Security Experts:

Endpoint Security Evolving Against Airport Searches, GDPR

Travel pressure around privacy and compliance is forcing mobile endpoint software to evolve. Media coverage of recent airport phone searches has privacy enthusiasts worried, and Europe's General Data Protection Regulation (GDPR) has IT security and compliance teams thinking about data-loss policies. The good news is that endpoint software, specifically for mobile devices like laptops, tablets, and smartphones, is improving in these areas.

Travel Privacy 

Chandler Frobin, a tech-solution architect, has an iPhone X but doesn’t enable its nifty face ID because he doesn’t want it used against him when landing in a country that might demand to examine his phone and paw through his luggage.

“And if they ask me for my passcode, I’ll tell them I can’t remember,” Chandler told me over a vanilla porter. “I’d like to see them compel me.” 

Chandler’s fear of nonconsensual search isn’t entirely unfounded; just six months ago, a Southern California traveler was detained and had his phone searched after landing at LAX on his way to the Middle East. He is currently suing the federal government, alleging violations of the first, fourth, and fifth amendments related to when he felt forced to unlock his phone.

Chandler Frobin Suit Against Federal Government

The U.S. Customs and Border Patrol—which recently made the news after a hack exposed license plates and traveler data—keeps statistics on electronic-device searches. In 2017, they searched 0.008% (one in every 12,500) of the electronic devices associated with nearly 200 million travelers. That’s not a lot, but it’s not nothing, either.

It’s not just Chandler who’s concerned; IT departments for both the federal space and the private sector are wondering if there’s a technological solution to the endpoint search problem.

Compliance Pressure

Another externality putting pressure on endpoints is the regulatory burden imposed by data security and privacy requirements like General Data Protection Regulations (GDPR). For endpoints such as phones, laptops, and tablets, the concern is the GDRP’s cross-border data-transfer requirements. How is an IT team supposed to comply with the requirements when everyone has their own endpoints and is always jetting around on Ryanair’s £6 fares?

Imagine this problem: your sales engineer has a gig of customer data on his phone via a Slack message, and a storm reroutes his dinky Embraer to Tripoli, of all places. The local officials demand his phone and slurp up his data, which later escapes to the Internet. Who’s at fault for your customer’s data loss in this situation? You can hear Chandler cackling right now, can’t you?

Architects and IT security teams are looking for technology evolutions to help them manage real problems in endpoint storage and messaging. 

Endpoint Privacy Evolving for Corporate, but Not for Citizens

The good news is that endpoint technology is moving in the right direction with both app improvements and new Unified Endpoint Management (UEM) solutions. Leading UEM solutions offer contextual access and risk-based authentication methods that include criteria for both time and location. In a late 2018 survey Forrester, 63% of respondents said they like how Microsoft is simplifying endpoint management with Windows 10, which may give the Redmond giant the edge in the end.

At least one startup, Hotshot, is betting big on contextual data protection. Their mobile messaging encryption client (Android, iOS) enforces location- and time-based restriction policies so users can access data only when and where they are authorized to do so. Hotshot enforces the restrictions by putting controls around the customer’s end-to-end encryption keys. Data owners can set specific policies to allow data access only from approved locations—whether a specific address, like a business office, or from an entire country or group of countries like the EU. Data owners can also set time restrictions to only allow access to work-related communications during business hours.

"One of the challenging aspects of GDPR is that its cross-border data restrictions run counter to a primary tenet of zero-trust security—allowing for secure access regardless of location,” explained Hotshot CEO Aaron Turner, when asked about the inspiration for his encryption app. As for what happens if an official shows up at Hotshot with a subpoena, Turner said that, like WhatsApp and other peer-encryption messaging clients, “We as a platform operator cannot see the details since we don’t have the keys.” 

So, when the hapless sales engineer unexpectedly lands in Tripoli, he cannot access encrypted customer data, much less be coerced into giving it up to local authorities. 

Traveling in the Right Direction

UEM and endpoint apps like Hotshot help IT teams meet their compliance requirements for GDPR, reduce data leakage, and enable clawback of data when users leave the organization, or no longer have the need for access to it (think controlled chat and collaboration with contractors or third-party project team members). IT buyers should be evaluating these software solutions as part of their data security management strategy.

view counter
David Holmes, CISSP, is a security researcher and a low-rent technical evangelist. He has a background in cryptography, application security, architecture, and development. He has spoken at more than 50 conferences, including RSA, InfoSec Europe, the Australian CyberSecurity Conference, and Gartner Data Center. He researches and writes regularly about cryptography, the Internet of Things, malware, policy, vulnerabilities, technical solutions, and the security industry in general as an expert contributor at SecurityWeek. Holmes studied Computer Science and Engineering Physics at the University of Colorado at Boulder and has awards from Toastmasters International. On Twitter he is @capmblade.