Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Information security is an important part of corporate governance. Print is often overlooked as a critical piece of the security puzzle. This whitepaper serves to help educate companies on the risks inherent to their print infrastructure.

Published in: Technology
  • 1. A Compugen White Paper
    100 Via Renzo Drive, Richmond Hill, Ontario
    Print – Overlooked Piece of the Security Puzzle?
    Gerry Skipwith
    Vice President, Services - Compugen
    Co-Chair, Standards and Best Practices Committee - MPSA
    January 7, 2011
  • 2. Contents
      • Introduction 2
      • The Issues 3
      • Security Gaps 4
      • Industry Response 5
      • How Leading Organizations Lead 7
      • About the Author 9
      • Contributors Appreciation 9

    Introduction

    There has been no shortage of company and government security breaches. Stories abound of personal financial information, confidential client data, hospital patient records and government information ending up in the wrong place – sometimes inadvertently, sometimes by intention.

    The costs of these breaches – financial, brand and corporate credibility – can be dramatic. Both government and corporations have responded with formal regulation of security information through acts such as the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA), Federal Information Processing Standard (FIPS) Publication 140-2 and the Government of Ontario IT Standard 25.12 (GO-ITS 25.12).

    Companies have taken steps to increase network security through intrusion detection, higher encryption standards, end user authentication, establishing chief security officers at the executive level and many others.

    One aspect of security that, until recently, has not appeared on the government, corporate or technology manufacturer radar screens is print.

    Leading organizations are starting to treat their print environments with the same degree of care and attention that they give their networks, servers and storage arrays. Leading organizations understand that overlooking their print security will – it is only a matter of time – have dramatic consequences. These organizations are now taking steps to address the risks by fitting in a final piece of the puzzle.

    January 7, 2011 Print – Overlooked Piece of the Security Puzzle? Page | 2
  • 3. The Issue

    There have been stories of information security breaches originating in the print world. Government budgets copied and leaked. Sensitive information scanned to external email addresses. Everyone has a story of a termination letter or other sensitive HR information inadvertently seen at network printers.

    Print environments have become an integral component of the IT infrastructure through increased complexity and sophistication. Unfortunately, controls have not kept pace with the technology advancements, leaving government and corporations open to abuse and unintentional distribution of proprietary information.

    As product sophistication increased, printers became an extension of the network. Printers now contain processing capacity to the point that they are effectively additional computing devices that fall under the auspices of IT departments. Finally, as bandwidth grew and document complexity increased, hard drives became integral to the printer to buffer large, complex documents and scans.

    This was made famous by the CBS report on April 15, 2010 - Digital Photocopiers Loaded with Secrets. It was clearly shown that, with limited sophistication, the footprints of printed documents could be accessed from copiers and multi-function printers coming off lease or discarded.

    By purchasing 4 used MFPs for $300 each and using forensic software obtained for free on the Internet, CBS uncovered:
      • tens of thousands of documents in less than 12 hours
      • Buffalo Police reports detailing domestic violence complaints and wanted sex offenders
      • Buffalo Police Narcotics Unit targets in major drug raids
      • 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied cheques from a New York construction company
      • 300 pages of individual medical records including drug prescriptions, blood test results and cancer diagnoses from a New York insurance company - a potentially serious breach of US privacy law

    Given that more than 2 billion pages are printed every year in North America, it is easy to see why leading organizations are starting to address this serious security threat.
  • 4. Security Gaps

    To better understand the challenges, it is worthwhile to walk through the architecture of how documents are printed.

    A user creates a new document or accesses an existing one. The individual decides to print – clicks – and information is transmitted to a print server. The print server holds the document, prioritizes traffic and ensures the document is presented to the appropriate printer. Once presented, the printer processes the incoming document using memory and hard drive capacity to maintain the information until fully printed.

    There are 3 key areas that represent security threats in this scenario.

    Interception during Network Transmission: Through sophisticated means, networks can be monitored – or ‘sniffed’ – to access information flowing across the network. It is feasible that documents sent for printing over the network are intercepted and read prior to printing. It is also possible that open network ports on the printer become a means to monitor network traffic or load in harmful programs.

    Interception of Document Receipt: The user may need to walk some distance to the network printer, and in that time a document can easily be taken or copied, leaving no sign of information theft. Further, network printers typically service a pool of people. This creates the potential for confidential or private information to be seen mistakenly, or intentionally, by unintended recipients.

    Document Footprint: Once a print job has occurred and been picked up, the information can remain within the print device for some time – stored on the printer’s hard drive. This creates a form of ‘information echo.’ Data from printouts, scans or copies can remain on the unit indefinitely. Although it would take deliberate prying eyes to access the information, it is not a difficult course of action.
  • 5. Industry Response

    Leading print hardware and software vendors are taking steps to increase security across the print environment. Despite some lofty statements, it is really a nascent area of expertise with new developments occurring regularly.

    To enhance security levels of the various dimensions of a print infrastructure, all existing safety precautions and measures should be applied. Given the unique aspect of a ‘hard copy document’ produced outside the network, additional innovation is needed to maintain some semblance of control on printed matter.

    Network Security:
    This is the one area of print in which a great deal of work has been done. Existing network security protocols are readily applied to print environments. Common features available from major print vendors include:
      • User authentication
      • IP address range designations
      • SNMPv3 encrypted communications
      • Unused port closure
      • Implementing Internet Protocol Security (IPsec)
      • Device authentication such as 802.1x access control

    All of these steps secure the transmission of documents, while limiting the range of users and means to access the network. All of these steps would be considered basic practices to secure print transmission.

    Document Security:
    Print manufacturers are upgrading device security for each new generation of devices. Functionality that accompanies new MFPs, or the accompanying manufacturer print management software, includes such features as:
      • Secure print - password or PIN based printing
      • Document timeout – for documents sitting excessively long in queue
      • Document rights management
      • Device level log-in
      • Access management
      • User authentication for scan to email and copy functions
      • Copy numbering
  • 6. There are a variety of companies that have developed 3rd party printer additions to provide:
      • Password or PIN authentication
      • Key card authentication
      • Biometric authentication
      • Document accounting and tracking

    Device Security

    Particularly in the past 2 years, manufacturers have done a great deal to increase the level of device security for print information. Ricoh, Xerox, HP, Lexmark and Konica Minolta have all introduced programs, tools and printer features that enhance print security. The programs for major manufacturers may have different names, but the basic features that are available on latest generation units include:
      • Hard drive encryption
      • Hard drive locking / removable hard drive
      • Prioritized use of RAM over hard drive
      • File erasure capability
      • Hard drive wipe capability
      • Hard drive destruction program (upon product lease return)

    While it takes some integration effort, hard drive encryption programs intended for organizations covering desktops, notebooks and servers can be implemented in print environments. Depending on the software publisher, this can vary dramatically in terms of complexity.

    Encrypting printer data

    Applying encryption to data that is sent to the printer ensures that, if any interception occurs or anyone accesses the data stored in the printer memory (RAM) or on the printer hard drive, it can only be read (decrypted) by the person who printed the document, through his user authentication.

    Is AES 256-bit Encryption Necessary?

    There is always a debate about how much security is necessary. A good (and paranoid) Chief Security Officer will say there is no such thing as enough.

    There is recent literature documenting that AES 128-bit encryption can be cracked. In November 2010, a paper was published that described a practical approach to near real time recovery of keys from AES 128-bit encryption [1]. While the validity of this approach is debated, the sound practice is to seek the highest security standard available in the marketplace.

    [1] E. Bangerter, D. Gullasch, S. Krenn, Cache Games – Bringing Access-Based Cache Attacks on AES to Practice, Bern University of Applied Sciences, November 2010
  • 7. Hard drives on printers and copiers have been prevalent since 2002. As products evolved, reputable vendors have made AES 128-bit encryption available on copier and MFP products through vendor-specific encryption modules. There is literature available describing this capability for Canon, HP, Konica Minolta, Kyocera Mita, Lexmark, Oce, Okidata, Ricoh, and Xerox as an entry point for security.

    In the recent past, top print manufacturers have made AES 256-bit encryption available on products through minor customization of the encryption modules.

    There is manufacturer documentation available indicating that Okidata, Ricoh, Lexmark and Xerox all offer AES 256-bit encryption as an option for hard drive security on latest generation products. In addition, leading service providers are integrating third party hard drive security solutions to provide the highest currently available security levels, such as Sophos SafeGuard® RemovableMedia. Given these moves, it will not be long before all print vendors make AES 256-bit encryption a standard option.

    How Leading Organizations Lead

    Organizations that have shown leadership in raising levels of print security have been financial institutions, hospitals and health organizations, and federal and state/provincial government.

    There are 3 keys to success in ensuring corporate information is secure:
      • Information storage - knowing what information is critical/confidential, where it is generated and where it is stored
      • Information protection - using the best security solutions available and being paranoid that it isn’t enough
      • Continuous improvement and refinement - pushing your organization and your vendors to do more

    Leading organizations recognize that print infrastructure is a part of their network and absolutely requires the level of vigilance given to their networks. They also recognize there is an additional dimension to print – the need to control how printed documents are accessed.

    Network:
    Leading organizations extend all the practices of their networks into the print environment. Specifically, they control end user rights, encrypt communications, close unused ports and enable device authentication protocols.
  • 8. Document:
    Leading organizations are tackling the added dimension of controlling hard copy generation and distribution. Specifically, leading organizations are known to:
      • Implement secure print with passwords
      • Timeout the user for delayed print pickup
      • Utilize scan encryption
      • Implement copy controls
      • Implement secure print with cards and biometrics
      • Utilize tracking and activity logs for print, scan and copy

    Device:
    Leading organizations work through the following hierarchy of steps to secure the devices. The further they are able to proceed through the list, the higher the level of security offered. The progression of device security is to:
      • Activate immediate data overwrite capability
      • Maximize print from memory features
      • Implement physical hard drive locks
      • Encrypt the hard drive with the highest level of protection available
      • Overwrite the hard disk at time of device disposal
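
The network practices and the device progression above can be turned into a fleet audit. The following is an added example, not part of the white paper: the inventory field names and the sample devices are constructed, and reading the device list as strictly sequential (a skipped step stops the count) is an assumption.

```python
# Added example: field names and sample devices are constructed, not from the paper.
NETWORK_CONTROLS = {  # network practice named in the paper -> hypothetical inventory field
    "User authentication": "user_auth",
    "IP address range designations": "ip_range_restricted",
    "SNMPv3 encrypted communications": "snmpv3",
    "Unused port closure": "unused_ports_closed",
    "IPsec": "ipsec",
    "802.1x device authentication": "dot1x",
}
DEVICE_STEPS = [  # the paper's device progression, in order
    ("Immediate data overwrite", lambda d: d.get("immediate_overwrite") is True),
    ("Print from memory", lambda d: d.get("print_from_ram") is True),
    ("Physical hard drive lock", lambda d: d.get("hdd_lock") is True),
    ("Hard drive encryption", lambda d: (d.get("hdd_aes_bits") or 0) >= 128),
    ("Disk overwrite at disposal", lambda d: d.get("disposal_wipe") is True),
]

def audit(device):
    """Return network gaps, device steps completed in order, next step, and notes."""
    # A missing or non-True field counts as "not in place" (fail closed).
    gaps = [name for name, key in NETWORK_CONTROLS.items() if device.get(key) is not True]
    level = 0
    for _, check in DEVICE_STEPS:  # stop at the first unmet step (assumed reading)
        if not check(device):
            break
        level += 1
    next_step = DEVICE_STEPS[level][0] if level < len(DEVICE_STEPS) else None
    notes = []
    if 128 <= (device.get("hdd_aes_bits") or 0) < 256:
        notes.append("AES-256 not in use; paper recommends the highest level available")
    return {"name": device["name"], "gaps": gaps, "level": level,
            "next": next_step, "notes": notes}

def fleet_report(inventory):
    """Audit every device, weakest first (lowest level, then most network gaps)."""
    return sorted((audit(d) for d in inventory),
                  key=lambda r: (r["level"], -len(r["gaps"])))

INVENTORY = [  # constructed sample data
    {"name": "mfp-finance", "user_auth": True, "ip_range_restricted": True, "snmpv3": True,
     "unused_ports_closed": True, "ipsec": True, "dot1x": True, "immediate_overwrite": True,
     "print_from_ram": True, "hdd_lock": True, "hdd_aes_bits": 128, "disposal_wipe": True},
    {"name": "mfp-lobby", "user_auth": True, "snmpv3": False, "hdd_aes_bits": 256},
    {"name": "mfp-hr", "user_auth": True, "ip_range_restricted": True, "snmpv3": True,
     "unused_ports_closed": True, "immediate_overwrite": True, "print_from_ram": True},
]

if __name__ == "__main__":
    for row in fleet_report(INVENTORY):
        print(row)
```

The lobby device shows why the ordering matters in this reading: it has AES-256 on the drive, but with immediate overwrite never activated it still ranks as the weakest unit in the fleet.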
  • 9. About the Author

    Gerry Skipwith has been the Vice President of Services for Compugen since 1998. Gerry is an industry contributor serving in several technology and business associations. He is also an invited member of the HP and CompTIA Executive Councils.

    Gerry received an undergraduate degree from the University of Waterloo in Mechanical Engineering. He has also completed a Network Engineering Program at the University of Toronto, followed with a Masters in Business Administration at the U of T Executive program. Gerry recently completed a Directors program at York University for non-profit organizations.

    Most recently, Gerry has been the executive sponsor of Compugen’s Print practice. In this capacity, he has been named as the Co-Chairman of the Standards and Best Practices Committee in the Managed Print Services Association (MPSA). Further, Gerry is 6 months away from completing his first (and most likely last) book – "EcoWise Print: Gaining the Full Value of Printing in a Responsible Manner". The goal of the book is to educate corporations on the dramatic financial and environmental costs of print, with an approach to assist both.

    Special Thanks to Contributors and Editorial Reviewers
      • Brian D. Dawson, Sales and Marketing Director, Print Tracker™
      • Jo-Anne Morgante, Print Services Manager, Compugen
      • Keith Shumard, Managed Print Services Specialist, Modern Office Methods
      • Kevin DeYoung, President & CEO, Qualpath, Inc.
      • Tyler Markowsky, Practice Lead - Security Services, Compugen