The beauty of today’s advanced multi-function printing devices is the broad array of capabilities they offer, from on-board storage to intelligent job routing to network access, Internet access and self-management abilities. While devices that can print, scan, e-mail, fax and surf the Web may open possibilities for productivity and efficiency, they can, if left unguarded, also open organizations to serious security vulnerabilities.
In this era of heightened security concerns and increasing regulatory compliance issues, print-specialist partners need to raise their game to protect their clients’ systems, data and sensitive documents.
Think of the new generation of MFPs as more than just peripherals: they are computing devices with storage, software and network vulnerabilities similar to those of connected desktops and laptops. Overlooking security can be perilous and costly.
According to analyst firm Quocirca, the majority of businesses are at risk from unsecured network printers, and nine out of 10 require no passwords from users to access even the most powerful MFPs. As a result, 70 percent say they have suffered one or more accidental printing-related data breaches, and only 15 percent feel their print infrastructure is “very secure.”
Here are five key security considerations for partners deploying and maintaining managed print systems:
- The Grab and Go — The simplest of vulnerabilities involves unsecured output trays with no provision for identifying users before spitting out printed pages. Anyone can walk past these often remote devices and take sensitive documents that were meant for someone else.
- Device-level Hacks — Many MFP configurations and parameters can be set right at the device, and without password protection, everyone who gets near the printer is a potential hacker, even if by accident. Device-level access can include commands for printing stored documents, routing print jobs to other machines or wiping custom settings to create confusion or downtime.
- Stored Secrets — Most of today’s business-class MFPs sport a built-in hard disk drive that can store print jobs, scans, copies, and faxes. That makes the drive a point of vulnerability in itself. A stolen machine can cough up reams of sensitive documents, and MFPs that are taken out of service without having their drives erased remain an ongoing trove of corporate data.
- Listening In — The networking capability common to most modern MFPs makes them susceptible to the same kinds of network snooping as their computer counterparts. Data traversing the network between a user and his/her assigned MFP can be intercepted and used to generate unauthorized copies of sensitive corporate documents.
- Opening a Window — If the massive Target and Neiman Marcus data breaches from earlier this year taught us anything, it’s that networked devices are not only vulnerable themselves, they are also potential portals into corporate systems where hackers can wreak havoc, from unauthorized access to databases to the installation of malware and generation of denial-of-service attacks. Users on the network can access unprotected network printers, and if those printers are Web-enabled, the pool of potential hackers is exponentially multiplied.
Given the serious nature of security concerns raised by modern printing infrastructure, the print services partner, in the role of trusted advisor, must take all necessary precautions to ensure the safety and integrity of their clients’ data and systems even as they enjoy the productivity benefits of state-of-the-art devices.
Here are five print security features and protocols partners should look to and leverage to protect their customers:
- Access Controls — At their simplest, MFP access controls include provisions that require users to input a PIN to initiate a print job, and then re-enter it at the device to take physical custody of the output. Other capabilities partners should consider include role-based access controls for administrators to assign permissions to work groups based on function and need; and Microsoft Active Directory integration so an organization’s larger accounts database can be layered.
- Network Security Features — Managed print services providers should restrict access to certain devices based on IP address, creating a basic defense against most outside attackers. Basic network authentication such as the 802.1X standard is also needed before network traffic is allowed to travel to or from an MFP, to keep rogue devices off the network.
- Encryption — While it may seem extreme, diligent provisioning of print infrastructure, particularly in sensitive or highly regulated industries, should include the ability to encrypt all of the data travelling to and from MFPs as well as the data at rest within those devices. Look for support for Internet Protocol Security (IPsec) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) for encrypting customers’ scans, prints, copies and data accessed via the Web.
- Image Overwriting and Hard Disk Management — Because the on-board hard drives in many MFPs store reams of sensitive data, managing the risk and vulnerability associated with them should be high on the lists of prudent print partners. Look for devices that offer at least three-pass image overwriting either standard or as an optional add-on to keep sensitive information from prying eyes. Also be sure the hard drive is in a separate, locked enclosure within the MFP to thwart theft, and look for hard drive removal kits to keep the storage media secure during equipment repairs and decommissioning.
- Segregate Faxes — One sneaky way hackers gain access to corporate networks is by taking advantage of the backdoor created when fax telephone line connections are integrated with network connectivity. While it may seem old-school, this hack works around traditional firewall protections and presents a serious vulnerability. Partners should look for MFPs that certifiably provide complete separation of fax lines and network connections.
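The Network Security Features and Encryption items above can be checked against what actually reaches a device. The following is an added example, not part of the original article: it audits connection records for one MFP against an IP allow-list and an encrypted-transport requirement. The subnets, the key=value log layout and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumption: subnets permitted to reach the MFP (constructed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.40.16/28")]

# Constructed connection records; the key=value layout is hypothetical.
SAMPLE_LOG = """\
2014-06-02T09:14:07 src=10.20.30.15 dport=443 tls=1
2014-06-02T09:15:42 src=10.20.30.77 dport=9100 tls=0
2014-06-02T09:17:03 src=10.20.40.35 dport=443 tls=1
2014-06-02T09:21:58 src=192.0.2.44 dport=80 tls=0
2014-06-02T09:22:10 src=not-an-ip dport=443 tls=1
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict keyed by field name."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    return rec

def findings_for(rec):
    """Return the policy violations for one connection record."""
    try:
        src = ipaddress.ip_address(rec.get("src", ""))
    except ValueError:
        return ["unparseable source address"]
    issues = []
    if not any(src in net for net in ALLOWED_NETS):
        issues.append("source outside allow-list")
    if rec.get("tls") != "1":
        issues.append("unencrypted transport")
    return issues

def audit(log_text):
    """Map each offending record's timestamp to its list of violations."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if issues := findings_for(rec):
            report[rec["ts"]] = issues
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The third record shows why the allow-list should be evaluated as subnets rather than by address prefix: 10.20.40.35 looks local but falls outside the /28 that was actually approved.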
In this age when 30 million printers and MFPs are deployed and many are connected to the network, it’s time to take the security of these devices seriously. As Xerox senior manager for product security Larry Kovnat points out in his guest column on Forbes.com, MFPs are considered “true citizens” on the network rather than rogue devices.
“Taking the time to protect it is an integral part of today’s security imperatives,” he writes.