Whitepaper: Secure Printing

Continued from Page 1

Hard Disk Threats

Almost every single digital printer and MFP built since 2002 contains a hard drive, and not many people know that this hard drive stores an image of nearly every document that has been scanned copied, printed or emailed. And even fax machines have large image memories that can store a significant amount of data.

Essentially, the modern MFP is now a sophisticated machine that some would argue has been turned in a ticking ‘digital timebomb’. This is because while the data on the HDD will eventually be overwritten during the lifetime of the MFP, some data will always be recoverable unless steps are taken to ‘cleanse’ or overwrite the data on the HDD. Unfortunately many IT decision makers are completely unaware of the potential security and compliance risks this undeleted data can pose.

For example, many businesses tend to lease their MFPs, but what happens to any data that is still left undeleted on that machine’s HDD when that lease is up, or when the machine is taken away for repair or disposal? These machines can present a potential goldmine for those involved in identity theft.

Indeed, security experts have long been warning that when you purchase a second-hand MFP, they can typically recover up to 20,000 sensitive documents using freely available forensic software.

So businesses need to recognise the gaping security hole that their printing environment poses and take steps to ensure that any device leaving their workplace, for whatever reason, is scrubbed clean of sensitive data. Samsung MFPs for example can encrypt the data, and then overwrite it after the job is complete to minimise exposure to data theft from memory retention.

Encryption And Authentication

Thankfully nowadays most printer and MFP manufacturers offer some form of security and encryption solution, to tackle the growing security problem. But sadly it seems that many companies are flirting with potential identify theft, lawsuits, and stolen information by not deploying these solutions.

Companies need to ensure they are utilising encryption and data overwrite on printers and MFPs, to protect their data. The encryption will encode the data so only someone who has the “key” can make sense of it, while the overwrite will erase each previous photocopy or scan. Encryption protects any data transferred from a server to a MFP or the data stored on MFP, and is also useful for protecting print mailboxes and stored documents.

Unfortunately it is the industry norm for printer manufacturers not to offer on-board device authentication with their printer and MFPs, but others (such as Samsung) do offer onboard device authentication (Trusted Platform Module or TPM). Samsung for example offers encryption at AES 256 and not the commonly used AES 128.

Secure Release Printing

Secure release printing is where a user can only access the MFP or printer to collect their printouts, when they have been properly identified, such as Samsung SecuThru Lite.

Users can be authenticated using IDs and passwords, or proximity cards, or even via the network using an existing authentication method such as LDAP, or bespoke solutions such as Samsung Syncthru Admin 5.

Some print manufacturers also offer the common access card (CAC), a standard that was developed by the US Department of Defence for authentication purposes so that users are enabled to access computers, printers MFPs, networks, and even facilities.

If we use Samsung’s CAC offering as a typically example here, the way it usually works is that the user must insert a common access card, which is then authenticated by the user entering a PIN number. The MFP then authenticates the PIN, utilising Kerberos or LDAP to verify the fact that the user has the relevant permission to perform a particular function. A usage log is saved on the LDAP server.

All MFP functions will be blocked unless the user authenticates himself. The CAC card also supports the business policy, and allows for secure print-job release.

The ID card itself usually contains the user’s email address, where the card was issued, and certifications (including authorisation certification, signing certification, and encryption certification). It also contains contact details for the user (telephone number etc), and allows for the access to secure areas or secure devices. It also provides quick and easy identification of the user at the MFP, so they can print and collect, email, or fax and scan sensitive documents.

Continued on Page 3