3/4/2020
11:45 AM
Curtis Franklin Jr.

The Perfect Travel Security Policy for a Globe-Trotting Laptop

There are many challenges to safely carrying data and equipment on international travels, but the right policy can make navigating the challenges easier and more successful.

RSA Conference 2020 – San Francisco – It was an impressive claim. "Implementing the Perfect Travel Laptop Program" was on the sign at the door of the conference room at RSAC, and the attendees at the morning session were buzzing with anticipation. Then Brian Warshawsky, JD CCEP, manager of export control compliance at the University of California Office of the President, took the stage.

"There's really no such thing as a perfect travel program," he said.

Well, alrighty, then.

There is such a thing, he said, as a very good travel program. And the key to that very good program is balance. With that, Warshawsky began laying out the factors that must be balanced in the creation of a travel laptop program.

First, he said, "Business travelers must understand they have no inherent right to privacy while traveling, and that most network operators conduct at least superficial surveillance." That awareness means security professionals within an organization should perform triage on the data and systems that employees want to carry, especially when the destination is international.

Data Triage
Warshawsky said that governments' willingness to take data as it comes into and out of the country on electronic devices means that organizations need to ask themselves a series of questions about the data.

  • Is the data and information contained within the device worth more than the device itself?
  • What are the local laws in the country being entered?
  • What is the result to both the individual and the organization if all data on the device were compromised or released?
  • What is the effect of device encryption?

He pointed out that these are the foundational questions and must be asked not only about the countries of origin and destination, but also about every country that will be a transit point on the trip. Warshawsky cited London's Heathrow Airport as one that is infamous as a midpoint in international travel. Many connections, he said, require changing terminals, which requires going through a security checkpoint, at which point officials can demand access to files on devices.

Encryption Weakness
Many organizations think that full-device encryption will be enough to protect all on-device information from prying eyes, Warshawsky said. It's important to remember, he told the audience, that on-device encryption is only as strong as the individual carrying the device. When local authorities threaten to imprison an employee until they supply the device password — or until the authorities can crack the device — it may not take long before the device is unlocked, decrypted, and completely duplicated into local servers.

In addition to potential human weakness, Warshawsky said that organizations must be aware that very strong encryption might be illegal to carry into certain nations. Part of the compliance review for a travel program must include answering the question of whether the information on the device, and the technology used to protect it, can legally be carried out of the country. The penalties for getting this wrong, he pointed out, can be severe for both employee and organization.

The Risk-Based Approach
To properly assess the risk of a trip, there are five questions that must be asked in the process:

  • What is on the device?
  • Who owns it?
  • How is it being used and secured?
  • Why is it needed overseas?
  • Where will it be located and for how long?

The question of what is on the device is especially critical when an employee is going to give a presentation at an international conference: While the presentation itself will likely have been vetted and approved by both management and corporate legal, supporting documents brought along for follow-up conversations might easily be outside organizational guidelines, national law, or both.

Ask the Questions
Before travel begins, Warshawsky said there should be a formal, documented series of steps the traveler must take.

  • Pre-travel briefings
  • Pre-travel surveys
  • Guides
  • Net forms
  • Signed acknowledgement forms
  • Travel letters
  • Data and hardware classification

The surveys, he said, are especially important for answering questions around what information is absolutely required for the trip, whether there are workable alternatives to carrying the information on a device, and making plans for using or transferring the information in any nation that might outlaw VPN use.

Ultimately, he said, travelers should only carry data that they (and their organizations) are willing to see compromised. Travelers must be fully briefed on limitations on their rights at international crossings and on the laws applying to data in every country they will visit or transit. The point of all this is to enable and support international travel, but to do so in a way that is legally compliant at every step of the trip.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...