Your multi-functional printers: A compliance and security risk?


Today’s printers and multi-functional devices can have hard drives the size of those in recent-spec laptops. As conduits for corporate information being printed, faxed, etc., they retain data subject to legal and regulatory compliance, such as the Data Protection Act and PCI-DSS.

Not only that, but printers and multi-functional devices can be a target for malicious employees and hackers, and their security has to be considered as it would be for any device with on-board storage in your environment.

In this podcast ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about security and compliance issues around data stored on printers and multi-functional devices and the key steps to make sure your data is safe on these devices.

Antony Adshead: What compliance issues arise due to data being stored on printers and multi-functional devices?

Mathieu Gorge: Printers and multi-functional devices are often forgotten in terms of compliance and security. However, it is worth remembering that the Data Protection Act states that if you host data you should protect it. You need to take what are known as appropriate security measures to protect the data within the networks on which you host the data.

So, if you think about it, a printer or multi-functional device might allow you to scan to email, scan to fax, copy information and print information; any one of those network components could fall under the act.

Similarly, if you look at PCI-DSS it states that any system or network of systems that allows you to store or process or transmit data is in scope for PCI compliance.

So, if you have a process whereby you might receive a purchase order or some sort of order form that has credit card holder data on it, and you use a multi-functional device to scan that information onto a server, that network component is actually in scope and needs to be protected according to PCI controls, which can be fairly onerous.

So, if you take it from a data protection perspective this is probably the most important area with regards to compliance for multi-functional printers.

Adshead: How can organisations ensure they are compliant with regard to data stored on printers and multi-functional devices?

Gorge: Let’s have a look at the risks for the printing and document capture environment.

First of all, there’s a physical risk in that malicious employees or visitors on your premises might be able to get physical access to the device and might be able to steal the device or, in modern multi-functional devices, you can just access the hard drive of the device if it’s not protected properly.

It’s also worth considering the fact that multi-functional devices today have hard drives with the capacity of a standard laptop of two or three years ago, so you can imagine the amount of data that’s on the device.

Then there’s the logical security around the device, i.e., how do you integrate it into the wider network, how do you protect the data in the printing environment. For example, do you decide who is going to print what, at what time, under what conditions; do they need to authenticate on the printer using two-factor authentication, maybe using a card to authenticate?

Do you manage your fleet of multi-functional devices, do you do reporting, can you [determine who printed what document at what time]?

There is also the concept of follow-me printing, where you can send a print job to a specific device in a different office, potentially even abroad, and when you arrive you authenticate at that device.

One of the key things is to understand the issues with what a hacker can do with a printer. So, you can Telnet into a printer, sniff print jobs, you can replay print jobs, you can potentially change the administrative settings, forcing people to print more copies than they intend to print, change the colour, change the words, you can hack into the admin welcome pages, you can configure the printers or multi-functional devices to act as a zombie.

So, the key thing is to make sure that you classify data and ensure you know what kind of data is on the printer or printing devices and to have a printing policy that is clearly linked to your storage policy.

Because, as I said, the hard drive can store an awful lot of information and unfortunately most hard drives on printers are not purged on a regular basis. And if you don’t do that you cannot claim to be taking appropriate security measures to protect the data and therefore you are at risk of falling out of compliance.

So, key principles of data classification, good printing policy, a storage policy and some basic security settings will help you comply with the legal and industry standards that apply to the printing environment.

This was first published in March 2014
