Educause Security Discussion mailing list archives

Re: iPad and access to university ERP


From: "Ullman, Catherine" <cende () BUFFALO EDU>
Date: Wed, 21 Jul 2010 19:22:16 -0400

The 40-bit reference appears to be to the software itself, which is an add-on app that can be downloaded and installed 
from a third party.  Note the line that says "40-bit encryption" is a limitation:

http://www.mochasoft.dk/iphone_rdp_help/help.htm

So yes, I'd say there is a distinct concern.

-Cathy

Catherine J. Ullman
Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu



________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian 
[bbasgen () PIMA EDU]
Sent: Wednesday, July 21, 2010 7:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

 Apple has an overview of security on the iPad here:
   http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf

 This is an interesting read: I didn't know, for example, that the iPad appears to have quasi FDE functionality: 
"256-bit AES encoding hardware-based encryption to protect all data on the device. Encryption is always enabled and 
cannot be disabled by users."

 The lowest algorithm I can see in the document is 3DES, which is typically implemented at either 112 or 168 bit 
strength. I don't see anything about 40-bit, but to the previous poster, that would be a concern since 40-bit is well 
within the realm of brute force. By the looks of the Apple publication, however, the iPad appears to have some pretty 
good security controls.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, 
MICHAEL
Sent: Wednesday, July 21, 2010 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

But...given that the session *is* encrypted - and not persistent - wouldn't *any* kind of encryption be serviceable for 
something like this?  (I'm thinking that if someone *really* wanted the data, they aren't going to try and tunnel 
through a relatively random wireless connection....?)

Just a thought...

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg 
Schaffer
Sent: Wednesday, July 21, 2010 10:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

I believe the encryption is only 40 bit.

Greg

Greg Schaffer, CISSP
Assistant Vice President
Network and Information Technology Security
Middle Tennessee State University
615 898-5753

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa 
Rowe
Sent: Wednesday, July 21, 2010 11:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iPad and access to university ERP

I just received this email from a department manager:

"First thing I did was install an app called Remote Desktop Lite (free). I
used that to remote into my Windows machine on my desk and it worked
beautifully. I pulled up Banner and found it to be really easy to work with
on the iPad. What I liked the most was I didn't have to tab into the entry
fields. I could touch them and the cursor would move. If I only had that on
my desktop!"

Wonderful....  So I'm thinking what is open on the desktop and what is the security of the transmission.  We force VPN 
use from off-campus.  I thought we had the remote desktop thing handled in terms of accessing our ERP.

Am I unreasonably concerned?

--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
