The new travel ban enacted by the U.S. Department of Homeland Security for laptops in the cabin of flights from certain countries may have corporate risk managers revisiting policies about how road warriors handle data on laptops and mobile devices.
Enterprise employees may find that government actions won't just put a crimp on convenience but could also have heavy implications - from a regulatory and intellectual property protection perspective - when combined with growing powers of US Border Control to demand travelers unlock their devices for inspection. As things develop, large organizations doing international business may be facing a new minefield when it comes to device-based data portability in and out of U.S. soil.
At the bare minimum, experts believe this latest decree by the feds will bolster resolve for existing policies on endpoint security as worries about devices disappearing from checked luggage grows.
"It’s going to force people to actually implement and enforce the policies they have on paper," says George Wrenn, CEO and founder of CyberSaint Security, and a research affiliate MIT's (IC3) Critical Infrastructure Protection Program. He explains that most large organizations already have policies on device encryption, authentication and data storage to plan for loss or theft. "They're just not enforced," he says, "because people will carry their laptops and they're considered to be using other compensatory strategies to prevent the loss of intellectual property and data."
The question now becomes how to effectively enforce policies that have long been ignored, says Jonathan Gossels, president and CEO of SystemExperts.
"This is not rocket science. We are talking whole disk encryption, good quality passwords or two factor authentication, and key management," he says. "Blocking and tackling, but it has to be enforced by each company to be effective."
Nevertheless, even with the basic blocking and tackling in place, many organizations may still be squirrely about laptops with corporate secrets or customer data sets being parted from their caretakers into aircraft holds.
"Most organizations won’t feel comfortable with employees packing away their company-owned laptops and other IT equipment into their luggage, even if they are properly secured with encryption and passwords," says Richard Steinnon, Chief Strategy Officer of Blancco Technology Group. "So, I imagine that employees traveling to the countries included in this ban will likely be asked by their employers to not carry these devices with them. If they have to, they will likely be told to remove all non-essential data before they check in their IT assets in their baggage."
In some instances, simply leaving a corporate laptop unattended may already be against company policy. For example, warns Eric O'Neill, national security strategist for Carbon Black and a former FBI counter-terrorism operative, military contractors likely wouldn't be able to bring their laptops on affected legs.
"When traveling internationally, the rule of thumb is to keep all critical devices on your person - especially phones, laptops and tablets that have important information on them, or access to important or sensitive information," he says.
The travel ban is just one part of the equation. Even more troubling are the inspection rights that border patrol have increasingly been asserting with regard to devices, even those locked by their possessors.
"The long-term substantial impact is that key information may be exposed, unpredictably, and for no substantive reason, to inspectors who have no right to that access," says Mark Graff, CEO of Tellagraff and former CISO for Nasdaq. "This development may well open these companies to litigation exposure any inadvertent violation of data security regulations. It is only a matter of time before companies fined for violating federal standards take the federal government to court for forcing that violation with the new order inspection practices."
Both the laptop ban and the requirement of unlocking devices for inspectors throw up data confidentiality and integrity issues, explains Phillip Hallam-Baker, vice president and principal scientist at Comodo. However, the latter is a lot more difficult because there are few compensating controls.
“The laptop ban only affects a small number at present. Laptop searches by border protection is a much broader concern," Hallam-Baker says. "Currently, the main confidentiality control available is full disk encryption, though this does not help if a user can be ordered to unlock the device. And there is a real possibility other governments will follow suit. Whether the U.S. government could be trusted not to abuse data obtained in this manner is irrelevant if your laptop is being searched in Russia."
Many experts believe that this confluence of issues should be enough to convince organizations to update policies and address frequently traveling employees of the risks. Christopher Ensey, COO of Dunbar Security Solutions, urges extreme caution transporting any data at all on laptops, mobile phones or portable media over any border these days.
"The restrictions on what is allowed for inspection and seizure have become nearly impossible to track. The best practice is to take a vanilla device with you that can only connect to sensitive information via secure tunnels and strong authentication," he says. "Latency in faraway lands can be an issue, and frankly the experience isn’t all it’s cracked up to be for the end user. This is, however, the best way to ensure that data isn’t going to be leaked all over the place when crossing a border."
Employees will lose the ability to access and work on information without internet access, but Morey Haber, vice president of technology for BeyondTrust, believes that this is the best policy for all organizations to adopt. He says that users and admins need to be mindful of managing connection configurations and security after an interaction at the border to be sure to keep the set-up fully secure.
"Whether the mobile device uses VPN or accesses the cloud to retrieve the data, being online to retrieve it and not store it locally, is critical to mitigating these risks introduced by the US government," he says. "In addition, if the device is accessed or copied, organizations need a prompt method to change VPN keys and passwords on those devices to mitigate the image compromised being leveraged against them as well."
Experts say that many organizations may already have derivations of this for travel to certain parts of the world. Wrenn explains that the practice of 'shaking' devices by shady authorities is a well-known practice.
"Companies should already be anticipating these scenarios," he says. "So I think there just may be a need to edit policies to make sure this new use case (at the U.S. border) is factored in."
"It has long been a best practice when heading to hostile environments to issue clean devices to traveling employees," explaining that organizations typically overwrite memory and load machines with fresh images both before and after travel to certain parts of the world. "Look for this practice to become more common and even for special device services to be built around this new need."
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio