Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Endpoint Security Evolving Against Airport Searches, GDPR

Travel pressure around privacy and compliance is forcing mobile endpoint software to evolve. Media coverage of recent airport phone searches has privacy enthusiasts worried, and Europe’s General Data Protection Regulation (GDPR) has IT security and compliance teams thinking about data-loss policies.

Travel pressure around privacy and compliance is forcing mobile endpoint software to evolve. Media coverage of recent airport phone searches has privacy enthusiasts worried, and Europe’s General Data Protection Regulation (GDPR) has IT security and compliance teams thinking about data-loss policies. The good news is that endpoint software, specifically for mobile devices like laptops, tablets, and smartphones, is improving in these areas.

Travel Privacy 

Chandler Frobin, a tech-solution architect, has an iPhone X but doesn’t enable its nifty face ID because he doesn’t want it used against him when landing in a country that might demand to examine his phone and paw through his luggage.

“And if they ask me for my passcode, I’ll tell them I can’t remember,” Chandler told me over a vanilla porter. “I’d like to see them compel me.” 

Chandler’s fear of nonconsensual search isn’t entirely unfounded; just six months ago, a Southern California traveler was detained and had his phone searched after landing at LAX on his way to the Middle East. He is currently suing the federal government, alleging violations of the first, fourth, and fifth amendments related to when he felt forced to unlock his phone.

Chandler Frobin Suit Against Federal Government

The U.S. Customs and Border Patrol—which recently made the news after a hack exposed license plates and traveler data—keeps statistics on electronic-device searches. In 2017, they searched 0.008% (one in every 12,500) of the electronic devices associated with nearly 200 million travelers. That’s not a lot, but it’s not nothing, either.

It’s not just Chandler who’s concerned; IT departments for both the federal space and the private sector are wondering if there’s a technological solution to the endpoint search problem.

Compliance Pressure

Advertisement. Scroll to continue reading.

Another externality putting pressure on endpoints is the regulatory burden imposed by data security and privacy requirements like General Data Protection Regulations (GDPR). For endpoints such as phones, laptops, and tablets, the concern is the GDRP’s cross-border data-transfer requirements. How is an IT team supposed to comply with the requirements when everyone has their own endpoints and is always jetting around on Ryanair’s £6 fares?

Imagine this problem: your sales engineer has a gig of customer data on his phone via a Slack message, and a storm reroutes his dinky Embraer to Tripoli, of all places. The local officials demand his phone and slurp up his data, which later escapes to the Internet. Who’s at fault for your customer’s data loss in this situation? You can hear Chandler cackling right now, can’t you?

Architects and IT security teams are looking for technology evolutions to help them manage real problems in endpoint storage and messaging. 

Endpoint Privacy Evolving for Corporate, but Not for Citizens

The good news is that endpoint technology is moving in the right direction with both app improvements and new Unified Endpoint Management (UEM) solutions. Leading UEM solutions offer contextual access and risk-based authentication methods that include criteria for both time and location. In a late 2018 survey Forrester, 63% of respondents said they like how Microsoft is simplifying endpoint management with Windows 10, which may give the Redmond giant the edge in the end.

At least one startup, Hotshot, is betting big on contextual data protection. Their mobile messaging encryption client (Android, iOS) enforces location- and time-based restriction policies so users can access data only when and where they are authorized to do so. Hotshot enforces the restrictions by putting controls around the customer’s end-to-end encryption keys. Data owners can set specific policies to allow data access only from approved locations—whether a specific address, like a business office, or from an entire country or group of countries like the EU. Data owners can also set time restrictions to only allow access to work-related communications during business hours.

“One of the challenging aspects of GDPR is that its cross-border data restrictions run counter to a primary tenet of zero-trust security—allowing for secure access regardless of location,” explained Hotshot CEO Aaron Turner, when asked about the inspiration for his encryption app. As for what happens if an official shows up at Hotshot with a subpoena, Turner said that, like WhatsApp and other peer-encryption messaging clients, “We as a platform operator cannot see the details since we don’t have the keys.” 

So, when the hapless sales engineer unexpectedly lands in Tripoli, he cannot access encrypted customer data, much less be coerced into giving it up to local authorities. 

Traveling in the Right Direction

UEM and endpoint apps like Hotshot help IT teams meet their compliance requirements for GDPR, reduce data leakage, and enable clawback of data when users leave the organization, or no longer have the need for access to it (think controlled chat and collaboration with contractors or third-party project team members). IT buyers should be evaluating these software solutions as part of their data security management strategy.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...