Secure printing

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Drew Robb
 

Connecting state and local government leaders

By Drew Robb

|

These tools can help secure confidential documents sent to a workgroup printer.

Sometimes the biggest threats to data are fairly low tech. Former national security adviser Sandy Berger made that point when he walked out of the National Archives with classified documents. There was no hacking of networks or decrypting of documents. Instead, it was as simple as carrying out hard copy on your person.The fact is, despite billions of dollars being spent on securing federal IT systems, it's possible for the wrong eyes to see sensitive data at unsecured print stations.Vendors are responding to the situation, but IT staff aren't sure how to assess the vendors' proposed solutions. 'We see more vendors advertising secure printing, which leaves people wondering what they should do,' said Ken Weilerstein, research vice president of Gartner Inc. of Stamford, Conn. 'IT security directors have other things to worry about, so the decisions are left to people who are not security specialists.'While most printer manufacturers have some sort of secure printing offering, a full solution requires more than putting a keypad on the printer. Data needs to be protected in transit, and the printers need to be protected against hacks.'The biggest mistake is to view secure printing as a separate, standalone application. It is one element of security and has to be looked at in that context,' said Steve Reynolds, senior analyst for Lyra Research Inc., a consulting group in Newton, Mass. 'The best way to do it is to take advantage of the security infrastructure you are putting in place for all kinds of things.'An obvious low-tech security risk is the wrong person picking up a sensitive document from a shared printer.'Sometimes you print a document and get a phone call before you pick it up,' said Chuck Jarrow, vice president and deputy general manager of the IT Services Group at government contractor L-3 Communications Corp. 'You might have some very sensitive data sitting out there.'Last spring, International Data Corp., a Massachusetts consulting firm, released a survey showing that more than half of respondents had found other people's documents on their shared printer. E-mails were the most commonly found item, but 24 percent found financial data and 18 percent found personnel records.The simplest way to solve this issue, of course, is to buy personal printers.'Printers are so cheap these days, the easy way is for everyone to have their own printer,' said Bruce Schneier, founder and CTO of Counterpane Internet Security Inc., a managed-security-services company in Mountain View, Calif.But this strategy only works when users have private offices. It's also more expensive to support a large number of private printers than having networked shared printers.Another approach often used in high-security installations is to put the printer behind a locked door. But, again, that's not always practical for general office use.Then there is the matter of device and network security. This is particularly becoming an issue with multifunction peripherals (MFPs), which combine printing, copying, scanning and faxing. Some devices even have their own Web page for access by remote personnel. And, as we have witnessed with other computing devices, more features mean more potential security holes.The most common printer security strategy is to control access to printer output with a keypad, card reader or biometric device attached to the printer. When the user sends the document to the printer, a dialog box appears offering the option of using either secure or standard printing.If you choose secure printing, you enter a code at your workstation. The job would then go into a print queue, either on a print server or on the printer itself, and the job would sit there until the user goes to the printer and'if a keypad device is being employed'enters the password to release the job for printing.Alternatives include smart cards and biometric devices. L-3 Communications, for example, has started using fingerprint readers for some of its own internal printing needs, as well as for some of its customers.'For an organization that suddenly finds it needs secure printing, biometric access is a very cost-effective way to do it and a very quick way to do an implementation,' Jarrow said.L-3 has employees stationed at the offices of some of its customer agencies to provide tech support. Adding keypad security to printers would have been one way to enhance security, but Jarrow prefers a biometric approach.'There was a group we worked with that had printers with a keypad release mechanism, and they got rid of them because they were more trouble than they were worth,' he said. 'You need to look at your people, and if they can't remember their ZIP code, they won't remember their printer code.'Instead, he purchased a fingerprint system from Silex Technology America Inc. With it, a fingerprint reader is plugged into a USB port on the user's workstation to register a fingerprint. Then, if a user opts for a secure print job, he uses a fingerprint reader at the printer to release the document. Since L-3 started using the system, Jarrow said, he has seen a lot of interest from clients.'We talked to one agency that had grown tired of people forgetting their codes and calling the help desk to get the number reset,' he said. 'They were very intrigued by this solution since users can't leave their finger back at the computer.'The interconnectivity of modern printing equipment also creates additional security holes.'It wasn't that long ago where we had separate printers, and the copier was only connected to the power supply,' says Weilerstein. 'Today they have an increasing number of functions, are connected to the network and might also be connected to the phone line.'While it is more common for hackers to try to access databases or document storage systems, printer files have two distinct attractions. The first is that they show what documents are currently in play in an organization. The other is that print documents are easy to read.Bob Forte, senior systems engineer for Levi, Ray and Shoup Inc. of Springfield, Ill., likes to conduct demonstrations of how even a free network sniffer can produce clear copies of printer files.'People don't feel they have a vulnerability in their print data streams,' Forte said. 'In actuality, any basic line data or PCL [Printer Command Language] is pretty readable.'He advises encrypting all printer files and only decrypting them at the printer. This is especially critical if the printer file is being transmitted to a remote location. LRS has print encryption software, and some printer vendors, including Hewlett-Packard Co. (Capella) and Lexmark International Inc. (Printcryption), have decryption options on their printers.Then there are remote workers who are physically outside the network but who need to print documents inside the office. 'Printing can take advantage of the security and encryption that is already there, a VPN tunnel or 128-bit encryption that is available with the Web,' said Lyra Research's Reynolds.Another important factor to consider is controlling who is printing what.'The most common problem is not knowing what users are printing,' said Bill Feeley, CEO of Software Shelf International Inc. of Clearwater, Fla. 'If management has no way to run reports on who is printing, what is being printed [and] where jobs are being printed, they have no way to implement any kind of security.'Software Shelf sells the Print Management Plus software that is used by the General Services Administration, NASA and other agencies. While it's most commonly used to set quotas or restrict who can print in color as a way to cut costs, it also provides an audit trail to see who is accessing and printing what documents.In addition, a user can be blocked from printing documents from specific applications or documents that have designated key words in the title. For example, anyone not on the human resources staff would be blocked from printing anything from the HR Management System.'The point here is that the other elements of computer systems are being tightened up so paper is one of the few remaining places you can take information out of the agencies without leaving a trace,' Weilerstein said. 'If you try to download the information to local storage there might be rules blocking it, but not with printing.' Unless, of course, you have installed print management software to prevent this.Printer manufacturers keep adding features, and since additional features can mean additional vulnerabilities, the first reaction of some IT managers might be to disconnect the fax line and disable any other features that aren't absolutely essential.But vendors are adding extensive security features as well. (Most vendors also offer white papers on their Web sites detailing these features.) In addition, Lexmark, Sharp Corp. and Xerox Corp. have received National Security Agency Common Criteria certifications and some HP LaserJet models are undergoing evaluation. But even this type of certification doesn't provide a complete answer.'Agencies should look for certification such as the Common Criteria certification, but the problem is that the certification only shows that it has been tested for a specific threat,' Weilerstein said. 'Vendors say it is like a Good Housekeeping seal, but in reality it is just one product tested for one threat.'Also, agencies will want to check to see what features their existing security vendors can provide in relation to printing.'The whole subject of secure printing is being increasingly rolled into the general elements of security that people are enabling on their networks,' Reynolds said. 'It is less a standalone application these days as it is just another application in a suite of things that people are enabling.'

Selecting the best secure-printing solution for your organization requires a close look at your existing infrastructure and workflow as well as consideration of future needs. Here are some critical questions you'll want to answer before investing in a specific solution.

  • Do you need to provide security for an existing fleet of printers?


  • Are you purchasing new printers in the near future?


  • If so, do a thorough needs analysis to determine your desired printing capabilities (such as color, paper size, resolution) and speed. Also, bear in mind that some vendors provide printers with built-in security capabilities.

  • Does the data need to be encrypted?


  • Will it be decrypted at the printer or at the file server?


  • Do you need to log what gets printed and audit the data?


  • Do you need to restrict the number of copies or types of files an individual prints?


  • Do all printers in your organization need security functions?


  • Do you need to restrict who gets access to which printers?


  • Will any printers have an external connection, either to send and receive faxes or for remote support?


  • Is there already a security system in place?


  • How does the user activate the print job?


  • If so, does it employ a keypad, fingerprint reader or secure ID card?


  • If it uses a card, is it HSPD-12 compliant?


  • Does your current equipment have Common Criteria certification?


  • What support is needed?


  • What are the terms of the support contract?


  • Will you have a vendor representative on site?


  • What do support and materials cost?


  • Will you lease or buy the equipment?


  • How is equipment disposal handled?


  • Does your current printer infrastructure integrate with any other enterprise security software?


  • How does the security software interact with user applications?


  • Is any additional middleware or custom programming needed, or does it just show up as an option on the print screen?


  • What type of user training is needed for each printer security solution you're considering?


  • Does the vendor conduct the training?











    • Threat diversity
















    What to do?

















    Wire worries















    Taking control










    Don't fear the feature











    Security Printing
























































    VendorRepresentative Product(s)Notes
    Capella Technologies Inc.

    Anaheim, Calif.

    (888) 232-4200

    www.capellatech.com    		SecureJet, VeriUser, MegaTrackMegaTrack is a Windows-based application for recording and monitoring printer usage. VeriUser is an authentication system for Hewlett-Packard MFPs. SecureJet controls user access to HP printers with keypads, ID cards or proximity devices.
    Hewlett-Packard Company

    Palo Alto, Calif.

    (800) 727-5472

    www.hp.com    		Printers and management softwareA wide range of laser and ink-jet printers with associated management and security features; some models currently under review for Common Criteria certification.
    Kyocera Mita America

    Fairfield, N.J.

    (703) 469-2350

    www.kyoceramita.com/us    		Printers and multifunction devices; Equitrac Secure Print Release
    		Equitrac software works with keypads or card readers for secure printing.
    Levi, Ray and Shoup Inc.

    Springfield, Ill.

    (217) 793-3800

    www.lrs.com    		VPSSecure printing software that encrypts print files while in transit.
    Liquid Machines Inc.

    Waltham, Mass.

    (877) 885-4784

    www.liquidmachines.com    		Liquid Machines Document ControlSoftware that lets users set access and print policies for documents; works with 65 different applications, including Microsoft Office, Adobe Acrobat, Sharepoint and Visio.
    Oce-USA

    Chicago

    (773) 714-8500

    www.oceusa.com    		Printers and associated softwareNine models have achieved Common Criteria certification; some come with built-in fingerprint readers.
    Ricoh Corp.

    Alexandria, Va.

    (703) 317-0800

    www.ricoh-usa.com    		Printers, Data Overwrite
    Security System, removable hard drives
    		The company offers optional removable hard drives for printers, so the data can't be accessed by others. Customers also have the option of overwriting data on printer drives, rather than just erasing it.
    Silex Technology America Inc.

    Salt Lake City

    (801) 748-1199

    www.silexreseller.com
    		SecurePrintBiometric network printing security system; works with any workstations and printers that have a USB connection; replaces keypad access with a fingerprint reader.
    Software Shelf International Inc.

    Clearwater, Fla.

    (727) 445-1920

    www.softwareshelf.com    		Print Manager Plus (several versions)Printing management software to control costs and improve security; includes user authorization and restrictions on what documents users are able to print, and audit logs to see who printed what.
    Xerox Corp.

    Stamford, Conn.

    (800) 275-9376

    www.xerox.com    		Wide range of printers; Xerox Secure Access Unified ID SystemThe Secure Access Unified ID System works with existing student or employee ID badges; can use a keypad code for a second layer of security.

    NEXT STORY: FOSE full range

    X
    This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
    Accept Cookies
    X
    Cookie Preferences Cookie List

    Do Not Sell My Personal Information

    When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

    Allow All Cookies

    Manage Consent Preferences

    Strictly Necessary Cookies - Always Active

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data, Targeting & Social Media Cookies

    Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

    If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

    Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

    Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

    If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

    Save Settings
    Cookie Preferences Cookie List

    Cookie List

    A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

    Strictly Necessary Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Functional Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Performance Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Social Media Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Targeting Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.