MFP's: Security Leak?

I want to pass this along.

A security article around MFPs.

Nothing new really, security is an issue with every network connected device.

MFP's have always had issues (small) with possible security breaches. These potential leaks can usually be addressed with "check in a box"configuration, closing the open channels.

But, just like everything else around the print fleet, these issues have been overlooked. A printer or copier or MFP just isn't as sexxxy as a Blade, or Citrix, or VMWare, is it?

Enjoy...

MFP security--or how the IT guy is becoming the security guy
Wednesday, 11 February 2009 12:15 Vince Jannelli, Sharp Information and Imaging Company of America

NetworkingI recently read an interesting article in the Wall Street Journal (October 16, 2008, “New Data Privacy Laws Set for Firms”) that outlines new state-by-state regulations for data security. The article contains a great quote that I think sums up the major concerns for IT managers right now, but it doesn’t come from IBM or Cisco or even Sharp. It comes from the network manager for the Northeast-based pizza chain, Papa Ginos, who says, “Anybody in IT has to become the security guy.” I truly believe this quote illustrates how IT managers in companies of all sizes are quickly realizing the importance of data security and are learning more about what steps need to be taken to ensure that the network, and ultimately the company, are safeguarded against data theft.

Technology makes an ever-increasing contribution to profitability in today’s highly competitive business landscape. However, the same technology that enables high productivity in the workplace can easily be compromised if not sufficiently secured. The consequences of inadequate protection could be financial loss, identity theft, risk to intellectual property, or even the ruination of an upstanding business due to identity theft.

Organizations spend significant capital to protect digital assets from threats, yet frequently overlook one of the most used network devices today -- the office multi-function peripheral (MFP). As these devices become more advanced and integrated, they offer companies a myriad of new benefits. However, because they are a document’s entry and exit point on your network, they also pose a number of threats that cannot be overlooked. For a comprehensive security strategy to be effective, it is imperative for organizations to demand a greater level of protection from MFP vulnerabilities.

MFP: The Overlooked Security Risk

An MFP is a powerful asset in your office’s environment. Left unsecured however, an MFP can pose one of the greatest threats to your organization. Just consider the types of documents that are copied, printed, faxed or scanned on a daily basis -- personal information, financial statements, confidential reports, e-mails, memos, customer data and employee information. Much like a computer, this data remains on the unit’s hard drive indefinitely.

The Risks to Office Multifunction Peripherals

Internal Threats

Important information can be at risk at the internal level, from threats within your organization. At the device level, confidential information can be accidentally or even purposefully copied from stored documents on the unit’s hard drive, taken from the output tray or faxed without authorization. Any information stored on a local desktop computer or accessible through the Local Area Network ( LAN) can be printed without authorization. And since many of today’s offices MFPs are running over a network, this provides employees with another entry point to the network that could be used to bypass user restrictions and access information on other computers on the same network.

External Threats

Data is also at risk via external threats, outside the company’s realm. From across a Wide-Area Network (WAN), the Internet or a Virtual Private Network (VPN), information such as stored documents, scanned data or print data can be intercepted. In the worst case, a user from the outside can obtain confidential information, unleash a Denial of Service (DOS) attack, or even place a virus on the device via the network or a phone line. Through a FAX line, or corporate LAN, communications could be intercepted or sent without permission anywhere in the world. Data stored on the copier’s hard disk drive or in memory could also be compromised or even taken off-site and stolen if not protected.

IT mangers need to also consider what happens to office equipment once they have reached their end of life. If copiers or MFPs are being leased, there is always a chance that these units can fall in to the hands of hackers who can unlock data stored on the hard drive.

The Solution: Multi-Tiered Security

In any situation, protecting your MFP from just one threat is not adequate. A solid security suite will offer a multi-layered approach to protection -- providing better control over the users, devices, ports, protocols and applications on your MFP(s). A comprehensive approach to security will account for protection at every step in the document lifecycle, from the initial scan or print to final output and distribution.

Solutions for Internal Threats

The first step is to secure data that is stored right on the MFP that users can access locally. Manufacturers have introduced Common Criteria security solutions to offer encryption and data overwrite features for various levels of use. Ensure that your MFP meets the highest commercial level of Common Criteria Validation.

Data Security

A powerful security suite or security kit protects and controls the major MFP systems, subsystems (print, copy, scan, fax jobs, network settings, operating system, memory components, local user interface, engine and job controller) and all data before it is written to RAM or Flash memory and the disk. Be sure to enable overwriting routines for deleted data so that all information is virtually irretrievable by unauthorized users.

Access Control Security

To limit unauthorized access to each device, specify account codes, user/group profiles, passwords, or external user accounts contained in an LDAP or Active Directory server. And to mitigate the risk of interception, user credentials should be transferred using a proven combination of encryption standards, such as, Kerberos, SSL or Digest-MD5.

An MFP security suite should also enable you to customize your solution to meet your unique requirements and ensure data confidentiality and integrity. For instance, government agencies should seek out a security suite or development platform that can be customized for use with MFD or CAT card readers. Without a CAT card reader, the MFP is not compliant with HSPD-12 (homeland security presidential directive 12) and renders the network functionality of your built-in fax or copier unsafe.

Audit Trail Security

A modern MFP will provide an internal audit trail, and/or third party application software such as Equitrac Office, for comprehensive auditing of all user activity. Certain federal regulations parameters, such as 'to', 'from', 'when' and 'file name' can be logged, reviewed and archived for conformance. Be sure that your MFP is customizable so that, if audit trail software is not embedded, you can easily request or download the appropriate software.

Solutions for External Threats

Unlocking the true potential of your MFP means having it fully integrated with your network, so employees can scan to email, or browse and preview data from the server right on the MFP. Of course, adding another entry point to the network present another possible threat to a company’s data. A security suite should provide you with the proper safeguarding against external threats too, allowing you to scale up as needed, but adequately safeguarding the network infrastructure and MFP installed base, without affecting network traffic or workgroup productivity.

Network Security

A multi-tiered security suite will feature an intelligent network interface that can limit access to specific computers on a network by IP or MAC address, and selectively enable or disable any protocol or service port on each device. All communications to and from the MFP will utilize Secure Socket Layer ( SSL) for secure transmission over the network, and most devices also support SMB, IPv6*, IPSec* and SNMPv3.

Fax Security

Often times attackers can gain access to the internal systems of the MFP or the local network via fax lines. The MFP should provide a logical separation between the fax telephone line and LAN.

Platform Virus Security

Be sure that the MFP operating platform is secure. A proprietary platform is ideal, since it won’t be susceptible to viruses designed to attack more popular operating systems available on personal computers.

Taking the time to talk to your dealer about these features is vital. The time spent will be minimal but the cost savings, both tangible and intangible, will be enormous. Regardless, do not settle for a cookie-cutter, one-size-fits-all security package. Threats to private information and data will always be present and are always evolving. Make sure you are ahead of the game when it comes to security and that your MFP security suite is evolving fast enough to stay ahead of these threats.

Vince Jannelli is the associate director, Applications and Partners, for Sharp Information and Imaging Company of America.

Here is original.

Click to email me.

Death Of The Copier a Year Later: When does a Blog stop being a Blog?

I had to go back and see what the official date was of my first post. I knew it was close to March, but to my surprise, it was a year ago, yesterday (Feb 20).

So I guess it is fitting that I put down some thoughts a year later.

One of the techniques I have learned to drive traffic to a site, is to use easily searchable words in the title of the post, like "copier", "HP", "Xerox", etc. - this post will not show up on many Google results and that is fine with me.

It's fine because I really write to read what I write - that's how this started, and today it's still true.

I started this little endeavor without really knowing what a "Blog" was - all I wanted to do was put some information "out there", within reach of potential clients. Information strictly around the HP Edgeline. At the time a revolutionary new technology, a "copier Killer" technology.

Well, I never really wanted to talk about what I ate for lunch or how many people came over for Thanksgiving dinner.

Back in the beginning, "driving traffic" to the site meant me telling my family and close friends about my blog and how they should "go check it out". One month, 12 of my friends viewed one page and spent an average of 30 seconds on the site. Today, I have a months with 16,000 and an average time on the site between 2.5 and 3.2 minutes.

Back then a "Blog", the combination of the two words web and log, was considered a diary created by individuals and stored on the internet.

I looked at the Drudge Report as a functional model. Scanning the internet for information regarding my industry and posting.

Pretty simple.

This idea grew into finding more information, again interesting to me, and writing some commentary or reflection. And ultimately, writing pure content based on topical issues.

As time progressed, I started to refer to the blog as "my site" - because it really isn't a blog, it's not a journal or diary. One of the many things I have learned, most successful, business blogs really aren't diaries. Neither is mine - but I must admit I do like to go back and read older posts.

Sometimes I cringe, sometimes I laugh out loud, most of the time I am just as amused as the day I wrote it.

They say any good experience is one you learn something from. This is the greatest learning experience, ever.

Over the past 12 months, together, we have been witness to the beginning of the largest merger in the history of our industry .

We've seen $5.00/gallon gasoline prices grind the economy to a stand still and have witnessed the biggest transfer of private business to government ownership in the history of mankind - this has not been a "ho-hum" year.

I have learned more about smart paper, carbon credits, publishing, killer laser toner, nano-printing, copier leases, copier crimes in Cleveland, winery tours, and recycling centers, soy based toner, Hybrid Dealers, Galactic-Hybrid Dealers, drunk email, umbrellas of silence, Pearl Harbor, and Google Data Barges.

Some of the other things I have learned involve plagiarism, "feeds" vs content, verifying sources and that writing should not be easy, if it is, then it is not writing.

I have also tried to title my posts with a bit more thought - well, I must admit, I do like "The Death of..."

The Death of Xerography
The Death of the Sale
The Death of the Copier Person
The Death of Print
The Death of Kaaaaaahhhhhhhhhhhhhhhhhhhhnnnnnnn!
The Death of Socrates
The Death of Windows 3.0
The Death of the "Close"
The Death of the Typewriter
The Death of the Copier Dealer
The Death of Edgeline

I still chuckle, and reflect, when reading "The Death of Kaaaaaaaahhhhhnnnnnn!" I am sure there will be more.

Ah...the people...

This site as introduced me to so many different people. People I would never have met without the DOTC. Great peeps - you know who you are. Collaborators, mentors, contributors, critics - peers. To you, I say thanks.

And the connections...

I have now been published in a new and highly regarded MPS Journal, I have been interviewed by dozens of pundits, industry analysts and peers. I am currently working on articles for a number of industry publications.

I attended the Lyra Symposium and will be attending the Photizo conference in April. I am part of a collection of MPS people focused on helping others make it in this field.

All of this is very flattering and a bit unbelievable. The attention is grand.

And yet, the most rewarding aspect has been receiving emails from folks who read the site everyday - who have made it part of their routine.

The regular, normal, everyday Selling Professional. The people that make EVERYTHING happen. Sometimes it's just a phrase or two and sometimes I receive a nice long letter - and to be honest I haven't received all that many. But a law of marketing says for every "one" response, there are 5.3 people who feel the same.(not sure on the actual figure)

The blog stopped being a blog, the day I received my first "good job" email, back in August of 2008 - since then, its been a odyssey.

And as this writing expedition, this journey into "self" continues to evolve, I am even more honored to have you here along with me.

Thank you, and keep coming back.

Click to email me.

Excellent Discussion over on LinkedIn - "Just What is Managed Print Services?"

2/22/2009

The topic was posted by Michael O'Leary, Director- Document Outsourcing at Info Trends.

A sampling of the responses:

"...I hope I did make this point in my explanation--print management is a services-led sales strategy. You will sell equipment but frequently that revenue stream becomes a fulfillment of the print management engagement rather than the entry point..."

- Tom Callinan

"...One of the biggest problems I find in discussing MPS, or PM or any other name that is developed, is that no one is working from the same definition..."

- Shawn Robison

"...I don’t view print management or MPS as new; they are evolving, but what doesn’t? I sold “fleet management” agreements inside of facilities management (FM) agreements for the last 10+ years (A services-led sales approach). Admittedly, we didn’t look at the cost to print at the individual asset level other than trying to move prints to copier-based products or the production center (a mistake)..."

- Tom Callinan

"... in our definition Print Management is two components: Printing Management and Printer Management.

Printer Management is also mostly known out there as MPS. It has everything to do with the device; meter reads, supplies reporting, supplies fulfillment, break-fix information, and various alerts as to what is happening on the machine..." 

- John MacInnes, President & CEO Print Audit

"...one company I recently interviewed (one of the largest managed print services installations in Europe) had a very good perspective on this. They said (and I paraphrase a bit here): "Most vendors are approaching Managed Print Services as 'wrapping' services around hardware in order to sell more hardware."

"What we want, and where the market is moving to, is for a vendor to offer me all of the services required to manage my fleet and hardcopy strategy just like I manage any other IT technology. And oh, by the way, if they provide the hardware also, that's a bonus." 

- Ed Crowley, Industry Pundit - Managed Print Services

### Update ###

This great discussion is done brewing, having been removed from the group.  It was good while it lasted.


Click to email me.



2/22/09

Do You Sell? You Are a Capitalist, and that's OK.

A long time ago, a few Americans, at great risk to themselves and family, disguised themselves as Indians, and dumped tea into the Boston Harbor - over a 4% tax hike.

Today, the California state budget(for last year) was passed. My taxes are going up - a great deal more than 4%.

One radio personality said on-air last night, "...I know how to change this, but there is an 11 day waiting period in California..."

This is not good.

Since September, regular people, business owners, and employees alike - Capitalists - have been scared. Not scared of competition from overseas, or down the block. They are not scared of losing customers or enhancing their customer experience.

The Russians, or the Taliban, or even Bin Laden don't give these people pause.

Today, millions of us are afraid of our own government.

Worse, some, as they witness failure and bad choices being rewarded - "mortgage bailouts" - are starting to fear success.

I have seen the enemy, and the enemy is us.




Click to email me.

More Green - Canon Makes Calculators Out of Old Copiers - Huh?

“Although the cost of manufacturing products using recyclable products is higher than buying new raw materials off the shelf, we believe in doing something to preserve the environment,” says Canon Marketing (M) Sdn Bhd president and chief executive officer Liew Sip Chon.


"As the first office equipment manufacturer to implement a cartridge recycling program in 1990, Canon has long been committed to reducing our environmental impact," said Hendrik Verbrugghe, Marketing Manager, Canon Middle East.

"The launch of this calculator range is a small step towards a truly sustainable manufacturing program. Through continued improvements in resource efficiency, we hope to show that it is possible for all players in the industry to achieve a balance between environmental and business interests."