By: Louella Fernandes, Principal Analyst, Quocirca
Published: 10th September 2010
Copyright Quocirca © 2010
The cost of accidental or malicious data loss can be severe. As well as penalties from regulators and industry bodies, there is also damage to the brand, which can lead to lost business.
As a result, many organisations have taken measures, ranging from encryption to data loss prevention, to cut the risks. But one area is often overlooked and it is perhaps the least secure medium of all: printed output. Although the widespread use of networked printers has brought speed and convenience, it has also introduced potential security risks. Print jobs routinely contain sensitive information and it is not unusual for pages to be left unclaimed in a printer tray, just waiting to fall into the wrong hands.
But that issue is the tip of the iceberg. Today's advanced networked multifunction peripherals print, copy, scan to network destinations and send email attachments. These devices are far from peripheral to the network, posing the same security risks as any other networked device.
They are equipped with a hard drive that stores user IDs, as well as copy, scan, fax and print images from previously processed jobs and device logs. Consequently, information can be leaked not only through printed documents, but also via unauthorised access to the device and its hard drive, and through the unauthorised distribution of confidential documents via scan-to-email.
The threat is very real. In April 2010 it emerged that a US managed healthcare provider, Affinity Health Plan, had notified over 400,000 current and former employees that sensitive medical records had been potentially compromised due to the loss of a digital copier hard drive, after the copier had been leased and later returned to its supplier without the data being erased on the drive.
So what steps can be taken to protect printed output?
Businesses have a range of criteria to evaluate, including certification, built-in security features and advanced security options.
Print security standards
When it comes to evaluating the security of peripherals and networked printers, devices may support differing levels of certification. These include the Common Criteria Certification (CCC), also known as ISO 15408, the National Institute of Standards and Technology (Nist) Security Checklist and the IEEE 2600 hard-copy security standard, first published in June 2008. The myriad standards can create confusion: for instance, CCC evaluation levels range from EAL1 to EAL4, with higher levels requiring greater disclosure of product information to the testing laboratory. Those devices with higher EAL levels do not necessarily provide greater security, however.
Since CCC evaluation can be costly and lengthens product development time, some vendors certify data security kits or specific features as opposed to full device functionality. Vendors such as HP, Ricoh, Sharp and Toshiba all certify their products or data security kits using CCC. Xerox, for instance, includes the entire device in its CCC evaluation, rather than just an optional security kit, while, in addition to CCC, HP printers have a multifunction peripherals security checklist that is also approved and published by Nist.
Useful printing features
Because there is no single industry standard to certify against, and since some vendors may certify features of devices as opposed to the entire solution, businesses should take further action. They should look at third-party certification in combination with the built-in and optional security features that manufacturers offer and then enable the features which are most appropriate to their required level of security. The security features they should consider include:
Although steps can be taken to secure printed output through enabling these features, businesses should not overlook the sensitive data that is often created, printed and copied by authorised users. A document security plan should also consider protecting the documents at point of creation through data classification.
Many tools—such as those from CA, McAfee and Symantec—can limit the exposure of documents by authorised users by blocking the printing of content. Securing the print environment may seem daunting, and for some enterprises with a diverse printer fleet, the best option may be to use a managed print service provider that can assess the existing print environment and recommend a consolidated strategy where devices can be centrally managed and controlled.
Those businesses that integrate the print environment into their overall security strategy are best positioned to control and protect their intellectual property and confidential information, inside and outside their organisation.
Read Quocirca's report Think Print, Think Security for further details.
Published by: IT Analysis Communications Ltd.