Security Certifications

Common Criteria Certification

Common Criteria is an internationally approved set of security standards (ISO 15408) which provides a transparent and consistent evaluation of the security capabilities of IT products. A Common Criteria evaluation gives customers third-party assurance that the product which they are purchasing provides the functionality and security that it claims to provide.

By providing an independent assessment, Common Criteria increases customer confidence and helps buyers make more informed purchasing decisions. Once completed, Common Criteria certifications are mutually accepted by 26 countries through Common Criteria Recognition Agreement (CCRA).

Common Criteria certification of security products is mandated by the U.S. Government for all federal purchases.

Evaluated Configuration - Sensage 4.6.2 Event Data Warehouse

The following security functions were analyzed, documented and tested:

• Security Audit
  Involves recognizing, recording, storing, and analyzing information related to security relevant activities.

• Alert Generation
  Provides timely visibility into events that may require immediate attention or further investigation through logging or sending alerts.

• Cryptographic Support and Protection of the TOE Security Functions
  Analysis of the cryptographic key management and cryptographic operation of the boundary evaluated. Provides confidentiality and integrity to both stored data and data being transferred between separate parts of the product by using SenSage’s FIPS 140-2 evaluated module.

• User Data Protection
  Requirements related to protecting user data are specified in this section. Enforces Access Control policy as defined by the administrator, and based on the permissions of Subjects and Objects.

• Identification and Authentication
  Analysis of the functions used to establish and verify a claimed user identity. This ensures that users are associated with the proper groups, roles, etc. Provides identification and authentication of all users.

• Security Management
  Specifies the management of security function data, security attributes, and defines security roles. Manages and enforces roles and permissions.

Links

• CSEC Certificate of Product Evaluation: Sensage 4.6.2
• CSEC Certification Report
• Sensage 4.6.2 Security Target
• Communications Security Establishment Canada (CSEC) Website
• Common Criteria Portal

Additional Resources

• Common Criteria FAQ - Frequent questions about Common Criteria and the validation process
• Common Criteria Recognition Agreement - Common Criteria is mutually recognized and accepted by 26 countries around the globe
• ISO 15048 - Common Criteria is an internationally recognized standard
• Federal Directives - Department of Defense Instructions and Directives that mandate Common Criteria for IA products purchased by government agencies

FIPS 140-2 Validation

The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography based standards.

The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). The main website for the NIST/CSEC CMVP is hosted by NIST, and contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-2 validated cryptographic modules.

FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. A complete description of each level can be found within the FIPS 140-2 publication found on the NIST website (FIPS PUB 140-2).

Cryptographic Modules validated as conforming to FIPS 140-2 are mandated by the Federal Agencies of the United States and Canada for the protection of sensitive information.

Configuration Under Evaluation, “In Process” Status 

Sensage 4.6.2 Event Data Warehouse Crypto Core Module 

The FIPS 140-2 evaluation in process includes the following areas:

• Cryptographic Module Specification
  The Crypto Core Module is a software-only module that operates within Sensage’s Event Data Warehouse solutions.

• Roles and Services
  The module offers both a Crypto-Officer and a User Role. The module was validated to ensure proper user functions and limitations available within each user role.

• Operational Environment
  The Sensage Crypto Core Module has been tested and validated while running on RedHat Enterprise Linux 5.1 and 5.5.

• Cryptographic Key Management
  A number of FIPS-Approved algorithms have been implemented and were tested for this module including AES, TDES, RSA, DSA, SHA-1, and HMAC.

• Self-tests
  Power-up and conditional self-tests are implemented to ensure that the module is functioning properly at startup and continues to operate properly while in use.

• Design Assurance
  Validates the use of best practices during the design, deployment, and operation phases of the cryptographic module.

Links

• CMVP FIPS 140-2 Modules In Process List
• National Institute of Standards & Technology CMVP Website

Additional Resources

• FIPS 140-2 FAQ - Frequent questions about FIPS 140-2 and the validation process
• ISO/IEC 19790 - The requirements of this international standard are based on FIPS 140-2