Educause Security Discussion mailing list archives

Re: Risk regarding remote login services


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 22 Apr 2008 14:41:01 -0700

 Thanks for your response, Jeff.

 I'm not sure why I haven't gotten many responses on this. Is it because
many institutions don't try to control faculty/staff use of services
like GoToMyPC? Is that because of a perception of negligible risk,
perhaps a lack of the necessary tools, or potential political issues? 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Koerber, Jeff
Sent: Tuesday, April 22, 2008 2:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Risk regarding remote login services

For faculty/staff, we use Citrix and publish Remote Desktop 
as an application. That seems to meet everyone's needs and we 
don't allow any third party services.

Jeff Koerber
Supervisor, Student Service Desk & Lab Support
Office of Technology Services
Towson University
Towson, MD


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Monday, April 21, 2008 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk regarding remote login services

 I'm working on ways to adequately assess the risk of 
solutions like LogMeIn, GoToMyPC, etc. The main concerns that 
I have so far are: (1) traditional end point security issues; 
(2) source addresses are essentially masked by the service; 
(3) these solutions are user managed/not IT controlled (no 
policy enforcement, for example); (4) confidential/sensitive 
data being sent through a third party in an unmanaged way; 
(5) the security of the third party becomes axiomatic to your 
institution.

 The last four points, in particular, seem to make these 
solutions distinct from traditional VPN offerings.  I don't 
want to get into making specious arguments about why this 
solution is problematic, but it seems difficult to latch onto 
specifics considering such an open field of possible risk.

 I'm curious to know institutions that allow one of these 
solutions, and how they employ it. I'm also curious to hear 
from those that prohibit it, and what justifications they use 
for doing that.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

