A Compugen White Paper

100 Via Renzo Drive
Richmond Hill, Ontario
www.compugen.com

Print – Overlooked Piece of the Security Puzzle?

Gerry Skipwith
Vice President, Services - Compugen
Co-Chair, Standards and Best Practices Committee - MPSA
January 7, 2011
Contents

Introduction                     2
The Issues                       3
Security Gaps                    4
Industry Response                5
How Leading Organizations Lead   7
About the Author                 9
Contributors Appreciation        9

Introduction

There has been no shortage of company and government security breaches. Stories abound of
personal financial information, confidential client data, hospital patient records and
government information ending up in the wrong place – sometimes inadvertently, sometimes by
intention.

The costs of these breaches – financial, brand and corporate credibility – can be dramatic.

Both government and corporations have responded with formal regulation of security
information through acts such as the Health Insurance Portability and Accountability Act
(HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA), Federal
Information Processing Standard (FIPS) Publication 140-2 and the Government of Ontario IT
Standard 25.12 (GO-ITS 25.12).

Companies have taken steps to increase network security through intrusion detection, higher
encryption standards, end user authentication, establishing chief security officers at the
executive level and many others.

One aspect of security that, until recently, has not appeared on the government, corporate or
technology manufacturer radar screens is print.

Leading organizations are starting to treat their print environments with the same degree of
care and attention that they give their networks, servers and storage arrays.

Leading organizations understand that overlooking their print security will – it is only a
matter of time – have dramatic consequences. These organizations are now taking steps to
address the risks by fitting in a final piece of the puzzle.




             January 7, 2011             Print – Overlooked Piece of the Security Puzzle?
             Page | 2
The Issue

There have been stories of information security breaches originating in the print world.
Government budgets copied and leaked. Sensitive information scanned to external email
addresses. Everyone has a story of a termination letter or other sensitive HR information
inadvertently left at a network printer for others to see.

Print environments have become an integral component of the IT infrastructure through
increased complexity and sophistication. Unfortunately, controls have not kept pace with the
technology advancements, leaving government and corporations open to abuse and
unintentional distribution of proprietary information.

As the product sophistication increased, printers became an extension of the network.
Printers now contain processing capacity to the point they are effectively additional
computing devices that fall under the auspices of IT departments. Finally, as bandwidth
grew and document complexity increased, hard drives became integral to the printer to buffer
large, complex documents and scans.

This was made famous by the CBS report on April 15, 2010 - Digital Photocopiers Loaded
with Secrets. It was clearly shown that with limited sophistication, the footprints of printed
documents could be accessed from copiers and multi-function printers coming off lease or
discarded.

By purchasing 4 used MFPs for $300 each and using forensic software obtained for free on
the Internet, CBS uncovered:
    • tens of thousands of documents in less than 12 hours
    • Buffalo Police reports detailing domestic violence complaints and wanted sex
        offenders
    • Buffalo Police Narcotics Unit targets in major drug raids
    • 95 pages of pay stubs with names, addresses and social security numbers, and
        $40,000 in copied cheques from a New York construction company
    • 300 pages of individual medical records including drug prescriptions, blood test
        results and cancer diagnoses from a New York insurance company - a potentially
        serious breach of US privacy law

Given that more than 2 billion pages are printed every year in North America, it is easy to see
why leading organizations are starting to address this serious security threat.




Security Gaps

To better understand the challenges, it is worthwhile to walk through the architecture of how
documents are printed.

A user creates a new document or accesses an existing one. The individual decides to print –
clicks – and information is transmitted to a print server. The print server holds the document,
prioritizes traffic and ensures the document is presented to the appropriate printer. Once
presented, the printer processes the incoming document using memory and hard drive
capacity to maintain the information until fully printed.




There are 3 key areas that represent security threats in this scenario.

Interception during Network Transmission: through sophisticated means, networks can be
monitored – or ‘sniffed’ – to access information flowing across the network. It is feasible that
documents sent for printing over the network are intercepted and read prior to printing. It
is also possible that open network ports on the printer become a means to monitor network
traffic or load in harmful programs.

Interception of Document Receipt: The user may need to walk some distance to the
network printer, and in that time a document can easily be taken or copied leaving no sign of
information theft.

Further, network printers typically service a pool of people. This creates the potential for
confidential or private information to be seen mistakenly, or intentionally, by unintended
recipients.

Document Footprint: Once a print job has occurred and been picked up, the information can
remain within the print device for some time – stored on the printer’s hard drive. This
creates a form of ‘information echo.’ Data from print outs, scans or copies can remain on the
unit indefinitely. Although it would take deliberate prying eyes to access the information, it
is not a difficult course of action.


Industry Response

Leading print hardware and software vendors are taking steps to increase security across the
print environment. Despite some lofty statements, it is really a nascent area of expertise with
new developments occurring regularly.

To enhance the security of the various dimensions of a print infrastructure, all existing
safety precautions and measures should be applied. Given the unique aspect of a ‘hard copy
document’ produced outside the network, additional innovation is needed to maintain some
semblance of control on printed matter.

Network Security:
This is the one area of print in which a great deal of work has been done. Existing network
security protocols are readily applied to print environments. Common features available
from major print vendors include:
   • User authentication
   • IP address range designations
   • SNMPv3 encrypted communications
   • Unused port closure
   • Implementing Internet Protocol Security (IPsec)
   • Device authentication such as 802.1x access control

All of these steps secure the transmission of documents, while limiting the range of users and
means to access the network. All of these steps would be considered basic practices to
secure print transmission.

Document Security:
Print manufacturers are upgrading device security for each new generation of devices.
Functionality that accompanies new MFPs, or the accompanying manufacturer print
management software, includes such features as:
    • Secure print - password or PIN based printing
    • Document timeout – for documents sitting excessively long in queue
    • Document rights management
    • Device Level Log-in
    • Access Management
    • User authentication for scan to email and copy functions
    • Copy numbering




There are a variety of companies that have developed 3rd party printer additions to provide:
   • Password or PIN authentication
   • Key card authentication
   • Bio-metric authentication
   • Document accounting and tracking

Device Security:
Particularly in the past 2 years, manufacturers have done a great deal to increase the level of
device security for print information. Ricoh, Xerox, HP, Lexmark and Konica Minolta have all
introduced programs, tools and printer features that enhance print security. The programs for
major manufacturers may have different names, but the basic features that are available on
latest generation units include:
    • Hard drive encryption
    • Hard drive locking / removable Hard drive
    • Prioritized use of RAM over Hard Drive
    • File erasure capability
    • Hard drive wipe capability
    • Hard drive destruction program (upon product lease return)

While it takes some integration efforts, hard drive encryption programs intended for
organizations covering desktops, notebooks and servers can be implemented into print
environments. Depending on the software publisher, this can vary dramatically in terms of
complexity.

Encrypting printer data
Applying encryption to data that is sent to the printer ensures that if any interception
occurs, or anyone can access the data stored in the printer memory (RAM) or on the printer
hard drive, it can only be read (decrypted) by the person who printed the document, through
their user authentication.

Is AES 256-bit Encryption Necessary?
There is always a debate about how much security is necessary. A good (and paranoid) Chief
Security Officer will say there is no such thing as enough.

There is recent literature documenting that AES 128-bit encryption can be cracked. In
November 2010, a paper was published describing a practical, access-based cache attack for
near real time recovery of keys from AES 128-bit encryption [1]. While the validity of this
approach is debated, the sound practice is to seek the highest security standard available in
the marketplace.

[1] E. Bangerter, D. Gullasch, S. Krenn, "Cache Games – Bringing Access-Based Cache Attacks on AES to Practice", Bern University of Applied Sciences, November 2010.


Hard drives on printers and copiers have been prevalent since 2002. As products evolved,
reputable vendors have made AES 128-bit encryption available on copier and MFP products
through vendor-specific encryption modules. There is literature available describing this
capability for Canon, HP, Konica Minolta, Kyocera Mita, Lexmark, Oce, Okidata, Ricoh,
and Xerox as an entry point for security.

In the recent past, top print manufacturers have made AES 256-bit encryption available on
products through minor customization of the encryption modules.

There is manufacturer documentation available indicating that Okidata, Ricoh, Lexmark and
Xerox all offer AES 256-bit encryption as an option for hard drive security on latest
generation products. In addition, leading service providers are integrating third party hard
drive security solutions to provide the highest currently available security levels, such as
Sophos SafeGuard® RemovableMedia. Given these moves, it will not be long before all
print vendors make AES 256-bit encryption a standard option.



How Leading Organizations Lead

Organizations that have shown leadership in raising levels of print security have been
financial institutions, hospitals and health organizations, and federal and state/provincial
government.

There are 3 keys to success in ensuring corporate information is secure:
   • Information storage - knowing what information is critical/confidential, where it is
       generated and where it is stored
   • Information protection - using the best security solutions available and being
       paranoid that it isn’t enough
   • Continuous improvement and refinement - pushing your organization and your
       vendors to do more

Leading organizations recognize print infrastructure is a part of their network and absolutely
requires the level of vigilance given to their networks. They also recognize there is an
additional dimension to print – the need to control how printed documents are accessed.

Network:
Leading organizations extend all the practices of their networks into the print environment.
Specifically, they control end user rights, encrypt communications, close unused ports and
enable device authentication protocols.




Document:
Leading organizations are tackling the added dimension of controlling hard copy generation
and distribution. Specifically, leading organizations are known to:
   • Implement secure print with passwords
   • Timeout the user for delayed print pickup
   • Utilize scan encryption
   • Implement copy controls
   • Implement secure print with cards and biometrics
   • Utilize tracking and activity logs for print, scan and copy

Device:
Leading organizations work through the following hierarchy of steps to secure the devices.
The further they are able to proceed through the list, the higher the level of security offered.
The progression of device security is to:
   • Activate immediate data overwrite capability
   • Maximize print from memory features
   • Implement physical hard drive locks
   • Encrypt the hard drive with the highest level of protection available
   • Overwrite the hard disk at time of device disposal
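As an added example (not from the white paper or from Compugen's tooling), the following Python audits a constructed printer inventory against the network, document and device controls listed above and ranks devices by how far they progress through the device hierarchy; every field name and inventory record is hypothetical.

```python
"""Print-fleet security posture audit.

Added example, not code from the white paper or from Compugen. It checks
printer/MFP configuration records against the network, document and device
control sets the paper lists and scores each device by how far it has
progressed through the paper's device-security hierarchy. All field names and
the sample inventory are hypothetical; a real deployment would populate the
records from a fleet-management export.
"""

# Network practices the paper says leading organizations extend to print.
NETWORK_CONTROLS = {
    "user_rights_controlled": "control end user rights",
    "comms_encrypted": "encrypt communications (e.g. IPsec)",
    "unused_ports_closed": "close unused ports",
    "device_auth_8021x": "enable device authentication (802.1x)",
}

# Controls over hard-copy generation and distribution.
DOCUMENT_CONTROLS = {
    "secure_print": "secure print (PIN/password or card/biometric release)",
    "pickup_timeout": "timeout for delayed print pickup",
    "scan_encryption": "scan encryption",
    "copy_controls": "copy controls",
    "activity_logging": "tracking and activity logs for print, scan and copy",
}

# Device hierarchy in the paper's order. A device's level is the number of
# consecutive steps satisfied from the top, so a missing early step caps it.
DEVICE_HIERARCHY = [
    ("immediate_overwrite", "activate immediate data overwrite"),
    ("print_from_memory", "maximize print-from-memory features"),
    ("hdd_lock", "physical hard drive lock"),
    ("hdd_encryption", "encrypt the hard drive"),
    ("disposal_overwrite", "overwrite the hard disk at disposal"),
]
# The paper recommends the highest level available, AES 256-bit.
PREFERRED_CIPHER = "aes-256"


def device_level(cfg):
    """Count the consecutive device-hierarchy steps this device satisfies."""
    level = 0
    for key, _ in DEVICE_HIERARCHY:
        if not cfg.get(key):
            break
        level += 1
    return level


def missing_controls(cfg):
    """List the gaps per control set, plus non-blocking advisories."""
    gaps = {
        "network": [d for k, d in NETWORK_CONTROLS.items() if not cfg.get(k)],
        "document": [d for k, d in DOCUMENT_CONTROLS.items() if not cfg.get(k)],
        "device": [d for k, d in DEVICE_HIERARCHY if not cfg.get(k)],
        "advisory": [],
    }
    cipher = cfg.get("hdd_encryption")
    if cipher and cipher != PREFERRED_CIPHER:
        gaps["advisory"].append(
            f"hard drive encryption is {cipher}; upgrade to {PREFERRED_CIPHER}")
    return gaps


def audit(inventory):
    """Score every device and return the least-protected devices first."""
    report = []
    for cfg in inventory:
        gaps = missing_controls(cfg)
        report.append({
            "device": cfg["name"],
            "device_level": device_level(cfg),
            "gaps": gaps,
            "gap_count": sum(len(v) for k, v in gaps.items() if k != "advisory"),
        })
    # Lowest hierarchy level first; among equals, the most gaps first.
    report.sort(key=lambda r: (r["device_level"], -r["gap_count"]))
    return report


# Constructed sample inventory: hypothetical devices, not real data.
ALL_NETWORK = dict.fromkeys(NETWORK_CONTROLS, True)
ALL_DOCUMENT = dict.fromkeys(DOCUMENT_CONTROLS, True)
SAMPLE_INVENTORY = [
    dict(name="mfp-finance-01", **ALL_NETWORK, **ALL_DOCUMENT,
         immediate_overwrite=True, print_from_memory=True, hdd_lock=True,
         hdd_encryption="aes-256", disposal_overwrite=True),
    dict(name="mfp-lobby-02", user_rights_controlled=True, activity_logging=True,
         immediate_overwrite=True, print_from_memory=False, hdd_lock=True,
         hdd_encryption="aes-128", disposal_overwrite=True),
    dict(name="printer-hr-03", **ALL_NETWORK, secure_print=True, pickup_timeout=True,
         copy_controls=True, activity_logging=True, immediate_overwrite=False,
         print_from_memory=True, hdd_lock=False, hdd_encryption="aes-256"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(row["device"], f"level {row['device_level']}", row["gaps"])
```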




About the Author

Gerry Skipwith has been the Vice President of Services for Compugen since 1998. Gerry is
an industry contributor serving in several technology and business associations. He is also an
invited member of the HP and CompTIA Executive Councils.

Gerry received an undergraduate degree from the University of Waterloo in Mechanical
Engineering. He has also completed a Network Engineering Program at the University of
Toronto, followed with a Master's in Business Administration at the U of T Executive
program. Gerry recently completed a Directors program at York University for non-profit
organizations.

Most recently, Gerry has been the executive sponsor of Compugen’s Print practice. In this
capacity, he has been named as the Co-Chairman of the Standards and Best Practices
Committee in the Managed Print Services Association (MPSA). Further, Gerry is 6 months
away from completing his first (and most likely last) book – "EcoWise Print: Gaining the
Full Value of Printing in a Responsible Manner". The goal of the book is to educate
corporations on the dramatic financial and environmental costs of print, with an approach to
assist both.



Special Thanks to Contributors and Editorial Reviewers

   •   Brian D. Dawson, Sales and Marketing Director, Print Tracker™
   •   Jo-Anne Morgante, Print Services Manager, Compugen
   •   Keith Shumard, Managed Print Services Specialist, Modern Office Methods
   •   Kevin DeYoung, President & CEO Qualpath, Inc.
   •   Tyler Markowsky, Practice Lead - Security Services, Compugen




 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Print - Overlooked piece of the security puzzle whitepaper - DRAFT

  • 1. A Compugen White Paper
Print – Overlooked Piece of the Security Puzzle?
Gerry Skipwith, Vice President, Services - Compugen; Co-Chair, Standards and Best Practices Committee - MPSA
January 7, 2011
100 Via Renzo Drive, Richmond Hill, Ontario, www.compugen.com
  • 2. Contents
Introduction 2
The Issues 3
Security Gaps 4
Industry Response 5
How Leading Organizations Lead 7
About the Author 9
Contributors Appreciation 9

Introduction
There has been no shortage of company and government security breaches. Stories abound of personal financial information, confidential client data, hospital patient records and government information ending up in the wrong place – sometimes inadvertently, sometimes by intention.

The costs of these breaches – financial, brand and corporate credibility – can be dramatic.

Both government and corporations have responded with formal regulation of information security through acts and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA), Federal Information Processing Standard (FIPS) Publication 140-2 and the Government of Ontario IT Standard 25.12 (GO-ITS 25.12). Companies have taken steps to increase network security through intrusion detection, stronger encryption standards, end user authentication, establishing chief security officers at the executive level and many others.

One aspect of security that, until recently, has not appeared on the government, corporate or technology manufacturer radar screens is print. Leading organizations are starting to treat their print environments with the same degree of care and attention that they give their networks, servers and storage arrays. They understand that overlooking print security will – it is only a matter of time – have dramatic consequences, and they are now taking steps to address the risks by fitting in a final piece of the puzzle.

January 7, 2011 Print – Overlooked Piece of the Security Puzzle? Page | 2
  • 3. The Issues
There have been stories of information security breaches originating in the print world: government budgets copied and leaked; sensitive information scanned to external email addresses. Everyone has a story of a termination letter or other sensitive HR information left sitting on a network printer and read by someone other than its intended recipient.

Print environments have become an integral component of the IT infrastructure through increased complexity and sophistication. Unfortunately, controls have not kept pace with the technology, leaving government and corporations open to abuse and unintentional distribution of proprietary information. As product sophistication increased, printers became an extension of the network. Printers now contain enough processing capacity that they are effectively additional computing devices, and they fall under the auspices of IT departments. Finally, as bandwidth grew and document complexity increased, hard drives became integral to the printer to buffer large, complex documents and scans.

This was made famous by the CBS report of April 15, 2010, Digital Photocopiers Loaded with Secrets. It showed that, with limited sophistication, the footprints of printed, copied and scanned documents could be recovered from copiers and multi-function printers coming off lease or being discarded.
By purchasing four used MFPs for $300 each and using forensic software obtained for free on the Internet, CBS uncovered:
• tens of thousands of documents in less than 12 hours
• Buffalo Police reports detailing domestic violence complaints and wanted sex offenders
• Buffalo Police Narcotics Unit targets in major drug raids
• 95 pages of pay stubs with names, addresses and social security numbers, and $40,000 in copied cheques from a New York construction company
• 300 pages of individual medical records, including drug prescriptions, blood test results and cancer diagnoses, from a New York insurance company – a potentially serious breach of US privacy law

Given that more than 2 billion pages are printed every year in North America, it is easy to see why leading organizations are starting to address this serious security threat.
  • 4. Security Gaps
To better understand the challenges, it is worthwhile to walk through the architecture of how documents are printed. A user creates a new document or accesses an existing one. The individual decides to print – clicks – and the job is transmitted to a print server. The print server holds the document, prioritizes traffic and ensures the document is presented to the appropriate printer. Once presented, the printer processes the incoming document, using memory and hard drive capacity to hold the information until it is fully printed.

There are three key areas that represent security threats in this scenario.

Interception during Network Transmission: networks can be monitored, or 'sniffed', to access information flowing across them. Print jobs are commonly sent to the device over protocols such as raw port 9100 or LPD, which carry the document, its title and the submitting user's name without encryption, so a job can be intercepted and read before it is printed. It is also possible for open network ports on the printer to become a means to monitor network traffic or to load harmful programs onto the device.

Interception of Document Receipt: The user may need to walk some distance to the network printer, and in that time a document can easily be taken or copied, leaving no sign of information theft. Further, network printers typically serve a pool of people. This creates the potential for confidential or private information to be seen, mistakenly or intentionally, by unintended recipients.

Document Footprint: Once a print job has been printed and picked up, the information can remain within the print device for some time, stored on the printer's hard drive. This creates a form of 'information echo'. Data from print-outs, scans or copies can remain on the unit indefinitely. Although it would take deliberate prying eyes to access the information, it is not a difficult course of action.
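The first and third gaps above can be made concrete with a few lines of Python. This is an added example, not code from the white paper or from any print vendor. A raw TCP/9100 job is a PJL (Printer Job Language) envelope around a PCL page description, the shape HP-style Windows drivers emit; the parser below recovers the submitting user, document title and readable text from such a job exactly as a network observer would, then carves the same envelopes out of a constructed disk image the way the CBS investigators recovered document footprints. The sample job, user names, identifiers and disk image are constructed for this example and are not real data.

```python
"""What a passive observer sees in a raw TCP/9100 print job, and the same
parser applied to residue carved from a printer's hard drive.

Added example; not code from the Compugen white paper or any vendor.
The envelope is PJL (Printer Job Language) around a PCL page description,
which is what HP-style drivers send over port 9100. The job, user names
and document text below are constructed for this example.
"""
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language: brackets every job

# PCL commands: two-character ones (ESC E, ESC 9) and parameterized ones
# (ESC & l 0 O, ESC ( s 10 H), which end at the first upper-case letter.
PCL_ESCAPE = re.compile(rb"\x1b(?:[0-9]|[^A-Z@]*[A-Z@])")
# '@PJL VERB KEY = "value"', value optionally quoted
PJL_LINE = re.compile(rb'@PJL\s+(\w+)(?:\s+(\w+))?\s*=?\s*"?([^"\r\n]*)')
JOB_START = re.compile(rb"\x1b%-12345X@PJL\s+JOB\b")
JOB_END = re.compile(rb"@PJL\s+EOJ[^\n]*\n?")
# Canadian SIN (nnn-nnn-nnn) and US SSN (nnn-nn-nnnn) shapes, the kind of
# identifier the CBS investigation recovered from discarded copiers
IDENTIFIER = re.compile(r"\b\d{3}[- ]\d{3}[- ]\d{3}\b|\b\d{3}-\d{2}-\d{4}\b")


def parse_print_job(raw: bytes) -> dict:
    """Return job name, submitting user, page language and readable text."""
    meta = {"job_name": None, "username": None, "language": None}
    text = []
    for segment in raw.split(UEL):
        payload = segment
        # PJL header lines come first; ENTER LANGUAGE ends the header.
        while payload.startswith(b"@PJL"):
            line, _, payload = payload.partition(b"\n")
            m = PJL_LINE.match(line.strip())
            if not m:
                continue
            verb = m.group(1).upper()
            key = (m.group(2) or b"").upper()
            value = m.group(3).strip(b'" ').decode("latin-1")
            if verb == b"ENTER":
                meta["language"] = value
                break
            if (verb, key) in ((b"JOB", b"NAME"), (b"SET", b"JOBNAME")):
                meta["job_name"] = value
            elif (verb, key) == (b"SET", b"USERNAME"):
                meta["username"] = value
        # What follows the header is the page description: strip the escape
        # sequences and the document text is left in the clear.
        plain = PCL_ESCAPE.sub(b"", payload).replace(b"\r", b"").replace(b"\f", b"\n")
        if plain.strip():
            text.append(plain.decode("latin-1"))
    meta["text"] = "".join(text).strip()
    return meta


def find_identifiers(text: str) -> list:
    """Personal identifiers present in recovered document text."""
    return IDENTIFIER.findall(text)


def carve_jobs(image: bytes) -> list:
    """Find PJL job envelopes anywhere in a raw disk or spool image."""
    jobs = []
    for start in JOB_START.finditer(image):
        end = JOB_END.search(image, start.start())
        stop = end.end() if end else len(image)
        jobs.append(parse_print_job(image[start.start():stop]))
    return jobs


def build_job(user: str, title: str, body: str) -> bytes:
    """Constructed job in the shape a Windows PCL driver emits (example data)."""
    return (UEL + b'@PJL JOB NAME="' + title.encode() + b'"\r\n'
            + b'@PJL SET USERNAME="' + user.encode() + b'"\r\n'
            + b"@PJL ENTER LANGUAGE=PCL\r\n"
            + b"\x1bE\x1b&l0O\x1b(s10H" + body.encode() + b"\x1bE"
            + UEL + b'@PJL EOJ NAME="' + title.encode() + b'"\r\n' + UEL)


# Constructed sample: a termination letter as it would cross the wire, then
# the same bytes sitting in unallocated space on a device's drive.
SAMPLE_JOB = build_job("hr-clerk", "termination_letter.docx",
                       "Re: Termination of employment\r\n"
                       "Employee: J. Doe, SIN 123-456-789\r\n"
                       "SSN on US payroll file: 078-05-1120\r\n")
SAMPLE_IMAGE = (b"\x00" * 512 + SAMPLE_JOB + b"\xff" * 64
                + build_job("fin-analyst", "Q3_budget.xlsx", "Budget 2011\r\n")
                + b"\x00" * 128)

if __name__ == "__main__":
    job = parse_print_job(SAMPLE_JOB)
    print(f"on the wire: user={job['username']} job={job['job_name']} "
          f"identifiers={find_identifiers(job['text'])}")
    for residue in carve_jobs(SAMPLE_IMAGE):
        print(f"on the disk: user={residue['username']} job={residue['job_name']}")
```

Nothing in the parser is clever: the job name, user name and text are simply not protected by the protocol. The same bytes that an observer reads off the wire are what a printer writes to its spool area and hard drive, which is why the network controls and the device controls discussed later address the same exposure at two different points.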
  • 5. Industry Response
Leading print hardware and software vendors are taking steps to increase security across the print environment. Despite some lofty statements, it is really a nascent area of expertise, with new developments occurring regularly. To raise the security level of the various dimensions of a print infrastructure, all existing safety precautions and measures should be applied. Given the unique aspect of a 'hard copy document' produced outside the network, additional innovation is needed to maintain some semblance of control over printed matter.

Network Security: This is the one area of print where a great deal of work has been done. Existing network security protocols are readily applied to print environments. Common features available from major print vendors include:
• User authentication
• IP address range restrictions
• SNMPv3 encrypted communications
• Closure of unused ports
• Internet Protocol Security (IPsec)
• Device authentication such as 802.1X access control
All of these steps secure the transmission of documents while limiting the range of users and the means of access to the network. All of them would be considered basic practices for securing print transmission.

Document Security: Print manufacturers are upgrading device security with each new generation of devices. Functionality that accompanies new MFPs, or the accompanying manufacturer print management software, includes features such as:
• Secure print – password or PIN based printing
• Document timeout – for documents sitting excessively long in the queue
• Document rights management
• Device level log-in
• Access management
• User authentication for scan-to-email and copy functions
• Copy numbering
  • 6. A variety of companies have developed third-party printer additions to provide:
• Password or PIN authentication
• Key card authentication
• Biometric authentication
• Document accounting and tracking

Device Security: Particularly in the past two years, manufacturers have done a great deal to increase the level of device security for print information. Ricoh, Xerox, HP, Lexmark and Konica Minolta have all introduced programs, tools and printer features that enhance print security. The programs of the major manufacturers may have different names, but the basic features available on latest generation units include:
• Hard drive encryption
• Hard drive locking / removable hard drive
• Prioritized use of RAM over the hard drive
• File erasure capability
• Hard drive wipe capability
• Hard drive destruction program (upon product lease return)

While it takes some integration effort, the hard drive encryption programs that organizations use for desktops, notebooks and servers can be implemented in print environments. Depending on the software publisher, this can vary dramatically in complexity.

Encrypting printer data: Applying encryption to the data sent to the printer, with keys tied to the user's authentication, ensures that if interception occurs, or anyone gains access to the data stored in the printer's memory (RAM) or hard drive, it can be read (decrypted) only by the person who printed the document.

Is AES 256-bit Encryption Necessary? There is always a debate over how much security is necessary. A good (and paranoid) Chief Security Officer will say there is no such thing as enough. There is recent literature documenting attacks on AES 128-bit encryption: in November 2010, a paper was published describing a practical approach to near real-time recovery of keys from an AES 128-bit implementation [1]. Note that the attack described is an access-based cache side-channel attack on a software implementation of AES: it recovers the key from the implementation's memory access patterns rather than by breaking the cipher itself, so a longer key does not by itself defeat an attack of this kind, and the vendor's implementation deserves as much scrutiny as the key size.
While the practical reach of this approach is debated, the sound practice is to seek the highest security standard available in the marketplace.

[1] E. Bangerter, D. Gullasch, S. Krenn, Cache Games – Bringing Access-Based Cache Attacks on AES to Practice, Bern University of Applied Sciences, November 2010.
  • 7. Hard drives in printers and copiers have been prevalent since 2002. As products evolved, reputable vendors made AES 128-bit encryption available on copier and MFP products through vendor-specific encryption modules. There is literature describing this capability for Canon, HP, Konica Minolta, Kyocera Mita, Lexmark, Oce, Okidata, Ricoh and Xerox as an entry point for security. More recently, top print manufacturers have made AES 256-bit encryption available through minor customization of the encryption modules. There is manufacturer documentation indicating that Okidata, Ricoh, Lexmark and Xerox all offer AES 256-bit encryption as an option for hard drive security on latest generation products. In addition, leading service providers are integrating third-party hard drive security solutions, such as Sophos SafeGuard® RemovableMedia, to provide the highest currently available security levels. Given these moves, it will not be long before all print vendors make AES 256-bit encryption a standard option.

How Leading Organizations Lead
The organizations that have shown leadership in raising levels of print security have been financial institutions, hospitals and health organizations, and federal and state/provincial governments. There are three keys to success in ensuring corporate information is secure:
• Information storage – knowing what information is critical/confidential, where it is generated and where it is stored
• Information protection – using the best security solutions available, and being paranoid that it isn't enough
• Continuous improvement and refinement – pushing your organization and your vendors to do more

Leading organizations recognize that print infrastructure is a part of their network and absolutely requires the level of vigilance given to their networks. They also recognize there is an additional dimension to print – the need to control how printed documents are accessed.
Network: Leading organizations extend all the practices of their networks into the print environment. Specifically, they control end user rights, encrypt communications, close unused ports and enable device authentication protocols.
  • 8. Document: Leading organizations are tackling the added dimension of controlling hard copy generation and distribution. Specifically, leading organizations are known to:
• Implement secure print with passwords
• Time out the job when pickup is delayed
• Utilize scan encryption
• Implement copy controls
• Implement secure print with cards and biometrics
• Utilize tracking and activity logs for print, scan and copy

Device: Leading organizations work through the following hierarchy of steps to secure the devices. The further they are able to proceed through the list, the higher the level of security achieved. The progression of device security is to:
• Activate immediate data overwrite capability
• Maximize print-from-memory features
• Implement physical hard drive locks
• Encrypt the hard drive with the highest level of protection available
• Overwrite the hard disk at time of device disposal
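The last item in the Document list, tracking and activity logs for print, scan and copy, only pays off if someone reviews the logs. As an added example, not from the white paper or from any vendor's print management software, the Python below folds per-page accounting records in the shape of a CUPS page_log (one line per printed page) into jobs and applies three rules a security operations team would start with: printing outside business hours, bulk jobs, and document names on a keyword watchlist. The log lines, user and host names, business hours, thresholds and watchlist are constructed assumptions for the example.

```python
"""Rule-based review of print accounting logs: who printed what, where,
and when.

Added example; not code from the Compugen white paper or any vendor's
print management software. Each input line has the shape of a CUPS
page_log entry (one line per printed page). The log, user names, hosts
and thresholds below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# printer user job-id [date] page copies billing host job-name media sides
LINE = re.compile(
    r"^(?P<printer>\S+) (?P<user>\S+) (?P<job_id>\d+) \[(?P<when>[^\]]+)\] "
    r"(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+) "
    r"(?P<job_name>.+?) (?P<media>\S+) (?P<sides>\S+)$"
)

BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59 local time (assumed policy)
BULK_SHEETS = 100               # sheets per job that merit a look (assumed)
SENSITIVE_WORDS = ("termination", "payroll", "salary", "patient", "budget")


@dataclass
class Job:
    printer: str
    user: str
    job_id: int
    host: str
    job_name: str
    started: datetime
    sheets: int = 0


@dataclass
class Alert:
    rule: str
    user: str
    job_name: str
    detail: str


def parse_page_log(text: str) -> dict:
    """Fold per-page lines into one Job per (printer, job-id)."""
    jobs = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines in another format are skipped, not fatal
        when = datetime.strptime(m["when"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["printer"], int(m["job_id"]))
        job = jobs.setdefault(key, Job(m["printer"], m["user"], int(m["job_id"]),
                                       m["host"], m["job_name"], when))
        job.sheets += int(m["copies"])   # one line per page, times copies
        job.started = min(job.started, when)
    return jobs


def detect(jobs: dict) -> list:
    """Apply three simple rules to the folded jobs."""
    alerts = []
    for job in jobs.values():
        where = f"{job.sheets} sheets on {job.printer} from {job.host} at {job.started:%H:%M}"
        if job.started.hour not in BUSINESS_HOURS:
            alerts.append(Alert("after_hours", job.user, job.job_name, where))
        if job.sheets >= BULK_SHEETS:
            alerts.append(Alert("bulk_job", job.user, job.job_name, where))
        word = next((w for w in SENSITIVE_WORDS if w in job.job_name.lower()), None)
        if word:
            alerts.append(Alert("sensitive_name", job.user, job.job_name,
                                f"matched '{word}'; {where}"))
    return alerts


def review(page_log: str) -> list:
    """Parse and evaluate a page_log text; returns the alerts raised."""
    return detect(parse_page_log(page_log))


def constructed_page_log() -> str:
    """Three jobs in page_log shape (constructed data, not a real log)."""
    lines = []
    for page in (1, 2):
        lines.append(f"hr-floor2 hr-clerk 1041 [07/Jan/2011:09:12:05 -0500] {page} 1 - "
                     "ws-hr-12 termination_letter.docx Letter one-sided")
    for page in range(1, 181):
        lines.append(f"fin-mfp1 fin-analyst 1042 [07/Jan/2011:23:41:10 -0500] {page} 1 - "
                     "ws-fin-03 customer_list_2010.xlsx Letter two-sided")
    for page in (1, 2, 3):
        lines.append(f"hr-floor2 sec-lead 1043 [07/Jan/2011:14:05:44 -0500] {page} 2 - "
                     "ws-sec-01 meeting_agenda.docx Letter one-sided")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in review(constructed_page_log()):
        print(f"{alert.rule:15} {alert.user:12} {alert.job_name:28} {alert.detail}")
```

The rules are deliberately coarse; what matters is that the accounting feed already carries user, host, device, page count and document name, which is enough to answer the question the CBS story raised in reverse: not only what is left on the device, but who put it there and when. Thresholds and the watchlist should be tuned to the organization's own baseline before anyone acts on an alert.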
  • 9. About the Author
Gerry Skipwith has been the Vice President of Services for Compugen since 1998. Gerry is an industry contributor serving in several technology and business associations. He is also an invited member of the HP and CompTIA Executive Councils. Gerry received an undergraduate degree in Mechanical Engineering from the University of Waterloo. He has also completed a Network Engineering Program at the University of Toronto, followed by a Master's in Business Administration in the U of T Executive program. Gerry recently completed a Directors program for non-profit organizations at York University.

Most recently, Gerry has been the executive sponsor of Compugen's Print practice. In this capacity, he has been named Co-Chairman of the Standards and Best Practices Committee of the Managed Print Services Association (MPSA). Further, Gerry is six months away from completing his first (and most likely last) book, "EcoWise Print: Gaining the Full Value of Printing in a Responsible Manner". The goal of the book is to educate corporations on the dramatic financial and environmental costs of print, with an approach to assist with both.

Special Thanks to Contributors and Editorial Reviewers
• Brian D. Dawson, Sales and Marketing Director, Print Tracker™
• Jo-Anne Morgante, Print Services Manager, Compugen
• Keith Shumard, Managed Print Services Specialist, Modern Office Methods
• Kevin DeYoung, President & CEO, Qualpath, Inc.
• Tyler Markowsky, Practice Lead - Security Services, Compugen