Security at the MFD using embedded software

With the abundance of multifunction devices (MFDs) and printers distributed throughout an organization, one of the key risks to a business is when users leave their print jobs on the MFD. This also creates the potential for confidential information to become exposed.

Since today’s MFDs already have a great touch screens and freely available computing power, PaperCut uses them! That means adding software right onto your MFD to improve your security is easier than you think.

We’ve got a touchscreen, let’s use it

Today’s printers and MFDs are powerful. They are in effect a mini-computer with a touchscreen and an operating system, and have the ability to run apps. This power can be used to bring real security and convenience to printing and scanning. You get the best of both — a security win and a usability win.

PaperCut MF and PaperCut Hive include, as standard, embedded software apps that run directly on the MFD’s touch-screen on all leading brands. We’re continually updating and releasing this embedded software to ensure a higher level of security to protect both the user and the organization’s documents.

PaperCut MF's embedded experiance — PaperCut MF’s embedded experience

There are three ways embedded software brings security to your MFDs:

	Item	Description
1.	Authenticate users before they can use the device	All users must authenticate at the MFD before they are given access to print, scan, copy, or fax. Authentication is usually performed by the user with card scan/swipe, username or password, or access code login. User authentication is a core underpinning for Secure Print Release.
2.	Gain visibility and tracking of user behaviors at the MFD	The authentication process also ensures you can track off-the-glass device usage such as copying and scanning. All usage across all devices is logged and audited into one central admin view.
3.	Provide a consistent secure printing experience irrespective of printer manufacturer	Good security needs to be easy... otherwise people work around the system! (Have you ever seen a door propped open to work around the lock?) Our embedded apps are all developed in-house. This ensures that the touch screens on all the different MFDs are kept consistent, meaning users only have to learn one system. We focus on ease-of-use as a core design principle.

How to make your MFDs secure

We’ve listed the key features that should be implemented to level-up your MFD security. We recommend the foundational set as the baseline for all organizations.

Foundational (the must-have features)

Feature	Description	Product
Basic Authentication	Secure user authentication is a must-have foundation for many security features. Users can authenticate at an MFD using many methods. The most popular foundation option is to select either RFID card tap (for example, using door access cards), or username and password (for example, utilizing AD, LDAP, and many others).	PaperCut MF PaperCut Hive
Tracking	PaperCut's core purpose is to track all device activity. It keeps detailed audit logs for all devices and users printing, copying, and scanning activity. Standard or custom reports show user behavior, device printing, and more.	PaperCut MF PaperCut Hive
Secure print release	PaperCut's secure print release — or "tap and release" feature — provides a way to securely place jobs in a holding state until the user authenticates and releases the jobs at the printer. This is a must-have feature for any organization that prints personal identifying information.	PaperCut MF PaperCut Hive
Centralized management	Duplicating a configuring across all devices is tedious and prone to errors. Errors lead to security holes! You get the picture :-) . With PaperCut MF, all MFD embedded software is managed from one location.	PaperCut MF PaperCut Hive

Advanced (level-up)

Feature	Description	Product
Advanced authentication	Swipe card authentication can be both secure and convenient (for example, like door access cards). Secure options include popular technologies such as Mifare, HID, Indala, and smart cards. Two factor authentication (2FA) can also be enabled for even more security. This usually takes the form of a card (something you have) and a PIN (something you know). Many larger organizations also link a user's card number to the existing door security system databases to make management and provisioning 100% automatic and secure. Biometrics readers are also an option although less popular because of the reader costs.	PaperCut MF PaperCut Hive
Secured scan actions	Users can securely scan and send documents using the one-click "tap and scan" feature without additional authentication (after the initial card login). Scan sources can include: their own email address their own network home folder a cloud storage folder or provider (for example, Dropbox, SharePoint, Box.Net, OneDrive, G Suite) a network folder destination (PaperCut MF only). Scans may, optionally, be OCR'ed (made text searchable) and are securely delivered over encrypted connections. All scanning activity is tracked and audited.	PaperCut MF PaperCut Hive
Secure protocols and device setup	Security-focused organizations are encouraged to also implement secure protocols. Options are detailed in this security white paper.	PaperCut MF PaperCut Hive

Securely deliver scans straight to your email using one-click tap and scan

Education

Many universities have printers and scanners accessible to the public, especially in libraries. These are a fantastic resource for the community, but can be ripe for abuse by students and public if not properly secured. The dean of technical college was getting tired of scanned buttocks arriving in his inbox almost every day from the sender ‘Lib_MFD_2b’, a printer on the library’s second floor.

By deploying PaperCut’s embedded app to the campus devices, his IT department was able to control all device functions, including print, scan, and copy, and track whose student ID card or registered guest PIN was used to perform every action.

They were also able to use the new device user authentication to start restricting students across campus to only print within their own faculty buildings, keeping computer science students off the engineering plotters and graphic design students from using up the history department’s color toner.

Healthcare

Doctors and nurses are already overworked and overstressed, and hospital administrators face the same struggles in a fast-paced environment with scarce resources.

Having print security management done through a single central console, no matter how many different brands of printers and MFDs the hospital uses, saves time and effort. Having a consistent user experience across all those different device brands means one less distraction to the medical staff who are already busy making life and death decisions.

And with full audit logs for all user and print job activity in the same central console, hospital IT staff can spend less time securing printing, and more time supporting the systems and technology that help save lives.

Small Business

A scenic tours bus company invested in one MFD for the office, so they could retire three small desktop printers that were frustrating everyone. As a small business without full time IT staff, the owner really appreciated that setting up the single PaperCut app on the device didn’t need hours of billable time from their service provider. Now all the office staff and drivers can quickly and easily use secure print release on the new MFD.

Large Enterprise

Global business means complexity, as well as opportunity. A multinational logistics group with operations in twelve countries was running a mixed fleet of MFDs from five different manufacturers. Using PaperCut’s embedded software on all five platforms, they were able to provide a consistent authentication and security experience for printing and scanning across every device, no matter where in the world their staff travelled.

This significantly reduced their IT support load, and made sure all their global operations kept up the same high standard of security. The global IT team also loved the ability to centrally configure device security policies once, and push them out to every platform in every country. Centralized user management was just as easy, especially when access across regions needed to be quickly removed when a dishonest employee was terminated.

One of the other motiviation for global consistency in the MFD experience was the group’s push to adopt cloud technologies as a way of bringing their scattered operations together. Making it easy for authenticated users to scan directly into Sharepoint Online from any of their international offices really helped boost adoption of the new cloud platform.

Features in more detail

The following content explains a number of the features referenced in the examples above.

Secure Print Release

Prints are initiated at a user’s workstation, laptop, or mobile device, but are produced at the shared printer. Anything on a printer output tray is fair game, so confidential or sensitive data is especially vulnerable in the time from when the print comes out to the time it is picked up. Which is why the fastest people in the office are those on the way to the printer.

Secure Print Release is all about holding your print job securely until you get a chance to release it and pick it up. Your job doesn’t print until you’re at the printer so you can be assured that no-one else will see it. With PaperCut’s Secure Print Release at the MFD, users must walk to an MFD, securely authenticate themselves, and then release their jobs using the touchscreen.

Centralized management (any device any model)

With PaperCut Print Management solutions, we’ve designed most features so that users get a uniform experience no matter which MFD they happen to walk up to. They see the same authentication options, get the same access rights, and use the same friendly UI no matter the device make or model. That’s a huge bonus for the user and it’s much simpler to manage, too.

User authentication

PaperCut’s Secure Print Release, tracking, and control all rely on knowing who the user is standing at the MFD touch screen. We support multiple ways to authenticate the user, and you can choose whichever works best with your organization’s systems.

Username and Password (securely validated by your AD or LDAP directory service)
ID number (less secure, but can be paired with a PIN)
Door access card or biometric reader. In fact, any device that can identify the user with a unique number. Common reader types include HID, MIFARE, INDALA, and CAC.

If one form of authentication is not enough for your organization, no problem! PaperCut supports 2FA (Two Factor Authentication) with provision for a PIN to be entered as well as the card or ID.

PaperCut MF user authentication screen — Enabling different authentication methods is easy - if someone forgets their ID badge, they can login using their ID and pin instead

Copy / Fax / Scan / Print Tracking

As the saying goes — “if you can’t see it, you can’t manage it”. PaperCut works hard to give you complete visibility into what is going on with all your print devices. As well as printing, all user activity at the MFD is tracked, including copying, faxes, and scans.

The result is a rich set of reports and insights. Need to know your top 10 busiest devices? No problem. Or the copy volume last month by department? No problem. Or the users who print the most color pages? You guessed it — no problem.

PaperCut MF print reports — PaperCut MF reporting

Securing scanning actions

PaperCut MF’s one-click scan actions at the MFD are not only convenient for users, they make an important contribution to security and data loss protection (DLP).

Scan actions help users by pre-defining scan destinations. This gives the user a one-click experience and also prevents the user from mistakenly delivering the document to the wrong place. You don’t want the possibility of a mis-typed email at the MFD causing your document to leave the organization by mistake.

This principle also applies to delivery to cloud storage (for example, Google Drive, Dropbox, OneDrive, Sharepoint etc.). It’s easy to lose visibility of documents in the cloud, so it’s important that the process is simple and secure. Our scan actions save documents in the same location each time, so they don’t get misplaced, and our design ensures that cloud authentication keys are not kept at the MFD to positively prevent anyone accessing cloud folders belonging to another user.

PaperCut MF scan actions embedded at the MFD

Secure protocols and device setup (security white papers)

An important security principle is that protection should be provided by multiple independent layers. So as well as being protected at the feature-level as described above, security should be built in at all layers of the application.

PaperCut leverages and builds on the security of the operating system and layers on top secure transport, encryption, and best practices. Organizations can improve their security according to need — as often the tightest security does come at a cost. For example, older devices might not support the latest TLS encryption protocols.

To dive deeper, we recommend reading our Security White Paper for a whole bunch of practical tips on how to secure your print system.

PaperCut security white-paper — Grab a coffee and settle in to read through a vault of network environment and print security recommendations in the security white-paper

Want to know more…?

We’ve got plenty of information about secure printing that you might be interested in:

Check out the Comprehensive guide to end-to-end print security KB; it’s full of details.
You’ll find hard core security details in the Security White Paper.
Find out more about user authentication for Mobility Print.
Authentication methods are covered in the NG/MF Help Center.