Security at the MFD using embedded software
With the abundance of multifunction devices (MFDs) and printers distributed throughout an organization, one of the key risks to a business is when users leave their print jobs on the MFD. This also creates the potential for confidential information to become exposed.
Since today’s MFDs already have great touch screens and freely available computing power, PaperCut uses them! That means adding software right onto your MFD to improve your security is easier than you think.
Today’s printers and MFDs are powerful. They are in effect a mini-computer with a touchscreen and an operating system, and have the ability to run apps. This power can be used to bring real security and convenience to printing and scanning. You get the best of both — a security win and a usability win.
PaperCut MF includes, as standard, embedded software apps that run directly on the MFD’s touch-screen on all leading brands. We’re continually releasing this embedded software to ensure a higher level of security to protect both the user and the organization’s documents.
There are three ways embedded software brings security to your MFDs:
|1.||Authenticate users before they can use the device||All users must authenticate at the MFD before they are given access to print, scan, copy, or fax. Authentication is usually performed by the user with card scan/swipe, username or password, or access code login. User authentication is a core underpinning for Secure Print Release.|
|2.||Gain visibility and tracking of user behaviors at the MFD||The authentication process also ensures you can track off-the-glass device usage such as copying and scanning. All usage across all devices is logged and audited into one central admin view.|
|3.||Provide a consistent secure printing experience irrespective of printer manufacturer||Good security needs to be easy… otherwise people work around the system! (Have you ever seen a door propped open to work around the lock?) Our embedded apps are all developed in-house. This ensures that the touch screens on all the different MFDs are kept consistent, meaning users only have to learn one system. We focus on ease-of-use as a core design principle.|
We’ve listed the key features that should be implemented to level-up your MFD security. We recommend the foundational set as the baseline for all organizations.
Foundational (the must-have features)
|Basic Authentication||Secure user authentication is a must-have foundation for many security features. Users can authenticate at an MFD using many methods. The most popular foundation option is to select either RFID card tap (for example, using door access cards), or username and password (for example, utilizing AD, LDAP, and many others).||PaperCut MF|
|Tracking||PaperCut’s core purpose is to track all device activity. It keeps detailed audit logs of printing, copying, and scanning activity for all devices and users. Standard or custom reports show user behavior, device printing, and more.||PaperCut MF|
|Secure print release||PaperCut’s secure print release — or “tap and release” feature — provides a way to securely place jobs in a holding state until the user authenticates and releases the jobs at the printer. This is a must-have feature for any organization that prints personal identifying information.||PaperCut MF|
|Centralized management||Duplicating a configuration across all devices is tedious and prone to errors. Errors lead to security holes! You get the picture :-) . With PaperCut MF, all MFD embedded software is managed from one location.||PaperCut MF|
|Advanced authentication||Swipe card authentication can be both secure and convenient (for example, like door access cards). Secure options include popular technologies such as Mifare, HID, Indala, and smart cards. Two factor authentication (2FA) can also be enabled for even more security. This usually takes the form of a card (something you have) and a PIN (something you know). Many larger organizations also link a user’s card number to the existing door security system databases to make management and provisioning 100% automatic and secure. Biometrics readers are also an option although less popular because of the reader costs.||PaperCut MF|
|Secured scan actions||Users can securely scan and send documents using the one-click “tap and scan” feature without additional authentication (after the initial card login). Scan sources can include:
|Secure protocols and device setup||Security-focused organizations are encouraged to also implement secure protocols. Options are detailed in this security white paper.||PaperCut MF|
Many universities have printers and scanners accessible to the public, especially in libraries. These are a fantastic resource for the community, but can be ripe for abuse by students and the public if not properly secured. The dean of a technical college was getting tired of scanned buttocks arriving in his inbox almost every day from the sender ‘Lib_MFD_2b’, a printer on the library’s second floor.
By deploying PaperCut’s embedded app to the campus devices, his IT department was able to control all device functions, including print, scan, and copy, and track whose student ID card or registered guest PIN was used to perform every action.
They were also able to use the new device user authentication to start restricting students across campus to only print within their own faculty buildings, keeping computer science students off the engineering plotters and graphic design students from using up the history department’s color toner.
Doctors and nurses are already overworked and overstressed, and hospital administrators face the same struggles in a fast-paced environment with scarce resources.
Having print security management done through a single central console, no matter how many different brands of printers and MFDs the hospital uses, saves time and effort. Having a consistent user experience across all those different device brands means one less distraction to the medical staff who are already busy making life and death decisions.
And with full audit logs for all user and print job activity in the same central console, hospital IT staff can spend less time securing printing, and more time supporting the systems and technology that help save lives.
Global business means complexity, as well as opportunity. A multinational logistics group with operations in twelve countries was running a mixed fleet of MFDs from five different manufacturers. Using PaperCut’s embedded software on all five platforms, they were able to provide a consistent authentication and security experience for printing and scanning across every device, no matter where in the world their staff travelled.
This significantly reduced their IT support load, and made sure all their global operations kept up the same high standard of security. The global IT team also loved the ability to centrally configure device security policies once, and push them out to every platform in every country. Centralized user management was just as easy, especially when access across regions needed to be quickly removed when a dishonest employee was terminated.
One of the other motivations for global consistency in the MFD experience was the group’s push to adopt cloud technologies as a way of bringing their scattered operations together. Making it easy for authenticated users to scan directly into SharePoint Online from any of their international offices really helped boost adoption of the new cloud platform.
The following content explains a number of the features referenced in the examples above.
Prints are initiated at a user’s workstation, laptop, or mobile device, but are produced at the shared printer. Anything on a printer output tray is fair game, so confidential or sensitive data is especially vulnerable in the time from when the print comes out to the time it is picked up. Which is why the fastest people in the office are those on the way to the printer.
Secure Print Release is all about holding your print job securely until you get a chance to release it and pick it up. Your job doesn’t print until you’re at the printer so you can be assured that no-one else will see it. With PaperCut’s Secure Print Release at the MFD, users must walk to an MFD, securely authenticate themselves, and then release their jobs using the touchscreen.
With PaperCut Print Management solutions, we’ve designed most features so that users get a uniform experience no matter which MFD they happen to walk up to. They see the same authentication options, get the same access rights, and use the same friendly UI no matter the device make or model. That’s a huge bonus for the user and it’s much simpler to manage, too.
PaperCut’s Secure Print Release, tracking, and control all rely on knowing who the user standing at the MFD touch screen is. We support multiple ways to authenticate the user, and you can choose whichever works best with your organization’s systems.
- Username and Password (securely validated by your AD or LDAP directory service)
- ID number (less secure, but can be paired with a PIN)
- Door access card or biometric reader. In fact, any device that can identify the user with a unique number. Common reader types include HID, MIFARE, INDALA, and CAC.
If one form of authentication is not enough for your organization, no problem! PaperCut supports 2FA (Two Factor Authentication) with provision for a PIN to be entered as well as the card or ID.
As the saying goes — “if you can’t see it, you can’t manage it”. PaperCut works hard to give you complete visibility into what is going on with all your print devices. As well as printing, all user activity at the MFD is tracked, including copying, faxes, and scans.
The result is a rich set of reports and insights. Need to know your top 10 busiest devices? No problem. Or the copy volume last month by department? No problem. Or the users who print the most color pages? You guessed it — no problem.
PaperCut’s one-click scan actions at the MFD are not only convenient for users, they make an important contribution to security and data loss protection (DLP).
Scan actions help users by pre-defining scan destinations. This gives the user a one-click experience and also prevents the user from mistakenly delivering the document to the wrong place. You don’t want the possibility of a mis-typed email at the MFD causing your document to leave the organization by mistake.
This principle also applies to delivery to cloud storage (for example, Google Drive, Dropbox, OneDrive, SharePoint, etc.). It’s easy to lose visibility of documents in the cloud, so it’s important that the process is simple and secure. Our scan actions save documents in the same location each time, so they don’t get misplaced, and our design ensures that cloud authentication keys are not kept at the MFD, which prevents anyone from accessing cloud folders belonging to another user.
An important security principle is that protection should be provided by multiple independent layers. So as well as being protected at the feature-level as described above, security should be built in at all layers of the application.
PaperCut leverages and builds on the security of the operating system, and layers secure transport, encryption, and best practices on top. Organizations can improve their security according to need — the tightest security often does come at a cost. For example, older devices might not support the latest TLS encryption protocols.
To dive deeper, we recommend reading our Security White Paper for a whole bunch of practical tips on how to secure your print system.
We’ve got plenty of information about secure printing that you might be interested in:
This blog post on the importance of end-to-end security for print management is a good intro.
Check out the Comprehensive guide to end-to-end print security KB; it’s full of details.
You’ll find hard core security details in the Security White Paper.
Find out more about user authentication for Mobility Print.
Authentication methods are covered in the NG/MF Help Center.