OFFICIAL SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT

Transcription

1 SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT Version 1.3 Crown Copyright 2015 All Rights Reserved Page 1 of 12

2 About this document This document describes the features, testing and deployment requirements necessary to meet Foundation Grade Certification for Mobile Device Management security products. It is intended for vendors, system architects, developers, evaluation and technical staff operating within the security arena. Section 1 is suitable for all readers. It outlines the purpose of the security product and defines the scope of the Security Characteristic. Document history CESG may review, amend, update, replace or issue new Scheme Documents as may be required from time to time. Soft copy location: DiscoverID Version Date Description 0.8 May 2013 Initial Draft June 2013 Updates after internal review July 2013 Updates after external feedback August 2013 Updates after second internal review October 2013 Updates after review from Technical Director January 2014 Initial draft release 1.1 January 2015 Updated to only reference NIAP Protection Profile 1.2 April 2015 Updates following external feedback 1.3 June 2015 Updates following second external review Contact CESG This document is authorised by: Technical Director (Assurance), CESG. For queries about this document please contact: CPA Administration Team CESG, Hubble Road Cheltenham Gloucestershire GL51 0EX, UK [email protected] Tel: +44 (0) SECURITY CHARACTERISTIC: Mobile Device Management Page 2 of 12

3 Contents Section 1 Overview Introduction Mapping to the Common Criteria Protection Profile Product description Typical use cases Expected operating environment Compatibility Future enhancements... 6 Appendix A Common Criteria Protection Profile mappings... 7 A.1 Additional mandatory version 1.1 MDM PP requirements... 7 A.2 Additional mandatory version 2.0 MDM PP requirements... 8 A.2.1 Additional mandatory version 2.0 MDM Server PP requirements... 8 A.2.2 Additional mandatory version 2.0 MDM Agent PP requirements... 9 Appendix B Additional details for Foundation Grade certification B.1 Device features that cannot be managed by the MDM product Appendix C References Appendix D Glossary SECURITY CHARACTERISTIC: Mobile Device Management Page 3 of 12

4 Section 1 Overview 1.1 Introduction The NIAP Protection Profile for Mobile Device Management documents (references [b], [c], and [d]) describe a set of requirements for mobile devices that can be certified through the Common Criteria scheme. The document you are now reading is a Security Characteristic that: Provides a route to awarding a Foundation Grade Certification for MDM products, which already have CC certification. Highlights those requirements which are listed in the Protection Profile for Mobile Device Management as extended or optional, but which are mandatory in products that are to be successfully assessed against this Security Characteristic This Security Characteristic aligns with guidance from the UK Government s End User Devices (EUD) Security Framework [a]. 1.2 Mapping to the Common Criteria Protection Profile MDM products successfully certified via the Common Criteria against the Protection Profile for Mobile Device Management (either version 1.1 or 2.0) can be additionally awarded Foundation Grade Certification. This additional certification can be achieved by the product vendor providing CESG with the following details: Evidence to show that the CC assessment also successfully verified that the product met the extended Protection Profile requirements listed in Appendix A of this document. Other security-related information about the product, as described in Appendix B - in particular, the mobile devices supported by the MDM product and any features of those devices, which are required to be managed by this Security Characteristic, but which are not supported by one or more of the devices 1. Evidence to show that the MDM product uses appropriate OS APIs 2 (on supported mobile devices) to provide the required management of those devices, as defined in this document. A URL1, or equivalent public reference, that provides guidance to end users about how to securely provision, configure, operate, maintain and dispose of the product. This guidance should be clear, concise and focussed on security aspects, referencing other supporting documentation (such as installation guides, user manuals, etc) where necessary. Once CESG has confirmed the vendor s assertions and supporting information above, the product will be awarded a Foundation Grade Certification against this Security Characteristic. 1 This information will be made available via the CESG website. 2 It will not be possible to award Foundation Grade Certification where such APIs are provided by a platform supported by the MDM, but are not utilised by the MDM to manage the mandatory requirement associated with the feature. SECURITY CHARACTERISTIC: Mobile Device Management Page 4 of 12

5 1.3 Product description MDM solutions are designed to remotely administer, configure, and audit mobile devices deployed by an enterprise and comprise of three distinct components: the client software, residing on the mobile device the server software a communications protocol for messages between the device and server The MDM client software can be provided as part of the operating system, or provided by a third party. The purpose of the client is to enforce the configuration (including restrictions) and provide auditing information to the enterprise. The MDM server software can be provided by the device manufacturer or a third party. It allows an enterprise to push configuration policies, events (such as remote wipe) and remotely audit mobile devices. 1.4 Typical use cases The End User Devices Security Guidance [a] for each mobile platform provides guidance on the components required for a suitable deployment, including the requirement to make use of an appropriately assured Virtual Private Network (VPN) to protect all data in transit. MDM communications must be protected by an appropriately assured encryption overlay, such as the existing VPN tunnel (recommended) or a separate tunnel with the same level of assurance. When following this guidance in enterprise deployments, the MDM server is located in the presentation layer as illustrated in figure 1. The MDM can also be deployed on a suitably accredited cloud service. This could be provided through a fully managed Software as a Service (SaaS) offering or a departmentally administered solution through an Infrastructure as a Service (IaaS) offering. All cloud based deployments require network MDM communications to be protected to the same level of assurance as the protectively marked data that the device can hold. The diagram below illustrates a typical deployment. Figure 1 - Typical MDM deployment SECURITY CHARACTERISTIC: Mobile Device Management Page 5 of 12

6 1.5 Expected operating environment It is expected that the MDM client will be deployed on a suitably secured endpoint in a mobile environment (see reference [a] for guidance). As stated in section 1.4, the management communications between the MDM client and server must be protected via encapsulation in a suitably assured encryption overlay (e.g. VPN). 1.6 Compatibility The majority of mobile phone and tablet platforms have some integrated management capabilities which can be augmented with third party clients. MDM clients are only expected to be used on mobile platforms for which current CESG security risk management guidance exists (see reference [a]). Note: the MDM client is expected to be compatible with a mobile device configured to meet the CESG guidance. 1.7 Future enhancements CESG welcomes feedback and suggestions on possible enhancements to this Security Characteristic. SECURITY CHARACTERISTIC: Mobile Device Management Page 6 of 12

7 Appendix A Common Criteria Protection Profile mappings This appendix provides important mappings between this document and the NIAP Protection Profile for Mobile Device Management (reference [b]), for which there are two versions 1.1 and 2.0. There is a minor language difference between this document and the Protection Profile documents: where the Security Characteristic refers to an MDM Client, the Protection Profile uses the phrase MDM Agent. A.1 Additional mandatory version 1.1 MDM PP requirements An MDM product assessed against this version of the Protection Profile (reference [b]) needs to additionally meet the following optional requirements within [b] to achieve Foundation Grade Certification. FCS_IPSEC_EXT.1.2(1) and FCS_IPSEC_EXT.1.2(2): if IPsec is in scope, the selection must include tunnel mode. FMT_SMF.1.1(1): selections must include: 16: remove applications 18: install applications 28: enable/disable policy for [assignment: list of radios] 29: enable/disable policy for data transfer capabilities over [assignment: list of externally accessible hardware ports] Appropriate algorithm selections must also be included to match whichever of the cryptographic profile(s) the product claims compliance with (either the PRIME PSN end-state or PSN interim profile). These are summarised below: PP / EP Requirement PRIME PSN Interim FCS_CKM.1.1(2 & 4) FCS_COP.1.1(1 & 5) FIPS PUB 186-4, Digital Signature Standard (DSS), Appendix B.4 for ECDSA schemes Elliptic Curve Digital Signature Algorithm (ECDSA) Either of: FIPS PUB 186-4, Digital Signature Standard (DSS), Appendix B.3 for RSA schemes ANSI X , Appendix A.2.4 Using AES for RSA schemes RSA Digital Signature Algorithm (rdsa) FCS_COP.1.1(4 & 8) SHA-256 SHA-1 FCS_COP.1.1(2 & 6) HMAC-SHA-256 HMAC-SHA-1 FCS_IPSEC_EXT.1.4 AES-GCM-128 AES-CBC-128 FCS_IPSEC_EXT.1.5 IKEv2 IKEv1, with RFC 4304 for extended sequence numbers FCS_IPSEC_EXT.1.6 IKEv2, with AES-GCM-128 IKEv1, with AES-CBC-128 FCS_IPSEC_EXT.1.11 Group 19 Group 5 FCS_IPSEC_EXT.1.12 ECDSA RSA SECURITY CHARACTERISTIC: Mobile Device Management Page 7 of 12

8 A.2 Additional mandatory version 2.0 MDM PP requirements Version 2.0 of the MDM Protection Profile contains a number of changes, compared to 1.1, and has also been split into separate server and agent documents (references [c] and [d]). An MDM product assessed against this version of the Protection Profile needs to additionally meet the following optional requirements within those documents to achieve Foundation Grade Certification. It should also be noted that there are a small number of mandatory requirements in the version 2.0 Protection that are not considered essential to meet Foundation Grade. A.2.1 Additional mandatory version 2.0 MDM Server PP requirements The MDM server component of an MDM product must additionally meet the following optional requirements in [c] to achieve Foundation Grade Certification: FCS_IPSEC_EXT.1.3: if IPsec is in scope, the selections must include tunnel mode. FMT_SMF.1.1(1): the selections must include: 14: wipe Enterprise data 31: enable/disable policy for list of radios 32: enable/disable policy for data signalling over list of externally accessible hardware ports 33: enable/disable policy for list of protocols where the device acts as a server 48: enable/disable USB mass storage mode Appropriate algorithm selections must also be included to match whichever of the cryptographic profile(s) the product claims compliance with (either the PRIME PSN end-state profile or PSN interim profile). These are summarised below: PP / EP Requirement PRIME PSN Interim FCS_CKM.1.1 FIPS PUB 186-4, Digital Either of: Signature Standard (DSS), FIPS PUB 186-4, Digital Signature Appendix B.4 for ECDSA Standard (DSS), Appendix B.3 for RSA schemes schemes ANSI X , Appendix A.2.4 Using AES for RSA schemes FCS_COP.1.1(2) SHA-256 SHA-1 FCS_COP.1.1(3) Elliptic Curve Digital RSA Digital Signature Algorithm (rdsa) Signature Algorithm (ECDSA) FCS_COP.1.1(4) HMAC-SHA-256 HMAC-SHA-1 FCS_IPSEC_EXT.1.4 AES-GCM-128 AES-CBC-128 FCS_IPSEC_EXT.1.5 IKEv2 IKEv1, with RFC 4304 for extended sequence numbers FCS_IPSEC_EXT.1.6 IKEv2, with AES-GCM-128 IKEv1, with AES-CBC-128 FCS_IPSEC_EXT.1.11 Group 19 Group 5 FCS_IPSEC_EXT.1.13 ECDSA RSA SECURITY CHARACTERISTIC: Mobile Device Management Page 8 of 12

9 A.2.2 Additional mandatory version 2.0 MDM Agent PP requirements The MDM client component of an MDM product must additionally meet the following optional requirements in [d] to achieve Foundation Grade Certification: FAU_ALT_EXT.2.1: the selections must include: c: change in enrollment state d: failure to install an application from the MAS Server 1 e: failure to update an application from the MAS Server1 FMT_SMF_EXT.3.1: if the MDF PP selection is used, the following requirements in Table 8 in [d] must be met for columns 2 and 5: 22: enable/disable all data signalling over list of externally accessible hardware ports 25: enable data-at rest protection 26: enable removable media s data-at-rest protection 28: wipe Enterprise data 39: enable/disable USB mass storage mode 1 Only applicable if the MDM product supports the use of a MAS Server. SECURITY CHARACTERISTIC: Mobile Device Management Page 9 of 12

10 Appendix B Additional details for Foundation Grade certification Where a product is successfully assessed against this Security Characteristic, CESG will additionally make the following details available on its website: Which PP version (i.e. v1.1 or v2.0) was used in the associated CC evaluation List of mobile device types for which the MDM product was successfully evaluated for use with (via CC), also meeting the additional requirements of Appendix A in this document AND for which CESG platform guidance exists (see reference [a]). Any important features not implemented by the above mobile devices see B.1. URL to security-related guidance for the product, as described in section 1.2 If the version 2.0 profile is used, which selections are used by the product to meet FMT_SMF.1.1 (1), point 28, in [c]. Note: CESG considers the three selections here to be listed in decreasing order of preference. These details, which do not impact the applicability of the Foundation Grade Certification, are intended to provide useful additional security-related information to end users. The information should be provided by the vendor to CESG, along with appropriate supporting evidence (e.g. CC evaluation documentation) to allow the team to verify the details. B.1 Device features that cannot be managed by the MDM product It is possible a mobile device might not provide a feature that the MDM product is required to manage, due to platform and/or OS limitations of the device. Where this occurs, the MDM product can still be approved for use with the mobile device (due to not needing to manage the risks associated with an absent feature), but the details of any such device limitations need to be provided by the vendor. Important: If a mobile device provides a feature that needs to be managed and the MDM product fails to do so, the product will not be approved for use with the device. The example table below illustrates how these details (to be made available on the CESG website) should be provided to CESG, along with appropriate supporting evidence. PP requirement mandated by either the MDM PP or by CESG Reference Sub ref. Description Supported mobile device types Type A Type B Type C Type D FMT_SMF.1.1(1) 3 unenroll from management N/A N/A FMT_SMF.1.1(1) 29 enable/disable policy for [assignment: list of audio or visual collection devices] across MD SECURITY CHARACTERISTIC: Mobile Device Management Page 10 of 12 N/A - FMT_SMF.1.1(1) 48 enable/disable USB mass storage mode - N/A - For the purposes of clarity, the table only needs to cover requirements mandated by the PP and the additional requirements stated in Appendix A of this document and then only when there is at least one mobile device type (supported by the MDM) that does not implement the feature associated with the requirement. There can be multiple columns to represent the mobile device types the vendor wishes to claim support for. Each column may specify a specific device type (e.g. type, model and OS) or a range of types (i.e. to avoid duplicated column data for all the requirements listed). Each row will record one of three options for each supported mobile device types column, for the given requirement: Symbol Meaning Feature supported by mobile device platform and MDM uses the native feature via the appropriate OS level APIs As per section 1.2, an MDM solution must use OS level APIs on the mobile device to meet a requirement.) - Feature supported by mobile device platform but no OS level APIs exist to allow MDM to manage risks presented by feature N/A Feature is not present on mobile device s platform, so does not present any risks to be managed by MDM product

11 Appendix C References This document references the following resources. Label Title Location Notes [a] End User Devices Security Guidance [b] [c] [d] Protection Profile for Mobile Device Management Protection Profile for Mobile Device Management Extended Package for Mobile Device Management Agents Version 1.1, March Version 2.0, December 2014 Version 2.0, December 2014 SECURITY CHARACTERISTIC: Mobile Device Management Page 11 of 12

12 Appendix D Glossary The following definitions are used in this document. Term AP API CPA Enrolment MAS MDM OS PP Push Notification SC Security Characteristic VPN Definition Architectural Pattern Application Programming Interface Commercial Product Assurance. A scheme run by CESG providing certificate-based assurance of commercial security products. Creation of a trusted relationship between a mobile device and an MDM Server. Mobile Application Store Mobile Device Management Operating System Protection Profile Simple message sent from MDM Server to MDM client using Internet based data channel. Security Characteristic A standard which describes necessary mitigations which must be present in a completed product, its evaluation or usage, particular to a type of security product. Virtual Private Network SECURITY CHARACTERISTIC: Mobile Device Management Page 12 of 12