Anytime someone mentions ‘cloud’, the word ‘security’ is not far behind it - and with good reason. No-one wants to become part of the next ‘leak’ mentioned in the press, and everyone is skeptical of things getting stored ‘up in the cloud’.
PaperCut has a long history with print security and application security, ensuring our current print management products are watertight against hackers, students, pen testers, accidents, and everything in between.
We’ve carried this security experience and knowledge into our cloud offerings and augmented them, treating them as seriously as a double-espresso. Our ethos has been to build the cloud and on-prem components of the solution with a default starting point of ‘zero-trust’ - to satisfy the most skeptical of cloud-avoiders.
Let’s get this out of the way right away. If you’re not using the Cloud Node in your Edge Mesh, then your print jobs never go up to the cloud. It’s that simple!
If you’re not using the Cloud Node, when you print a document, the job travels from the PaperCut Printer to one or more of the Edge Nodes on your local network. The Edge Nodes co-ordinate the job movements with the cloud, but importantly, they only ever transmit the metadata for the print job to the cloud - for example, the number of pages, who printed it, and the document name. The printed document itself is never uploaded to the cloud.
If you are using the Cloud Node in PaperCut Pocket or Hive - then the print job may actually travel up to the cloud (outside of your local network). However, the document is encrypted from the start. PaperCut Pocket and Hive use secure HTTPS protocols with strong encryption (similar to what you use when you’re doing online banking) for all communications between the Edge Mesh and the cloud.
How do you know if you’re using the Cloud Node? Hop over to Manage > Edge Mesh, and see if Include in Mesh is switched on for the Cloud Node. In short, the Cloud Node is just like one of your regular Edge Nodes, but instead of being on one of your users’ machines on your network, it’s using PaperCut’s cloud infrastructure.
To learn details about how the Edge Node works, take a read through the Edge Mesh and Edge Nodes.
In short, whether you’re using the Cloud Node or not, you can rest easy that no-one can snoop on your documents (or any of your document’s metadata) traveling around your network or up to the cloud - it’s all encrypted. If you want extra extra peace of mind, disabling the Cloud Node will mean that your actual printed documents are never sent to the cloud, and will always remain on your local network devices.
PaperCut has designed PaperCut Pocket and Hive with ‘Zero Trust’ in mind. We don’t want to leave things to chance, so there isn’t a concept of ‘authenticate once’ - we check the validity of the user, and their client, and any Edge Nodes, every time they communicate.
Print jobs waiting to be printed (sitting on an Edge Node for example) are securely encrypted. That means if someone steals an entire Edge Node (a bit like making off with the whole ATM by ripping it out of the wall), they still can’t get to the contents of the documents.
We use 3-part encryption, made up from the 3 keys needed to decrypt the document:
- User key
- Organization key
- Random key
So for example if the Edge Node is no longer part of the organization, or if the user is no longer part of the organization, the Edge Node can no longer decrypt the document.
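As an added illustration (not PaperCut's code; the page does not say how the three keys are combined), the example below binds a stored job to all three keys, so that withdrawing any one of them leaves the job undecryptable. The HKDF-based combination, the `print-job-v1` label, and the HMAC counter-mode cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import secrets

# Illustrative construction only: how PaperCut combines the keys is not documented on this page.

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def job_keys(user_key: bytes, org_key: bytes, random_key: bytes) -> tuple:
    """Derive (encryption key, MAC key); every one of the three inputs changes the result."""
    # Length-prefix each part so the concatenation is unambiguous.
    ikm = b"".join(len(k).to_bytes(2, "big") + k for k in (user_key, org_key))
    okm = hkdf(ikm, salt=random_key, info=b"print-job-v1", length=64)
    return okm[:32], okm[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib-only stand-in for a real cipher: HMAC-SHA256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt_job(document: bytes, user_key: bytes, org_key: bytes, random_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag for a job held on an Edge Node."""
    enc_key, mac_key = job_keys(user_key, org_key, random_key)
    nonce = secrets.token_bytes(16)
    body = nonce + _keystream_xor(enc_key, nonce, document)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decrypt_job(blob: bytes, user_key: bytes, org_key: bytes, random_key: bytes) -> bytes:
    """Verify the tag first; a wrong or missing key fails here, before any decryption."""
    enc_key, mac_key = job_keys(user_key, org_key, random_key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: one or more keys are wrong or missing")
    return _keystream_xor(enc_key, body[:16], body[16:])
```

A stolen Edge Node in this model holds only the blob; without the user and organization keys the tag check fails and the contents stay sealed.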
You wouldn’t see a jeweler waltzing around Oxford Circus or the Diamond District with a suitcase full of gems - you are more likely to see armored trucks carrying their sparkling cargo safely to stores.
We’re equally paranoid about secure and reliable transport of your data, so we use HTTPS when transferring your print documents or your metadata around the network and between your local network and the cloud.
When it comes time to send the document to the least-secure phase of its life - the printed page* - we use the secure printing protocol, IPPS (assuming the printer in question supports IPPS).
* Did you know that PaperCut Pocket and Hive can even secure the printed page to a certain extent? Check out the Watermarking and Digital Signatures features for more information.
Phishing emails have become an art form - scammers are getting astonishingly crafty at trying to get you to believe that they’re your bank and they really really need your password right now.
In the same way that you eye them with suspicion, we’ve built in digital signatures (a printer fingerprint of sorts) to thwart printer impersonation. If someone pretends they’re a printer on the network and pretends that it’s definitely safe to send them your document to print, PaperCut Pocket or Hive will be on to it and block the job.
Sadly, with encryption getting stronger, security protocols getting more robust, and system designs getting more fortress-like every day, the weakest link in security can often land up being the humans. Here’s where PaperCut Pocket and Hive can strengthen that link:
- Users - the good news is that by using Pocket or Hive, you’re already thinking about print security, and you already have a head start. Features like Secure Print Release can help stop sensitive documents from being printed on unattended MFPs. Watermarking and Digital Signature usage can also encourage responsible document ownership, and help people track down leaked documents.
- Administrators - we’ve made it easy (and hopefully fun!) for IT departments to configure Pocket and Hive securely - even giving the organization a ‘Security Score’ so that SysAdmins can see how they’re doing. While SysAdmins have access to see the document names, print times, and printer names of documents being printed, and might have access to see a print job thumbnail of the first page of the job - they will not be able to see the actual content of the print job or make changes to the print job. They also cannot redirect a job to print out at their chosen location. A print job is secure, encrypted, and only available to be released by the user who printed the job.
- PaperCut Support - at PaperCut we have always treated security as a top priority, whether it’s 2FA login protection for all our staff, or ensuring strict access controls around our source code. When it comes to our cloud products, the same applies - only the staff who need to access the support tools to support our products actually have the extended access - and when that access is needed, it’s logged so that we can audit who’s done what and when. Don’t be shy - meet the team!
Does my actual print job data get uploaded to the cloud?
If you have the Cloud Node disabled (under Manage > Edge Mesh) then your actual print documents (print document data) are never uploaded to the cloud. Your print job will always remain on your local network. The only information that gets uploaded to the cloud is job metadata (like page count, page size info, job owner information, and optionally a thumbnail image of the first page of the document). The only other information that travels between your network and the cloud is process instructions (Edge Nodes reporting that they’re online or the cloud instructing an Edge Node to print a job etc).
If you have the Cloud Node enabled (under Manage > Edge Mesh) then not only will job metadata and process instructions travel to the cloud, but the actual print document data (the contents of the print job) will be uploaded to the cloud too. This can happen not only if a user is printing off-network (when the job gets uploaded to the Cloud Node right at the start) but can also happen if a user on your network is printing, and all the local-network Edge Nodes are offline (which will still only happen if you have the Cloud Node enabled!).
If you have extremely strict data laws, or if you’re at all worried - keep the Cloud Node disabled (it’s disabled by default).
What data exactly gets uploaded to the cloud?
Job metadata (like page counts, color information, owner information, page size information etc) and Edge Node / Client instructions (Edge Nodes reporting they are online or the PaperCut Printer client asking which Edge Nodes to use etc).
To be more precise, here’s a full list of data uploaded to the cloud:
- document name
- owner (email address)
- date/time of print
- page size
- file size
- file format
- number of pages (total and number of color vs grayscale)
- number of copies
- color mode (black and white vs color)
- duplex mode (duplex vs one-sided)
- thumbnail of the first page (unless you have Print Job Thumbnails set to ‘Disabled’)
- host name (of originating client)
- IP address (of originating client)
- operating system (of originating client)
In addition to the above, if you’re using the Cloud Node:
- full document contents get uploaded to the cloud