Educause Security Discussion mailing list archives
Re: Your thoughts about smart phone access to privileged accounts?
From: Steve Lovaas <steven.lovaas () COLOSTATE EDU>
Date: Tue, 2 May 2006 14:35:02 -0600
Gary,

You're right that these things are new and we don't have a good baseline over time for them. On the other hand, they're not going away and they're getting much more popular with the user community. I like your parting-shot question (offered in jest, perhaps, but important).

I'd say it would make a certain amount of sense to temporarily ignore the fact that they're phones and see how they stack up against your other existing policies. For example, if you require people normally accessing these elevated-privilege accounts to log in through the campus VPN, will the device work that way? If you require host-level posture checking (presence/patch level of AV, etc.) for this kind of remote access, is that capability present? How about file encryption? Do you require disk encryption for sensitive data taken out of a secure environment? If so, do these devices offer adequate (or any) encryption of files in storage? What about logging? Does remote access by one of these things give you enough useful information to track it down and/or disable its access in the event of suspicious traffic? Can adequate forensic investigation be performed on the phone after suspected misuse?

If your policies require these things and the phones can't support them, it's time to either get top-level sign-off on a change in policies or to wait on allowing smart phones. Given the popularity of these devices, it'll be a losing battle to deny them on general principle; your best bet (as I see it) is to make a strong stand one way or the other based on security policies that already have acceptance and backing (or at least familiarity) so that you're not seen as the capricious "IT Preventer".

Good luck,
Steve Lovaas

Gary Flynn wrote:
What are your thoughts regarding the use of smart phones to access elevated privilege accounts by administrators and other privileged users over a wireless VPN? We're getting requests for such use.

Although known incidents with such devices are rare, the technology is new and changing rapidly and I'm not sure that we know enough about the technology, attack points, and how people will use them (e.g. application downloads, local storage of sensitive data like passwords, etc.) to perform any kind of accurate, formal risk assessment.

Ergo, I lean toward the conservative and would tend to view use of such technology for access to accounts having global access to organizational data premature without a *strong* demonstrated benefit of doing so. Customer service is the benefit being used to justify the access.

On the other hand, can they be any worse than using a Windows PC? :)
--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================