Printing and security

The PaperCut approach to information security in your print environment

A behind the scenes look at PaperCut and information security

The importance of being earnest about print security

Print security is a less obvious, but just as vital, area of security for any business.

In fact, information security is an immediate element of our product development. Some of the easiest and most beneficial security victories happen at the printer.

Your information protection begins before, during, and after your print job’s life cycle.

Therein lies the trick with security. The key is adopting the mindset of a continuous process, rather than a one-and-done approach.

Shift left: the art of security

We’ve spoken before at PaperCut about how security is like an onion. It needs to be layered, and those layers begin at the beginning, well before a final security review, which is what is meant by "shifting left" (earlier) on security.

Essentially, we engineer products with security in mind before, rather than after, any code is written. This may seem obvious, but especially when it comes to technology, security needs to be at the forefront of your mind during the inception stage.

The same way an artist selects their color palette before touching the brush to canvas, blending different shades and tones throughout the act of painting is an integral part of the artistic process . We approach security in the same way. It’s our job in modern system design to approach our product engineering like artists.

As we’re painting our picture, our aspect of palette selection—or security selection—is just one of the tools that we’re using throughout the process.

Peeling back the security layers

How is security layered like an onion, exactly?

Firstly, there are five elements of security that inform our system design process:

  1. Hardware
  2. Network
  3. Application
  4. Human
  5. Data

Hardware security: ensuring your devices and appliances are secure - locks on paper trays, key access to printing rooms, super-glue in your network cables.

Network security: protecting your infrastructure VLAN - setting up home and multi-site printing security.

Application security: encryption, firewalls, and feature protection.

Human security: administrative permissions, audit trails, reducing human error by improving knowledge and experience baseline.

Data security: PII risk (personally identifiable information); GDPR (General Data Protection Regulation) in the EU; HIPAA (Health Insurance Portability and Accountability Act) in the US.

All five of these elements fall under three key security layers:

    The physical layer: hardware

    The administrative layer: human

    The technological layer: network, application, and data

    These and other features exist due to observing the information security elements and layers as a rule for all product development.

Secure print release using your mobile with PaperCut Pocket

Small village to big community

Isn’t this shifting-left attitude standard procedure in 2020? Why isn’t security automatically baked in with all technology?

It’s due to tradition. Security, as a measure of threat, didn’t always exist to the same extent that it does today.

In smaller communities, security isn’t a primary concern because there’s a smaller chance of threat. In larger communities, the more people, the increased likelihood of threat. It’s like moving from a small house on a paddock to living in an apartment complex with a locked door. The bigger the digital village, the safer you feel with a bigger lock on the digital door.

It’s still seen today in small communities, often in the countryside. There’s still the mantra, “We don’t bother locking the front door.”

Our digital, online environment has gone from being that small village to a big community. The bigger the community, combined with the increase in the amount of potential rewards for would-be digital thieves, means more potential threats. This transition happened so quickly that a lot of us still have that small village mentality towards security, and we’re living in the past.

Future learning loop

Security incidents must be isolated as sentinel tools, a wider bit of input that allows you to react to a problem and react to something else. You don’t just solve the problem, you use it as learning to solve all classes of future problems. It’s a continuous process, not a fixed point in time. Take the time to learn from your failures. When there’s no failure, make proactive security improvements - discover issues, mitigate them, then repeat the process.

Safety isn’t something you walk in and do after the fact. It needs to be baked in from the offset. It’s a learning loop. It’s why we have incident reports and Process Hazards Analysis (PHA) or hazard and operability study (HAZOP) practices. We are in a constant state of learning from our past to avoid future threats.

When there’s a security incident, the first reaction should be to assess the bigger picture. Don’t focus on the individual scenario and become reactive. Design systems, processes, and training programs to prevent future incidents.

Now, of course, if there’s a house on fire you run to the garden hose, and also call the fire brigade. But there is also an important opportunity to learn from that blaze. “How did the fire start?” If it’s something common like an electrical fault, let’s inform the community so they don’t fall victim to the same circumstance.

Security is a system, not an individual problem. That’s not to dismiss individual accountability, that should always remain. But a collective future learning loop is essential.

Before, during, and after: a continuous cycle

It’s of paramount importance in print security for the print job to be secure during its whole lifecycle. There must be security before, during, and after the user hits, “Print.” Multiple factors must be accounted for: access to documents (secure print release), eavesdropping (access control best practices), document traceability (watermarking), and so forth.

These practices aren’t significant costs and yet they have significant returns. Best practices need to be absorbed then incrementally applied. Once that first step is made, you just continue taking steps. You start with the basics then gradually apply the advanced mechanisms.

What’s vital is viewing security as a journey, not a point in time. It’s a marathon, not a sprint.

PaperCut’s bake-in mindset and our security features address three areas of print job protection:

  1. Securing print infrastructure: protecting the job before it’s printed
  2. Securing print workflows: protecting the job during the printing process
  3. Securing printed output: protecting the job after it’s finished printing
PaperCut print security overview

That is to say, safeguarding:

  • who can print when and what
  • the printing process itself
  • the documents once they’re out free in the world

These three steps provide lifetime protection for your documents.

Back to security being like an onion again, the security features that PaperCut designs are categories as two feature-sets:

Foundational: base-level security features needed for all organizations

Advanced: additional implementations when compliance is crucial

STATUS FOUNDATIONAL ADVANCED
Before printing Authentication
Access control
Access policies
Behavior alerts
Encryption
During printing Secure Print Release
Find-Me printing
Encryption
Card authentication
Two-factor authentication
Device error handling
After printing Print log auditing
Behavior reports
Watermarking
Digital signatures
Archiving

So how do you assess which foundational and advanced security features your printing environment needs?

Attack surface area

Security is a curve. If you have five locks on a door, a sixth lock isn’t improving your security, it’s damaging the original intention. But that’s a relative equation. A bank vault might want a seventh, or eighth lock. But the storage cabinet in the office? Five locks would be counterproductive, and almost insulting. Besides, one could just cut through the side instead of bothering with however many locks you might have.

In security circles, “attack surface area” refers to how many entry points you have. The more different things there are to protect, the harder it is to keep all of them protected. For example, securing a bank vault with one way in vs a building with many doors and windows.

Print archiving, for example, can improve security, accountability, and traceability, but equally can increase the attack surface area. The equation for determining that sweet spot isn’t fixed, it evolves over time.

The secret to finding security balance is to have constant review. Continuous learning is the magic bullet for security or safety. By baking continuous learning into your security mindset, you are by definition constantly moving towards that refreshing sweet spot.

Modern safety has proven this magic formula by always building a loop inside itself.