Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Endpoint Security Evolving Against Airport Searches, GDPR

Travel pressure around privacy and compliance is forcing mobile endpoint software to evolve. Media coverage of recent airport phone searches has privacy enthusiasts worried, and Europe’s General Data Protection Regulation (GDPR) has IT security and compliance teams thinking about data-loss policies.

Travel pressure around privacy and compliance is forcing mobile endpoint software to evolve. Media coverage of recent airport phone searches has privacy enthusiasts worried, and Europe’s General Data Protection Regulation (GDPR) has IT security and compliance teams thinking about data-loss policies. The good news is that endpoint software, specifically for mobile devices like laptops, tablets, and smartphones, is improving in these areas.

Travel Privacy 

Chandler Frobin, a tech-solution architect, has an iPhone X but doesn’t enable its nifty face ID because he doesn’t want it used against him when landing in a country that might demand to examine his phone and paw through his luggage.

“And if they ask me for my passcode, I’ll tell them I can’t remember,” Chandler told me over a vanilla porter. “I’d like to see them compel me.” 

Chandler’s fear of nonconsensual search isn’t entirely unfounded; just six months ago, a Southern California traveler was detained and had his phone searched after landing at LAX on his way to the Middle East. He is currently suing the federal government, alleging violations of the first, fourth, and fifth amendments related to when he felt forced to unlock his phone.

Chandler Frobin Suit Against Federal Government

The U.S. Customs and Border Patrol—which recently made the news after a hack exposed license plates and traveler data—keeps statistics on electronic-device searches. In 2017, they searched 0.008% (one in every 12,500) of the electronic devices associated with nearly 200 million travelers. That’s not a lot, but it’s not nothing, either.

It’s not just Chandler who’s concerned; IT departments for both the federal space and the private sector are wondering if there’s a technological solution to the endpoint search problem.

Compliance Pressure

Another externality putting pressure on endpoints is the regulatory burden imposed by data security and privacy requirements like General Data Protection Regulations (GDPR). For endpoints such as phones, laptops, and tablets, the concern is the GDRP’s cross-border data-transfer requirements. How is an IT team supposed to comply with the requirements when everyone has their own endpoints and is always jetting around on Ryanair’s £6 fares?

Imagine this problem: your sales engineer has a gig of customer data on his phone via a Slack message, and a storm reroutes his dinky Embraer to Tripoli, of all places. The local officials demand his phone and slurp up his data, which later escapes to the Internet. Who’s at fault for your customer’s data loss in this situation? You can hear Chandler cackling right now, can’t you?

Architects and IT security teams are looking for technology evolutions to help them manage real problems in endpoint storage and messaging. 

Endpoint Privacy Evolving for Corporate, but Not for Citizens

The good news is that endpoint technology is moving in the right direction with both app improvements and new Unified Endpoint Management (UEM) solutions. Leading UEM solutions offer contextual access and risk-based authentication methods that include criteria for both time and location. In a late 2018 survey Forrester, 63% of respondents said they like how Microsoft is simplifying endpoint management with Windows 10, which may give the Redmond giant the edge in the end.

At least one startup, Hotshot, is betting big on contextual data protection. Their mobile messaging encryption client (Android, iOS) enforces location- and time-based restriction policies so users can access data only when and where they are authorized to do so. Hotshot enforces the restrictions by putting controls around the customer’s end-to-end encryption keys. Data owners can set specific policies to allow data access only from approved locations—whether a specific address, like a business office, or from an entire country or group of countries like the EU. Data owners can also set time restrictions to only allow access to work-related communications during business hours.

“One of the challenging aspects of GDPR is that its cross-border data restrictions run counter to a primary tenet of zero-trust security—allowing for secure access regardless of location,” explained Hotshot CEO Aaron Turner, when asked about the inspiration for his encryption app. As for what happens if an official shows up at Hotshot with a subpoena, Turner said that, like WhatsApp and other peer-encryption messaging clients, “We as a platform operator cannot see the details since we don’t have the keys.” 

So, when the hapless sales engineer unexpectedly lands in Tripoli, he cannot access encrypted customer data, much less be coerced into giving it up to local authorities. 

Traveling in the Right Direction

UEM and endpoint apps like Hotshot help IT teams meet their compliance requirements for GDPR, reduce data leakage, and enable clawback of data when users leave the organization, or no longer have the need for access to it (think controlled chat and collaboration with contractors or third-party project team members). IT buyers should be evaluating these software solutions as part of their data security management strategy.

Written By

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

Funding/M&A

Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.