The Blackberry and Windows Mobile platforms have both received accreditation from the Australian Defence Signals Directorate, clearing the way for broader adoption of the platforms in New Zealand government.
The latest Blackberry and Windows Mobile Platforms received accreditation after a record year-long assessment to meet the Defence Signals Directorate's (DSD's) Common Criteria certification.
Speaking at the 2008 ID and Access Management Summit in Sydney, DSD assistant secretary for information security Robert Campbell said the record speed was achieved because the vendors worked closely with the DSD and put their products through extensive security testing.
"Security flaws slow down evaluation because the product solutions have to be sent back to be fixed," Campbell said.
"[Vendors] should work as closely as possible with the DSD and the laboratories assessing the product to get accreditation as soon as possible."
Australia's DSD performs most of the product accreditation for the use of communications technologies in New Zealand as well as Australia. The directorate has also released a guide for users on the "hardened" deployment of the Blackberry.
Campbell said Microsoft and Blackberry were quick to rectify security flaws and sought technical support from the DSD.
He urged vendors to submit products only after rigorous testing and recommended submitting through the lowest appropriate accreditation level to speed-up review.
Perth-based software company Secure System achieved top secret accreditation for its Silicon Disk Encryption product and won a contract with the Department of Defence, after it redesigned the product under close guidance from the DSD.
Consumer guidelines have been added to the Common Criteria to simplify the technical target lists that explain why products have been accredited.
The guidelines show consumers which element of solutions have been accredited, since uncertified solutions can be listed under the criteria's accredited product lists by passing only one component through the evaluation process.
"A VPN and firewall can be passed and listed on the product lists by evaluating the firewall alone," Campbell said.
Wireless technology and converged communications have been added to the ACSI 33 assessment lists; however, accreditation of biometric technology has been stymied by uncertainty and flaws.
Campbell said the technology will be more suited to the common criteria list once it is better understood by the DSD.
Most of the few biometric tools assessed by separate internal methodologies were passed only after arduous security updates or entire rebuilds. A single camera iris scanner was rejected after the DSD discovered users could breach identities by tilting their heads.
Biometric products are assessed for database security, integrity of hash lists, and biometric templates.
Campbell said the DSD security manual, ACSI 33, follows principle rather than rule, and urged industry to submit recommendations for its assessment criteria.