Going Overboard–International Travel & Enterprise Mobility & Security –Part 1

Welcome to a multi-part series covering Enterprise Mobility & Security for International Travel. For those not in the know, I’m currently based in the US and will be spending some time on mainland China this fall. This series of blog posts will cover some of the prep-work ahead of time as well as reports as to what did and did not work well.

I’ll start this off by admitting I’m going overboard on security for my upcoming overseas travel – I realize that most of these steps are simply an exercise in security rather than actually necessary. In honesty, I’m treating it much the way some of my colleagues treat going to DefCon conventions or any other situation where there is a short-term significant tightening of security. Why bother at all though? Well, in short, reading online with the various tech and news sites will have you quickly believing that any use of enterprise tech is simply doomed, from the great firewall blocking access to anything you need to do real work and going so far as accusations of installation of spyware at customs inspections and even installation of hardware level keyloggers/malware. I’m not really going to debate the merits of such threats, at least for everyone who doesn’t need proper Op Sec for other reasons, but either way I’ll be detailing some of the issues and how I’ve mitigated / remediated the issue.

I have quite a few tools at my disposal, as even my personal email is an Office E3 account with Enterprise Mobility & Security enabled. In addition to EMS (E3 version), I also have Cloud App Security actively monitoring my cloud SaaS accounts including Office 365 and my 3rd party services like AWS, Salesforce, and Dropbox as well as some nifty dedicated hardware at my disposal.


  • Building a Persona – Deep packet inspection is no joke. Neither are keyloggers. For this trip, I acknowledged that my day to day AD accounts tied to my work and personal email simply have far too much access to risk an intrusion by having authentication going over heavily monitored connections. Much like everyone else, I’m pretty used to my credentials being saved on any mobile devices, but that isn’t really an option on mobile devices that I’ll likely be compelled to unlock and hand over at customs. Especially when those email accounts are also Global Admins and Domain Admins. Yes, I am using Privileged Identity Management to mitigate, but I absolutely need to separate my account access. Still though, I need email access during the duration of the trip and will be taking several trips through customs and security checks for air travel throughout my time there. What to do? Simple, make a new Azure AD User (Cloud Only) account with a new Exchange Online mailbox. Once I’m ready to leave, I’ll turn on mail forwarding in Office 365 so the new persona (MyChinaTrip@domain.com) will begin getting emails. I did not however set up a reply as, or send as permissions, but instead simply customized the signature on the account to acknowledge that this is my temporary email address for the duration of the trip. Once the trip is done, I’ll convert the email account to a Shared Mailbox so I can simply drag and drop those emails into my day to day account’s inbox.

    Why Cloud Only? Simple, the Azure AD account isn’t written back to on-premises, greatly reducing it’s permissions. It’s not even a member of “Domain Users” so unless I specifically give it permissions, there’s little chance it would inherit any access.

    Why not a free Google account? Given the state of Google Apps in China, as of writing it is currently blocked unless you use a VPN. I’d rather have things work native and not risk a VPN being caught and shut down, leaving me scrambling.

  • Managing Password Reset – As part of Azure AD Premium, I have password reset enabled. For my day to day account, it will not be using the temporary persona to prevent any exploits from intercepted emails. For the temporary persona account, I’ve disabled Self-Service Password Reset.
  • Two-Factor Authentication – I have Multi-Factor Authentication enabled, and so should you. Since I’ll be international and don’t want to pay a fortune for roaming, I’ll not be using SMS or Phone calls as the MFA. In general, SMS has been seen as an OK way of improving your security over only using username / password, but as NIST points out, it isn’t really all that secure. In recent months, several notable hacks have been achieved through social engineering network providers as well as bad security practices on the user make it no where near as secure as an offline soft-token, biometric check or app notification prompts. That said, you can beef up the security of SMS by implementing MFA by SMS+PIN. Since I do have a satellite beacon that has two way SMS capability, it’s tempting to enable as a backup. The jury is still out on that, but I’ll post back the results.
  • Rights Protecting all persona emails – As part of Azure RMS, I can set up Exchange Mail Flow rules that automate protection. For this account, I’ve enabled a Information Rights Management mail flow rule that automatically RMS encrypts all company emails that have been forwarded to the persona account. Looking at the Microsoft docs on this, I realize I need to make some in-depth blog posts on the topic, there’s a lot you can do with Mail Flows (Exchange Online), or Mail Transport Rules (Exchange On-Premises) when you tie it into Azure RMS / Information Rights Management and not all of them are intuitive. As long as I am using Microsoft Outlook for iOS or Android, the experience is pretty seamless, but if I have to, it still works in Outlook Web Access.

I’ll get into Conditional Access, Application Proxy, Checking URLs, and Device Management in the Part 2. Stay tuned.