The Necessity of Security
16 Mar, 2005
By: Bill Vendramin
imageSource
Most copiers/printers have become full-blown IT devices with network
capabilities; that is clearly not a secret. What might be eluding the attention
of dealers, however, is the security software that is becoming increasingly
necessary to protect the important information that is being stored in the
In the past, these security issues were not a major concern, especially with
analog copiers. There was little chance that the copiers or printers we sold
would pose any threat to our beloved customers. With the Internet, though, a
copier technician is potentially a threat. In fact, nearly everyone is a threat,
including employees, vendors, customers, Internet users, Web browsers, and so
on. Unfortunately, it takes only one rogue user to place an organization at
have been a lot of changes in the past 10 years. Who would have thought a
desktop computer could fit in the palm of your hand? Who would have thought you
would be able to access the Internet from nearly anywhere? These changes are
affecting the business world. The organization of today is one that relies on
digital services. These services are becoming more and more influential to the
Users are not just employees sitting at a cubicle in the corporate office. They
are attached to the network via VPNs or extranets, often on the other side of the
world. Each user poses a unique challenge to security. This includes the
security of the information passing around the office through network-capable
copiers and printers.
Today, knowledge is key, and an MFP is one of the core devices where this
knowledge can be found—whether it is in the marketing department’s printer or accounting department’s copier. Is this information valuable? You bet. It's expensive to
gather data and even more expensive to gather knowledge. Yet, in seconds, a
document can be zipped across the Internet to a competitor who could potentially
receive the knowledge at very little cost. This is why providing authorized
access for an MFP through security software is so very important.
In addition, with today’s digital systems, a user has the ability to remove a
hard drive and take all of the data with it. This data may contain medical
information, credit information, or, as outrageous as it may sound, national
defense information. Removal of the hard drive, and the information on it,
represents a physical document security issue.
Companies, however, must also assess the risks associated with remote printing.
Remote printing poses a unique challenge because a user can print a sensitive
document, such as a patient’s medical history, to a machine that is accessible
to users who should not have access to that information. Users who have access
to documents that need to be controlled should be authenticated onto the device,
thus preventing unauthorized printing of sensitive documents. Providing this
security to a customer is an added value a dealer can bring to the table.
There are manufacturers who are addressing security issues. Maybe the most
well-known in the industry for being proactive with this issue is Sharp, which
uses systems called Data Security Kits. Sharp, however, does not focus solely on
file system changes and writing over the hard drive. Instead, the company is
encrypting the data stored on the hard drive, making retrieval of the data
outside of the machine extremely difficult. This also minimizes the threat of
someone stealing information from a physical device.
The Sharp Data Security Kits extend the security suite to minimize unauthorized
access through the use of IP filters and MAC address filters. These types of
filters are commonly used by Internet service providers in a similar
fashion, protecting against unauthorized use of their networks via IP spoofing or
by potential attacks via known exploits like Smurf amplification.
Additional security can be added to an MFP using software such as AirZip’s
FileSECURE (www.airzip.com) service. This is an Internet-based software service
that allows documents to be distributed in several manners. Distribution of the
document may be time sensitive and have an expiration date, or distribution may
be based on a set of permissions such as view, print or save ability. This
service extends the security of the MFP by extending document rights beyond the
network of the MFP device. Other security programs include Adobe LiveCycle (www.adobe.com/products/server/adobedesigner/main.html)
and DigiMarc (www.digimarc.com).
The Legislative Changes
What if, as a grocery store chain, we could purchase an entire list of credit
information for all consumers in the U.S. and combine that information with our
database of purchases at our grocery stores nationwide? In essence, this
hypothetical grocery store could, based on credit information, adjust prices on
individual items to increase the total gross margin of the total basket of goods
purchased – with the knowledge these wealthier individuals won't price shop as
aggressively. The store can easily do this by offering instant coupons.
This scenario poses a unique security issue: one of privacy. Should credit
information be distributed to anyone who seeks to purchase it? What about
privacy? Due to the rapid changes in the marketplace relating to security, the
legislature has reviewed these problems and has legislated what it feels are
solutions. The focus recently has been on the Sarbanes-Oxley (SOX) Act, the
Health Insurance Portability and Accountability Act (HIPAA) and the
Gramm-Leach-Bliley Act. Each of these originates from potential security issues
caused by our advancement in technology.
Many opportunities may arise to sell security due to the impact of legislation
on an organization. Medical facilities are aware of HIPAA, which was introduced
to protect the confidentiality of consumer health information. Under the HIPAA
privacy rule, providers must guard against misuse of health information as well
as limit the sharing of this information. For these customers, it is important
to demonstrate how easy it would be to intercept a print job or make a copy of
someone else's information from a non-secured machine. Follow-up can then be
made with a secured machine to show how a PIN or security code is needed
to obtain the document.
Sarbanes-Oxley is similar to HIPAA; however, Sarbanes-Oxley will apply to larger
organizations. Typically, the CIO would be involved with SOX concerns. Many
publicly traded companies are already hiring large auditing and consulting firms
to audit their IT resources.
With SOX, the IT department will be reviewing physical document security as well
as any potential virtual issues, such as intrusion detection and virus
protection. Individuals in the IT world will appreciate the ability to block
access to the machine as far as configuration and operation are concerned. IT
personnel live in the world of IP addresses, active directories, and ports. They
would appreciate a demonstration on how the unit can restrict access to authorized
users only and, in particular, access to specific
ports. IT staff needs to be trained to assist sales personnel with these
The Overall Strategy
Document security is still an awareness issue. Customers are still under the
perception that the modern-day copier is just like the analog machine of days past. They need to
be informed of the potential pitfalls as well as benefits from document
Selling security solutions, however, is a complex venture. It would be
convenient if every scenario could be bundled into a nice, short online seminar.
Unfortunately, security expertise is not something you can place into a single
set of instructions. The very nature of security is a cat-and-mouse game. Like
most things in life, understanding document security is a time-consuming task.
However, it is clearly a hot topic that will reward those with the foresight to
offer their expertise in the form of a premium value-added service.
Bill Vendramin is the IT Director for Kramer
Leonard, Inc., an office products dealer based in Indiana. He has been in the
Internet service arena for over 10 years, including service as the vice
president for a regional ISP where he handled network operations. He can be