(This piece by Eric Vanderburg originally appeared on The Security Thinking Cap. @evanderburg)
For decades, the printer has been the intermediary between the digital and physical worlds. Through it, our creations become tangible and yet; this intermediary has become so pervasive and such a mainstay of our technological world that it was assumed somewhat unchallengeable. However, while the basic functions of printing, scanning, copying and faxing have stayed the same, the modern printer is a far different creature from the monoliths of the past or even the printers of last year.
Today’s printers exchange data with users not only on the local network but also across the cloud and through apps. They are accessible from the browser to the tablet, and they perform complex tasks to empower end users. Scanned documents can be stored or archived to a variety of destinations including the cloud. Workflows that originate with the printer, such as data entry or data manipulation, are automated and performed by the printer, eliminating the need for multiple data flows between devices and simplifying the overall process. The printer truly embodies the concept of a smart device.
These smart printers have become high-value targets for attackers looking for an inside device to compromise. They have many connections to services and applications and can function as a conduit for data exfiltration. They are equipped with much more processing power, memory, and networking capabilities, which can be used by attackers to scan networks for weaknesses and to launch attacks. As such, printer security is an essential part of cybersecurity. It must not and cannot be ignored!
The challenge for consumers and companies, therefore, is to find a printer that can both perform modern functions and withstand modern attacks. I had the pleasure of speaking with engineers and developers at Xerox to discuss how security is implemented in their ConnectKey ecosystem, a framework that is implemented across both their VersaLink and AltaLink platforms.
The VersaLink and AltaLink products offer app-centric interfaces, and the devices are accessible via smartphones and tablets. Customers and channel partners can download applications from the app gallery. Core security controls are there including user authentication, role based access control, logging and audit trails. ConnectKey encrypts data at rest using AES-256 and grants administrators considerable latitude in establishing policies for how to control access to data and how data can be stored and transmitted to the device and to the systems integrated with ConnectKey.
One aspect I had been particularly interested in was whether ConnectKey could protect against rooting the device. Since many users will have physical access to the device, it is imperative for ConnectKey to prevent unwanted firmware and software from running on it. ConnectKey only runs software and firmware that is digitally signed and encrypted, and it performs a verification of its firmware each time it starts up. The AltaLink printer also utilizes McAfee’s whitelisting technology to protect against unauthorized code and malware.
Overall, the impression I got was that Xerox takes security seriously. We live in a data-centric world. Data is the lifeblood of our companies and must be secured. The devices that interact with, store, and retrieve data must offer reliable security comparable with that of other enterprise computing systems. Consider whether the print devices on your network are providing the security needed to protect against today’s threats.
This article was written thanks to the insight and support of Xerox, a technology leader that innovates the way the world communicates, connects and works. As always, the thoughts and opinions expressed here are my own and do not necessarily represent Xerox’s positions or strategies.
