Falcon - Managed Print Services
 
 
 
Document Security Briefing - Part One - Photocopiers and MFPs

With the ever-increasing threat of data compromise, organisations have to ensure the utmost vigilance when it comes to their own and their clients' information security. Most commonly we see concerns raised in the arena of online banking transactions and web-based communications, but the increasing convergence of technologies, with essentially borderless interactions between previously separate business processes/systems, means that few environments are now entirely risk free. This does not have to mean panic, but it should necessitate a timely move away from more old-fashioned, 'analogue' conventions on risk towards a view more informed by the actual technologies we're all using and their full, often potentially harmful capabilities...

The Risks

Nowhere is this more true than when it comes to photocopying and office printing. Since the dawn of the first photocopiers in the mid-fifties, organisations and individual photocopier users themselves have become accustomed to analogue technology. Photocopiers did have their associated risks, but these tended to be those that could be physically detected and easily eliminated - document pages left under the cover, for instance, or jammed paper left in a machine to be fished out by someone else.

While the physical appearance of photocopiers may have remained largely unchanged over the years, the technology which powers these devices has come a long way, to the extent that photocopiers today not only do a great deal more - printing, scanning, colour copying and all the finishing options - but also hold a great deal more information from the documents which pass through them, minute-by-minute, day-by-day. Since around 2002 in fact, almost all major OEM manufactured photocopiers/MFPs have contained hard disk drives, like the sort on any desktop PC. Depending on the device configuration, they'll typically store a record of every document scanned/printed/copied through. Such information is essentially the life-blood of any business - much of it will be confidential, some will be personal, and in the wrong hands it could quite easily do catastrophic damage to a business legally, financially and in terms of reputation as well.

CBS News in the US highlighted the threat potential of photocopiers/MFPs when it conducted its own investigation into the data that could be found on second-hand purchased photocopiers. Startlingly, CBS, with the help of technology experts, was able to find medical records, payroll data and bank account information on second-hand devices it had purchased for as little as $300.

It might seem that the risk of a photocopier hard drive potentially ending up in the wrong hands would be bad enough, but it is not only second-hand/used devices which expose organisations to risk. A recent article by another US journalist, Byron Acohido, revealed that the increasingly 'network-ready' capabilities of modern photocopiers/MFPs are as much, if not more, of a concern. An independent web security firm, Zscaler, conducted a US search uncovering over 100,000 HP printers/scanners at risk of data compromise and thousands of photocopiers as well. Through the on-board servers which are built into many modern printers and photocopiers, researchers found they would have been able to access these devices through the internet, take control of them and gain access to any information contained on them. Most devices, it was found, were protected by default or weak passwords.

Essentially, whereas photocopiers were once only really vulnerable to security compromise through their own users' negligence, today the actual hardware itself poses the greatest risk - hard drives hold the potential to store vast amounts of data passing through them, and the networks to which photocopiers are now attached expose them to the threat of an external internet attack. But there are measures, some technology based and others focusing more on practical user/administrative methods, which can significantly mitigate and in some instances almost totally eliminate the dangers.

Non Technology Based Solutions

As could be imagined, non-technology based solutions tend to emphasise fully capitalising on existing technology and generally improving staff awareness of security in this connection. It is difficult to provide advice for users whose MFP/photocopier arrangements are bound to be quite different, but starting from the top, with those areas almost all MFP/photocopier users will have in common...

On the output tray or under the document cover - In most office environments it's common to find yourself picking up printed materials belonging to another colleague. And it's often the case that printed documents are left forgotten on the printer, leaving information available to anyone who has access to the machine. Ensuring all staff members are made aware that printed documents are the most difficult to protect of all document types, and encouraging greater vigilance over printing habits, is the only defence without the use of secure print workflow or print audit software.

It's key to ensure that the device security configuration is 'locked-down' too. The USA Today report showed that the server functionality which now features as standard on many printers and MFPs was a vulnerable spot for quite a number of organisations. Simply ensuring good passwords are used to access the server function can shore up this potential weakness.

As Xerox has explained in many a security white paper, device security is no static state of affairs. As time marches on, hackers can discover weaknesses in MFP operating system software, just as with any other PC/server. It's essential that administrators and IT staff ensure that the regular security patches released by manufacturers are installed on their machines. Teams of researchers spend a great deal of time and energy trying to stay ahead of the curve on device security, so it makes sense to take full advantage of all they are offering.

Other device security features. Many photocopiers and MFPs come equipped with quite powerful security features which, when activated and configured correctly, can be a fairly robust line of defence. One commonly-featured tool, user authentication, ensures users are actually who they say they are when processing jobs at a device. In some cases, user authentication can also limit device functionality depending on a pre-determined level of access. IP address restriction means access to a device can be restricted to selected user work-stations. IT administrators are able to enter the IP details of all an organisation's actual users, so any attempt to access a photocopier/MFP from an unrecognised IP address will not be allowed. This provides an additional layer of security for users whose devices also possess server functionality.
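The IP address restriction described above, sketched as default-deny allow-list logic with a check for entries that would quietly defeat it. This is an added example, not any manufacturer's code; the function names, the sample addresses and the "broader than a /16" threshold are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private IPv4 ranges, where office work-stations normally live.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_allowlist(entries):
    """Return (networks, findings). Entries are single hosts or CIDR ranges."""
    networks, findings = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "unparseable entry ignored"))
            continue
        if net.version == 4:
            if not any(net.subnet_of(p) for p in PRIVATE_V4):
                findings.append((raw, "covers public address space"))
            elif net.prefixlen < 16:   # threshold is this example's assumption
                findings.append((raw, "broader than a /16"))
        networks.append(net)
    return networks, findings

def is_allowed(client, networks):
    """Default deny: only a parseable address inside a listed range passes."""
    try:
        addr = ipaddress.ip_address(client.strip())
    except ValueError:
        return False
    # On a dual-stack listener an IPv4 client can appear as ::ffff:a.b.c.d.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in networks)

if __name__ == "__main__":
    # Constructed sample allow-list: two sound entries and three problems.
    sample = ["192.168.10.0/24", "192.168.20.15", "0.0.0.0/0",
              "10.0.0.0/8", "printer-room"]
    nets, findings = parse_allowlist(sample)
    for entry, reason in findings:
        print(f"review {entry!r}: {reason}")
    print("203.0.113.7 allowed:", is_allowed("203.0.113.7", nets))
```

A single catch-all entry such as 0.0.0.0/0 turns the restriction off for every address, which is why the list is worth reviewing as well as enforcing.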

Technology Based Solutions

Secure Print and Smart Card Authentication - Secure print ensures that hard copy documents are received and viewed only by their intended recipients. With the simplest form of secure print package, print jobs which have been sent by a user to a device can only be released by inputting a personal identification code on the photocopier/MFP's user interface. This ensures that a document's intended recipient must be physically present at an MFP when documents are printed, and allows that intended recipient to be there at the exact moment that the document is released, before there is any opportunity for it to get into the wrong hands.

Smart card authentication protects a photocopier/MFP from unauthorised walk-up access. With smart card authentication, users can be identified with a two tier identification system - firstly by producing their personal authentication card at a specially adapted card slot on the machine, then by entering their personal identification number in the MFP's user interface, as before. Smart card authentication provides a truly robust secure print configuration.

HDD Encryption - The most impressive photocopier/MFP manufacturers now offer optional hard disk drive data encryption kits, usually at an additional cost. Canon's kit, for instance, uses advanced encryption algorithms to protect a photocopier's temporary data along with the documents that have been stored onto the device hard drive. A special plug-in board encrypts every byte of data before it can be stored onto the hard drive. Canon's photocopiers/MFPs use either a 256-bit Advanced Encryption Standard (AES) or 168-bit Triple Data Encryption Algorithm (TDEA), depending on the specific photocopier/MFP. The encryption key, stored on the board, encrypts and decrypts all data stored on random non-contiguous spaces on the hard drive.

HDD Data Erase - As well as data encryption, it's sometimes safest to completely remove data from photocopier/MFP hard drives. As is not always known, all hard drive data is potentially retrievable until it has been over-written. Canon's data erase kit, for instance, uses either null data, random data or random data over-written three times (!) to ensure that neither temporary data nor documents that have been stored on a photocopier/MFP remain accessible, so that when data is erased using the data erase kit functionality, it is fully, permanently deleted.
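The three overwrite options named above (null data, random data, random data three times), applied to a small file standing in for a device hard drive image and then checked for surviving content. This is an added example and not Canon's implementation; the mode labels, function names and sample data are assumptions made for illustration.

```python
import os
import tempfile

# Pass plans for the three options; the mode labels are this example's own.
PASSES = {"null": ["zero"], "random": ["random"], "random3": ["random"] * 3}

def overwrite(path, mode, chunk=64 * 1024):
    """Overwrite every byte of path in place; return the number of passes made."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b rewrites in place, never truncates
        for kind in PASSES[mode]:
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(bytes(n) if kind == "zero" else os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())          # push this pass out before the next
    return len(PASSES[mode])

def residue(path, marker):
    """True if marker bytes from the old content can still be read back."""
    with open(path, "rb") as f:
        return marker in f.read()

def run_demo():
    """Erase a constructed spool image with each mode; report what survives."""
    marker = b"PAYROLL-ACCT-00000000"     # constructed sample data
    image = (b"scan job header " + marker + b" page data ") * 500
    results = {}
    for mode in PASSES:
        fd, path = tempfile.mkstemp(suffix=".img")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(image)
            before = residue(path, marker)
            passes = overwrite(path, mode)
            results[mode] = (before, residue(path, marker), passes,
                             os.path.getsize(path) == len(image))
        finally:
            os.remove(path)
    return results

if __name__ == "__main__":
    # Each tuple: (marker present before, present after, passes, size kept)
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

An overwrite made through a filesystem reaches only the blocks the file currently occupies, so on a real device the erase has to be carried out at drive level, as the manufacturer's kit does.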

Falcon hopes its document security briefing will give organisations and their photocopier/MFP users everything they need to ensure high standards of information security can be maintained in this incredibly changeable arena of office technology.