Identity And Credential Management PP - Oracle


Standard Protection Profile for Enterprise Security Management Identity and Credential Management
October 24, 2013
Version 2.1

Document History

Version  Date                               Comment
1.0      July 13, 2011                      First complete version
1.1      May 22, 2012                       Update to bring in line with ESM Access Control and Policy Management PPs.
1.2      July 9, 2012 – August 8, 2012      Updated to address comments received on v1.1, as well as comments from CA, Tom Benkhart, and the ESM Telecon
1.3      August 8, 2012 – August 10, 2012   Detailed changes from ESM Telecon. Resolution of final issue regarding credential update
1.4      August 31, 2012                    Final version – all changes accepted
1.5      June 13, 2013                      Changes made based on consistency with ESM Authentication Server PP scope and formatting, ESM Technical Community feedback, and CCEVS input on cryptography.
2.1      October 24, 2013                   Version updated to 2.1 to be consistent with Access Control Protection Profile

Table of Contents

1 Protection Profile (PP) Introduction .... 9
1.1 Introduction .... 9
1.2 ESM Protection Profile Suite Overview .... 9
1.3 Overview of the ESM Identity and Credential Management Protection Profile .... 12
1.4 Compliant Targets of Evaluation .... 14
1.5 Common Capabilities .... 15
1.6 Related Protection Profiles .... 15
1.7 Claiming Multiple Protection Profiles .... 16
1.8 Document Organization .... 18
2 Conformance Claims .... 20
2.1 CC Conformance Claims .... 20
2.2 PP Conformance Claim .... 20
2.3 Package Conformance Claim .... 20
2.4 ST Conformance Requirements .... 20
3 Threats .... 22
3.1 Administrator Error .... 22
3.2 Credential, Identity, and ESM Data Disclosure .... 22
3.3 Unauthorized Access to TOE Functions .... 22
3.4 False TOE Assurance .... 23
3.5 False Identity and Credential Mappings .... 23
3.6 Hidden Actions .... 23
3.7 Insufficient Attributes .... 24
3.8 Weak Authentication Functions .... 24
3.9 Insufficient Protection of Credentials .... 24
4 Security Objectives .... 25

4.1 ESM Component Validation .... 25
4.2 System Monitoring .... 25
4.3 Robust TOE Access .... 26
4.4 Confidential Communications .... 26
4.5 Protected Credentials .... 27
4.6 Identity Definition .... 27
4.7 Guaranteed Integrity .... 27
4.8 Authorized Management .... 28
4.9 Access Bannering .... 28
4.10 Cryptographic Services .... 28
5 Extended Components Definition .... 29
5.1 Class ESM: Enterprise Security Management .... 29
5.1.1 ESM_ATD Attribute Definition .... 29
5.1.2 ESM_EAU Enterprise Authentication .... 31
5.1.3 ESM_EID Enterprise Identification .... 33
5.1.4 ESM_ICD Identity and Credential Definition .... 34
5.1.5 ESM_ICT Identity and Credential Transmission .... 38
5.2 Class FAU: Security Audit .... 39
5.2.1 FAU_STG_EXT.1 External Audit Trail Storage .... 39
5.3 Class FCS: Cryptographic Support .... 41
5.3.1 FCS_CKM_EXT.4 Cryptographic Key Zeroization .... 41
5.3.2 FCS_HTTPS_EXT HTTPS .... 41
5.3.3 FCS_IPSEC_EXT IPsec .... 42
5.3.4 FCS_RBG_EXT Random Bit Generation .... 46
5.3.5 FCS_SSH_EXT SSH .... 47
5.3.6 FCS_TLS_EXT TLS .... 49
5.4 Class FPT: Protection of the TSF .... 51
5.4.1 FPT_APW_EXT Protection of Stored Credentials .... 51
5.4.1 FPT_SKP_EXT Protection of Secret Key Parameters .... 52
5.5 Class FTA: TOE Access .... 53

5.5.1 FTA_SSL_EXT.1 TSF-initiated Session Locking .... 53
6 Security Requirements .... 54
6.1 Security Functional Requirements .... 54
6.1.1 PP Application Notes .... 56
6.1.2 Class ESM: Enterprise Security Management .... 57
6.1.3 Security Audit (FAU) .... 64
6.1.4 Cryptographic Support (FCS) .... 69
6.1.5 Identification and Authentication (FIA) .... 70
6.1.6 Security Management (FMT) .... 71
6.1.7 Protection of the TSF .... 75
6.1.8 TOE Access (FTA) .... 77
6.1.9 Trusted Paths/Channels (FTP) .... 77
6.1.10 Unfulfilled Dependencies .... 80
6.2 Security Assurance Requirements .... 81
6.2.1 Class ADV: Development .... 82
6.2.2 Class AGD: Guidance Documentation .... 84
6.2.3 Class ALC: Life Cycle Support .... 87
6.2.4 Class ATE: Tests .... 89
6.2.5 Class AVA: Vulnerability Assessment .... 90
6.3 Rationale for Security Assurance Requirements .... 92
7 Security Problem Definition Rationale .... 93
8 Security Problem Definition .... 104
8.1 Assumptions .... 104
8.1.1 Connectivity Assumptions .... 104
8.1.2 Physical Assumptions .... 104
8.1.3 Personnel Assumptions .... 104
8.2 Threats .... 105
8.3 Organizational Security Policies .... 105
8.4 Security Objectives .... 106
8.4.1 Security Objectives for the TOE .... 106

8.4.2 Security Objectives for the Operational Environment .... 107
Appendix A - Supporting Tables and References .... 108
A.1 References .... 108
A.2 Acronyms .... 110
Appendix B - NIST SP 800-53/CNSS 1253 Mapping .... 112
Appendix C - Architectural Variations and Additional Requirements .... 117
C.1 Object Attribute Data .... 117
C.1.1 ESM_ATD.1 Object Attribute Definition .... 117
C.2 Password Policy Definition .... 118
C.2.1 FIA_SOS.1 Verification of Secrets .... 118
C.3 Selectable Auditing .... 121
C.3.1 FAU_SEL.1 Selective Audit .... 121
C.4 Session Management .... 122
C.4.1 FTA_SSL_EXT.1 TSF-initiated Session Locking .... 122
C.4.2 FTA_SSL.3 TSF-initiated Termination .... 123
C.4.3 FTA_SSL.4 User-initiated Termination .... 124
C.5 Management of Environmental Authentication Data .... 124
C.5.1 FMT_MTD.1 Management of TSF Data .... 125
C.6 Timestamps .... 126
C.6.1 FPT_STM.1 Reliable Time Stamps .... 126
C.7 Authentication Policy Definition .... 126
C.7.1 FIA_AFL.1 Authentication Failure Handling .... 127
C.7.2 FTA_TSE.1 TOE Session Establishment .... 127
C.8 Cryptographic Functional Requirements .... 128
C.8.1 FCS_CKM.1 Cryptographic Key Generation (for Asymmetric Keys) .... 129
C.8.2 FCS_CKM_EXT.4 Cryptographic Key Zeroization .... 131
C.8.3 FCS ecryption) .... 132
C.8.4 FCS_COP.1(2) Cryptographic Operation (for Cryptographic Signature) .... 133
C.8.5 FCS_COP.1(3) Cryptographic Operation (for Cryptographic Hashing) .... 134

C.8.6 FCS_COP.1(4) Cryptographic Operation (for Keyed-Hash Message Authentication) .... 135
C.8.7 FCS_HTTPS_EXT.1 HTTPS .... 137
C.8.8 FCS_IPSEC_EXT.1 IPsec .... 138
C.8.9 FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation) .... 143
C.8.10 FCS_SSH_EXT.1 SSH .... 147
C.8.11 FCS_TLS_EXT.1 TLS .... 151
C.9 Entropy Documentation and Assessment .... 153
Appendix D - Document Conventions .... 155
D.1 Operations .... 155
D.2 Extended Requirement Convention .... 155
D.3 Application Notes .... 156
D.4 Assurance Activities .... 156
Appendix E - Glossary of Terms .... 157
Appendix F - Identification .... 158

List of Figures

Figure 1. Context for Protection Profile .... 14

List of Tables

Table 1. Summary of the ESM Protection Profile Suite .... 11
Table 2. TOE Functional Components .... 55
Table 3. Auditable Events .... 65
Table 4. TOE Management Functions .... 72
Table 5. TOE Security Assurance Requirements .... 82
Table 6. Assumptions, Environmental Objectives, and Rationale .... 93
Table 7. Policies, Threats, Objectives, and Rationale .... 95
Table 8. Connectivity Assumptions .... 104
Table 9. Personnel Assumptions .... 104
Table 10. Threats .... 105
Table 11. Organizational Security Policies .... 105
Table 12. Security Objectives for the TOE .... 106
Table 13. Security Objectives for the Operational Environment .... 107
Table 14. Acronyms and Definitions .... 110
Table 15. NIST 800-53 Requirements Compatibility .... 112
Table 16. Terms and Definitions .... 157

1 Protection Profile (PP) Introduction

1.1 Introduction

This section contains document management and overview information necessary to allow a Protection Profile (PP) to be registered through a Protection Profile Registry. The identification provides the labeling and descriptive information necessary to identify, catalogue, register, and cross-reference a PP. The overview summarizes the profile in narrative form and provides sufficient information for a potential user to determine whether the PP is of interest. The formal identification of the profile may be found in Appendix F - Identification.

1.2 ESM Protection Profile Suite Overview

Enterprise Security Management (ESM) refers to a suite of product/product components [1] used to provide centralized management of a set of IT assets within an organization. [2]

In the current ESM Protection Profile suite, profiles are defined that permit the definition of the following types of enterprise policies:

- Access Control Policies: Policies that authorize or deny specific actions of defined subjects (actors) against defined objects (IT assets or resources).
- Identity and Credential Policies: Policies that define and maintain attributes used for subject identification, authentication, authorization, and accountability.
- Object Attribute Policies: Policies that define and maintain attributes used for objects.
- Authentication Policies: Policies that define the circumstances under which users can authenticate to enterprise systems.
- Secure Configuration Policies: Policies that define baseline configurations for IT assets.
- Audit Policies: Policies that define how audit data is collected, aggregated, reported, and maintained across the enterprise.

The ESM product/product components that consume and enforce the various policies provide the following types of security:

- Preventative: Actions performed against IT assets are prohibited if found to be a violation of an enterprise-defined central policy.
- Detective: The behavior of users and IT assets is audited and aggregated so that patterns of insecure, malicious, or otherwise inappropriate behavior across the enterprise can be detected.
- Reactive: IT assets are compared to a secure organizationally-defined central definition, and action is taken if discrepancies are identified.

There are three types of ESM capabilities. The first type, policy definition, is used to define a central organizational policy that will be used to govern the behavior of a set of IT assets. This is shown by the following examples:

- A Secure Configuration Management product may define a policy that governs the acceptable set of software assets that reside on a system or the configuration of one or more of that system's applications.
- A Policy Management product may define the operations that are and are not allowed against a specific system based on the subject requesting the operation and the object the request acts upon.

The second type, policy consumption, acquires a defined policy, stores it, and enforces it in a persistent manner. This is shown by the following examples:

- An Access Control product that resides on a system may receive a defined access control policy from Policy Management. It will then store it and persistently ensure that all subjects abide by it until instructed otherwise.
- An Access Control product that enforces data loss prevention access control on a system may receive a defined object attribute policy from Policy Management that associates certain types of objects with defined sensitivity levels. It will store this policy and will persistently block objects from leaving the system based on the sensitivity attributes assigned to the objects.

The third type, policy enforcement, acts upon a policy that is defined elsewhere as a result of a query to or command from the source of that policy. This is shown by the following examples:

- An administrator attempts to log in to a Policy Management product to manage it. Their authentication request is submitted to an Authentication Server which applies a defined authentication policy to determine if the request should be authorized. The Policy Management product then enforces the Authentication Server's decision and allows or rejects access accordingly.
- A Secure Configuration Management product defines a policy to ensure that software deployed in the environment is up-to-date. An Access Control product is found to be an older version. The Secure Configuration Management product issues an instruction to the Access Control product to apply a patch. The secure configuration policy is subsequently enforced by the Access Control product acting on this instruction.

These three types of ESM capabilities are represented in the overall suite of ESM Protection Profiles.

The ESM PP Suite consists of 6 Protection Profiles that may be characterized as follows (Table 1):

Table 1. Summary of the ESM Protection Profile Suite
Protection Profiles (rows): ESM Access Control Protection Profile; ESM Policy Management Protection Profile; ESM Identity and Credential Management Protection Profile; ESM Authentication Server Protection Profile; ESM Audit Server Protection Profile; ESM Secure Configuration Management Protection Profile.
Policies (columns): Access Control Policy; Identity and Credential Policy; Object Attribute Policy; Authentication Policy; Secure Configuration Policy; Audit Policy.
Legend: C = Consume and Enforce; D = Define; E = Enforce.

Notes:
1) The audit policy is consumed as the TOE determines what events to audit. Alternatively, a de facto audit policy may be defined solely within an Audit Server TOE through it discarding an administratively-defined subset of the collected data.
2) Object attributes are defined either in the Identity and Credential Management PP or the Policy Management PP, but not both.
3) The authentication policy is enforced in the sense that the authentication server may mediate authentication requests to the TOE.
4) Specifically, it is conceivable that an authentication server may define a strength of secrets policy.
5) Specifically, the Policy Management TOE may define the access-control events audited by an Access Control TOE.

[1] Note: In a technical sense, the term "product" is inaccurate, but other terms (such as "system") are equally poor and overloaded. The various "products" within an ESM "system" may be distinct products, or they may simply be subproducts or functional capabilities within a larger product described in the ST. The use of the term "product" is solely because Security Targets describe products, as opposed to systems (which are integrated collections of products designed for a specific mission), and thus a PP typically describes a product (or a component of a product) in a manner independent from a specific vendor's implementation.
[2] In ESM usage, the term "enterprise" is often used instead of "organization", reflecting the fact that the overall enterprise might cross organizational boundaries.

1.3 Overview of the ESM Identity and Credential Management Protection Profile

This protection profile focuses on the aspect of ESM that is responsible for enforcing identity and credential management. Identity and Credential Management products will generate and issue credentials for subjects that reside within the enterprise. They will also maintain the organizational attributes that are associated with these subjects. By providing a means for subjects to validate their identities and determining the relationship these subjects have to the enterprise, an Identity and Credential Management product is able to support enterprise accountability and access control.

The establishment of unique, unambiguous identities is an important foundational capability that enables issuance and management of credentials and authorization attributes. The notion of identity refers to the unique identifier assigned to an individual against which credential and attribute data can be associated.

In order for an individual to be identified as a user within the ESM system, they must be enrolled. Enrollment refers to the act of assigning a unique identifier to a subject, generating and issuing credentials, defining attributes for a user, and propagating that data to any repositories that use it. It is necessary for the TSF to be able to securely transmit this data to those components.

TOEs compliant with this PP are expected to exhibit the following behavior:

- Provisioning of subjects (enroll new subjects to an organizational repository, associate and disassociate subjects with organizationally-defined attributes)
- Issue and maintain credentials associated with user identities
- Publish and change credential status (such as active, suspended, or terminated)
- Establish appropriate trusted channels between itself and compatible Policy Management and Authentication Server ESM products
- Generate an audit trail of configuration changes and subject identification and authentication activities
- Write audit trail data to a trusted repository
- Securely transmit identity and credential attribute data via a trusted channel
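As an added illustration, not part of the PP text, the following Python model ties together the behaviours listed above: enrollment under a unique identifier, credentials retained only as salted hashes, the credential status lifecycle (active, suspended, terminated) and an audit record for every change, including refused ones. The class and function names, the transition rules (terminated is treated as final), the PBKDF2 parameters and the shape of the propagated attribute record are all assumptions made for this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Statuses named by the PP; the transition table is an assumption (terminated is final).
ACTIVE, SUSPENDED, TERMINATED = "active", "suspended", "terminated"
TRANSITIONS = {ACTIVE: {SUSPENDED, TERMINATED}, SUSPENDED: {ACTIVE, TERMINATED}, TERMINATED: set()}

def _digest(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 20_000)  # salted, iterated; plaintext never kept

@dataclass
class Subject:
    attributes: dict
    salt: bytes
    credential_digest: bytes
    status: str = ACTIVE

class IdentityStore:
    def __init__(self):
        self.subjects = {}   # identity -> Subject; the key is the unique identifier
        self.audit = []      # (event, identity, detail) tuples, oldest first

    def enroll(self, identity: str, attributes: dict) -> bytes:
        # Enrollment: assign a unique identifier, issue a credential, record attributes.
        if identity in self.subjects:
            self.audit.append(("enroll_rejected", identity, "duplicate identity"))
            raise ValueError("identity already enrolled")
        secret, salt = os.urandom(16), os.urandom(16)
        self.subjects[identity] = Subject(dict(attributes), salt, _digest(secret, salt))
        self.audit.append(("enroll", identity, sorted(attributes)))
        return secret   # handed to the subject once; only its digest is retained

    def set_status(self, identity: str, new_status: str, admin: str) -> None:
        # Publish a credential status change; illegal transitions are refused and audited.
        s = self.subjects[identity]
        detail = f"{s.status}->{new_status} by {admin}"
        if new_status not in TRANSITIONS[s.status]:
            self.audit.append(("status_rejected", identity, detail))
            raise ValueError("illegal transition: " + detail)
        s.status = new_status
        self.audit.append(("status", identity, detail))

    def authenticate(self, identity: str, secret: bytes) -> bool:
        # Only an active subject presenting the matching credential succeeds; every attempt is audited.
        s = self.subjects.get(identity)
        ok = (s is not None and s.status == ACTIVE
              and hmac.compare_digest(_digest(secret, s.salt), s.credential_digest))
        self.audit.append(("auth", identity, "success" if ok else "failure"))
        return ok

    def attribute_record(self, identity: str) -> dict:
        # Data propagated to other ESM components: identity, attributes, status; no credential material.
        s = self.subjects[identity]
        return {"identity": identity, "attributes": dict(s.attributes), "status": s.status}
```

The audit list is what a compliant TOE would write to its trusted repository; the attribute record is what it would send over the trusted channel to Policy Management or an Authentication Server.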

While this PP defines the capabilities of the TOE as if they belong to a standalone product, some or all of these capabilities may belong to an ESM Policy Management (PM) product as well. If an ST is written that claims conformance to this PP, the distribution of these capabilities must be clearly delineated.

Note that this is one of many Protection Profiles in the ESM PP family. This PP is meant to be used for one component in an ESM system and not to work in isolation. At minimum, at least one compatible Authentication Server product must be identified. Compatibility is defined by the ability of that product to authenticate identities and credentials that are defined by the TOE. Depending on how access control is implemented in the organization, ESM PP solutions for policy management, access control, and auditing may need to be implemented as well. If any of these components are expected to be deployed against an organizational baseline, a secure configuration management solution may also need to be deployed. A customer could seriously compromise the overall security of the enterprise architecture if they were to deploy a solution without using all applicable ESM PP evaluated products.

Figure 1 illustrates, at a basic level, the context in which the TOE is expected to be deployed. The TOE resides on a system and provides an interface to one or more
