http://computerworld.co.nz/news.nsf/scrt/3BFB22DAB18A7134CC25740B0019DB6C
By Darren Pauli Sydney
Computerworld
14 March, 2008
The Blackberry and Windows Mobile platforms have both received
accreditation from the Australian Defence Signals Directorate, clearing
the way for broader adoption of the platforms in New Zealand government.
The latest Blackberry and Windows Mobile Platforms received
accreditation after a record year-long assessment to meet the Defence
Signals Directorate's (DSD's) Common Criteria certification.
Speaking at the 2008 ID and Access Management Summit in Sydney, DSD
assistant secretary for information security Robert Campbell said the
record speed was achieved because the vendors worked closely with the
DSD and put their products through extensive security testing.
"Security flaws slow down evaluation because the product solutions have
to be sent back to be fixed," Campbell said.
"[Vendors] should work as closely as possible with the DSD and the
laboratories assessing the product to get accreditation as soon as
possible."
Australia's DSD performs most of the product accreditation for the use
of communications technologies in New Zealand as well as Australia. The
directorate has also released a guide [1] for users on the "hardened"
deployment of the Blackberry.
Campbell said Microsoft and Blackberry were quick to rectify security
flaws and sought technical support from the DSD.
He urged vendors to submit products only after rigorous testing and
recommended submitting through the lowest appropriate accreditation
level to speed-up review.
Perth-based software company Secure System achieved top secret
accreditation for its Silicon Disk Encryption product and won a contract
with the Department of Defence, after it redesigned the product under
close guidance from the DSD.
Consumer guidelines have been added to the Common Criteria to simplify
the technical target lists that explain why products have been
accredited.
The guidelines show consumers which element of solutions have been
accredited, since uncertified solutions can be listed under the
criteria's accredited product lists by passing only one component
through the evaluation process.
"A VPN and firewall can be passed and listed on the product lists by
evaluating the firewall alone," Campbell said.
Wireless technology and converged communications have been added to the
ACSI 33 assessment lists; however, accreditation of biometric technology
has been stymied by uncertainty and flaws.
Campbell said the technology will be more suited to the common criteria
list once it is better understood by the DSD.
Most of the few biometric tools assessed by separate internal
methodologies were passed only after arduous security updates or entire
rebuilds. A single camera iris scanner was rejected after the DSD
discovered users could breach identities by tilting their heads.
Biometric products are assessed for database security, integrity of hash
lists, and biometric templates.
Campbell said the DSD security manual, ACSI 33, follows principle rather
than rule, and urged industry to submit recommendations for its
assessment criteria.
[1] http://www.dsd.gov.au/library/index.html#05
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
Comments