange Online Security Target Version 1.0 13 • SharePoint Online • Google G-Suite • LDAP (including AS/400, RACF, ACF2, Top Secret) The Operational Environment consists of: • Database Server o SQL Server 2017 (64-bit) with the current cumulative update • Minimum System Requirements - Administrative Workstations (Fat client) o Windows 10 (32-bit or 64-bit) minimum version 1511 o Microsoft .NET Framework Version 4.7.2 or later • Minimum system requirements for the Job Service (admin guides refer to as Server Service) o Windows Server 2016 o Microsoft .NET Framework Version 4.7.2 or later • Minimum system requirements for the Web Service and Web UI o Windows Server 2016 o Microsoft .NET Framework Version 4.7.2 or later • Microsoft Internet Information Services 10 or 8.5 or 8 or 7.5 or 7 with ASP.NET 4.7.2 • web browser: o Internet Explorer 11 or later o Firefox (Latest Release) o Chrome (Latest Release) o Microsoft Edge (Latest Release) • SSH Client, • one or more supported external systems (see connectors above), • Active Directory authentication server. The TOE relies on the Windows FIPS-compliant cryptographic libraries bcryptprimitives.dll (CMVP2937) and cng.sys (CMVP2936) for trusted channel and trusted path connections. Random seeding for deterministic random bit functions used for key generation is obtained through the Windows bcryptgenrandom function and its underlying OS operations that provide its non-deterministic entropy data. The TOE uses SSHBlackbox that in turn uses the same underlying Windows FIPS-compliant cryptographic libraries for SSH functionality. SSHBlackbox is provided with the One Identity Manager TOE but is itself a third-party product. Security Target Version 1.0 14 The TOE interacts with the external systems to transmit and receive identity and credential data for user authentication and provisioning. The TOE has the following minimum system requirements: TOE Component Processor Memory Hard drive storage Job Service 8 physical cores 2.5 GHz+ 16 GB RAM 40GB Web UI 4 physical cores 1.65 GHz+ 4 GB RAM 40GB Web Service 8 physical cores 2.5 GHz+ 8 GB RAM 40GB Fat Client 4 physical cores 2.5 GHz+ 4 GB+ RAM 1GB 2.2.2 Excluded from the Evaluated Configuration The evaluation excludes the following Operational Environment software and security functionality that is supported by One Identity Manager but is not included or tested in the evaluated configuration: • LDAP Enterprise User Stores • User authentication methods: Internal One Identity Manager authentication, LDAP Server, OpenID Connect, OAUTH2, and 2-factor authentication • Connectors: SCIMv2, databases (ADO.NET, OLEDB, ODBC), structured files (CSV, tab separated, etc.), IBM Notes, SAP R/3 and S/4Hana, PowerShell, Oracle E-Business Suite • Configuration of the Password Reset Portal such that a user can log in to the Password Reset Portal using user accounts other than the central user account (i.e. target system user account). 2.2.3 Logical Boundaries This section summarizes the security functions provided by One Identity Manager: • Enterprise security management • Security audit • Identification and authentication • Security management • Protection of the TSF • Trusted path/channels 2.2.3.1 Enterprise Security Management The TOE provides the ability to identify and authenticate administrators using Active Directory. The TOE provides the capability to define and manage enterprise user security attributes and provision modifications in the target systems. The TOE provides the capability to define and securely transmit identity and credential data for use with other ESM products. The TOE provides a password restriction policy mechanism to ensure secure passwords are defined. 2.2.3.2 Security Audit The TOE generates logs for the security relevant events specified in ESMICM PP. The TOE writes the logs to the central Microsoft SQL Server database using a TLS channel. Security Target Version 1.0 15 2.2.3.3 Identification and Authentication The TOE associates roles, entitlements, and other user attributes with enterprise users and relies on the operational environment for user authentication. The TOE enforces binding of users to subjects by defining users as ‘employee’ objects inside the TOE. These objects are then mapped to accounts on external systems such that changes to user data on the TOE is propagated to these external systems through synchronization. The TOE also enforces binding between administrators and subjects during initial authentication such that an administrator’s privileges to manage the TSF are assigned when they log in and any changes to their privileges only take effect on subsequent logins. 2.2.3.4 Security Management The TOE provides the following management functions identified in the ESMICMPP: - Management of administrator authentication data - Definition and management of user identity and credential data - Configuration of password policy for credential data - Management of user credential status (e.g. suspended) - Enrollment of users - Configuration of transmission of identity and credential data to external entities, including enabling of trusted communications where necessary - Configuration and assignment of administrative roles The TOE also provides the ability for users to perform self-service management of their own password credential data. The TOE restricts access to the management functions to users with applicable roles and entitlements. By default, the TOE includes a One Identity Manager administrator role with full privileges to manage the TSF, but additional administrative roles can be defined and associated with users to grant a subset of these privileges. 2.2.3.5Protection of the TSF Credentials/keys used by the TOE are stored in the operational environment. The TOE does not offer any interfaces to view the credentials/keys. 2.2.3.6 Trusted Path/Channels The TOE provides trusted communication channels using TLS for communication with authentication servers, the audit server and for transfer of policy (identity and credential) data. SSH is used for transfer of policy data between the TOE and UNIX systems. HTTPS is used to protect communication channels between distributed TOE components. The TOE provides trusted communication paths using Web UI/Web Service for remote administrators, which is enforced by IIS. 2.3 TOE Documentation There are numerous documents that provide information and guidance for the deployment and management of the TOE. The following guides are used in the evaluated configuration: • One Identity Manager 8.1.5 Common Criteria Supplemental Admin Guidance • One Identity Manager 8.1.5 Installation Guide Security Target Version 1.0 16 • One Identity Manager 8.1.5 Configuration Guide • One Identity Manager 8.1.5 User Guide for One Identity Manager Tools User Interface • One Identity Manager 8.1.5 Web Portal User Guide • One Identity Manager 8.1.5 Web Application Configuration Guide • One Identity Manager 8.1.5 System Roles Administration Guide • One Identity Manager 8.1.5 Target System Base Module Administration Guide • One Identity Manager 8.1.5 Administration Guide for Connecting to Active Directory • One Identity Manager 8.1.5 Business Roles Administration Guide • One Identity Manager 8.1.5 Authorization and Authentication Guide • One Identity Manager 8.1.5 Identity Management Base Module Administration Guide • One Identity Manager 8.1.5 Operational Guide • One Identity Manager 8.1.5 REST API Reference Guide • One Identity Manager 8.1.5 Target System Synchronization Reference Guide • One Identity Manager 8.1.5 LDAP Connector for CA ACF2 Reference Guide • One Identity Manager 8.1.5 LDAP Connector for CA Top Secret Reference Guide • One Identity Manager 8.1.5 LDAP Connector for IBM AS/400 Reference Guide • One Identity Manager 8.1.5 LDAP Connector for IBM RACF Reference Guide • One Identity Manager 8.1.5 Administration Guide for Connecting to Azure Active Directory • One Identity Manager 8.1.5 Administration Guide for Connecting to Exchange Online • One Identity Manager 8.1.5 Administration Guide for Connecting to G Suite • One Identity Manager 8.1.5 Administration Guide for Connecting to Microsoft Exchange • One Identity Manager 8.1.5 Administration Guide for Connecting to SharePoint • One Identity Manager 8.1.5 Administration Guide for Connecting to SharePoint Online • One Identity Manager 8.1.5 Administration Guide for Connecting Unix-Based Target Systems • One Identity Manager 8.1.5 Administration Guide for Connecting to LDAP Security Target Version 1.0 17 3 Security Problem Definition The Security Problem Definition (composed of organizational policies, threat statements, and assumption) has been drawn verbatim from the Standard Protection Profile for Enterprise Security Management Identity and Credential Management, Version 2.1, 24 October 2013 (ESMICM). The [ESMICM] offers additional information about the identified threats, but that has not been reproduced here and the [ESMICM] should be consulted if there is interest in that material. In general, the [ESMICM] has presented a Security Problem Definition appropriate for enterprise security identity and credential management products, and as such is applicable to the One Identity Manager TOE. Security Target Version 1.0 18 4 Security Objectives As with the Security Problem Definition, the Security Objectives have been drawn verbatim from the [ESMICM] and includes the optional objectives: OE.CRYPTO, OE.ROBUST, and OE.SYSTIME. O.BANNER is excluded per TD0055. The [ESMICM] offers additional information about the identified security objectives, but that has not been reproduced here and the [ESMICM] should be consulted if there is interest in that material. In general, the [ESMICM] has presented a Security Objectives statement appropriate for enterprise security identity and credential management products, and as such are applicable to One Identity Manager. 4.1 Security Objectives for the Operational Environment Table 1: Security Objectives Descriptions Objective Description OE.ADMIN There will be one or more administrators of the Operational Environment that will be responsible for providing subject identity to attribute mappings within the TOE. OE.CRYPTO The Operational Environment will provide cryptographic mechanisms that are used to ensure the confidentiality and integrity of communications. OE.ENROLLMENT The Operational Environment will provide a defined enrollment process that confirms user identity before the assignment of credentials. OE.FEDERATE Data the TOE exchanges with trusted external entities is trusted. OE.INSTALL Those responsible for the TOE shall ensure that the TOE is delivered, installed, managed, and operated in a manner that is consistent with IT security. OE.MANAGEMENT The Operational Environment will provide an Authentication Server component that uses identity and credential data maintained by the TOE. OE.PERSON Personnel working as TOE administrators shall be carefully selected and trained for proper operation of the TOE. OE.ROBUST The Operational Environment will provide mechanisms to reduce the ability for an attacker to impersonate a legitimate user during authentication. OE.SYSTIME The Operational Environment will provide reliable time data to the TOE. Security Target Version 1.0 19 5 IT Security Requirements This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the Protection Profile (PP): Standard Protection Profile for Enterprise Security Management Identity and Credential Management, Version 2.1, 24 October 2013, [ESMICM]. As a result, refinements and operations already performed in that PP are not identified (e.g., highlighted) here, rather the requirements have been copied from that PP and any residual operations have been completed herein. Of particular note, the [ESMICM] made a number of refinements and completed some of the SFR operations defined in the CC and that PP should be consulted to identify those changes if necessary. The SARs are the set of SARs specified in [ESMICM]. 5.1 Extended Requirements All of the extended requirements in this ST have been drawn from the [ESMICM]. The [ESMICM] defines the following extended SFRs and since they are not redefined in this ST, the [ESMICM] should be consulted for more information in regard to those CC extensions. • ESM_EAU.2: Reliance on Enterprise Authentication • ESM_EID.2: Reliance on Enterprise Identification • ESM_ICD.1: Identity and Credential Definition • ESM_ICT.1: Identity and Credential Transmission • FAU_STG_EXT.1: External Audit Trail Storage • FPT_APW_EXT.1: Protection of Stored Credentials • FPT_SKP_EXT.1: Protection of Secret Parameters 5.2 TOE Security Functional Requirements The following table identifies the SFRs that are satisfied by the TOE. Table 2: TOE Security Functional Components Requirement Class Requirement Component ESM: Enterprise Security Management ESM_EAU.2: Reliance on Enterprise Authentication ESM_EID.2: Reliance on Enterprise Identification ESM_ICD.1: Identity and Credential Definition ESM_ICT.1: Identity and Credential Transmission FAU: Security audit FAU_GEN.1: Audit Data Generation FAU_STG_EXT.1: External Audit Trail Storage FIA: Identification and Authentication FIA_USB.1: User-Subject Binding FMT: Security management FMT_MOF.1: Management of Functions Behavior FMT_MTD.1: Management of TSF Data FMT_SMF.1: Specification of Management Functions Security Target Version 1.0 20 Requirement Class Requirement Component FMT_SMR.1: Security Management Roles FPT: Protection of the TSF FPT_APW_EXT.1: Protection of Stored Credentials FPT_SKP_EXT.1: Protection of Secret Key Parameters FTP: Trusted path/channels FTP_ITC.1: Inter-TSF Trusted Channel FTP_TRP.1: Trusted Path 5.2.1 Enterprise Security Management (ESM) 5.2.1.1 Reliance on Enterprise Authentication (ESM_EAU.2) ESM_EAU.2.1 The TSF shall rely on [[Active Directory]] for subject authentication. ESM_EAU.2.2 The TSF shall require each subject to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that subject. 5.2.1.2 Reliance on Enterprise Identification (ESM_EID.2) ESM_EID.2.1 The TSF shall rely on [[Active Directory]] for subject identification. ESM_EID.2.2 The TSF shall require each subject to be successfully identified before allowing any other TSF-mediated actions on behalf of that subject. 5.2.1.3 Identity and Credential Definition (ESM_ICD.1) ESM_ICD.1.1 The TSF shall provide the ability to define identity and credential data for use with other Enterprise Security Management products. ESM_ICD.1.2 The TSF shall define the following security-relevant identity and credential attributes for enterprise users: credential lifetime, credential status, [name, employee ID, password, business role, system role, application role, organization data]. ESM_ICD.1.3 The TSF shall provide the ability to enroll enterprise users through assignment of unique identifying data. ESM_ICD.1.4 The TSF shall provide the ability to associate defined security-relevant attributes with enrolled enterprise users. ESM_ICD.1.5 The TSF shall provide the ability to query the status of an enterprise user’s credentials. ESM_ICD.1.6 The TSF shall provide the ability to revoke an enterprise user’s credentials. ESM_ICD.1.7 The TSF shall provide the ability for a compatible Authentication Server ESM product to update an enterprise user’s credentials. ESM_ICD.1.8 The TSF shall ensure that the defined enterprise user credentials satisfy the following strength rules: 1. For password-based credentials, the following rules apply: Security Target Version 1.0 21 a. Passwords shall be able to be composed of a subset of the following character sets: [English character set] that include the following values [26 uppercase letters, 26 lowercase letters, 10 numbers, and the following 10 special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”]; and b. Minimum password length shall settable by an administrator, and support passwords of 15 characters or greater; and c. Password composition rules specifying the types and numbers of required characters that comprise the password shall be settable by an administrator; and d. Passwords shall not be reused within the last administrator-settable number of passwords used by that user; 2. For non-password-based credentials, the following rules apply: a. The probability that a secret can be obtained by an attacker during the lifetime of the secret is less than 2-20 . 5.2.1.4 Identity and Credential Transmission (ESM_ICT.1) ESM_ICT.1.1 The TSF shall transmit [identity and credential data] to compatible and authorized Enterprise Security Management products under the following circumstances: [immediately following creation or modification of data, at a periodic interval]. Application Note: The periodic interval is defined when the connection to the external system is first defined. 5.2.2 Security Audit (FAU) 5.2.2.1 Audit Data Generation (FAU_GEN.1) FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: 1) Start-up and shutdown of the audit functions; 2) All auditable events identified in Table 3 for the not specified level of audit; and 3) [none]. Table 3: Auditable Events Requirement Auditable Events Additional Audit Record Contents ESM_EAU.2 All use of the authentication mechanism None ESM_ICD.1 Creation or modification of identity and credential data The attribute(s) modified ESM_ICD.1 Enrollment or modification of subject The subject created or modified, the attribute(s) modified (if applicable) Security Target Version 1.0 22 Requirement Auditable Events Additional Audit Record Contents ESM_ICT.1 All attempts to transmit information The destination to which the transmission was attempted FAU_STG_EXT.1 Establishment and disestablishment of communications with audit server Identification of audit server FMT_MOF.1 All modifications of TSF function behavior None FMT_SMF.1 Use of the management functions Management function performed FTP_ITC.1 All use of trusted channel functions Identity of the initiator and target of the trusted channel FTP_TRP.1 All attempted uses of the trusted path functions Identification of user associated with all trusted path functions, if available FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: 1) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and 2) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [no other audit relevant information]. 5.2.2.2 External Audit Trail Storage (FAU_STG_EXT.1) Modified by TD066: Clarification of FAU_STG_EXT.1 Requirement in ESM PPs FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to [SQL Database]. FAU_STG_EXT.1.2 The TSF shall ensure that transmission of generated audit data to any external IT entity uses a trusted channel defined in FTP_ITC.1. FAU_STG_EXT.1.3 The TSF shall ensure that any TOE-internal storage of generated audit data: 1) protects the stored audit records in the TOE-internal audit trail from unauthorized deletion; and 2) prevents unauthorized modifications to the stored audit records in the TOE- internal audit trail. 5.2.3 Identification and Authentication (FIA) 5.2.3.1 User-Subject Binding (FIA_USB.1) FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [all user security attributes]. FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [ - Successful user authentication to the TOE associates that user’s application role to the subject to determine the extent to which TOE administration is permitted. Security Target Version 1.0 23 - Explicit mapping of user attributes associates identity and credential attributes with a user account based on values for those attributes that are directly assigned to the account by an administrator. - Implicit mapping of user attributes associates identity and credential attributes with a user account based on administrator-defined criteria, such that an explicit change to one attribute may automatically change a different attribute]. FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [changes to user attributes take place upon the next logon]. 5.2.4 Security Management (FMT) 5.2.4.1 Management of Functions Behavior (FMT_MOF.1) FMT_MOF.1.1 The TSF shall restrict the ability to [determine the behavior of, disable, enable, modify the behavior of] the functions: [list of functions in Table 4] to [role, permission, entitlement in Error! Reference source not found.]. Requirement Management Activities Role/Entitlement Operation ESM_EAU.2 Management of authentication data for both interactive users and authorized IT entities (if managed by the TSF) One Identity Manager administrator A TOE user with the change/set password permission and the Entitlement(s) for the particular external system and resource. See Application Note. All users can change their own passwords. Determine/modify the behavior of ESM_EID.2 Management of authentication data for both interactive users and authorized IT entities (if managed by the TSF) See ESM_EAU.2 Determine/modify the behavior of ESM_ICD.1 Definition of identity and credential data that can be associated with users (activate, suspend, revoke credential, etc.) One Identity Manager administrator A TOE user with the change data permission and the Entitlement(s) for the particular external Determine/Modify/ Enable, Disable the behavior of: Full control over establishment, removal etc... of enterprise users (maintained in the Security Target Version 1.0 24 Requirement Management Activities Role/Entitlement Operation system and resource. See Application Note. TOE and/or modified in external system) and their credentials including the ability to activate (or define a user), assign users to roles, and revoke roles, accounts, and entitlements. One Identity Manager administrators TOE users with permissions to change/set password policy: “insert” (create), “update” (change) or “delete” Enable, Disable, Modify the behavior of the password management function ESM_ICD.1 Management of credential status One Identity Manager administrator TOE users with permissions to manage identities Modify the behavior of ESM_ICD.1 Enrollment of users into repository One Identity Manager administrator TOE user with permissions to manage identities Determine the behavior of ESM_ICT.1 Configuration of circumstances in which transmission of identity and credential data is performed One Identity Manager administrator Determine/modify the behavior of Enable/Disable FAU_STG_EXT.1 Configuration of external audit storage location Performed during installation and set-up. The One Identity Manager administrator must configure the TLS secure channel. Enable, disable. FIA_USB.1 Definition of default subject security attributes, modification of subject security attributes See ESM_ICD.1 FMT_MOF.1 Management of sets of users that can interact with security functions One Identity Manager administrator Determine/modify the behavior of Security Target Version 1.0 25 Requirement Management Activities Role/Entitlement Operation FMT_SMR.1 Management of the users that belong to a particular role One Identity Manager administrator Determine/modify the behavior of FTP_ITC.1 Configuration of actions that require trusted channel (if applicable) One Identity Manager administrator TOE user with permissions to start synchronization editor and to create/edit schedule Enable/Disable FTP_TRP.1 Configuration of actions that require trusted path (if applicable) N/A- no configuration is necessary. Enable/Disable Table 4 TOE Management Functions Application Note: The required entitlement needed will depend on the external system account being managed. For example, in order to manage a user account in an external UNIX system, the entitlement required would be the account definitions entitlement for the specific target system (UNIX). 5.2.4.2 Management of TSF Data (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to [modify] the [password authentication data] to [TOE users]. 5.2.4.3 Specification of Management Functions (FMT_SMF.1) FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [list of functions in Table 4]. 5.2.4.4 Security Management Roles (FMT_SMR.1) FMT_SMR.1.1 The TSF shall maintain the roles [One Identity Manager administrator, TOE users, administrator-assigned application roles]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. 5.2.5 Protection of the TSF (FPT) 5.2.5.1 Protection of Stored Credentials (FPT_APW_EXT.1) FPT_APW_EXT.1.1 The TSF shall store credentials in non-plaintext form. FPT_APW_EXT.1.2 The TSF shall prevent the reading of plaintext credentials. 5.2.5.2Protection of Secret Key Parameters (FPT_SKP_EXT.1) FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys. Security Target Version 1.0 26 5.2.6 Trusted Path/Channels (FTP) 5.2.6.1 Trusted Channel (FTP_ITC.1) Modified by TD0245: Updates to FTP_ITC and FTP_TRP for ESM PPs. FTP_ITC.1.1 The TSF shall be capable of using [SSH, TLS, HTTPS] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: [audit server, authentication server, transfer of data between distributed TOE components, [transfer of policy data, database]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data. FTP_ITC.1.2 The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel. FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for transfer of policy data, [[audit data, user authentication, transfer of data between distributed TOE components]]. 5.2.6.2 Trusted Path (FTP_TRP.1) Modified by TD0245: Updates to FTP_ITC and FTP_TRP for ESM PPs. FTP_TRP.1.1 The TSF shall be capable of using [HTTPS] to provide a communication path between itself and remote users that is logically distinct from other communication channels and provides assured identifications of its end points and protection of the communicated data from modification, disclosure, and [no other types of integrity or confidentiality violations]. FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path. FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial user authentication and execution of management functions. 5.3 TOE Security Assurance Requirements The security assurance requirements for the TOE are included by reference from the [ESMICM]. Table 5: Assurance Components Requirement Class Requirement Component ADV: Development ADV_FSP.1 Basic functional specification AGD: Guidance documents AGD_OPE.1: Operational user guidance AGD_PRE.1: Preparative procedures ALC: Life-cycle support ALC_CMC.1 Labelling of the TOE ALC_CMS.1 TOE CM coverage ATE: Tests ATE_IND.1 Independent testing - conformance AVA: Vulnerability assessment AVA_VAN.1 Vulnerability survey Security Target Version 1.0 27 Consequently, the assurance activities specified in the [ESMICM] apply to the TOE evaluation. Security Target Version 1.0 28 6 TOE Summary Specification This chapter describes the security functions: • Enterprise security management • Security audit • Identification and authentication • Security management • Protection of the TSF • Trusted path/channels 6.1 Enterprise Security Management The TOE provides automated methods to read user accounts and permissions from target systems into the One Identity Manager database and to link this data to employees. The TOE provides the capability to define and manage user accounts and their permissions and provision modifications in the target systems. Employees are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between target systems and the One Identity Manager database. In this ST, target systems are also referred to as external systems. The external systems are synonymous with the terms “authorized ESM Products” and "other Enterprise Security Management products" as used in the ESMICM PP. See Sections 2.2.1 and 6.1.3 for the list of supported external systems. 6.1.1 ESM_EAU.2 / ESM_EID.2 The TOE requires each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that subject. The TOE uses an external Active Directory authentication server in the operational environment for user and administrator authentication. Username and password-based credentials are used for subject authentication. The TSF accepts the validity of an identity asserted by these authentication servers. 6.1.2 ESM_ICD.1 The TOE keeps track of users in a central SQL Server database as “identities”. During initial configuration Administrators define the relationships of how that identity data is populated using scripts. So for example, an administrator can configure it so that when a new user gets created in PeopleSoft, the TOE will take that data and create a new ‘identity’ and assign them their first name, last name, etc. Then another script could be configured to take that same data and create an AD account with it. The TOE keeps track of this data in the local SQL Server database. The TOE maintains the following security-relevant identity data: - Name - Employee ID - System role - Business role Security Target Version 1.0 29 - Application role - Organization data (department, cost center, location) The product may also maintain other user identity data, but it does not have security relevance with respect to the TSF. This includes data such as physical address and contact information. The TOE maintains the following security-relevant credential data: - Credential lifetime - Credential status (enabled, suspended, temporarily revoked, permanently revoked) - Password Note that while the TSF is responsible for maintenance of the password, password data is not stored persistently by the TOE. It is only stored in memory long enough to be transmitted to the environmental data store(s) in which it resides. The TOE’s role within an organization’s architecture is to maintain user identity and credential data in a single location so that changes to this data can be replicated to different organizational systems all at once, and so that changes to a user’s ability to access organizational resources across multiple systems can be initiated automatically when their associated attributes change. User identity data maintained by the TSF can be mapped to corresponding attributes in organizational systems. For example, the administrator may configure the TOE to associate the ‘name’ value with an Active Directory User class object so that a change to a user’s name updates the corresponding data in Active Directory. Credential changes work the same way. The TOE’s user password attribute may be mapped to corresponding password attributes on a variety of different environmental entities. When a user’s password is changed, the TSF will use its configured synchronization mappings to push the updated password to the relevant user records on the configured entities. For each attribute, an administrator may configure whether the ‘authoritative’ source of the attribute is the TOE or an external system. The TOE will periodically communicate with the external entities it is configured to synchronize with (see ESM_ICT.1 below) and will resolve data conflicts by ensuring that the value associated with the authoritative source is applied at both ends of the connection. This allows administrators to retain the use of legacy systems for managing certain user attributes if desired. New users may be created manually on the TOE, or enrolled from external sources using synchronization. For example, the TOE may be synchronized with the organization’s HR system such that new users are created on that system and then imported into the TOE through a mapping between TOE user attributes and attributes on the HR system. When a new user is created, the TSF automatically assigns that user a unique employee ID value. This value can then be used as a primary key across all environmental systems to associate all of that user’s various system and application accounts with their centrally-defined identity. In addition to replicating user identity data between different organizational systems, administrators may use the TOE to define conditional rules such that a change to one user attribute causes different changes to be made on external systems (also referred to as “resources”). For example, the organization may have a resource that only users with a certain role, department, or geographic location may access. The TSF may be configured in such a way that changing a user’s role or organization data attribute to a specific value will automatically trigger a synchronization event that creates a new account on that resource for that user. Likewise, it may be configured to remove the account if the user’s role or organization data attribute is changed to no longer be that value. This is typically configured based on changes to a user’s Security Target Version 1.0 30 system role or business role attributes. The logical access granted to resources is dependent on the type of external entity it is, and may include the following: • Target System account definitions (e.g. Unix system account) • Active Directory groups • SharePoint groups • Azure Active Directory groups • Azure Active Directory administrator roles • Azure Active Directory subscriptions • Disabled Azure Active Directory service plans • Azure Active Directory Module • Unix Groups Business roles are typically assigned to employees so they can obtain their company resources. System roles make it easier to assign company resources that are frequently required or that are always assigned together. For example, new employees in an auditor role may be provided, by default, with certain system entitlements for both Active Directory and for SharePoint. In order to avoid a lot of separate assignments, it is possible for the TOE administrator to group these company resources into a system role. System roles may be assigned directly to individual users, or they may be assigned indirectly through the same types of triggers as are defined above (e.g. assigning a user a given business role or organization data attribute may automatically trigger the assignment of one or more attached system roles). Changes to credential data may have a similar effect. For example, the TOE may be configured so that if a user’s credential status has been set to be suspended or revoked, the TSF may synchronize with the configured external entities to disable or delete all relevant external accounts for that user. Users also have an entitlement attribute, which is also known as an application role. This attribute determines the extent to which a user may manage the TSF. By default, a user has an unprivileged application role, which allows them to log in to the TOE to perform self-service of their own credential data (see FMT_MTD.1). The TOE provides the ability to query the status of an enterprise user’s credentials. This allows an administrator to determine whether a user is active or if they have been suspended, temporarily disabled, or permanently disabled, as well as when their credential is set to expire. An administrator may manually configure the expiration period of a user’s credential on a per-user basis. For example, if the organization establishes a 90-day lifetime for credentials but a given user has a known departure date that is sooner than 90 days, the administrator may specify a “last working day” value for them that supersedes the credential lifetime policy for that user. Once that day has been reached, the credential is automatically set into a permanently disabled status. The TOE also includes a ‘security incident’ option that allows an administrator to immediately suspend or revoke a user’s credential, which then deactivates all accounts that are mapped to their identity. The TOE provides the capability to ensure defined enterprise user credentials satisfy specified minimum strength rules, via Password Policies. Predefined password policies are supplied with the default installation and can be customized. Password policies can be created or modified by One Identity Manager administrators and TOE users with administrator permissions. Password Policies define and enforce the following: Security Target Version 1.0 31 • Password strength — Minimum password length and alphanumeric character requirements and restrictions (as specified in ESM_ICD.1.8 parts a-c). • Password history — The number of passwords that have been previously reset that cannot be used in a password reset (as specified in ESM_ICD.1.8 part d). 6.1.3 ESM_ICT.1 The TOE transmits subject identity and credential data to other compatible and authorized ESM external systems: • Active Directory • UNIX/Linux • Exchange 2010, 2013, 2016 • SharePoint 2010, 2013, 2016 • Azure AD • Exchange Online • SharePoint Online • Google G-Suite • LDAP (including AS/400, RACF, ACF2, Top Secret) The types of data transmitted to these external systems and the secure channel used to carry this data is shown in the table below: Table 6: External Systems, attributes, and secure channel Attributes Transmitted External System / ESM product Identity Data Credential Data Secure Channel Active Directory X X LDAPS (TLS) Unix/Linux X X SSH Exchange 2010, 2013, 2016 X HTTPS SharePoint 2010, 2013, 2016 X HTTPS Azure AD X X HTTPS Exchange Online X HTTPS SharePoint Online X HTTPS Google G-Suite X X HTTPS Mainframe (AS/400, RACF, ACF2, Top Secret) X X LDAPS (TLS) Security Target Version 1.0 32 LDAP X X LDAPS (TLS) All outbound transmissions are done immediately following creation or modification of data. Inbound communications of data is periodic, and depends on initial configuration of time period for each external system. The Synchronization Editor provides interfaces to configure the interval for consumption (e.g. daily, hourly, etc.). When the TOE receives data from an external system, it will reconcile all changes by updating any modified attributes where the external system is the authoritative source for that attribute and discarding any modifications of attributes that the TOE is the authoritative source for. 6.2 Security Audit The TOE generates logs for security relevant events including the events specified in ESMICM PP. The TOE sends the logs to an external (to the TOE) SQL database for storage. The database and reliable timestamps are provided by the operational environment. 6.2.1 FAU_GEN.1 The TOE generates log records for security relevant events as they occur. The events that can cause an audit record to be logged include the following auditable events defined in Table 3Error! Reference source not found.: • Startup and shutdown of the audit functions • All use of the authentication mechanism • Creation or modification of identity and credential data • Enrollment or modification of subject • All attempts to transmit information • Establishment and disestablishment of communications with audit server • All modifications of TSF function behavior • Use of the management functions • All use of trusted channel functions • All attempted uses of the trusted path functions Startup/shutdown of the audit function occurs when the product is started/stopped. Additionally, the establishment and disestablishment of communications with audit server occurs when the product is started/stopped. Establishing/disestablishing connectivity with the audit server is also logged in the form of logging changes to whether certain events are configured to be audited. Use of the authentication mechanism is logged in the DialogJournal table in the SQL Server database as “Login failed” and “Login succeeded” events. As this is the only use of the trusted path function, logging for this behavior is synonymous with logging trusted path usage. All manipulation of administrator, user, or configuration data that would occur as a result of executing the TOE’s management functions is logged in the DialogWatchOperation table in the SQL Server database. Within this table, the OperationType field identifies whether the data in question was created, modified, or removed, and the DisplayValue field identifies the data. Security Target Version 1.0 33 • Creation or modification of identity and credential data – if a new user is created, the DisplayValue will just show the name/ID of the user. If an existing user attribute is modified, the DisplayValue will show both the name/ID of the user and the modified attribute. • Enrollment or modification of subject – same as “creation or modification of identity and credential data.” • Establishment and disestablishment of communications with audit server – if an auditable event is enabled/disabled, the OperationType field will show a U for modification and the DisplayValue field will show the event that was affected by the change (e.g. “Common\Journal\LoginAudit”). This event is then tied to the DialogWatchProperty SQL table via a shared key, which includes the ContentShort field that flags whether the modification was to enable or disable logging for the event. • All modifications of TSF function behavior – the DisplayValue will show different information, depending on the function behavior being modified: o Creating or modifying users or any data associated with them will be logged as shown in “creation or modification of identity and credential data” above. o Creating or updating an application role will show the name of the role. o Assigning a user to an application role will show the name of the role and the username/ID of the user. o Configuring communications with an external entity will identify the type and name of the target system (e.g. “Active Directory Domain (DC=IAM,DC=CORP) - Active Directory Service (Root DN dc=IAM,dc=corp, Server iams01.iam.corp)”) • Use of the management functions – same as “all modifications of TSF function behavior” and “creation or modification of identity and credential data” When using the TOE to review this data, the TSF will automatically associate the data in the DialogWatchOperation and DialogWatchProperty SQL tables. If this data is exported beyond the SQL Server database, the primary key of the DialogWatchOperation table is the UID_DialogWatchOperation field, which is the foreign key for the DIalogWatchProperty table. Transmission of identity and credential data is logged in the DPRJournal, DPRJournalObject, and DPRJournalMessage tables. Specifically, the DPRJournal.UID_DPRProjectionConfig field identifies the external system data is being transmitted to/from and the type of transmission that is performed (e.g. “initial synchronization” for the first time connectivity is established with that system). The DPRJournalObject.ObjectDisplay field identifies the data that is transmitted as part of this operation. This also serves as a log for use of the trusted channel functions since synchronization operations require use of the trusted channel. When using the TOE to review this data, the TSF will automatically associate the data in the DPRJournal, DPRJournalObject, and DPRJournalMessage SQL tables. If this data is exported beyond the SQL Server database, the primary key of the DPRJournal table is the UID_DPRJournal field, which is the foreign key for both the DPRJournalObject and DPRJournalMessage fields. The logged audit records identify the date and time, the nature or type of the triggering event, an indication of the outcome of the event, and the identity of the user responsible for the event. The logged audit records also include event-specific content that includes at least all of the content required in Table 3. Security Target Version 1.0 34 6.2.2 FAU_STG_EXT.1 The TOE stores audit records in the operational environment in the Microsoft SQL Server 2017 database. The audit records can be accessed through the Web UI. Audit records sent to the database are transmitted over a TLS trusted channel. There is no concern with unavailability because if the database is unavailable, changes to the TSF or its data cannot be made. Therefore, there is no possibility a change is made but not logged. The storage of generated audit data is in the operational environment and therefore the TOE relies on the environment to protect the stored audit records from unauthorized deletion; and to prevent unauthorized modifications to the stored audit records in the audit trail. 6.3 Identification and Authentication The TOE associates roles, entitlements, and other user attributes with enterprise users. The TOE relies on the operational environment to authenticate users. 6.3.1 FIA_USB.1 The TOE provides user-subject binding in two situations. The first situation is binding of the administrator and TOE user to their assigned privileges in the object layer during initial authentication. If a user or administrator’s privileges are changed while they are logged in, the change won’t take effect until their next session. This applies both to their role (i.e. what functions they can perform) and scoping (i.e. what objects they can perform their allowed functions against). For the web service interface, the binding is made through generated tokens. The specific interfaces that can be accessed is derived from role and entitlement membership or by direct assignment to account. The second situation is binding of user ‘identities’ defined by the product to accounts on external systems. This is done through implicit or explicit mapping. For example, you can create a workflow that automatically creates a new AD account for a user (using scripts for example) if the product ingests a new user from the HR system. The new user would be created as an ‘identity’ (the subject) and its various accounts on external systems would be directly mapped to it. Rules can also exist to change some aspects of that identity if a specific change is detected on a specific external system. The “user” is the person (an enterprise user) in the organization who is authorized to perform activities in the organization, and the “subject” is the ‘identity’ that is defined for them in the TOE. The ‘binding’ is the notion that the subject attributes are used to go out and change the configurations of accounts that the user actually uses, which affects what they can do on the organizational systems. The “initial association” between user security attributes and subjects is the notion that you can script things to say that when a new identity is created, this will automatically trigger certain other accounts to be created based on the identity attributes that were filled out. Enterprise users (including those that have administrative privileges) are associated with all user security attributes during user subject binding. 6.4 Security Management The TOE provides the management functions identified in the ESMICM PP; maintains roles and restricts access to the functions. The management functions are restricted to the One Identity Manager administrator and to TOE users with delegated administrative permissions. Security Target Version 1.0 35 6.4.1 FMT_MOF.1 The TOE restricts the ability to determine the behavior of, disable, enable, and modify the behavior of the management functions as defined in Table 4. In order to manage enterprise user authentication data for another user, one must have been assigned the change/set password permission and the entitlement(s) for the particular external system and resource. All users can change their own passwords. A user with the change/data permission can manage the identity and credential data that can be associated with users (activate, suspend, revoke credential, etc.). Enrollment of users and management of credential status can be performed by users with permissions to manage identities. Other permissions include those to start synchronization editor and to create/edit schedule that control actions requiring the trusted channel. These management functions can also be performed by the One Identity Manager administrator. 6.4.2 FMT_MTD.1 The TOE provides a self-service option that allows users to change their own password attribute data. This is performed using the Password Reset Portal on the Web UI. The TOE uses Active Directory for user/administration authentication, so authentication data needed to access the TSF is stored there. Since the TOE uses TLS to communicate with the external Active Directory, this is used to protect any authentication data in transit (e.g. challenge/response and propagation of updated credential data initiated through a password change on the TOE). Depending on how the TOE is configured, the password attribute data may be transmitted to other external systems as well. In this case, protection of the credential data is the responsibility of the system that the data is transmitted to. Table 6 identifies the trusted channel that may be used to secure this data while it is in transit to the target system. 6.4.3 FMT_SMF.1 The TOE provides the management functions identified in Table 4. The “Configuration of circumstances in which transmission of identity and credential data is performed” function is performed during initial configuration of the TOE in Synchronization Editor, both in terms of establishing the connection to the external systems and configuring the communications interval. The “Management of sets of users that can interact with security functions” function is performed using Manager, as is management of password policies (a subset of “Definition of identity and credential data that can be associated with users”). 6.4.4 FMT_SMR.1 The TOE maintains the roles of One Identity Manager administrator and TOE user. Users with the One Identity Manager administrator role have full permissions to create new users, permissions and roles and manage identities. This user has full administrative capabilities to manage the TOE including creating custom role and permissions and associating users with them. Users with the One Identity Manager administrator role can create new roles with different levels of permissions and then assign these roles to TOE users for delegated administration. However, a TOE user doesn’t have to have admin permissions, they can be just an organizational user who uses the TOE solely to reset their own password. Security Target Version 1.0 36 Although the TOE provides pre-defined roles that can be assigned to users, typically administrators of the TOE define their own custom permissions and roles rather than use the predefined ones. Therefore the evaluation focusses on the permissions and entitlements a user must have in order to perform a specific management function. Permissions and entitlements are described in Section 6.1.2. TOE users become administrators through association of Application Roles with their user identities. Application Roles determine the management functions that are authorized. Permission Groups (permissions) define the actions that may be performed and are assigned to Application Roles. Entitlements determine the external targets that the assigned Application Roles can be applied to. For example, an administrator may be assigned an Application Role that allows them to manage user passwords, but if they lack entitlement to interact with Active Directory, an attempted user password change that is pushed to Active Directory will not succeed. 6.5 Protection of the TSF Credentials/keys used by the TOE are stored in the operational environment. The TOE does not offer any interfaces to view the credentials/keys. 6.5.1 FPT_APW_EXT.1 There is no persistent storage of passwords on the TOE. Administrator and user accounts with passwords are defined on external systems. When a user sets a password on the TOE, the password temporarily exists inside the One Identity Manager until it gets pushed to the relevant external systems. The password is generated or received by the object layer, and then encrypted. Encryption is performed by the Microsoft Windows Cryptographic Primitives Library bcryptprimitives.dll and the private key is stored in the Windows key store in the operational environment. For the purpose of writing a password to the target system there is a very small period of time where the decrypted value must be in memory. However at no time is a password written to a temporary file or swapped out to a region in plain text and therefore no passwords could be discovered by examination of TOE memory through normal methods. The workflow for password creation is as follows: 1. Password generated/entered in object layer 2. Pull public key from database 3. Encrypt password with public key and send to database 4. Database puts in job queue 5. Job service pulls from queue and decrypts the password with the stored private key 6. From there, the password data is transmitted to the external system. The database in the workflow process above is a SQL server database shown in Figure 1 and is in the TOE’s operational environment. 6.5.2 FPT_SKP_EXT.1 An administrator is unable to read or view any keys (stored or ephemeral) through “normal” interfaces as there are no interfaces to view key data. The TOE stores a private key for password decryption in the Windows key store in the operational environment. Certificates and their associated private keys are stored in the Windows Certificate Store. Windows stores private keys encrypted using RSA. All key management is the responsibility of the environmental cryptographic components that the product relies on. Security Target Version 1.0 37 6.6 Trusted Path/Channels The TOE provides trusted communication channels using TLS for communication with authentication servers, the audit server and TLS/SSH for transfer of policy data. The TOE provides trusted communication paths using Web UI/Web Service for remote administrators using HTTPS, which is enforced by IIS. 6.6.1 FTP_ITC.1 The TOE provides trusted communication channels using TLS v1.1, and TLS v1.2 for the following connections: • External authentication of users and administrators (AD) • Transfer of policy data (collection and provisioning) • Transfer of audit records (SQL database) The mainframe (AS/400, RACF, ACF2, Top Secret), LDAP, and Active Directory connectors use LDAPS, which establishes a TLS connection between the TOE and these types of external systems before any LDAP messages are transferred. The TOE provides trusted communication channels between the TOE and UNIX-based systems using SSH for transfer of policy data. The TOE uses SSHBlackbox for this connection. SSHBlackbox invokes OS cryptographic libraries for underlying cryptographic functions. Table 6 lists the environmental trusted channels invoked by the TOE for each type of external system connection. When the web UI, web service, and job service (with connectors) components are in a distributed architecture, the TOE provides trusted communication channels using HTTPS (HTTP over TLS). TLS v1.1, and TLS v1.2 are supported. The TOE permits the TSF to initiate communication via the trusted channel. Microsoft Windows Cryptographic Primitives Library bcryptprimitives.dll (CMVP2937) and cng.sys (CMVP2936) is used for all TLS, SSH, and HTTPS connections. 6.6.2 FTP_TRP.1 The TOE provides trusted communication paths using HTTPS for remote administrators accessing the Web UI. The TOE requires all users to initiate communication via the trusted path for initial user authentication, and execution of management functions. Microsoft Windows Cryptographic Primitives Library (bcryptprimitives.dll (CMVP2937) and cng.sys (CMVP2936)) is used for the HTTPS connection (i.e. HTTP over TLS). Security Target Version 1.0 38 7 Protection Profile Claims This ST is conformant to the Standard Protection Profile for Enterprise Security Management Identity and Credential Management, Version 2.1, October 24, 2013 and including the following optional SFRs: FMT_MTD.1. As explained in Section 0, Security Target Version 1.0 39 Security Problem Definition, the Security Problem Definition of the [ESMICM] has been copied verbatim into this ST. As explained in Section 4, Security Objectives, the Security Objectives of the [ESMICM] excluding O.BANNER and including the optional objectives: OE.CRYPTO, OE.ROBUST, OE.SYSTIME have been copied verbatim into this ST. The following table identifies all the Security Functional Requirements (SFRs) in this ST. Each SFR is drawn from the [ESMICM]. The only operations performed on the SFRs drawn from the [ESMICM] are assignment and selection operations. Table 7. SFR Protection Profile Sources Requirement Class Requirement Component Source ESM: Enterprise Security Management ESM_EAU.2: Reliance on Enterprise Authentication ESMICM ESM_EID.2: Reliance on Enterprise Identification ESMICM ESM_ICD.1: Identity and Credential Definition ESMICM ESM_ICT.1: Identity and Credential Transmission ESMICM FAU: Security audit FAU_GEN.1: Audit Data Generation ESMICM FAU_STG_EXT.1: External Audit Trail Storage ESMICM FIA: Identification and authentication FIA_USB.1: User-Subject Binding ESMICM FMT: Security management FMT_MOF.1: Management of Functions Behavior ESMICM FMT_MTD.1: Management of TSF Data ESMICM FMT_SMF.1: Specification of Management Functions ESMICM FMT_SMR.1: Security Management Roles ESMICM FPT: Protection of the TSF FPT_APW_EXT.1: Protection of Stored Credentials ESMICM FPT_SKP_EXT.1: Protection of Secret Key Parameters ESMICM FTP: Trusted path/channels FTP_ITC.1: Inter-TSF Trusted Channel ESMICM FTP_TRP.1: Trusted Path ESMICM Security Target Version 1.0 40 8 Rationale This security target includes by reference the [ESMICM] Security Problem Definition, Security Objectives (including the optional objective: OE.CRYPTO, OE.ROBUST, OE.SYSTIME and excluding O.BANNER), and Security Assurance Requirements. The security target makes no additions to the [ESMICM] assumptions. [ESMICM] security functional requirements have been reproduced with the Protection Profile operations completed. Operations on the security requirements follow [ESMICM] application notes and assurance activities. Consequently, [ESMICM] rationale applies but is incomplete. The TOE Summary Specification rationale below serves to complete the rationale required for the security target. 8.1 TOE Summary Specification Rationale Each subsection in Section 6, the TOE Summary Specification, describes a security function of the TOE. Each description is followed with rationale that indicates which requirements are satisfied by aspects of the corresponding security function. The set of security functions work together to satisfy all of the security functions and assurance requirements. Furthermore, all of the security functions are necessary in order for the TSF to provide the required security functionality. This Section in conjunction with Section 6, the TOE Summary Specification, provides evidence that the security functions are suitable to meet the TOE security requirements. The collection of security functions work together to provide all of the security requirements. The security functions described in the TOE summary specification are all necessary for the required security functionality in the TSF. Table 8: Security Functions vs. Requirements Mapping demonstrates the relationship between security requirements and security functions. Table 8: Security Functions vs. Requirements Mapping Enterprise security management Security audit Identification and authentication Security management Protection of the TSF Trusted path/channels ESM_EAU.2 X ESM_EID.2 X ESM_ICD.1 X ESM_ICT.1 X FAU_GEN.1 X FAU_STG_EXT.1 X FIA_USB.1 X FMT_MOF.1 X Security Target Version 1.0 41 Enterprise security management Security audit Identification and authentication Security management Protection of the TSF Trusted path/channels FMT_MTD.1 X FMT_SMF.1 X FMT_SMR.1 X FPT_APW_EXT.1 X FPT_SKP_EXT.1 X FTP_ITC.1 X FTP_TRP.1 X