Educause Security Discussion mailing list archives
Re: Your thougts about smart phone access to privileged accounts?
From: "Dugan, Darin D [EIT]" <dddugan () IASTATE EDU>
Date: Tue, 2 May 2006 16:34:48 -0500
This is not a direct answer to your question, but I was just posting on another list about the Messaging and Security Feature Pack for Windows Mobile 5 devices and it seems quite relevant here as well. Here's an excerpt: I think anyone looking at Windows Mobile 5 should be looking at the Messaging and Security Feature Pack (MSFP) and how it may fit into your organization. This is the WM5 update that corresponds to Exchange 2003 SP2. MSFP fully enables direct-push (instead of SMS triggers for always-up-to-date notifications) and has the client bits for password enforcement and local and remote device wipe. As in, Dean of X loses their device somewhere, a student or worse picks it up and wants to look through it... MSFP policies can require a device password and automatically wipe the device when a number of unlock failures have occurred. In additional, remote wipes can be manually initiated at the server level, enforced at next synchronization. www.microsoft.com/technet/itsolutions/mobile/deploy/msfpdepguide.mspx Cheers. -- Darin Dugan Iowa State University Extension
-----Original Message----- From: Gary Flynn [mailto:flynngn () JMU EDU] Sent: Tuesday, May 02, 2006 8:25 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Your thougts about smart phone access to privileged accounts? What are your thoughts regarding the use of smart phones to access elevated privilege accounts by administrators and other privileged users over a wireless VPN? We're getting requests for such use. Although known incidents with such devices are rare, the technology is new and changing rapidly and I'm not sure that we know enough about the technology, attack points, and how people will use them ( e.g. application downloads, local storage of sensitive data like passwords, etc. ) to perform any kind of accurate, formal risk assessment. Ergo, I lean toward the conservative and would tend to view use of such technology for access to accounts having global access to organizational data premature without a *strong* demonstrated benefit of doing so. Customer service is the benefit being used to justify the access. On the other hand, can they be any worse than using a Windows PC? :) -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Current thread:
- Your thougts about smart phone access to privileged accounts? Gary Flynn (May 02)
- <Possible follow-ups>
- Re: Your thougts about smart phone access to privileged accounts? Steve Lovaas (May 02)
- Re: Your thougts about smart phone access to privileged accounts? Dugan, Darin D [EIT] (May 02)
- Re: Your thougts about smart phone access to privileged accounts? Chris Green (May 03)