Endpoint security: How to erase printer threat

Plug security holes left by unsecured networked printers and multifunction peripherals...

Endpoint security is a critical part of any organisation's data-loss prevention strategy, yet networked printers often present intruders with an open door, says Louella Fernandes.

Most firms understand that securing network endpoints against the risk of accidental or deliberate security breaches is important. But while most companies have antivirus software, firewalls, email and web-content security to protect against external threats, few realise that unsecured networked printers and multifunction peripherals can expose holes in their information security coverage.

Points of printer vulnerability include documents left in output trays and data left on internal hard drives. Photo: Shutterstock

The recent data breach at the City of York council, in which sensitive information was distributed after being inadvertently collected from a shared printer, highlights the security vulnerabilities inherent in the use of shared printers.

The move to shared printers is often the result of device consolidation performed under a managed print services contract, which aims to reduce the spiralling costs of an unmanaged printer estate by replacing desktop and personal printers with advanced multifunction peripherals.

Such devices often operate as sophisticated document-processing hubs: in addition to the standard functions of print, copy and fax, they can scan to email or file destinations and hold copies of documents sent for printing on local hard disk drives.

Unmonitored and unsecured multifunction peripherals

While multifunction peripherals have brought speed and convenience to the office, more often than not they are unmonitored and unsecured, allowing sensitive or confidential data to fall into the wrong hands, either intentionally or inadvertently.

Points of vulnerability include output trays where documents may be left unclaimed and the data stored on the internal hard disk drives. For instance, without the correct controls, documents can be emailed out without any trace of the sender, using the printer itself as the outgoing email address. Fortunately, there are simple ways of mitigating these risks, either using built-in security features or advanced security options, depending on the level of security needed.

The security landscape for printing is complex and characterised by a mix of manufacturer software tools and third-party products. A multifunction peripheral's built-in security features may include integrated hard disk drive overwrite capabilities that enable the automatic erasure of sensitive data from the printer's hard disk after the file has been processed.

Advanced products may offer hard disk encryption, which enables address-book data, authentication information, archived documents and so forth to be encrypted before being saved to the hard disk. For enhanced security, document data can itself be encrypted during transmission. Canon, for instance, through its uniFlow tool, can also detect the type of document being printed and determine if the user actually has the rights to print the job.

User authentication or pull printing

One of the easiest ways to eliminate the common problem of unclaimed output in printer trays is through user authentication or pull printing. Authentication can be through user ID, smartcards or biometrics and can be enabled either against the multifunction peripheral or an external authentication server such as Microsoft's Active Directory.

Pull printing enhances security by releasing documents only when users are physically at the printer. But there are other benefits. Where pull printing is shared among a pool of printers, it...