Organisations rely on a sophisticated network of computers and peripherals to create, manage, process, share and archive information. But regardless of its form, be it physical or digital, this information is vulnerable to a whole host of technological, physical and human threats unless it is protected by a secure IT infrastructure.

Bernard Cassidy, Ricoh UK & Ireland, takes a good look at the security issues around multifunctional devices.
 
For a security conscious organisation, points of weakness in the network are no longer acceptable and they need reassurances from manufacturers that adding devices to the infrastructure will not compromise information security.

Under these circumstances security of the photocopier, which has evolved from the single function grey box sitting in the corner of the office, to the multifunctional, networked document processing hub found at the heart of more and more businesses, has become a key consideration.

The document hub

In many respects, multifunctional devices (MFDs) now have the same power as PCs. They can be used to email documents, store confidential data, and reproduce sensitive information and, whilst this brings numerous benefits, it can also raise serious questions about information security. 

What would be the impact on staff morale if, for example, details of the pay-roll were left lying around the printer, or if they were accidentally picked-up by the wrong person? How would shareholders react to news that details of new business prospects had been distributed to a competitor through the MFD scan to email function? It's certainly food for thought.

Realising the potential for the abuse and misuse of MFDs and the role which print devices could play in compromising security, IT managers are demanding more measures to mitigate the risk to which the infrastructure is exposed. Organisations must identify the specific risks associated with networked devices and act to secure their interests. As a starting point, they should ask themselves the following questions:

  • Is access to the MFD controlled by authentication?
  • Can the administrator remotely enable or disable the device's ports to control its usage?
  • Are print files encrypted?
  • Can latent digital images on the hard drive be overwritten?
  • Does the device track usage, providing a footprint of each user for monitoring purposes?

If the answer to any of these questions is no, it's time to re-evaluate security.

New modes of security

Identifying MFDs as a potential security weakness is not new. Indeed, organisations operating incredibly stringent security practices have been known to remove the hard disk from the device before installation to avoid confidential data making its way into the wrong hands. Whilst this does enable them to overcome some security concerns, the removal of the hard disk can considerably reduce the benefits of using MFD technology.

It's just one example, but it illustrates the lengths companies have gone to in the past to mitigate the perceived risks of using MFD technology. Thankfully, manufacturers have been quick to respond to such concerns and these somewhat draconian measures are used less frequently in new implementations.

Authentication, from password to smart card, copy protection and data overwrite features and, in the future, biometric access will have an increasingly significant part to play in protecting the enterprise.

So what kind of measures should organisations adopt in order to combat security threats? As with all aspects of information security, a combination of policies, staff education and technology needs to be used to maximise the effectiveness of a security strategy. 

Policies must dictate the usage of MFD technology, outlawing any inappropriate practices to protect against risks, such as the leaking of confidential data. These policies must then be backed by comprehensive staff education to ensure all employees are made aware of potential risks and the role they themselves play in maintaining information security. 

Organisations have implemented access limitation systems in their PC server environment where users are required to input a user name and password each time they log into the network. The same level of security should be maintained at all log in points on the network, including MFDs, allowing controlled access to appropriate features for individual users or departments. This restricts the flow of unauthorised copies, prints and scans on the network, helping to increase cost controls in the process.

IT managers can control who accesses confidential information by implementing simple security checks on MFDs. For example, authentication requires staff to input their log-in details and password just as they would to access their PC.

Similarly, two-factor authentication methods, such as smart cards and biometric readers, could ensure that access to a MFD is restricted and that print jobs can only be released by the authorised users. In more complex environments enterprises can also provide up to four different levels of administration and supervisor rights - managing permission for machine default settings, network default settings, access to stored files and managing local address books.

As with any form of network traffic, unprotected print jobs are vulnerable when they transfer from the desktop to the output device. Encryption of this traffic is essential in order to restrict the ability of hackers to access this data in transit. Other uses of encryption on your MFD include; data in the local address book, print job authentication and encrypted passwords when using PDF direct print functions.

Ultimately, however, greater awareness of the tasks MFDs can perform is essential in order to encourage organisations to treat them with the same priority as any other aspect of IT security. 

The rise of regulatory compliance and corporate governance means the repercussions of security breaches have never been greater and weaknesses in the infrastructure are unacceptable. After all, you wouldn't leave an unprotected server lying around by the water cooler for anyone to access, would you?

Bernard Cassidy is security product manager at Ricoh UK & Ireland.