Re: Your thougts about smart phone access to privileged accounts?

[Steve Lovaas <steven.lovaas () COLOSTATE EDU>]

Gary,

You're right that these things are new and we don't have a good baseline
over time for them. On the other hand, they're not going away and
they're getting much more popular with the user community. I like your
parting-shot question (offered in jest, perhaps, but important).

I'd say it would make a certain amount of sense to temporarily ignore
the fact that they're phones and see how they stack up against your
other existing policies.

For example, if you require people normally accessing these
elevated-privilege accounts to log in through the campus VPN, will the
device work that way?

If you require host-level posture checking (presence/patch level of AV,
etc) for this kind of remote access, is that capability present?

How about file encryption? Do you require disk encryption for sensitive
data taken out of a secure environment? If so, do these devices offer
adequate (or any) encryption of files in storage?

What about logging? Does remote access by one of these things give you
enough useful information to track it down and/or disable its access in
the event of suspicious traffic? Can adequate forensic investigation be
performed on the phone after suspected misuse? If your policies require
these things and the phones can't support them, it's time to either get
top-level sign-off on a change in policies or to wait on allowing smart
phones.

Given the popularity of these devices, it'll be a losing battle to deny
them on general principle; your best bet (as I see it) is to make a
strong stand one way or the other based on security policies that
already have acceptance and backing (or at least familiarity) so that
you're not seen as the capricious "IT Preventer".

Good luck,
Steve Lovaas



Gary Flynn wrote:
> What are your thoughts regarding the use of smart phones to
> access elevated privilege accounts by administrators and
> other privileged users over a wireless VPN?
>
> We're getting requests for such use. Although known incidents
> with such devices are rare, the technology is new and changing
> rapidly and I'm not sure that we know enough about the
> technology, attack points, and how people will use them ( e.g.
> application downloads, local storage of sensitive data like
> passwords, etc. ) to perform any kind of accurate, formal risk
> assessment. Ergo, I lean toward the conservative and would
> tend to view use of such technology for access to accounts
> having global access to organizational data premature without
> a *strong* demonstrated benefit of doing so. Customer service
> is the benefit being used to justify the access.
>
> On the other hand, can they be any worse than using
> a Windows PC? :)

--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================