@@ -1362,19 +1362,32 @@ The product shall protect data stored on the product from unauthorized access.
#### 5.2.20.2 MI-CDST: Protect confidentiality of data stored on the product (### 5.6.N CON)
***\[REQ-CON-7jalr]** The product shall protect data stored on the product from unauthorized access.
***\[REQ-CON-7jalr]** The product shall protect the confidentiality of stored data, whether personal or other, from unauthorized access by encrypting relevant data at rest using state-of-the-art mechanisms as defined in Annex [K](K) and by using other appropriate technical access controls.
To ensure testability, the product shall explicitly implement protection mechanisms for confidential data stored locally on the endpoint or on remote nodes.
Elements that shall be considered confidential and require protection are, including but not limited to:
* Cryptographic Material & Credentials: Private keys, pre-shared keys (PSK), certificates, user passwords, and authentication tokens
* Local Logs & Telemetry: Cybersecurity-relevant internal event logs (as defined in MI-LOGG-1), troubleshooting/support logs prepared for transmission to the manufacturer, network configuration audit logs, and network flow logs.
* Configuration & User Data: VPN configuration files containing endpoint details, routing policies, and any stored Personal Data.
Depending on the data type and operational environment, the product shall protect these elements using one or more of the following methods:
* State-of-the-art encryption as defined in Annex [K](K) at rest
* Cryptographic salting and hashing (specifically for stored passwords/secrets)
* Strict environment and file-system permissions restricting read/write access exclusively to the VPN client software and authorized administrators or users.
[//]:#(### 6.6.N CON)
* Reference: TR-CDST
* Requirement: **REQ-CON-7jalr**
* Objective: Confidentiality of data
* Preparation: List all types of data that may be stored on the product that should not be readable without authorization, what methods of ensuring confidentiality are appropriate for each type, all methods of accessing that data available to an attacker based on the risk assessment, and what the allowable authorization methods are for that access method
* Activities: For each type of data and each access mechanism, determine the method of ensuring confidentiality used, and attempt to read the data without authorization
* Verdict: If all methods of ensuring confidentiality match the type of the data stored, and all the attempts to read confidential data without authorization fail => PASS, otherwise FAIL
* Evidence: Logs of determination of type of data and method of confidentiality and attempts to read confidential data without authorization
> NOTE: Data may be protected by the environment, permissions, encryption, salting and hashing, offline storage, or hardware-backed secrets.
* Preparation: Identify all specific locations (files, databases, registries, secure enclaves) where the product stores the "Confidential Elements in Scope". Document the accepted protection method applied to each location.
* Activities: For each identified storage location, attempt to access, read, or extract the data using an unauthorized user account or a third-party application on the host system. Where encryption or hashing is used, verify that the cryptographic algorithms conform to state-of-the-art standards (e.g., Annex K of the present document).
* Verdict: If all methods of ensuring confidentiality match the type of the data stored, and all the attempts to read confidential data without authorization fail => PASS, otherwise => FAIL.
* Evidence: List of identified stored data types and their applied protection methods, logs or screenshots demonstrating the failure to read the data without authorization, and documentation validating the encryption/hashing algorithms used.
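Review bot: the Verdict in the new test case still requires that "all methods of ensuring confidentiality match the type of the data stored", but the new Preparation step drops the mapping that makes that criterion decidable; the old Preparation asked the tester to list "what methods of ensuring confidentiality are appropriate for each type", whereas the new one only asks to "Document the accepted protection method applied to each location", so a lab has no stated basis for judging a mismatch (for instance file-system permissions alone on a stored password, where the requirement text calls for salting and hashing). Suggest restoring the per-type acceptability list to Preparation, e.g. "For each data type, record which of the methods in the requirement (encryption at rest per Annex K, salted hashing, or file-system permissions) is acceptable." Related: the NOTE permits "offline storage, or hardware-backed secrets", which are not among the three methods the requirement lists, so either the requirement's method list or the NOTE should be aligned. Two smaller points: the hunk carries two `[REQ-CON-7jalr]` lines and two Preparation/Activities/Verdict/Evidence sets, so confirm the first of each is a removal rather than a retained duplicate; and the section markers disagree ("### 5.6.N CON" in the heading versus "### 6.6.N CON" in the test-case comment), while "Elements that shall be considered confidential and require protection are, including but not limited to:" reads better as "Elements that shall be considered confidential and require protection include, but are not limited to:".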