Sunday, April 30, 2017

Another Chromebook Use Case

Recent restrictions on traveling with laptops have caused difficulties for business travelers.

My better half recently booked airline tickets to visit family in the UK, traveling with a codesharing combination of Qantas (Sydney - Dubai) and Emirates (Dubai - Birmingham). This is a much more convenient alternative to taking QF1 all the way to Heathrow and then organising land transport to the Midlands, but even QF1 still transits through Dubai, so would be subject to the same problem.
The Acer Chromebook 14, in Luxury Gold trim.

The Problem

Recently the US instituted a ban on passengers traveling from several Middle Eastern airports carrying electronic devices in their hand baggage. The ban applies to tablets (including some of the older, larger Kindles), laptop computers and other personal electronic devices, and apparently is based on received intelligence on bomb-making techniques.

This occurred a few weeks after my wife had bought her tickets, and we were initially unconcerned - until the UK followed suit, and specifically added Dubai to the list of ports concerned. Although this was a family visit, my wife needs to run her business while traveling, maintaining contact with clients and working on project reports and presentations. She had previously taken her Windows laptop for this purpose and so we initially considered how this could be done in the light of the new restrictions.

The most obvious alternative to hand luggage was to put the laptop into checked luggage. But there are problems with this approach.

Firstly, airlines (and aviation regulators) have specific rules for the carriage of dangerous goods, and lithium ion batteries feature quite prominently in the dangerous goods list. For example, Australia's Civil Aviation Safety Authority provides quite detailed advice to passengers ("Travelling safely with batteries and portable power packs", available online at https://www.casa.gov.au/standard-page/travelling-safely-batteries) and is quite clear that spare batteries must be in carry-on baggage only, because of the risk of fire.No advice is provided in relation to batteries installed in devices, probably because of the expectation that passengers will carry expensive and fragile devices as carry-on baggage anyway.

However, a laptop packed into a suitcase - especially a zip-up lightweight suitcase - poses its own risks. First, there is the possibility of theft; I have personally had electronics stolen from a checked bag, presumably by a baggage handler. Secondly, there's the possibility of damage - suitcases are stacked up in containers for loading into the freight holds of large aircraft, and a lightweight suitcase at the bottom of a pile could be subject to considerable pressure and deformation. Finally, the natural inclination is to wrap the laptop in soft clothing to provide protection against the shock of dropping - but what if pressure on a power switch or deformation of the case causes the laptop to power up? It is quite likely to overheat since the clothing will block the air vents - and the clothing is also likely to be highly flammable.

For these reasons, we rapidly ruled out the idea of packing the laptop in a suitcase - and I hope everyone else does, too.

The airline eventually proposed a scheme in which passengers transiting Dubai could surrender their laptops for carriage in the hold - but this is unattractive, too - since the laptop bag is the obvious place to store travel documents (e-ticket, passport, etc.) and in-flight requirements. Surrender the bag, and you lose access to those, or have to have yet another bag to carry them; surrender the laptop without the bag, and it is unprotected. Both cases still leave an exposure to damage, loss or theft. Not a comfortable option, either.

The Solution


What to do, then? Fortunately, there is an easy alternative: order a Chromebook in advance of travel, for delivery to a UK address, and that is what we chose in the end.

I drew up a short list of requirements for the various alternative solutions to the problem:

  • Functionality. The device has to support essential business applications: email/calendar, word processing, spreadsheet and presentation graphics.
  • Low cost. If we acquired a device just for use on visits to the UK, it would only get used for a few weeks each year, so a high-cost device is not justified. This requirement extends to software licences as well.
  • Low maintenance. The machine would lie unused for three to six months at a time, and if the first task on arrival was to install updates and patches, requiring multiple reboots and lots of interaction (e.g. via the Help -> About menu option in Mozilla applications), that's time badly spent on a short trip - but if not done, security exposures would result.
  • Security. If the device is stolen, lost, lent to a third party, etc. there should be no exposure of sensitive data on the device and no threat to system integrity.
  • No interruption to work, and no work lost. Locally-stored files, e.g. on the hard drive of a Windows laptop, could accidentally be left behind, requiring work to be done all over again.
  • Simplicity. We wanted to avoid complicated schemes of copying files to and from USB keys or compact flash. This poses too much risk of an old file over-writing a newer version.

Fortunately, the use of a Chromebook meets these requirements perfectly. Since my wife's business uses Google GSuite (formerly Google Apps), she is already familiar with some of its components and uses them, particularly for collaborative projects. So we knew the functionality requirement was met. We already have another Chromebook and a Chromebox, so the device is familiar, too.

The Chromebook meets the low maintenance requirement quite easily, as there's very little on the device itself to be updated, and that is taken care of with a few minutes downloading and a ten-second (at most!) reboot. All applications are cloud-based and continually updated.

Security, simplicity and the requirement for no work to be lost are dealt with by the fact that the Chromebook and GSuite are cloud-based. All she had to do was transfer more of her work to GSuite in the weeks leading up to the trip, and all her work documents were available immediately upon initial login. Similarly, she can leave the Chromebook behind and upon arrival, immediately resume work. Everything is stored in the cloud; nothing is stored on the machine. And because we use two-factor authentication with security keys, there's no real possibility of someone using the machine to gain access to her data. For the same reasons, the family member charged with storing the device is relieved of a lot of responsibility.

Finally, cost: the Acer Chromebook 14 is only GBP199.00 from Amazon.co.uk (see https://www.amazon.co.uk/Acer-Chromebook-CB3-431-14-Inch-Notebook/dp/B01MY6VFL3/). That is sufficiently inexpensive that the low utilization is not a problem - it's a reasonable price to pay to solve the travel problem.

The Pudding


The proof of the pudding is in the eating, as they say. The trip is almost over, and my wife reports that the Chromebook worked well. Even as a non-technical user, she was able to get it unpacked, set up and working with minimal effort, and she has used it for ten days to complete a variety of work tasks. Not having to worry about taking a laptop was a load off her mind, and not having a laptop case to carry was a load off her shoulders.

The Chromebook is now permanently stationed in the UK for use on future trips, and travel - especially via Dubai - will be a lot easier. The whole exercise has proved yet another use case for the Chromebook, and it has turned out to be a useful addition to our business technology toolbox.

Sunday, April 2, 2017

An Infosec View of Privacy

Information security professionals, and especially cryptographers, tend to think in terms of preserving the security properties associated with information assets, and CISSP's in particular tend to start with the CIA Triad. Clearly, privacy relates to the first member of that triad - confidentiality - in some way, but the relationship is not obviously clear. For example, we often use secrecy as a synonym for confidentiality, but privacy is something different.

The difference is centered on agency or control, and in particular the relationship between the subject of the information and the information custodian.

The vast bulk of enterprise information - whether it be private enterprise, or public - is internally-generated, and the subject is, ultimately, the enterprise itself. For example, an ERP system revolves around accounting data (GL, A/R, A/P, etc.) and the ledgers therein describe the enterprise's financial state and history of transactions (as well as future revenue, of course). A CRM system may contain information about customers, but the bulk of that information relates to the enterprise's transactional history with the customer - sales calls, orders placed, etc.

In such cases, the enterprise is custodian of its own information - it is both subject and custodian. There is no conflict of interest - as custodian, the enterprise is never going to breach the confidentiality of its own information, and indeed will implement controls - policies, identity and access management, security models - to ensure that its employees and agents cannot. The enterprise, as the subject, has authority over the custodians and users of the information.

However, a conflict of interest arises when an enterprise is custodian of information about identified (or identifiable) individuals. For example, a medical practice maintains health records about patients; it is the custodian, while the patients are the subjects.

The patient records obviously have value for advertising and marketing purposes, in addition to the intended purpose of patient diagnosis and treatment. For example, a company selling stand-up desks or ergonomic chairs would see considerable value in a list of patients who have complained of chronic back pain, while over-the-counter pharmaceuticals marketers might want to sell directly to patients whose test results indicate pre-diabetes, early indications of hypertension or any of a range of conditions. And an unscrupulous marketer might approach an unscrupulous medical practice manager, resulting in patients being subjected to sales calls for products they do not necessarily want or - worse still - their medical histories or problems being leaked to other interested parties such as family members or employers.

There is a clear conflict of interest here. The subject of the data is not the custodian, and in fact, has no authority over the custodian. It is in the custodian's interest to on-sell the subject's data to anyone and everyone who is willing to pay for it. And while the example of a medical practice involves only a small business, many enterprises are much, much larger and employ many lawyers, resulting in a power imbalance between the enterprise and the affected individual.

This is why governments, acting on behalf of civil society and the individual, enact privacy legislation - the legislation gives the individual some degree of authority over enterprises and restores the balance of power.

Note that many information security controls are able to preserve confidentiality, but not privacy. Personal information is stored in databases and document management systems which are ultimately under the control of an information asset owner and users who are free to access the information for a range of purposes; if he or she decides to extract data, copy it to a USB key and sell it externally, the first two steps are probably authorized while the third cannot be detected, let alone prevented.

Hence the need for a privacy policy and strong privacy education and awareness within the enterprise. In the end, privacy comes down to personal ethics and compliance with the law. It is really a matter of trust in the integrity of those who have access to personal information - and the threat of legal action provides a degree of assurance in that integrity.

Notice that, in this model, the distinction between confidentiality and privacy can be extended beyond individual persons to companies or other entities. For example, the Chinese Wall model is another situation in which information about one entity is in the custody of another (e.g. information about clients held by a consulting firm would obviously be of great interest to other clients who are competitors). In that sense, then, the Chinese Wall model is intended to preserve privacy rather than integrity.

Finally, consider personal information in the custody of the person themselves. The subject and the custodian are the same individual - there is no conflict of interest, privacy laws do not apply, and the issue here is confidentiality, not privacy.

The distinction between confidentiality and privacy, then, is whether the subject of the information has authority over the custodian - if he does, it's a matter of confidentiality, but if he does not, then it's a matter of privacy.

Of course, there are other common conceptions of privacy, as well as legal views relating to photography, etc. but these are not considered here.