Printing Security – A Serious Issue Not Only In Government And Defense…
Scanned documents sent as emails, faxes received and redistributed electronically, and print data sent to a printer can all, when not encrypted, be intercepted, listened to and sent off to other networks for examination, or analyzed by a spy within an organization.
There is a definite vulnerability in almost any organization, and sometimes a bad guy will exploit it for malice, for excitement or for money.
A good way to protect your organization is to deploy encrypting switches that exchange security certificates; consequently, listening to any data going between the switches will provide nothing to a wannabe intruder.
If data is stored unencrypted on the disk of the print server, there is the possibility of malware being exposed. Typically print data cannot contain malware, and if it did, it most likely would have no consequences.
However, a bad side effect of a print server with anti-virus software installed is that it will automatically examine newly generated files, quarantine them and keep a log. Malware encased in a print job will then not be printed as the virus checker removes or quarantines it depending on the rules set up for the virus checker.
The better way of managing this particular threat is to encrypt the data to the disk, eliminating the risk of the print data being stolen from the print queue and allowing files with images that may legitimately contain the identifying characteristics of malware to be printed, as they should be. Comprehensive output management systems do that, so the encrypted malware will not present a threat, nor will sending it encrypted to a printer. No threat, no log – no IT or security management overhead, the kind of solution I prefer.
If data is really valuable in every respect, you may want to install encryption from the workstation to the switch; this will remove the need to have a special print-encrypting client at the workstation that protects all your data to and from the PC or laptop.
If you can't afford an encrypting network card or module and you are mainly concerned about the print data, a print-stream encrypting client can be the answer. There are established secure printing system vendors that have provided end-to-end encryption for a number of years, including encryption following FIPS 140-1, 2 and 3 recommendations. Generally a print server, like any other server, should be located in a physically secure perimeter of your infrastructure, secured by firewalls and other methods to harden it against outside or user network attack.
Making your network and your printing a lot more secure may not be as bad as you thought. There is software from reputable vendors that can make any print server platform a Secure Document Server that receives encrypted print jobs from a workstation client and encrypts its disk storage and the path from the server to the printer, once the user has authenticated their identity on the printer.
There are many fearmongers out there, and to the ones that talk about a device being able to get out of crypto-sync I'd like to say: I wrote the code for the first public key encryption schemes used on the early ATM machines, and re-wrote RSA and Novell compatible public key encryption from published principles and for a number of processors.
If an encrypted packet is corrupted it will be resent, as there is no such thing as the printing of a crypto-key by accident or due to system failure. The printer manufacturers that claim there is one on their printers – I would suggest not using them.
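
The resend behaviour described above can be sketched as follows. This is an added example, not code from the author or from any print vendor; it assumes an integrity tag (HMAC-SHA256) over a sequence number and the ciphertext, and the frame layout and function names are hypothetical. Random bytes stand in for the already-encrypted print data.

```python
import hashlib, hmac, os, struct

TAG_LEN = 32  # HMAC-SHA256 output size

def seal(mac_key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Sender side: frame = seq (8 bytes) || ciphertext || HMAC tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

def open_frame(mac_key: bytes, expected_seq: int, frame: bytes):
    """Receiver side: return the ciphertext if the frame verifies, else None."""
    if len(frame) < 8 + TAG_LEN:
        return None
    header, body, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
    good = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # corrupted or forged: never handed to decryption or printing
    if struct.unpack(">Q", header)[0] != expected_seq:
        return None  # replayed or out of order
    return body

def receive_job(mac_key, frames_sent, channel, max_retries=3):
    """Accept frames in order; ask for a resend when one fails verification.
    channel(seq, attempt, frame) models the network and may corrupt bytes."""
    accepted, resends = [], 0
    for seq, frame in enumerate(frames_sent):
        for attempt in range(max_retries + 1):
            body = open_frame(mac_key, seq, channel(seq, attempt, frame))
            if body is not None:
                accepted.append(body)
                break
            resends += 1
        else:
            raise RuntimeError(f"frame {seq} still invalid after {max_retries} resends")
    return b"".join(accepted), resends

def demo():
    mac_key = os.urandom(32)                     # constructed key
    chunks = [os.urandom(64) for _ in range(3)]  # constructed stand-ins for ciphertext
    frames = [seal(mac_key, i, c) for i, c in enumerate(chunks)]
    def flaky(seq, attempt, frame):              # flips one bit of frame 1 on first delivery
        if seq == 1 and attempt == 0:
            return frame[:20] + bytes([frame[20] ^ 0x01]) + frame[21:]
        return frame
    data, resends = receive_job(mac_key, frames, flaky)
    return data == b"".join(chunks), resends
```

A frame that fails verification is dropped before anything reaches the print queue, so the only visible effect of corruption is a retransmission.
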
Many systems use a Print Release device or an ID Reader Controller. However, you may want to make sure it can receive prints from a multitude of specified servers to allow security and availability in case a server goes down.
If you have a multi-vendor ecosystem with many printer makes and models, you want a print release device that can truly work with all your print devices, not just one type or make. Otherwise you may have permanent security but have locked yourself into a single vendor, which most of the time is not a good thing.
So if you are thinking of making your network more secure, I hope I was able to give you some food for thought and have cleared up some of the fear and uncertainties related to the subject.