Print security is a less obvious, but just as vital, area of security for any business.
In fact, information security is an immediate element of our product development. Some of the easiest and most beneficial security victories happen at the printer.
Your information protection begins before, during, and after your print job’s life cycle.
Therein lies the trick with security. The key is adopting the mindset of a continuous process, rather than a one-and-done approach.
Shift left: the art of security
We’ve spoken before at PaperCut about how security is like an onion. It needs to be layered, and those layers begin at the beginning, well before a final security review, which is what is meant by "shifting left" (earlier) on security.
Essentially, we engineer products with security in mind before, rather than after, any code is written. This may seem obvious, but especially when it comes to technology, security needs to be at the forefront of your mind during the inception stage.
The same way an artist selects their color palette before touching the brush to canvas, blending different shades and tones throughout the act of painting is an integral part of the artistic process . We approach security in the same way. It’s our job in modern system design to approach our product engineering like artists.
As we’re painting our picture, our aspect of palette selection—or security selection—is just one of the tools that we’re using throughout the process.
How is security layered like an onion, exactly?
Firstly, there are five elements of security that inform our system design process:
Hardware security: ensuring your devices and appliances are secure - locks on paper trays, key access to printing rooms, super-glue in your network cables.
Network security: protecting your infrastructure VLAN - setting up home and multi-site printing security.
Application security: encryption, firewalls, and feature protection.
Human security: administrative permissions, audit trails, reducing human error by improving knowledge and experience baseline.
Data security: PII risk (personally identifiable information); GDPR (General Data Protection Regulation) in the EU; HIPAA (Health Insurance Portability and Accountability Act) in the US.
All five of these elements fall under three key security layers:
The physical layer: hardware
The administrative layer: human
The technological layer: network, application, and data
These and other features exist due to observing the information security elements and layers as a rule for all product development.
Isn’t this shifting-left attitude standard procedure in 2020? Why isn’t security automatically baked in with all technology?
It’s due to tradition. Security, as a measure of threat, didn’t always exist to the same extent that it does today.
In smaller communities, security isn’t a primary concern because there’s a smaller chance of threat. In larger communities, the more people, the increased likelihood of threat. It’s like moving from a small house on a paddock to living in an apartment complex with a locked door. The bigger the digital village, the safer you feel with a bigger lock on the digital door.
It’s still seen today in small communities, often in the countryside. There’s still the mantra, “We don’t bother locking the front door.”
Our digital, online environment has gone from being that small village to a big community. The bigger the community, combined with the increase in the amount of potential rewards for would-be digital thieves, means more potential threats. This transition happened so quickly that a lot of us still have that small village mentality towards security, and we’re living in the past.
Security incidents must be isolated as sentinel tools, a wider bit of input that allows you to react to a problem and react to something else. You don’t just solve the problem, you use it as learning to solve all classes of future problems. It’s a continuous process, not a fixed point in time. Take the time to learn from your failures. When there’s no failure, make proactive security improvements - discover issues, mitigate them, then repeat the process.
Safety isn’t something you walk in and do after the fact. It needs to be baked in from the offset. It’s a learning loop. It’s why we have incident reports and Process Hazards Analysis (PHA) or hazard and operability study (HAZOP) practices. We are in a constant state of learning from our past to avoid future threats.
When there’s a security incident, the first reaction should be to assess the bigger picture. Don’t focus on the individual scenario and become reactive. Design systems, processes, and training programs to prevent future incidents.
Now, of course, if there’s a house on fire you run to the garden hose, and also call the fire brigade. But there is also an important opportunity to learn from that blaze. “How did the fire start?” If it’s something common like an electrical fault, let’s inform the community so they don’t fall victim to the same circumstance.
Security is a system, not an individual problem. That’s not to dismiss individual accountability, that should always remain. But a collective future learning loop is essential.
It’s of paramount importance in print security for the print job to be secure during its whole lifecycle. There must be security before, during, and after the user hits, “Print.” Multiple factors must be accounted for: access to documents (secure print release), eavesdropping (access control best practices), document traceability (watermarking), and so forth.
These practices aren’t significant costs and yet they have significant returns. Best practices need to be absorbed then incrementally applied. Once that first step is made, you just continue taking steps. You start with the basics then gradually apply the advanced mechanisms.
What’s vital is viewing security as a journey, not a point in time. It’s a marathon, not a sprint.
PaperCut’s bake-in mindset and our security features address three areas of print job protection:
- Securing print infrastructure: protecting the job before it’s printed
- Securing print workflows: protecting the job during the printing process
- Securing printed output: protecting the job after it’s finished printing
That is to say, safeguarding:
- who can print when and what
- the printing process itself
- the documents once they’re out free in the world
These three steps provide lifetime protection for your documents.
Back to security being like an onion again, the security features that PaperCut designs are categories as two feature-sets:
Foundational: base-level security features needed for all organizations
Advanced: additional implementations when compliance is crucial
|During printing||Secure Print Release |
Device error handling
|After printing||Print log auditing |
So how do you assess which foundational and advanced security features your printing environment needs?
Security is a curve. If you have five locks on a door, a sixth lock isn’t improving your security, it’s damaging the original intention. But that’s a relative equation. A bank vault might want a seventh, or eighth lock. But the storage cabinet in the office? Five locks would be counterproductive, and almost insulting. Besides, one could just cut through the side instead of bothering with however many locks you might have.
In security circles, “attack surface area” refers to how many entry points you have. The more different things there are to protect, the harder it is to keep all of them protected. For example, securing a bank vault with one way in vs a building with many doors and windows.
Print archiving, for example, can improve security, accountability, and traceability, but equally can increase the attack surface area. The equation for determining that sweet spot isn’t fixed, it evolves over time.
The secret to finding security balance is to have constant review. Continuous learning is the magic bullet for security or safety. By baking continuous learning into your security mindset, you are by definition constantly moving towards that refreshing sweet spot.
Modern safety has proven this magic formula by always building a loop inside itself.
Once you’ve recalibrated your security mindset, what comes next is actionable, practical steps. To assess your printing environment’s security, we recommend working your way down this simple checklist:
- How sensitive is your print job’s information?
- Implement the basics
- Ensure visibility
Firstly, if the information in your print job is of crucial importance, the level of that confidentiality and demand for compliance is your key motivation for designing your security system.
Secondly, don’t fall into the trap of trying to protect the least likely threats (especially things that sound high impact, but low chance.) Be mindful of "Security theatre"(products that market on security, but provide minimal actual benefits or only address very unlikely threats) and “movie plot threats” (e.g. products advertising on addressing very unlikely, but very scary sounding threats). For print management, begin simply with a mechanism to stop jobs being left at the printer.
Thirdly, and this step comes immediately after implementing the basics (and is an extension of it), ensure your system has visibility. You need to be able to monitor everything that goes in and out of your system. This visibility is vital for your in-built learning loop and will help you accelerate your rate of continual learning and development.
Grade your print job information’s importance, start with the basics, and ensure visibility to accelerate your learning loop.
We have extensive resources on secure printing, which we recommend you read to understand our information security practices in full detail.