Today, just about anyone
can access and disseminate information easily using a multi-function device.
While scan to email, scan to fax and scan to desktop have become everyday
ad-hoc scanning procedures, security at the point of capture is a potential
vulnerability. It is more important than ever for organizations to prevent the loss
or leak of sensitive data.
sensitive information or sharing secure information between personnel,
a truly unified solution
can measurably reduce risk, demonstrate compliance and protect customers, brand and intellectual property, all while
adhering to the security and the transparency requirements of an organization.
A unified solution can
also provide information security and risk mitigation with capabilities such as
user authentication, restricted network access, document encryption, business
process audit trails, outbound fax number validation, fax filtering, secure
mobile printing, PDF password lock and PDF/A support, and it should complement
existing data loss prevention (DLP) software investments.
Compliance Is Everywhere
There are more than 20,000
compliance requirements worldwide. Even if an organization isn't directly
affected by compliance, it's highly likely that suppliers and partners are
impacted by varying regulations and may pass down a request for compliance from
According to Enterprise
Strategy Group, there are currently 10,000 regulations impacting data management
in the US alone. Corporate scandals, the 9/11 terrorist attacks and banking
crises have driven the need to protect employees, investors, shareholders and
taxpayers with increased security of their assets. Privacy and transparency are
center point "hot" topics as a result of the global explosion of the Internet
as well as increased regulations imposed upon corporations by the government
At a global level, we are
seeing the introduction of many new federal, state and industry-specific
regulations seeking to
control the way data is managed. The impact of non-compliance with these
regulations can result in
significant monetary penalties to the company or — at a more personal level —
fines and jail sentences
imposed on the CEOs, CIOs and CFOs who ultimately carry responsibility for the
actions of employees
related to corporate governance and non-compliance with regulatory requirements.
Data Loss Prevention
Data loss prevention (DLP) is a computer security term
referring to systems that identify, monitor and protect data in use (e.g.,
endpoint actions), data in motion (e.g., network actions) and data at rest
If you have an environment
where multiple multi-function devices (MFDs) are deployed and there are
multiple users managing documents "owned" by multiple departments, there exists
a significant opportunity for data loss and, thus, a critical focus on DLP
systems and complementary software to ensure a safe environment.
When it comes to managing
security for a fleet of MFDs (either one brand or several), CIOs and other IT
executives need to answer tough questions when it comes to protecting data.
For example, in the data
categories mentioned above:
Data in Use (Operational Security) is data that is not in an at-rest state. Users print,
copy, move and otherwise manipulate data to which they have access.
- Is the appropriate user scanning
to applicable destinations?
- Is the user entering data
incorrectly (i.e., incorrect fax numbers)?
Data at Rest
includes but is not limited to archived
data, data which is not accessed or changed frequently, files
stored on hard drives, USB thumb drives, files stored on backup
disks and also files
stored off-site or on a storage area network (SAN).
Key questions are:
- How do you prevent users from gaining access to this
data or contributing to workflows and scan destinations that do not have appropriate
- Is there data or settings information resident on
the MFD that can compromise the network such as user email address, local
network shares locations, SMTP gateways or service accounts?
Data in Motion, also known as data in transit, is literally information that's
moving between two nodes on a network.
An email, for example, is classified as data in motion between the time
it's sent and the time the recipient receives it. This applies to actions other
than email, as long as digital bits are being copied around via a network.
Key questions are:
- Is SMTP or SMB transfer (which are
defaults on MFDs) secure?
- Is the transfer from the MFD
Point of Capture Data Loss Prevention Capabilities
DLP combined with complementary software properly deployed can easily
handle security throughout your fleet of MFDs.
Here are some key areas that should be covered to ensure full security:
Since a copier or scanner
is typically a shared device, security dictates that only authorized users can
access your network applications and resources. This is done through password
or smart card-based authentication using your existing network security
infrastructure (Common Access Cards, Windows, Active Directory, Novell NDS,
etc.), eliminating the need for extra passwords. After log on, the credentials
will be validated and user information is populated. The username will be shown
and a personalized scan menu will appear, giving greater control and security.
Authentication should be
seamlessly integrated with the document workflow to ensure optimal auditing
and security of the documents being captured and routed to various destinations,
such as email, folders, SharePoint, fax, ECM systems, etc.
A secure DLP solution
should restrict access to network resources using a multi-function device,
limiting the ability of
anyone gaining access to the device to browse the network or perform activities
that cannot be traced back to an individual. User-level and password
authentication can be enabled for all scanning functions available to that
Look for a server-based
solution as opposed to device-based authentication, which requires extensive
from IT. Server-based authentication
can be managed centrally, lowering total cost of ownership and allowing
clustering, failover and other system redundancy techniques.
Also seek out a solution
that supports swipe cards on all systems using third-party solutions.
Exposure of Sensitive Network Information Settings
Many organizations are
purchasing add-on features to MFDs to encrypt hard drives and other
data/documents that pass through the MFD. However, the MFD often stores
critical settings information on the device such as SMTP gateways, user email
addresses, SMB shares and service accounts. Take care to choose a
solution that stores only an IP address on the device. This will make certain that critical
internal IT systems are masked from possible intruders.
Privacy and Document Encryption
Physical access control,
data security and data encryption practices are very important areas in the
MFD capture market. Communications between MFDs and your DLP server and
destinations can be encrypted to ensure your digitized paper documents are only
visible to those with proper authorization.
Look for an encryption
component that provides ECB, RC2 and RC4 encryption algorithms as
well as synchronous
encryptions for faster rate of encryption to secure data-routing to the final
Look for solutions that
have the ability to secure the document at the point of capture. It should allow you to set a password when
scanning confidential information to PDF and, thus, protect the PDF file from
unauthorized access. Upon creation, the
document should be encrypted using the author's password, which will make it
impossible to open any document created with these settings without the keyword.
This is a significant asset for HR, Accounting and other departments which
manage sensitive or personally identifiable information.
Organizations produce vast
and rapidly growing volumes of electronic records that because of their
historical value need to be managed, preserved and made accessible for future
generations. PDF/A is an ISO standard
(ISO 19005) file format that has also been certified by the United States
National Archives and Records Administration (NARA) for long-term archival of
electronic documents. Robust distributed capture software will allow
organizations to scan documents directly into text-searchable PDF/A formats and
automatically populate the metadata properties important for archival: Title, Author, Subject, Date and Keywords
(such as records retention schedule).
Another key aspect of MFD
security software is activity logging, which enables a user to capture tracking
information about each scanned or faxed document and monitor usage of the
scanning device. When tracking is enabled, the user is prompted to enter one or
more customizable fields, like account number, department or patient ID,
before the file is sent. Having a full
audit trail of scans and faxes provides an organization with the tools to take
pro-active, pre-emptive measures to ensure
the proper performance and
security of all processes.
Fax Number Validation
Faxing poses serious
potential security issues and risks to every company where it is used. The
number of organizations that have been exposed by a breach of confidential or
personally identifiable information by just "sending a fax to the wrong
number" is massive. Look for a solution that mitigates the risk of
mistyped fax destinations by retrieving pre-authorized numbers from a secure
Intercepting documents to
prevent confidential data loss is another critical aspect of your security
software. Look for a solution that can
pro-actively filter outbound fax communication.
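The fax number validation and audit trail capabilities described above can be sketched together as follows. This is an added example, not code from the article or from any vendor product; the directory contents, function names and default country code are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample directory of pre-authorized fax destinations (E.164).
# Assumption: a real deployment would read this from a protected directory.
AUTHORIZED_FAX = {
    "+12025550143": "Claims Processing",
    "+12025550178": "Records Office",
}
DEFAULT_COUNTRY_CODE = "1"  # assumption: North American numbering plan


def normalize_fax_number(raw):
    """Reduce panel input to E.164 form, or return None if malformed."""
    digits = re.sub(r"[\s().\-]", "", raw)
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("011"):  # NANP international dialing prefix
        digits = digits[3:]
    elif len(digits) == 10:  # national number without country code
        digits = DEFAULT_COUNTRY_CODE + digits
    if not (digits.isascii() and digits.isdigit() and 8 <= len(digits) <= 15):
        return None
    return "+" + digits


def validate_fax_job(user, raw_number, audit_log):
    """Allow a fax only to a pre-authorized number; log every decision."""
    number = normalize_fax_number(raw_number)
    if number is None:
        decision, reason = "deny", "malformed number"
    elif number not in AUTHORIZED_FAX:
        decision, reason = "deny", "not in pre-authorized directory"
    else:
        decision, reason = "allow", AUTHORIZED_FAX[number]
    # Denied attempts are recorded too, so mistyped numbers show up in review.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "entered": raw_number,
        "normalized": number,
        "decision": decision,
        "reason": reason,
    })
    return decision == "allow"
```

Normalizing before the lookup means that differently formatted entries of the same authorized number are accepted, while a single transposed digit is rejected and leaves an audit record.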
employees, it's also important to think about security for mobile
printing. There are several simple, easy
and secure options that should be integrated into your security platform. A good system will allow users to print
documents from any Internet-enabled laptop, iPad or smartphone with no drivers,
no software to install. It should be
just as easy as sending an email to the appropriate networked printer or
multi-function device's email address, where it can automatically print the
attachment on your designated printer.
While there are many reasons that an organization might want to be
in the limelight, it's definitely not because of a security breach. Organizations — public and private — which
are managing from one to many MFDs must consider them a key information management
component of their infrastructure and secure them accordingly.
MIKE MORPER is the vice president of marketing at Notable Solutions, Inc. For more information, visit www.nsiautostore.com.