Re: Risk regarding remote login services

["Koerber, Jeff" <jkoerber () TOWSON EDU>]

For faculty/staff, we use Citrix and publish Remote Desktop as an application. That seems to meet everyone's needs and 
we don't allow any third party services.

Jeff Koerber
Supervisor, Student Service Desk & Lab Support
Office of Technology Services
Towson University
Towson, MD


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, 
Brian
Sent: Monday, April 21, 2008 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk regarding remote login services

 I'm working on ways to adequately assess the risk of solutions like LogMeIn, GoToMyPC, etc. The main concerns that I 
have so far are: (1) traditional end point security issues; (2) source addresses are essentially masked by the service; 
(3) these solutions are user managed/not IT controlled (no policy enforcement, for example); (4) confidential/sensitive 
data being sent through a third party in an unmanaged way; (5) the security of the third party becomes axiomatic to 
your institution.

 The last four points, in particular, seem to make these solutions distinct from traditional VPN offerings.  I don't 
want to get into making spacious arguments about why this solution is problematic, but it seems difficult to latch onto 
specifics considering such an open field of possible risk.

 I'm curious to know institutions that allow one of these solutions, and how they employ it. I'm also curious to hear 
from those that prohibit it, and what justifications they use for doing that.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College