There are many challenges to safely carrying data and equipment on international travels, but the right policy can make navigating the challenges easier and more successful.

RSA Conference 2020 – San Francisco – It was an impressive claim. "Implementing the Perfect Travel Laptop Program" was on the sign at the door of the conference room at RSAC, and the attendees at the morning session were buzzing with anticipation. Then Brian Warshawsky, JD CCEP, manager of export control compliance at the University of California Office of the President, took the stage.

"There's really no such thing as a perfect travel program," he said.

Well, alrighty, then.

There is such a thing, he said, as a very good travel program. And the key to that very good program is balance. With that, Warshawsky began laying out the factors that must be balanced in the creation of a travel laptop program.

First, he said, "Business travelers must understand they have no inherent right to privacy while traveling, and that most network operators conduct at least superficial surveillance." That awareness means security professionals within an organization should perform triage on the data and systems that employees want to carry, especially when the destination is international.

Data Triage
Warshawsky said that governments' willingness to take data as it comes into and out of the country on electronic devices means that organizations need to ask themselves a series of questions about the data.

  • Is the data and information contained within the device worth more than the device itself?

  • What are the local laws in the country being entered?

  • What is the result to both the individual and the organization if all data on the device were compromised or released?

  • What is the effect of device encryption?

He pointed out that these are the foundational questions and must be asked not only about the countries of origin and destination, but about every country that will be a transit point on the trip. Warshawsky gave London's Heathrow Airport as an example of a transit point that is infamous in international travel. Many connections, he said, require changing terminals, which requires going through a security checkpoint, at which point officials can demand access to files on devices.

Encryption Weakness
Many organizations think that full-device encryption will be enough to protect all on-device information from prying eyes, Warshawsky said. He reminded the audience that on-device encryption is only as strong as the individual carrying the device. When local authorities threaten to imprison an employee until they supply the device password — or until the authorities can crack the device — it may not take long before the device is unlocked, decrypted, and completely duplicated onto local servers.

In addition to potential human weakness, Warshawsky said that organizations must be aware that very strong encryption might be illegal to carry into certain nations. Part of the compliance review for a travel program must include answering the question of whether the information on the device, and the technology used to protect it, can legally be carried out of the country. The penalties for getting this wrong, he pointed out, can be severe for both employee and organization.

The Risk-Based Approach
To properly assess the risk of a trip, there are five questions that must be asked in the process:

  • What is on the device?

  • Who owns it?

  • How is it being used and secured?

  • Why is it needed overseas?

  • Where will it be located and for how long?

The question of what is on the device is especially critical when an employee is going to give a presentation at an international conference: While the presentation itself will likely have been vetted and approved by both management and corporate legal, supporting documents brought along for follow-up conversations might easily be outside organizational guidelines, national law, or both.

Ask the Questions
Before travel begins, Warshawsky said there should be a formal, documented series of steps the traveler must take.

  • Pre-travel briefings

  • Pre-travel surveys

  • Guides

  • Net forms

  • Signed acknowledgement forms

  • Travel letters

  • Data and hardware classification

The surveys, he said, are especially important for answering questions around what information is absolutely required for the trip, whether there are workable alternatives to carrying the information on a device, and making plans for using or transferring the information in any nation that might outlaw VPN use.

Ultimately, he said, travelers should only carry data that they (and their organizations) are willing to see compromised. Travelers must be fully briefed on limitations on their rights at international crossings and on the laws applying to data in every country they will visit or transit. The point of all this is to enable and support international travel, but to do so in a way that is legally compliant at every step of the trip.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
