Printers teem with security woes

Encryption, access controls help to prevent breaches

The RFP Checklist: Ask questions before buying

Selecting the best secure-printing solution requires a close look at the existing infrastructure and workflow as well as consideration of future needs. Here are some critical questions you'll want to answer before picking a specific solution.

Is there an existing fleet of printers that needs security?

Will new printers be purchased in the near future?

If so, perform a thorough needs analysis to determine the desired printing capabilities (such as color, paper size, resolution) and speed. Also, keep in mind that some printers have built-in security capabilities.

Does the data need to be encrypted?

Will the data be decrypted at the printer or at the file server?

Is there a log of what gets printed, and will that data be audited?

Will the number of copies or types of files an individual prints be restricted?

Do all printers in your organization need security functions?

Do you need to restrict who gets access to which printers?

Will any printers have an external connection, either to send and receive faxes or for remote support?

Is a security system already in place?

If so, does the system employ a keypad, fingerprint reader or secure ID card?

How does the user activate the print job?

If a card is used, is it HSPD-12 compliant?

Sometimes the biggest threats to data are fairly low-tech, as when former National Security Adviser Sandy Berger walked out of the National Archives with classified documents stuffed into his clothes. There was no hacking of networks or decrypting documents. Instead, taking the information was as simple as carrying out hard copy.

Despite billions of dollars being spent on securing federal information technology systems, it's still possible for the wrong eyes to see sensitive data at unsecured print stations.

Vendors are responding to the problem, but the challenge is assessing the proposed solutions. "We see more vendors advertising secure printing, which leaves people wondering what they should do," said Ken Weilerstein, research vice president of Gartner Inc. of Stamford, Conn.

Although most printer manufacturers have some type of secure printing offering, a full solution requires more than putting a keypad on the printer. Data needs to be protected in transit, and printers should be protected against hacks.

"The biggest mistake is to view secure printing as a separate, stand-alone application. It is one element of security and has to be looked at in that context," said Steve Reynolds, senior analyst at Lyra Research Inc., a consulting group in Newton, Mass. "The best way to do it is to take advantage of the security infrastructure you are putting in place for all kinds of things."

Threat diversity

An obvious low-tech security risk comes from the wrong person getting a sensitive document from a shared printer.

"Sometimes you print a document and get a phone call before you pick it up," said Chuck Jarrow, vice president and deputy general manager of the IT Services Group at government contractor L-3 Communi- cations Corp. "You might have some very sensitive data sitting out there."

Last spring, International Data Corp., a Massachusetts consulting firm, released a survey showing that more than half of respondents had found other people's documents on their shared printer. E-mails were the most commonly found item, but 24 percent reported finding financial data and 18 percent found personnel records.

The most common security strategy is to control access to printer output with a keypad, card reader or biometric device attached to the printer. When a user sends the document to the printer, a dialog box appears offering the option of using either secure or standard printing.

If users choose secure printing, they enter a code at their workstations. The job then goes into a print queue, either on a print server or on the printer itself. The job sits there until a user goes to the printer and ? if a keypad device is being employed ? enters the password to release the job for printing.

Other security choices include smart cards and biometric devices. L-3 Communications, for example, has started using fingerprint readers for some of its own internal printing needs, as well as for some of its customers.

L-3 has employees to provide tech-support employees stationed at the offices of some of its customer agencies. Adding keypad security to printers would have been one way to enhance security, but Jarrow prefers a biometric approach.

"There was a group we worked with that had printers with a keypad release mechanism, and they got rid of them because they were more trouble than they were worth," he said. "You need to look at your people, and if they can't remember their ZIP code, they won't remember their printer code."

Instead, Jarrow bought a fingerprint system from Silex Technology America Inc. With that system, a fingerprint reader is plugged into a USB port on users' workstations to register a fingerprint. Then, if users opt for a secure print job, they use a fingerprint reader at the printer to release the document.

Wire worries

Also, the interconnectivity of modern printing equipment creates additional holes in security.

"It wasn't that long ago where we had separate printers, and the copier was only connected to the power supply," Weilerstein said. "Today they have an increasing number of functions, are connected to the network and might also be connected to the phone line."

Although it's more common for hackers to try to access databases or document storage systems, printer files have two distinct attractions for them. The first is that the files show what documents are currently in play in an organization, and the other is that print documents are easy to read.

Bob Forte, senior systems engineer at Levi, Ray and Shoup Inc. of Springfield, Ill., advises encrypting all printer files and only decrypting them at the printer. This is critical if the printer file is being transmitted to a remote location. LRS has print encryption software, and some printer vendors, including Hewlett-Packard Co. (Capella) and Lexmark International Inc. (Printcryption), have decryption options on their printers.

Then there are remote workers who are physically outside the network but need to print documents inside the office. "Printing can take advantage of the security and encryption that is already there, a VPN tunnel or 128-bit encryption that is available with the Web," Reynolds said.

Taking control

Controlling who is printing what is another factor to consider. "The most common problem is not knowing what users are printing," said Bill Feeley, CEO of Software Shelf International Inc. of Clearwater, Fla. "If management has no way to run reports on who is printing, what is being printed [and] where jobs are being printed, they have no way to implement any kind of security."

Software Shelf sells the Print Management Plus software that is used by the General Services Administration, NASA and other agencies. Although the software is most commonly used to set quotas or restrict who can print in color as a way to cut costs, it also provides an audit trail to see who is accessing and printing what documents.

In addition, the software can block users from printing documents from specific applications, or from documents that have designated key words in the title. For example, anyone not on the human resources staff would be blocked from printing anything from the HR Management System.

Don't fear the feature

Printer makers keep adding features, and because additional features can mean additional vulnerabilities, the first reaction of some IT managers could be to disconnect the fax line and disable any other features that aren't absolutely essential.

But vendors are also adding extensive security features. In addition, Lexmark, Sharp Corp. and Xerox Corp. have received National Security Agency Common Criteria certifications and some HP LaserJet models are undergoing evaluation. However, even this type of certification doesn't provide a complete solution.

Agencies also will want to check to see what features their existing security vendors can provide in relation to printing.

"The whole subject of secure printing is being increasingly rolled into the general elements of security that people are enabling on their networks," Reynolds said. "It is less a stand-alone application these days as it is just another application in a suite of things that people are enabling."

Drew Robb is a freelance writer in Los Angeles.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Our databases track awards back to 2013. Read More

  • Navigating the trends and issues of 2016 Nick Wakeman

    In our latest WT Insider Report, we pull together our best advice, insights and reporting on the trends and issues that will shape the market in 2016 and beyond. Read More

contracts DB

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.