Why You Should Secure Your Print Environment
Do you print documents containing the following information?
- Customer Name, Address or Contact Numbers
- Customer Account Number
- PPSN/Social Security Number
- Financial Data (credit card, bank account no., etc.)
Would you store these documents in a location where anyone could access them? No! Of course you wouldn’t.
Organizations devote a huge amount of time and resources to securing their IT environment to prevent data leakage, virus infection and unauthorized access. A typical IT department will have implemented most or all of these:
- Active Directory – to authenticate and authorize users and enforce security policies.
- Security Groups – to assign access to resources and ensure data access is limited only to those that should have access.
- Firewall Rules – to protect the network from unauthorized access.
- Intrusion Detection Systems – to monitor the network for suspected unauthorized access.
- Hard Disk Encryption – to safeguard data on lost/stolen devices.
- Pseudonymisation of Data.
Layers of security measures are applied to the digital data, but as soon as you press the print button you strip all these layers away. The digital rules protecting the soft copy are not inherited by the hard copy.
There is no longer a security group protecting the data, or an authentication system auditing who has accessed the document. If an unauthorized user accesses hard copy data, it may well go undetected. The data is now in the public realm, viewable by anyone inside or outside of your organization. You are now depending on human behavior to ensure the data is kept confidential.
“61% of data breaches within Companies with fewer than 500 employees involve paper records”
What can be done to protect Sensitive Data entering the Printing System?
Our approach focuses on the following three parts of the Print Environment:
- Securing the Print Process
- Securing the Print Data
- Securing the Print Device
1. Securing the Print Process
The first step in securing your print environment should be to enforce secure printing as standard. This can be achieved locally at a per-device level or centrally via Print Management software such as Uniflow or Papercut.
Modern MFDs can be configured to enforce secure printing locally. Print jobs configured to output directly at the device can be either dropped or routed to the secure queue. A user must then authenticate themselves at the device in order to release their job.
Authentication provides an added layer of security and accountability. Uniflow and Papercut can provide authentication via Proximity Card, Active Directory and/or PIN login.
In fact, most devices have their own built-in authentication systems which work quite well if you have one or two devices. If you have a fleet of machines you can link the device to Active Directory via proximity card. This provides an efficient login mechanism that is linked back to each user’s domain account. Prints, copies and scans can then be allocated to the domain user, giving you a clearer picture of your print costs.
2. Securing the Print Data
What’s in a filename?
Picture the scene: Your HR department sends some confidential jobs to print, but there is a problem with the printer. This could be a paper jam, toner request or print driver issue. These jobs will sit in the print queue until the problem has been resolved.
You now have two issues:
1. The print job filenames are visible to all users of the shared print queue. If sensitive information is contained in the document filenames this is a serious data breach.
2. These jobs will be printed to the device’s output tray when the error is resolved – available to anyone to pick up and read.
There are several ways to combat this. We can encrypt the Print Job’s Filename as well as the data contained in the document.
We can also instruct the printer to cancel any document that has failed to print due to an error at the print device. This could be a jam, service error or toner issue. If the printer is unable to print the document while the user is at the device, it will cancel the job to ensure it is not left at the device unattended, therefore preventing any data breaches.
Encrypting your print data?
Under normal circumstances when you send a print job the content of the document is sent to the printer in plain text using either the PCL or PostScript printing language. Any sensitive data within the document, such as a name, address, PPS no. or credit card number, is unprotected and can be used for malicious intent. A user with moderate IT skills could intercept the data and convert it to PDF using freely available PDL conversion software.
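The two exposures described above (readable job filenames and plain-text job data) can be checked on your own print server with a short audit; this is an added example, not code from the original post or from any print management product. It assumes spooled jobs carry a PJL header in front of the PCL or PostScript data, which the post does not mention, and the sample job, names and patterns are constructed.

```python
import re

UEL = b"\x1b%-12345X"  # PJL "Universal Exit Language" marker that brackets a job

# Constructed sample spool data (not a real capture): PJL header + stub PCL body.
SAMPLE_JOB = (
    UEL + b'@PJL JOB NAME="Payroll_J_Murphy_1234567TW.docx"\r\n'
    b'@PJL SET USERNAME="hr.clerk"\r\n'
    b"@PJL ENTER LANGUAGE=PCL\r\n"
    b"\x1bE(page data)\x1bE" + UEL
)

PJL_FIELD = re.compile(rb'@PJL\s+(?:SET\s+)?(JOB\s*NAME|USERNAME)\s*=\s*"([^"]*)"', re.I)
PPSN_FORMAT = re.compile(r"(?<![0-9A-Za-z])\d{7}[A-Za-z]{1,2}(?![0-9A-Za-z])")
CARD_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def pjl_metadata(spool: bytes) -> dict:
    """Return the job and user names readable in a job's cleartext PJL header."""
    meta = {}
    for line in spool.replace(UEL, b"\n").splitlines():
        m = PJL_FIELD.match(line.strip())
        if m:
            key = re.sub(rb"\s+", b"", m.group(1)).decode().upper()
            meta[key] = m.group(2).decode("latin-1")
    return meta  # empty when the job is encrypted or has no PJL header


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_hits(job_name: str) -> list:
    """Label the kinds of sensitive data a job filename appears to contain."""
    hits = []
    if PPSN_FORMAT.search(job_name):
        hits.append("PPSN-format")  # format match only; check letter not verified
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_LIKE.finditer(job_name)):
        hits.append("card-number")
    return hits


if __name__ == "__main__":
    meta = pjl_metadata(SAMPLE_JOB)
    print(meta, sensitive_hits(meta.get("JOBNAME", "")))
```

An empty result from `pjl_metadata` is what you would expect to see once job data is encrypted between the print server and the device.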
Our Uniflow Print Management Application can secure your print environment by encrypting all traffic to and from the printer using Advanced Encryption Standard AES-256. Print traffic is encrypted at the print server, sent to the printer and then decrypted before it is released from your secure print queue.
For non-Uniflow customers we can apply Print Encryption Kits that provide the same level of security.
When scanning documents, the traditional method is to add your email address to the address book. This allows for human error in selecting the email address and could possibly allow a user in your organisation to send confidential information to the wrong person.
Uniflow can force the devices to only allow a user to send to their own internal e-mail address. This prevents the human error factor and ensures your information stays in house.
If you scan financial information such as bank account or credit card numbers you should really be password protecting the documents. This can be done locally at the device with a PDF encryption kit or through a Uniflow Scan device license.
3. Securing the Device
Hard Disk Encryption
The latest multifunctional devices come with Hard Disk Encryption as standard. This safeguards your data from malicious users by ensuring the data cannot be read if the hard disk is analysed. All data on the hard disk is encrypted, including image data, address book information, network settings and print logs.
If you have an older device we can apply an HDD Encryption kit that will safeguard your devices and help you to comply with Corporate Security policies.
In addition to HDD Encryption we can supply a facility that erases the data in real-time. As soon as the device uses the data it is deleted. The data erase facility can utilize the Department of Defence’s highest standard, DoD 5220.22-M, to ensure all files are completely unrecoverable.
An authentication system can also be used to ensure users only have access to the features they need. Device access can be set to allow IT users full access to the device’s system settings while regular users can be restricted to print, copy & scan.
Access Control Lists
In large organisations you might want to restrict the use of certain devices. The Marketing team might have a high-speed production device that is business critical. Uniflow allows you to apply an ACL to individual printers dictating who is allowed to log in to the device and print. In an educational environment you may have some machines dedicated to staff and some to students. ACLs are a good way to prevent students being able to log in to the staff devices. Additionally, ACLs can be used to prevent the use of USB devices and to restrict device features for certain users.
There are many levels available in terms of print security. Whether you need all of these features depends on the type of data you print. Sensitive customer data such as contact information, financial data or account information should not be left sitting unattended in a printer’s output tray. At a minimum you should ensure these types of documents are printed securely.
If you are interested in improving the security of your print environment our team can carry out a Free Print Security Audit. We will provide recommendations on how you can comply with new GDPR regulations, protect your data and prevent data and security breaches.
The post How to Secure Your Print Environment – 3 Step Approach appeared first on Cantec.