Printer makers mum on new security standard
New security guidelines that govern the features and use of devices such as printers, copiers and multifunction systems are available, but details about hardware compliant to these standards are scant.
The IEEE 2600, said to be the first set of standards for "secure installation, configuration, or usage" of hardcopy devices, are targeted at both manufacturers and users of the systems. The standards require for instance, features such as access control and audit record to be present in the devices.
The IEEE 2600 main standards were approved in 2008, but additional standards for four associated security profiles are only starting to be released (see insert).
The IEEE 2600 gives rise to four additional standards based on four clearly-defined security or protection profiles. According to IEEE, a profile is used as part of the certification process, which is based on the Common Criteria for Information Technology Security Evaluation or ISO/IEC 15408, an international standard for computer security.
The protection profiles are classified as:
IEEE P2600.1--Standard for a Protection Profile in Operational Environment A, for devices that require a relatively high level of document security, operational accountability and information assurance. Information in such environments may include trade secrets and that are subject to legal and regulatory considerations. The standard was released in a document dated Jun. 12, 2009.
IEEE P2600.2--Standard for a Protection Profile in Operational Environment B, for devices in commercial environments that need moderate document and network security, and security assurance. According to minutes of a meeting dated Apr. 29, 2009, the standard will be available later in the year.
IEEE P2600.3--Standard for a Protection Profile in Operational Environment C, for devices in a public-facing environment in which document security is not guaranteed, but access control and usage accounting are important. Such environments include public libraries and Internet cafes.
IEEE P2600.4--Standard for a Protection Profile in Operational Environment D, for devices that require basic network security to prevent misuse from outside of the environment. Such environments include small offices and home offices.
Hardcopy device makers ZDNet Asia contacted were unable to indicate whether their current products meet the IEEE 2600 standard, or when products compliant with the new standard will be available.
In an e-mail, a Singapore-based Epson spokesperson said the company was unable to reveal the status of Epson equipment compliant to the standard "due to restrictions on product development information". He added that Epson has modular security tools such as EpsonNet Authentication Print, which can be used on existing Epson laser printers to allow only holders of contactless cards access to printouts.
Users can enjoy cost savings by "progressively upgrading their existing devices" to tap these options when necessary, the spokesperson noted. "[These modular tools] may already meet the IEEE 2600 standard--even the stringent IEEE P2600.1 standard--but are merely yet to be certified."
Canon Singapore issued a similar e-mail response: "While we are making progress towards achieving compliance with the various requirements of the new standard, we are not able to provide any details regarding such matters as the launch schedule or regions for compliant products, or for cost issues related to the standard."
Hewlett-Packard did not respond in time for the article.
A document from Sharp, dated December 2008, claimed that its multifunctional devices comply, if not exceed, the IEEE 2600-2008 standards.
More attention on securing hardcopy devices
Printer and multifunction device (MFP) security has become more important over the last few years, according to a recent document from Gartner.
Vishal Tripathi, principal research analyst for print markets and management at Gartner, told ZDNet Asia in an e-mail interview that there exist a number of potential security threats to such devices.
"Often there are documents that are left on printers, copiers and MFPs...there is a probability of confidential information being copied from an MFP or printer's hard disc drive," he said. "As MFPs are connected to a network, this also provides an entry point to hackers.
"In a worst case scenario, a user from the outside can obtain confidential information, [or launch a] DoS (denial-of-service) or DdoS (distributed denial-of-service) attack, which will make computer resource unavailable to its intended users or even place a virus on the device."
The key to protecting printers and MFPs, said Tripath, lies in how well a vendor or user secures four elements: the physical interfaces, local interfaces, network interfaces and the telephone line.
There are various features and technology available to make such systems more secure, he added. For instance, manufacturers have introduced "Common Criteria security solutions" to offer encryption and data overwrite features for various levels of use. There are also means to secure confidential information, such as counterfeit-proof security paper, secure copy, hard-disk erase and "pull printing", which requires a password to be entered to release a print job from a server.
Gerry Chng, advisory partner at Ernst & Young, noted that most organizations in the Asia-Pacific region already have security measures in place for handling hardcopy information. The economic downturn has also heightened the need to protect confidential data, he pointed out.
"In view of the recent economic challenges where staff turnover and attrition may be higher than before, more than ever, companies are wary of the risk of leakage of sensitive information and are actively looking to mitigate such risks."
Hardcopy system security, he added, should not be addressed in isolation. "Hardcopy systems need to be considered as part of the overall organizational data protection strategy and addressed holistically with other possible data channels.
"Organizations need to understand clearly their legitimate business needs and the associated risks, before deciding on the data protection measures required to mitigate the risk to an acceptable level," he pointed out. "Without understanding the business needs and a plan to address the risk of data leakage holistically, organizations run the risk of preventing business operations from functioning while driving insecure information handling practices underground."
Ho Wah Lee, head of IT advisory at KPMG in Singapore, pointed out in a phone interview that at the end of the day, standards are recommended but not compulsory. It is subject to the interpretation of vendors and users, and the actual implementation of such devices.
It's not like [there] is a standard or guideline and therefore we're safe--it depends on a number of [factors]," he added.