Risk regarding remote login services

["Basgen, Brian" <bbasgen () PIMA EDU>]

 I'm working on ways to adequately assess the risk of solutions like
LogMeIn, GoToMyPC, etc. The main concerns that I have so far are: (1)
traditional end point security issues; (2) source addresses are
essentially masked by the service; (3) these solutions are user
managed/not IT controlled (no policy enforcement, for example); (4)
confidential/sensitive data being sent through a third party in an
unmanaged way; (5) the security of the third party becomes axiomatic to
your institution.  

 The last four points, in particular, seem to make these solutions
distinct from traditional VPN offerings.  I don't want to get into
making spacious arguments about why this solution is problematic, but it
seems difficult to latch onto specifics considering such an open field
of possible risk. 
 
 I'm curious to know institutions that allow one of these solutions, and
how they employ it. I'm also curious to hear from those that prohibit
it, and what justifications they use for doing that. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College