DOCSLIB.ORG

Cohesity Dataplatform & Dataprotect Version 6.3.1E Security Target

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cohesity Dataplatform & Dataprotect Version 6.3.1E Security Target Cohesity DataPlatform & DataProtect Version 6.3.1e Security Target Version 1.3 7 May 2020 Prepared for: 300 Park Ave Suite 1700 San Jose, CA 95110 Prepared By: Accredited Testing and Evaluation Labs 6841 Benjamin Franklin Drive Columbia, MD 21046 TABLE OF CONTENTS 1. INTRODUCTION ........................................................................................................................................... 1 1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION...................................................................................... 1 1.2 CONFORMANCE CLAIMS ............................................................................................................................. 1 1.3 CONVENTIONS ........................................................................................................................................... 1 1.4 ABBREVIATIONS AND ACRONYMS ............................................................................................................... 2 2. TOE DESCRIPTION ...................................................................................................................................... 4 2.1 OVERVIEW ................................................................................................................................................. 4 2.2 ARCHITECTURE .......................................................................................................................................... 4 2.3 PHYSICAL BOUNDARIES ............................................................................................................................. 6 2.3.1 Physical TOE Components ................................................................................................................. 6 2.3.2 Operational Environment Components ............................................................................................... 6 2.3.3 Excluded from the TOE ...................................................................................................................... 7 2.4 LOGICAL BOUNDARIES ............................................................................................................................... 7 2.4.1 Security Audit .................................................................................................................................... 7 2.4.2 Cryptographic Support....................................................................................................................... 8 2.4.3 User Data Protection ......................................................................................................................... 8 2.4.4 Identification & Authentication .......................................................................................................... 8 2.4.5 Security Management ......................................................................................................................... 8 2.4.6 Protection of the TSF ......................................................................................................................... 9 2.4.7 Resource Utilization........................................................................................................................... 9 2.4.8 Trusted Path/Channels ....................................................................................................................... 9 2.5 CAPABILITIES PROVIDED BY THE OPERATIONAL ENVIRONMENT .................................................................. 9 2.6 TOE DOCUMENTATION .............................................................................................................................. 9 3. SECURITY PROBLEM DEFINITION ....................................................................................................... 10 3.1 ASSUMPTIONS .......................................................................................................................................... 10 3.2 THREATS ................................................................................................................................................. 10 4. SECURITY OBJECTIVES .......................................................................................................................... 11 4.1 SECURITY OBJECTIVES FOR THE TOE........................................................................................................ 11 4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT .................................................................. 11 5. IT SECURITY REQUIREMENTS .............................................................................................................. 12 5.1 EXTENDED COMPONENTS DEFINITION ...................................................................................................... 12 5.1.1 Cryptographic Support (FCS) .......................................................................................................... 12 5.1.2 User Data Protection (FDP) ............................................................................................................ 14 5.1.3 Protection of the TSF (FPT) ............................................................................................................. 15 5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS ........................................................................................... 16 5.2.1 Security Audit (FAU) ....................................................................................................................... 17 5.2.2 Cryptographic Support (FCS) .......................................................................................................... 18 5.2.3 User Data Protection (FDP) ............................................................................................................ 19 5.2.4 Identification and Authentication (FIA) ............................................................................................ 20 5.2.5 Security Management (FMT) ............................................................................................................ 21 5.2.6 Protection of the TSF (FPT) ............................................................................................................. 22 5.2.7 Resource Utilization (FRU) .............................................................................................................. 22 5.2.8 Trusted Path/Channels (FTP)........................................................................................................... 22 5.3 TOE SECURITY ASSURANCE REQUIREMENTS ............................................................................................ 22 5.3.1 Development (ADV) ......................................................................................................................... 23 5.3.2 Guidance Documents (AGD) ............................................................................................................ 24 5.3.3 Life-cycle Support (ALC).................................................................................................................. 25 5.3.4 Security Target Evaluation (ASE) ..................................................................................................... 26 Page i of ii 5.3.5 Tests (ATE) ...................................................................................................................................... 28 5.3.6 Vulnerability Assessment (AVA) ....................................................................................................... 29 6. TOE SUMMARY SPECIFICATION ........................................................................................................... 30 6.1 SECURITY AUDIT ..................................................................................................................................... 30 6.2 CRYPTOGRAPHIC SUPPORT ....................................................................................................................... 31 6.3 USER DATA PROTECTION ......................................................................................................................... 32 6.4 IDENTIFICATION AND AUTHENTICATION ................................................................................................... 35 6.5 SECURITY MANAGEMENT ......................................................................................................................... 36 6.6 PROTECTION OF THE TSF.......................................................................................................................... 38 6.7 RESOURCE UTILIZATION........................................................................................................................... 39 6.8 TRUSTED PATH/CHANNELS ...................................................................................................................... 39 7. RATIONALE ................................................................................................................................................ 41 7.1 SECURITY OBJECTIVES RATIONALE .......................................................................................................... 41 7.2 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE ................................................................................ 44 7.3 SECURITY ASSURANCE REQUIREMENTS RATIONALE.................................................................................. 48 7.4 REQUIREMENT DEPENDENCY RATIONALE ................................................................................................
Load more

Recommended publications
  • Altavault 4.4 Administration Guide
    Beta Draft NetApp® AltaVault™ Cloud Integrated Storage 4.4 Administration Guide NetApp, Inc. Telephone: +1 (408) 822-6000 Part number: 215-12478_A0 495 East Java Drive Fax: + 1 (408) 822-4501 November 2017 Sunnyvale, CA 94089 Support telephone: +1(888) 463-8277 U.S. Web: www.netapp.com Feedback: [email protected] Beta Draft Contents Beta Draft Contents Chapter 1 - Introduction of NetApp AltaVault Cloud Integrated Storage ............................................ 11 Overview of AltaVault....................................................................................................................................11 Supported backup applications and cloud destinations...........................................................................11 AutoSupport ............................................................................................................................................11 System requirements and specifications.........................................................................................................11 Documentation and release notes ...................................................................................................................12 Chapter 2 - Deploying the AltaVault appliance ......................................................................................13 Deployment guidelines ...................................................................................................................................13 Basic configuration.........................................................................................................................................15
    [Show full text]
  • The Parallel File System Lustre
    The parallel file system Lustre Roland Laifer STEINBUCH CENTRE FOR COMPUTING - SCC KIT – University of the State Rolandof Baden Laifer-Württemberg – Internal and SCC Storage Workshop National Laboratory of the Helmholtz Association www.kit.edu Overview Basic Lustre concepts Lustre status Vendors New features Pros and cons INSTITUTSLustre-, FAKULTÄTS systems-, ABTEILUNGSNAME at (inKIT der Masteransicht ändern) Complexity of underlying hardware Remarks on Lustre performance 2 16.4.2014 Roland Laifer – Internal SCC Storage Workshop Steinbuch Centre for Computing Basic Lustre concepts Client ClientClient Directory operations, file open/close File I/O & file locking metadata & concurrency INSTITUTS-, FAKULTÄTS-, ABTEILUNGSNAME (in der Recovery,Masteransicht ändern)file status, Metadata Server file creation Object Storage Server Lustre componets: Clients offer standard file system API (POSIX) Metadata servers (MDS) hold metadata, e.g. directory data, and store them on Metadata Targets (MDTs) Object Storage Servers (OSS) hold file contents and store them on Object Storage Targets (OSTs) All communicate efficiently over interconnects, e.g. with RDMA 3 16.4.2014 Roland Laifer – Internal SCC Storage Workshop Steinbuch Centre for Computing Lustre status (1) Huge user base about 70% of Top100 use Lustre Lustre HW + SW solutions available from many vendors: DDN (via resellers, e.g. HP, Dell), Xyratex – now Seagate (via resellers, e.g. Cray, HP), Bull, NEC, NetApp, EMC, SGI Lustre is Open Source INSTITUTS-, LotsFAKULTÄTS of organizational-, ABTEILUNGSNAME
    [Show full text]
  • What Is Object Storage?
    What is Object Storage? What is object storage? How does object storage vs file system compare? When should object storage be used? This short paper looks at the technical side of why object storage is often a better building block for storage platforms than file systems are. www.object-matrix.com Object Matrix Ltd [email protected] Experts in Digital Content Governance & Object Storage +44(0)2920 382 308 The Rise of Object Storage Centera the trail blazer… What exactly Object Storage is made of will be discussed later; its benefits and its limitations included. But first of all a brief history of the rise of Object Storage: Concepts around object storage can be dated back to the 1980’s1 , but it wasn’t until around 2002 when EMC launched Centera to the world – a Content Addressable Storage product2 - that there was an object storage product for the world in general3. However, whilst Centera sold well – some sources say over 600PB were sold – there were fundamental issues with the product. In, 2005 I had a meeting with a “next Companies railed against having to use a “proprietary API” for data generation guru” of a top 3 storage access and a simple search on a search engine shows that company, and he boldly told me: “There is Centera had plenty of complaints about its performance. It wasn’t no place for Object Storage. Everything long until the industry was calling time on Centera and its “content you can do on object storage can be addressable storage” (CAS) version of object storage: not only done in the filesystem.
    [Show full text]
  • IBM Cloud Object Storage System On-Premises Features and Benefits Object Storage to Help Solve Terabytes-And-Beyond Storage Challenges
    IBM Cloud Cloud Object Storage Data Sheet IBM Cloud Object Storage System on-premises features and benefits Object storage to help solve terabytes-and-beyond storage challenges The IBM® Cloud Object Storage System™ is a breakthrough platform Highlights that helps solve unstructured data challenges for companies worldwide. It is designed to provide scalability, availability, security, • On-line scalability that offers a single manageability, flexibility, and lower total cost of ownership (TCO). storage system and namespace • Security features include a wide The Cloud Object Storage System is deployed in multiple range of capabilities designed to meet configurations as shown in Figure 1. Each node consists of Cloud security requirements Object Storage software running on an industry-standard server. • Reliability and availability characteristics Cloud Object Storage software is compatible with a wide range of of the system are configurable servers from many sources, including a physical or virtual appliance. • Single copy protected data with In addition, IBM conducts certification of specific servers that geo-dispersal creating both efficiency customers want to use in their environment to help insure quick and manageability initial installation, long-term reliability and predictable performance. • Compliance enabled vaults for when compliance requirements or locking down data is required Data source Multiple concurrent paths ACCESSER® LAYER ......... Multiple concurrent paths SLICESTOR® LAYER ......... Figure 1: Multiple configurations of
    [Show full text]
  • File Systems and Storage
    FILE SYSTEMS AND STORAGE On Making GPFS Truly General DEAN HILDEBRAND AND FRANK SCHMUCK Dean Hildebrand manages the PFS (also called IBM Spectrum Scale) began as a research project Cloud Storage Software team that quickly found its groove supporting high performance comput- at the IBM Almaden Research ing (HPC) applications [1, 2]. Over the last 15 years, GPFS branched Center and is a recognized G expert in the field of distributed out to embrace general file-serving workloads while maintaining its original and parallel file systems. He pioneered pNFS, distributed design. This article gives a brief overview of the origins of numer- demonstrating the feasibility of providing ous features that we and many others at IBM have implemented to make standard and scalable access to any file GPFS a truly general file system. system. He received a BSc degree in computer science from the University of British Columbia Early Days in 1998 and a PhD in computer science from Following its origins as a project focused on high-performance lossless streaming of multi- the University of Michigan in 2007. media video files, GPFS was soon enhanced to support high performance computing (HPC) [email protected] applications, to become the “General Parallel File System.” One of its first large deployments was on ASCI White in 2002—at the time, the fastest supercomputer in the world. This HPC- Frank Schmuck joined IBM focused architecture is described in more detail in a 2002 FAST paper [3], but from the outset Research in 1988 after receiving an important design goal was to support general workloads through a standard POSIX inter- a PhD in computer science face—and live up to the “General” term in the name.
    [Show full text]
  • DAOS: Revolutionizing High-Performance Storage with Intel® Optane™ Technology
    SOLUTION BRIEF Distributed Asynchronous Object Storage (DAOS) Intel® Optane™ Technology DAOS: Revolutionizing High-Performance Storage with Intel® Optane™ Technology With the exponential growth of data, distributed storage systems have become not only the heart, but also the bottleneck of data centers. High-latency data access, poor scalability, difficulty managing large datasets, and lack of query capabilities are just a few examples of common hurdles. Traditional storage systems have been designed for rotating media and for POSIX* input/output (I/O). These storage systems represent a key performance bottleneck, and they cannot evolve to support new data models and next-generation workflows. The Convergence of HPC, Big Data, and AI Storage requirements have continued to evolve, with the need to manipulate ever-growing datasets driving a further need to remove barriers between data and compute. Storage is no longer driven by traditional workloads with large streaming writes like checkpoint/restart, but is increasingly driven by complex I/O patterns from new storage pillars. High-performance data-analytics workloads are generating vast quantities of random reads and writes. Artificial-intelligence (AI) workloads are reading far more than traditional high-performance computing (HPC) workloads. Data streaming from instruments into an HPC cluster require better quality of service (QoS) to avoid data loss. Data-access time is now becoming as critical as write bandwidth. New storage semantics are required to query, analyze, filter, and transform datasets. A single storage platform in which next-generation workflows combine HPC, big data, and AI to exchange data and communicate is essential. DAOS Software Stack Intel has been building an entirely open source software ecosystem for data-centric computing, fully optimized for Intel® architecture and non-volatile memory (NVM) technologies, including Intel® Optane™ DC persistent memory and Intel Optane DC SSDs.
    [Show full text]
  • Capsule: an Energy-Optimized Object Storage System for Memory-Constrained Sensor Devices
    Capsule: An Energy-Optimized Object Storage System for Memory-Constrained Sensor Devices Gaurav Mathur, Peter Desnoyers, Deepak Ganesan, Prashant Shenoy {gmathur, pjd, dganesan, shenoy}@cs.umass.edu Department of Computer Science University of Massachusetts, Amherst, MA 01003 Abstract 1 Introduction Recent gains in energy-efficiency of new-generation NAND flash stor- Storage is an essential ingredient of any data-centric sen- age have strengthened the case for in-network storage by data-centric sensor sor network application. Common uses of storage in sen- network applications. This paper argues that a simple file system abstrac- sor applications include archival storage [9], temporary data tion is inadequate for realizing the full benefits of high-capacity low-power storage [6], storage of sensor calibration tables [10], in- NAND flash storage in data-centric applications. Instead we advocate a network indexing [20], in-network querying [19] and code rich object storage abstraction to support flexible use of the storage system storage for network reprogramming [7], among others. Until for a variety of application needs and one that is specifically optimized for recently, sensor applications and systems were designed un- memory and energy-constrained sensor platforms. We propose Capsule, an der the assumption that computation is significantly cheaper energy-optimized log-structured object storage system for flash memories that both communication and storage, with the latter two in- that enables sensor applications to exploit storage resources in a multitude of curring roughly equal costs. However, the emergence of a ways. Capsule employs a hardware abstraction layer that hides the vagaries new generation of NAND flash storage has significantly al- of flash memories for the application and supports energy-optimized imple- tered this trade-off, with a recent study showing that flash mentations of commonly used storage objects such as streams, files, arrays, storage is now two orders of magnitude cheaper than com- queues and lists.
    [Show full text]
  • IBM Cloud Object Storage System: Release Notes Support Information
    IBM Cloud Object Storage System Version 3.8.3 Release Notes IBM COSRN_3800-20160516L This edition applies to IBM Cloud Object Storage System™ and is valid until replaced by new editions. © Copyright IBM Corporation Copyright, 2016-2017. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Support information ......... v Chapter 11. Resolved issues in 3.8.1 .. 23 Chapter 1. Release Notes 3.8.3 ..... 1 Chapter 12. Known issues ...... 25 Upgrading............... 26 Chapter 2. New Features and Alerting and Reporting .......... 27 Improvements in ClevOS 3.8.3 ..... 3 System Behavior............. 27 Storage Pools .............. 28 Security ............... 28 Chapter 3. New Features and Data Evacuation ............. 29 Improvements in ClevOS 3.8.2 ..... 5 System Configuration ........... 29 Deleting objects ............. 29 Chapter 4. New Features and Manager Web Interface .......... 30 Improvements in ClevOS 3.8.1 ..... 7 Vaults ................ 30 Vault mirrors .............. 30 Chapter 5. New Features and Vault migration ............. 30 Installation .............. 31 Improvements in ClevOS 3.8.0 ..... 9 Native File ............. 31 Chapter 6. Resolved issues in 3.8.3 Chapter 13. Supported Hardware January Maintenance Release..... 13 Platforms ............. 33 IBM Cloud Object Storage Appliances ..... 33 Chapter 7. Resolved issues in 3.8.3 Hewlett Packard............. 33 December Maintenance Release .... 15 Seagate ................ 34 Cisco ................ 34 Chapter 8. Resolved issues in 3.8.3 .. 17 Notices .............. 35 Chapter 9. Resolved issues in 3.8.2 Trademarks .............. 37 October Maintenance Release..... 19 Chapter 10. Resolved issues in 3.8.2 21 © Copyright IBM Corp. Copyright, 2016-2017 iii iv IBM Cloud Object Storage System: Release Notes Support information For more information on the product or help with troubleshooting, contact IBM Support at [email protected] or visit the Directory of worldwide contacts.
    [Show full text]
  • Inside the Lustre File System
    Inside The Lustre File System Technology Paper An introduction to the inner workings of the world’s most scalable and popular open source HPC file system Torben Kling Petersen, PhD Inside The Lustre File System The Lustre High Performance Parallel File System Introduction Ever since the precursor to Lustre® (known as the Object- Based Filesystem, or ODBFS) was developed at Carnegie Mellon University in 1999, Lustre has been at the heart of high performance computing, providing the necessary throughput and scalability to many of the fastest supercomputers in the world. Lustre has experienced a number of changes and, despite the code being open source, the ownership has changed hands a number of times. From the original company started by Dr. Peter Braam (Cluster File Systems, or CFS), which was acquired by Sun Microsystems in 2008—which was in turn acquired by Oracle in 2010—to the acquisition of the Lustre assets by Xyratex in 2013, the open source community has supported the proliferation and acceptance of Lustre. In 2011, industry trade groups like OpenSFS1, together with its European sister organization, EOFS2, took a leading role in the continued development of Lustre, using member fees and donations to drive the evolution of specific projects, along with those sponsored by users3 such as Oak Ridge National Laboratory, Lawrence Livermore National Laboratory and the French Atomic Energy Commission (CEA), to mention a few. Today, in 2014, the Lustre community is stronger than ever, and seven of the top 10 high performance computing (HPC) systems on the international Top 5004 list (as well as 75+ of the top 100) are running the Lustre high performance parallel file system.
    [Show full text]
  • Red Hat Ceph* Storage and Intel®
    RED HAT CEPH STORAGE AND INTEL CACHE ACCELERATION SOFTWARE Accelerating object storage with the Intel SSD Data Center family SOLUTION OVERVIEW INTRODUCTION To manage massive data growth, organizations are increasingly choosing object storage solutions, allowing them to scale storage flexibly while controlling costs. Ceph is a popular solution, letting organizations deploy cost-effective industry-standard hardware as a part of proven software- defined storage infrastructure. With this shift, the storage media itself has become a key consider- Achieve flash-accelerated object ation. Traditional hard disk drives (HDDs) are affordable, but often lack the desired input/output (I/O) storage performance at lower performance for demanding workloads, such as storing large numbers of objects. Proprietary all- costs than proprietary flash arrays offer performance, but can be cost-prohibitive for large-scale deployments. all-flash array solutions. Red Hat® Ceph Storage combined with Intel® Solid State Drives (SSDs) Data Center family and Intel® Cache Acceleration Software (CAS) has emerged as a compelling option. Organizations can use Intel Use the Intel SSD Data Center CAS to selectively classify key portions of a given I/O workload for acceleration with the high-per- family and Intel CAS to intelli- formance and low latency of flash storage. The performance difference can be remarkable. When gently prioritize I/O for caching. testing large object-count storage workloads, Red Hat saw performance improvements of up to 400% for small-object writes when using Intel SSDs and Intel CAS.1 The solution is also cost-effec- Confidently deploy software- tive, achieving strong performance results with only 2-4 SSDs per system.
    [Show full text]
  • RED HAT CEPH STORAGE an Open, Software-Defined Storage Platform for the Cloud
    RED HAT CEPH STORAGE An open, software-defined storage platform for the cloud DATASHEET OVERVIEW Red Hat® Ceph Storage is a massively scalable, open, software-defined storage platform that: • Is designed for cloud infrastructures and web-scale object storage. Combines the most stable version of Ceph with a Ceph management platform, deployment tools, and support services. • Provides the tools to flexibly, automatically, and cost-effectively manage petabyte-scale data deployments in the enterprise. • Manages cloud data so enterprises can focus on managing their businesses. Deployment tools Ceph management Development tools platform Wizard to ease installation of Ceph management platform On-premise, web-based Local repository SLA-backed technical support application with dependencies Bug escalation Cluster monitoring and Cluster bootstrapping tool “Hot patches” management Roadmap input RESTful API CEPH OBJECT AND CEPH BLOCK 100% open source Production hardened Supported packages 18 months of support ST0038 facebook.com/redhatinc @redhatnews linkedin.com/company/red-hat redhat.com Specifically, Red Hat Ceph Storage 1.3 consists of: Ceph 0.80 • Ceph object and block storage • Object storage via Amazon S3/Swift or native API protocols • Block storage integrated with OpenStack, Linux®, and open hypervisors • Multisite and disaster recovery options • Flexible storage policies VALUE • Data durability via erasure coding or replication • Significantly lowers storage • Cache tiering for hot/cold data management cost per gigabyte Ceph management •
    [Show full text]
  • Trusted Platform Module Library Part 1: Architecture TCG PUBLIC REVIEW
    Trusted Platform Module Library Part 1: Architecture Family “2.0” Level 00 Revision 01.55 April 15, 2019 Committee Draft Work in Progress This document is an intermediate draft for comment only and is subject to change without notice. Readers should not design products based on this document. Contact: [email protected] TCG PUBLIC REVIEW TCG Copyright © TCG 2006-2019 Trusted Platform Module Library Part 1: Architecture Licenses and Notices Copyright Licenses: Trusted Computing Group (TCG) grants to the user of the source code in this specification (the “Source Code”) a worldwide, irrevocable, nonexclusive, royalty free, copyright license to reproduce, create derivative works, distribute, display and perform the Source Code and derivative works thereof, and to grant others the rights granted herein. The TCG grants to the user of the other parts of the specification (other than the Source Code) the rights to reproduce, distribute, display, and perform the specification solely for the purpose of developing products based on such documents. Source Code Distribution Conditions: Redistributions of Source Code must retain the above copyright licenses, this list of conditions and the following disclaimers. Redistributions in binary form must reproduce the above copyright licenses, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution. Disclaimers: THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. Contact TCG Administration ([email protected]) for information on specification licensing rights available through TCG membership agreements.
    [Show full text]