DOCSLIB.ORG

Verdasys Digital Guardian V6.0.1 ST

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Verdasys Digital Guardian V6.0.1 ST Verdasys ® Digital Guardian ™ v6.0.1 Security Target Evaluation Assurance Level (EAL): EAL2+ Document Version: 1.4 Prepared for: Prepared by: Verdasys Corsec Security, Inc. 404 Wyman Street, Suite 320 13135 Lee Jackson Memorial Hwy., Suite 220 Waltham, MA 02451 Fairfax, VA 22033 United States of America United States of America Phone: +1 781 788 -8180 Phone: +1 703 267 6050 Email: [email protected] Email: [email protected] http://www.verdasys.com http://www.corsec.com Security Target , V ersion 1.4 October 2, 2012 Table of Contents 1 INTRODUCTION ................................................................................................................... 5 1.1 PURPOSE ................................................................................................................................................................ 5 1.2 SECURITY TARGET AND TOE REFERENCES ...................................................................................................... 5 1.3 PRODUCT OVERVIEW .......................................................................................................................................... 6 1.4 TOE OVERVIEW ................................................................................................................................................... 9 1.4.1 Brief Description of the Components of the TOE........................................................................................ 9 1.4.2 TOE Environment ................................................................................................................................................ 11 1.5 TOE DESCRIPTION ............................................................................................................................................ 13 1.5.1 Physical Scope ....................................................................................................................................................... 13 1.5.2 Logical Scope ........................................................................................................................................................ 16 1.5.3 Product Physical/Logical Features and Functionality not included in the TOE ................................. 19 1.5.4 FIPS 140-2 Considerations for the TOE Environment............................................................................. 19 2 CONFORMANCE CLAIMS .................................................................................................. 21 3 SECURITY PROBLEM .......................................................................................................... 22 3.1 THREATS TO SECURITY ...................................................................................................................................... 22 3.2 ORGANIZATIONAL SECURITY POLICIES .......................................................................................................... 23 3.3 ASSUMPTIONS ..................................................................................................................................................... 24 4 SECURITY OBJECTIVES ...................................................................................................... 26 4.1 SECURITY OBJECTIVES FOR THE TOE .............................................................................................................. 26 4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT .................................................................. 27 4.2.1 IT Security Objectives ......................................................................................................................................... 27 4.2.2 Non-IT Security Objectives ............................................................................................................................... 28 5 EXTENDED COMPONENTS .............................................................................................. 29 5.1 EXTENDED TOE SECURITY FUNCTIONAL COMPONENTS ........................................................................... 29 5.1.1 Class ESM: Enterprise Security Management .......................................................................................... 30 5.2 EXTENDED TOE SECURITY ASSURANCE COMPONENTS .............................................................................. 35 6 SECURITY REQUIREMENTS .............................................................................................. 36 6.1 CONVENTIONS ................................................................................................................................................... 36 6.2 SECURITY FUNCTIONAL REQUIREMENTS ........................................................................................................ 36 6.2.1 Class ESM: Enterprise Security Management ........................................................................................... 38 6.2.2 Class FAU: Security Audit .................................................................................................................................. 40 6.2.3 Class FCS: Cryptographic Support ................................................................................................................. 44 6.2.4 Class FDP: User Data Protection .................................................................................................................... 46 6.2.5 Class FIA: Identification and Authentication................................................................................................ 50 6.2.6 Class FMT: Security Management ................................................................................................................. 51 6.2.7 Class FPT: Protection of the TSF ..................................................................................................................... 55 6.2.8 Class FRU: Resource Utilization ...................................................................................................................... 56 6.2.9 Class FTA: TOE Access ...................................................................................................................................... 57 6.3 SECURITY ASSURANCE REQUIREMENTS ........................................................................................................... 58 7 TOE SUMMARY SPECIFICATION ..................................................................................... 59 7.1 TOE SECURITY FUNCTIONS ............................................................................................................................. 59 7.1.1 Robust Security Management ......................................................................................................................... 60 7.1.2 Enterprise Information Protection .................................................................................................................. 62 7.1.3 Cryptographic Protection ................................................................................................................................... 65 7.1.4 Violation Analysis, Alerting, and Reporting .................................................................................................. 65 7.1.5 Fault Tolerance ..................................................................................................................................................... 66 8 RATIONALE .......................................................................................................................... 68 8.1 CONFORMANCE CLAIMS RATIONALE ............................................................................................................. 68 8.2 SECURITY OBJECTIVES RATIONALE .................................................................................................................. 68 Verdasys Digital Guardian™ v6.0.1 Page 2 of 91 © 2012 Verdasys ® This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Target , V ersion 1.4 October 2, 2012 8.2.1 Security Objectives Rationale Relating to Threats .................................................................................... 68 8.2.2 Security Objectives Rationale Relating to Policies ..................................................................................... 73 8.2.3 Security Objectives Rationale Relating to Assumptions ........................................................................... 74 8.3 RATIONALE FOR EXTENDED SECURITY FUNCTIONAL REQUIREMENTS ...................................................... 76 8.4 RATIONALE FOR EXTENDED TOE SECURITY ASSURANCE REQUIREMENTS ............................................... 77 8.5 SECURITY REQUIREMENTS RATIONALE ........................................................................................................... 78 8.5.1 Rationale for Security Functional Requirements of the TOE Objectives ............................................ 78 8.5.2 Security Assurance Requirements Rationale ............................................................................................... 85 8.5.3 Dependency Rationale ....................................................................................................................................... 85 9 ACRONYMS .......................................................................................................................... 88 9.1 ACRONYMS ........................................................................................................................................................
Load more

Recommended publications
  • The Definitive Guide to Data Loss Prevention
    THE DEFINITIVE GUIDE TO DATA LOSS PREVENTION THE DEFINITIVE GUIDE TO DATA LOSS PREVENTION 1 THE DEFINITIVE GUIDE TO DATA LOSS PREVENTION TABLE OF CONTENTS 03 Introduction 04 Part One: What is Data Loss Prevention 08 Part Two: How DLP Has Evolved 11 Part Three: The Resurgence of DLP 24 Part Four: The Shift to Data-Centric Security 28 Part Five: Determining the Right Approach to DLP 39 Part Six: Business Case for DLP 46 Part Seven: Buying DLP 52 Part Eight: Getting Successful with DLP 61 Part Nine: Digital Guardian—Next Generation Data Protection 65 Conclusion 66 Resources at a Glance 2 INTRODUCTION WHY READ THIS GUIDE? WHAT'S OLD IS NEW AGAIN As security professionals struggle with how to keep up with non-stop threats from every angle, a 10+ year old technology, data loss prevention (DLP) is hot again. A number of macro trends are driving the wider adoption of DLP. But as we looked at the resources out there, we couldn’t find one source that could provide all the essential information in one place. So we created this guide to provide answers to the most common questions about DLP all in an easy to digest format. HOW TO USE THIS GUIDE IF YOU ARE... GO TO... New to DLP Part One: What is Data Loss Prevention Familiar with DLP, but want to learn what’s new Part Two: How DLP has Evolved Not sure where to start? Part Four: A Data Centric Security Framework Trying to determine the best DLP architecture for your organization Part Five: Determining the Right Approach to DLP Looking to buy DLP Part Six: Buying DLP Looking for a quick win deployment
    [Show full text]
  • Verdasys FIPS VSEC Security Policy
    Verdasys, Inc. Verdasys Secure Cryptographic Module Software Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 0.3 Prepared for: Prepared by: Verdasys, Inc. Corsec Security, Inc. 404 Wyman Street, Suite 320 13135 Lee Jackson Memorial Hwy., Suite 220 Waltham, MA 02451 Fairfax, VA 22033 Phone: +1 781 788 8180 Phone: +1 703 267 6050 Email: [email protected] Email: info@ corsec.com http://www.verdasys.com http://www.corsec.com Security Policy , Version 0.3 August 20, 2012 Table of Contents 1 INTRODUCTION ................................................................................................................... 3 1.1 PURPOSE ................................................................................................................................................................ 3 1.2 REFERENCES .......................................................................................................................................................... 3 1.3 DOCUMENT ORGANIZATION ............................................................................................................................ 3 2 VSEC MODULE ....................................................................................................................... 4 2.1 OVERVIEW ............................................................................................................................................................. 4 2.2 MODULE SPECIFICATION ....................................................................................................................................
    [Show full text]
  • Cloud Data Loss Prevention
    PRODUCT DATA SHEET ® Cloud Data Loss Prevention AUDIT AND PROTECT SENSITIVE DATA IN POPULAR CLOUD STORAGE APPS Code Green Networks Cloud DLP allows your organization to adopt Cloud Content Control cloud storage while maintaining the visibility and control you need to comply with privacy and data protection regulations. Cloud DLP integrates with leading cloud storage providers such as Accellion, Box, Citrix ShareFile, and Egnyte to scan file servers, Create Copy Move Upload Download enabling encryption, removal or other remediation of sensitive data before the file is shared in the cloud. Data that is already stored in the cloud can be scanned and audited at any time. KEY BENEFITS • Accurately DISCOVER sensitive data in cloud storage • Continuously AUDIT files that have been uploaded • Automatically REMEDIATE according to enterprise policies to meet compliance requirements • Instantly ALERT the appropriate administrator and data owner when protected data has been identified and the actions taken to meet compliance policy KEY FEATURES • Content aware monitoring and inspection policies, with detailed activity logging and reporting Workstation Smart Device • Device level control, with audit, report, alert, move, and remove (iOS/Android) remediation actions • Encrypt sensitive data as it is copied to the cloud Laptop • End user notification and remediation of policy violations Corporate Cloud Storage Users WHY CODE GREEN NETWORKS FOR CLOUD DLP CLOUD PROTECTION THAT’S TRANSPARENT TO END USERS Once your organization’s data sharing policies are entered into our system, users who follow the prescribed security policies won’t even know 1 Cloud DLP is there. But when corporate policies are violated, the user will be notified of the violation and the automatic remediation taken.
    [Show full text]
  • A Practical Approach to GDPR Featuring Duncan Brown, IDC Agenda
    A Practical Approach To GDPR Featuring Duncan Brown, IDC Agenda . Logistics . A Practical Approach to GDPR, Duncan Brown • GDPR Readiness • The Role of DPO • Technology Framework • Recommended Timeline • Action Plan . The Atos Approach to GDPR, Zeina Zakhour . Q&A 2 Duncan Brown . Leads IDC’s security research Duncan Brown program in Europe Associate Vice President IDC . Broad security expertise including: • Incident response • Threat intelligence • Global privacy . Established and leads IDC coverage: • GDPR • RPEC • NIS Directive 3 A Practical Approach to GDPR Duncan Brown Associate Vice President, European Security [email protected] GDPR is a game-changer *Article 58 © IDC Visit us at IDC.com and follow us on Twitter: @IDC 5 GDPR is a game-changer . Fines up to 4% of global revenues • “Effective, proportionate and dissuasive” © IDC Visit us at IDC.com and follow us on Twitter: @IDC 6 GDPR is a game-changer . Fines up to 4% of global revenues • “Effective, proportionate and dissuasive” . Mandatory Breach Notifications • Consequential loss of reputation © IDC Visit us at IDC.com and follow us on Twitter: @IDC 7 GDPR is a game-changer . Fines up to 4% of global revenues • “Effective, proportionate and dissuasive” . Mandatory Breach Notifications • Consequential loss of reputation . Class-action lawsuits • Brought by activists…? © IDC Visit us at IDC.com and follow us on Twitter: @IDC 8 GDPR is a game-changer . Fines up to 4% of global revenues • “Effective, proportionate and dissuasive” . Mandatory Breach Notifications • Consequential loss
    [Show full text]
  • Balancing Privacy, Compliance and Digitization Lessons from Global Financial Firms Enza Iannopollo
    Balancing Privacy, Compliance and Digitization Lessons From Global Financial Firms Enza Iannopollo . Analyst on the Security & Risk team at Forrester and a Certified Information Enza Iannopollo Privacy Professional (CIPP/E) Security & Risk Analyst Forrester Research . Research focuses on the impact of internet regulations and data privacy issues on digital business models, as well as the technologies that underpin them . Prior to joining the Security & Risk team, Enza was a researcher on the CIO team 2 Shiva Kashalkar . Leads Product Marketing for DLP Shiva Kashalkar Managed Services and Advanced Threat Director, Product Marketing Protection Marketing Professional . 13 years of marketing, business development & product management experience . Previously at Managed Service Providers and Big Data Analytics companies • Wipro, Oracle, KPN, Empirix 3 Protecting Customer Data In Digital World Enza Iannopollo, Analyst © 2017 FORRESTER. REPRODUCTION PROHIBITED. Agenda › Privacy and innovation in Financial Services › GDPR and PSD2 requirements › Lessons learnt on the way to GDPR compliance › Privacy and GDPR as a business opportunity › Next steps © 2017 FORRESTER. REPRODUCTION PROHIBITED. 5 Agenda › Privacy and innovation in Financial Services › GDPR and PSD2 requirements › Lessons learnt on the way to GDPR compliance › Privacy and GDPR as a business opportunity › Next steps © 2017 FORRESTER. REPRODUCTION PROHIBITED. 6 "Security was traded with the size of the customer base and penalized the bank's ability to gain new customers. They wanted to be super safe, but the business suffered”. UniCredit Group © 2017 FORRESTER. REPRODUCTION PROHIBITED. 7 © 2017 FORRESTER. REPRODUCTION PROHIBITED. 8 Brief: Turn PSD2 From A Burden Into A Catalyst © 2017 FORRESTER. REPRODUCTION PROHIBITED. 9 Customers Leverage Different Channels To Access Their Financial Data Base: 16,175 EU online adults (18+) who are retail banking customers Source: Forrester Data Consumer Technographics® European Financial Services Survey, H2 2016 © 2017 FORRESTER.
    [Show full text]
  • The Definitive Guide to U.S. State Data Breach Laws the Definitive Guide to U.S
    The Definitive Guide to U.S. State Data Breach Laws The Definitive Guide to U.S. State Data Breach Laws According to the National Conference of State Legislatures (NCSL), legislation has been enacted by all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands that requires private entities or government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information. These laws typically define what is classified as personally identifiable information in each state, entities required to comply, what specifically constitutes a breach, the timing and method of notice required to individuals and regulatory agencies, and consumer credit reporting agencies, and any exemptions that apply, such as exemptions for encrypted data. Entities that conduct business in any state must be familiar with not only federal regulations, but also individual state laws that apply to any agency or entity that collects, stores, or processes data pertaining to residents in that state. While the laws in many states share some core similarities, state legislators have worked to pass laws that best protect the interests of consumers in their respective states. As a result, some states have much more stringent laws or more severe penalties for violations. Below, you’ll find a state-by-state guide providing a detailed synopsis of the state’s existing data breach laws, notification requirements, penalties for violations, and pending legislation. • Alabama • Nevada • Alaska
    [Show full text]
  • A New Dawn for Data Loss Prevention
    COMPANY OVERVIEW A New Dawn for Data Loss Prevention Data Loss Prevention is More Important Than Ever. HERE’S WHY WE’RE REINVENTING IT. “Security buyers are very confused by all the products in In the past few years Data Loss Prevention (DLP) has seen a the market and they’re investing in more solutions than major resurgence, and that’s expected to continue. According they really need as a result. Even worse, this large number to Gartner, by 2020 85% of organizations will have implemented of tools drives up price and complexity and ultimately DLP, up from 50% today. But Digital Guardian is challenging becomes a barrier to managing risk effectively.” the security industry to expand their thinking about data loss Art Coviello prevention. Former CEO of RSA & Partner, Rally Ventures Source: Keynote Address, May 2017, iSMG Breach Prevention Summit, Washington, DC A DLP solution that is limited to protecting data from well- meaning or malicious insiders is no longer sufficient. The demand “The average number of software agents installed on each for data protection within your enterprise continues to grow, as endpoint has ranged from five in 2010 to more than seven does the variety of threats challenging your security team. Given in 2015.” today’s evolving threat landscape and shortage of security talent, Ponemon Institute, security professionals should demand vendors do more. 2016 State of the Endpoint Report, April 2016 First and Only Solution to Unify Data Endpoint Loss Detection & Prevention & Response DLP + Endpoint Detection & Response = One Less Agent and This purpose-built, cloud-native architecture utilizes streaming One Less Console data from DG endpoint agents and network sensors to provide Digital Guardian is responding to the need to do more by deep visibility into system, data and user events.
    [Show full text]
  • Product Requirements for DG Core, ATP, and DLP Licensing
    VERDASYS SECURE CRYPTOGRAPHIC MODULE SOFTWARE VERSION 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level 1 Document Version 0.4 Author: Digital Guardian, Inc. CONTENTS 1. INTRODUCTION ................................................................................................................................................. 3 1.1 PURPOSE ................................................................................................................................................................... 3 1.2 REFERENCES ............................................................................................................................................................... 3 1.3 DOCUMENT ORGANIZATION ......................................................................................................................................... 3 2. VSEC MODULE ................................................................................................................................................... 4 2.1 OVERVIEW ................................................................................................................................................................. 4 2.2 MODULE SPECIFICATION .............................................................................................................................................. 6 2.2.1. PHYSICAL CRYPTOGRAPHIC BOUNDARY ....................................................................................................... 6 2.2.2. LOGICAL CRYPTOGRAPHIC BOUNDARY
    [Show full text]
  • Data Visibility and Control
    PRODUCT DATA SHEET ® Data Visibility and Control GAIN VISIBILITY OF YOUR ORGANIZATION’S SENSITIVE DATA ON DAY ONE If you don’t have visibility into your organization’s sensitive data, you PII, PCI, PHI data is and how it’s being used – without requiring pre- can’t protect it. Digital Guardian for Data Visibility and Control defined policies. It also delivers device control and encryption – all at enables you to understand exactly where your organization’s affordable price. Digital Guardian sees the file and sees that it came from a file share containing sensitive data Out–of–the–box data visibility User attempts and device control at the to download a file to PCI endpoint USB device PCI Digital Guardian sees Digital Guardian the tag, understands the Digital Guardian automatically applies a context, and protects by encrypts the file classification requiring a decryption key PCI PCI tag to the file to open the file prior to copying it to the USB IDENTIFY AND MONITOR PII, PHI ENFORCE DEVICE ENCRYPTION POLICIES AND PCI DATA - IMMEDIATELY • Require users to encrypt data written to removable devices or • Install the DG agents and they will instantly start classifying and media using FIPS 140-2 level 2 validated encryption. Encryption tagging your PII, PHI and PCI data through automatic content is self-contained on the device, allowing only those with an inspection. The tags remain no matter how the files are modified or encryption key to access that information. where the data goes, giving the agent persistent visibility. • Control who can access devices or media and control whether or not those devices/media can be accessed outside GET REAL-TIME VISIBILITY OF ALL DATA MOVEMENT AND your organization.
    [Show full text]
  • CODE GREEN NETWORKS TECHNICAL OVERVIEW Organizations in Every Industry Have Sensitive Data That Intentional Exposure of Confidential Data
    WHITE PAPER CODE GREEN NETWORKS TECHNICAL OVERVIEW Organizations in every industry have sensitive data that intentional exposure of confidential data. must be kept secure (e.g. customer records, financial data, personal health information, and intellectual Today’s organizations have many potential channels for property). Beyond simply securing data, many companies data loss to occur including: webmail, email, FTP transfers, must demonstrate compliance with government and removable USB devices, and cloud storage. Many of these industry regulations regarding information privacy. channels are not currently monitored or controlled, leaving Most organizations don’t know where their sensitive the organization with no visibility into the extent of their data resides—laptops, unmanaged SharePoint servers exposure or any means of proactively preventing data loss. or network file shares—which can lead to inadvertent or CODE GREEN NETWORKS SOLUTIONS SET Code Green Networks (CGN) is a complete Data Loss data loss Prevention (DLP) solution that allows companies to − Webmail and FTP visibility and control, including effectively discover, monitor, control, and secure sensitive SSL-enabled sessions data, whether on the network, in use on desktops or − Policy based monitoring and blocking of Web laptops, at rest on end user devices and network servers, or 2.0 applications, including wikis, blogs, and other stored in the cloud. applications − Email encryption for secure communication and • Comprehensive DLP Solution — Unified solution for regulatory compliance
    [Show full text]
  • Magic Quadrant for Enterprise Data Loss Prevention Published: 28 January 2016
    G00277564 Magic Quadrant for Enterprise Data Loss Prevention Published: 28 January 2016 Analyst(s): Brian Reed, Neil Wynne Enterprise DLP continues evolving to support both content-aware and context-aware capabilities, as well as support for IT security leaders to cover broader deployment use cases beyond regulatory compliance and intellectual property protection. Strategic Planning Assumptions By 2018, 90% of organizations will implement at least one form of integrated DLP, up from 50% today. By 2018, less than 10% of organizations with integrated DLP will have a well-defined data security governance program in place, up from near zero today. Market Definition/Description Gartner defines the data loss prevention (DLP) market as those technologies that, as a core function, perform both content inspection and contextual analysis of data at rest on-premises or in cloud applications and cloud storage, in motion over the network, or in use on a managed endpoint device. DLP solutions can execute responses — ranging from simple notification to active blocking — based on policy and rules defined to address the risk of inadvertent or accidental leaks, or exposure of sensitive data outside authorized channels. Data loss prevention technologies can be divided into two categories: ■ Enterprise DLP solutions incorporate sophisticated detection techniques to help organizations address their most critical data protection requirements. Solutions are packaged in agent software for desktops and servers, physical and virtual appliances for monitoring networks and agents, or soft appliances for data discovery. Leading characteristics of enterprise DLP solutions include a centralized management console, support for advanced policy definition and event management workflow. Enterprise DLP functions as a comprehensive solution to discover sensitive data within an organization and mitigate the risk of its loss at the endpoints, in storage and over the network.
    [Show full text]
  • The Incident Responders Field Guide—Digital Guardian
    INCIDENT RESPONDER'S FIELD GUIDE INCIDENT INCIDENT RESPONSE RESPONDER'S PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER 1 INCIDENT RESPONDER'S FIELD GUIDE TABLE OF CONTENTS 03 Introduction & How to Use This Guide 04 Introducing Tim Bandos 05 Part One: Incident Response Do’s and Don’ts 08 Part Two: Get Ready 18 Part Three: The Five Stages of Incident Response 31 Part Four: Advanced Threat Protection as a Service 35 Appendix: Digital Guardian — Next Generation Data Protection 2 INTRODUCTION WHY READ THIS GUIDE? Careful cyber security incident response planning provides a formal, coordinated approach for responding to security incidents affecting information assets. This e-book provides easy-to-follow steps for crafting an incident response plan in the event of cyber security attacks. HOW TO USE THIS GUIDE IF YOU ARE... GO TO... New to Incident Response Plan Part One: Incident Response Do's and Don'ts Not sure where to start? Part Two: Get Ready Familiar with Incident Response Plans, but how do I implement Part Three: The Five Stages of Incident Response in my organization Worried about managing Incident Response with limited Part Four: Advanced Threat Protection as a Service resources Appendix: Digital Guardian — Next Generation Data Looking to understand what makes Digital Guardian different Protection 3 INTRODUCTION INCIDENT RESPONSE EXPERT Tim Bandos is the Director of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy SEE focus on Internal Controls, Incident Response & Threat Intelligence. At this global OUR BLOG manufacturer, he built and managed the company’s incident response team.
    [Show full text]