Tuesday, April 3, 2012

Our organization handles a good bit of information that we are required, by Federal law, to keep confidential. I think the network is fairly secure, but I worry about the security of printed output. Is this a valid concern, and if so how should we address it?

Indeed, it's a very serious concern. The hacker community has demonstrated that it is quite possible to access information through modern printers. The current crop of high-production printers has its own disk drives, where information is stored between the time it arrives from the network and the completion of the print job. Many of them also have web-based interfaces, which allow users to access the printer console remotely. These features create a number of vulnerabilities to worry about. This is especially true if the documents in question are governed by privacy requirements from HIPAA, SSA, Sarbanes-Oxley, or other federal guidelines.

But you are not alone. The printer industry is fully aware of these concerns and the IEEE has issued a standard for printer security - IEEE P2600. This standard sets requirements for four levels of security, from the highest (level one) to the weakest (level four). Of course, the level you need depends on the nature of your work and the legal environment governing the information in question.

There are some specific issues to discuss with your vendor when shopping for a secure printer. First of all, let's think about the internal storage. For highest security, your printer should overwrite documents on the drive as soon as printing is complete, and until then should store them using an industrial-strength encryption algorithm.

You also want to be on guard against secure documents being sent to an unattended printer where an unauthorized user might pick them up. To avoid this, select a printer that requires the user to log in again at the console before the job is actually printed and sent to the tray. You might even want to require two-factor authentication to keep an interloper from snagging a private doc.

Remote access to printers also poses a risk. Researchers at Columbia University were able to modify the firmware of HP printers remotely so that the printers sent documents printed on them across the net to another destination. HP now uses digital signatures on its firmware, so unauthorized tampering of this sort is no longer possible. But similar exploits are no doubt possible.

So yes - printer security issues are real - but relying on IEEE P2600 as a guide, you should be able to select a printer that meets your requirements.

