Your thougts about smart phone access to privileged accounts?

[Gary Flynn <flynngn () JMU EDU>]

What are your thoughts regarding the use of smart phones to
access elevated privilege accounts by administrators and
other privileged users over a wireless VPN?

We're getting requests for such use. Although known incidents
with such devices are rare, the technology is new and changing
rapidly and I'm not sure that we know enough about the
technology, attack points, and how people will use them ( e.g.
application downloads, local storage of sensitive data like
passwords, etc. ) to perform any kind of accurate, formal risk
assessment. Ergo, I lean toward the conservative and would
tend to view use of such technology for access to accounts
having global access to organizational data premature without
a *strong* demonstrated benefit of doing so. Customer service
is the benefit being used to justify the access.

On the other hand, can they be any worse than using
a Windows PC? :)


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature