Transcript Security Presentation - Xerox Office Products

Xerox and Information Security
Keeping your data safe and secure so you can focus on what matters most: your business.
Overview
Is security on your mind?
Are you worried about your
data on devices?
At Xerox, we help protect your
data at every potential point of
vulnerability so you don’t have to.
Are you worried about the
security of your data transferred
over the network?
We know that by staying focused on
what we do best, you can stay
focused on what you do best.
Are you worried about
MFPs being the weak link on
your network?
2
Xerox Security Goals
We’ve identified five key goals in our quest to provide secure solutions to
every one of our customers:
3
Confidentiality
Integrity
Availability
Accountability
Non-Repudiation
• No unauthorized
disclosure of data
during processing,
transmission or
storage
• No unauthorized
alteration of data
• System works
properly
• System performs as
intended, free from
unauthorized
manipulation
• No denial of service
for authorized users
• Actions of an entity
can be traced directly
to that entity
• Mutual assurance that
the authenticity and
integrity of network
communications are
maintained
• Protection against
unauthorized use of
the system
Security Vulnerabilities: Industry Risks and Costs
Businesses of all sizes have
sensitive information that is
valuable to cybercriminals and
that must be protected. However,
the threat landscape is changing
constantly. Cybercriminals
continue to focus their attention
on small- and mid-sized
businesses (SMBs), because
they are easier targets than
large, multinational corporations.
The average total cost of a data
breach for the participating
companies increased 23% over two
years to $3.79 million.*
The average cost paid for each lost
or stolen record containing sensitive
and confidential information
increased from $145 in 2014 to $154
in 2015.*
* 2015 Cost of Data Breach Study: Global Analysis, IBM and Ponemon Institute, May 2015.
4
Security Vulnerabilities: Industry Risks and Costs
Who’s at risk?
5
Security Vulnerabilities: Industry Risks and Costs
Healthcare
Financial Services
The need to share important medical data and patient
information electronically makes security a major concern.
• Health Insurance Portability and Accountability Act of
1996 (HIPAA)
• Health Information Technology for Economic and
Clinical Health (HITECH) Act
Direct deposit, online banking, debit cards and other
advances in information technology are revolutionizing the
financial services industry. Though more convenient for
both customers and businesses, this heavy use of
technology has its own set of security concerns.
Government
Strict regulations are in place to ensure the information
being shared is safe and secure.
6
Education
Transcript requests, financial aid applications and even
class notes can all be found online. Because some schools
have their own medical centers, they also have to store
and share medical information electronically. This
interactive environment enhances the student experience
and improves staff productivity, but it also makes schools
susceptible to security threats.
The Xerox® Security Model
Strategy
• State-of-the-Art Security Features
Xerox offers the broadest range of security
functionality on the market, including:
– Encryption
– Authentication
– Authorization Per User
– Auditing
• Certification
– ISO 15408 Common Criteria for Information
Technology Security Evaluation
7
The Xerox® Security Model (continued)
• Maintenance
– Ensuring that software updates are issued
on an ongoing basis
– Notification of new security bulletins
with RSS feeds
– Responding to identified vulnerabilities
– Providing secure installation and
operation guidelines
– Providing Common Criteria information
– Making patches available at
www.xerox.com/security
8
Unrivaled Security for Total Peace of Mind
Devices Visible to IT
Data on the Network
Secure data transmission with IPsec,
HTTPS,SNMPv3, sFTP and encrypted email.
Device Access
Prevent general access to restricted devices with user
access and internal firewall on printer.
Data Protection
Keep personal and confidential information safe with
encrypted hard disk (AES 256-bit, FIPS 140-2 validated) and
image overwrite.
Auditing and Tracking
Track access and attempted access to the device, including
comprehensive audit logs and confirmation reports.
Malware Protection
Protect your data and device from malicious intrusions with
McAfee whitelisting technology.
Compliance
Xerox® MFPs meet key government and
industry security standards, e.g., Common
Criteria and HIPAA.
Risk Management
Proactive, ongoing vulnerability assessment
keeps a close eye on emerging threats and
the latest risks.
0101 0
Policy Management with Cisco®
1
Complete visibility into network and policy
0
management includes user identification,
1
provisioning and audit logs.
0
0101 1
0
1
0
1 0101010101010101010101010101010101010101
0
0101 1
0
1
0
1
0101 0
9
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping the Device and Data Protected
Device Access
• Network Authentication
Role Based Assess Control (RBAC)
Non-logged-in User/
Logged-in User
System
Administrator
• Microsoft® Active Directory® Services
Print User Permissions
• LDAP Authentication
• SMTP Authentication
• POP3 Authentication Before SMTP
• Role Based Access Control (RBAC)
• Print User Permissions
10
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Accounting
Administrator
Keeping the Device and Data Protected (continued)
• Smart Card Authentication
Smart Card Authentication
• Xerox® PrintSafe Software
• Device User Interface and
Remote User Interface Access
11
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping the Device and Data Protected (continued)
Xerox® PrintSafe Software
12
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping the Device and Data Protected (continued)
Document Protection
Secure Print
• Scan Data Encryption
• Print Stream Encryption
• Secure Print
• Encrypted PDF/Password-Protected PDF
• Fax Forwarding to Email and Network
• Fax Destination Confirmation
• Digital Signatures
• Secure Watermarks
• User/Time/Date Stamp
13
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping the Device and Data Protected (continued)
Data Security
Image Data Encryption
• Image Data Encryption
• Image Overwrite
• Volatile and Non-Volatile Memory
• Secure Fax
• S/MIME for Scan to Email
Image Overwrite
• Scan to Email Encryption
• Job Log Conceal
• Hard Drive Retention Offering
• PostScript Passwords
14
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping the Device and Data Protected (continued)
Audit Tracking
Audit Log
The Audit Log interface is accessed from a System
Administrator’s workstation using any standard Web browser.
15
The log can then be exported into a .txt file,
and then opened in Microsoft® Excel®.
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping the Device and Data Protected (continued)
Malware Protection
• Embedded McAfee® Embedded
Control powered by Intel®
Security
• McAfee ePolicy Orchestrator®
(ePO™)
Alerts
Normal usage
• Known users
• Approved
software
• McAfee Integrity Control
Known files
and software
Attacks
• Unknown users
• Malicious acts
• Polymorphic
zero-day attacks
Whitelisting technology allows only
approved software to run
Unknown files
and software
16
• Email
• Xerox®
Management
Tools
• McAfee ePO
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping Data on the Network Protected
Network Security
IP Address Filtering
• IP Address Filtering
• Secure Sockets Layer/Transport
Layer Security (TLS)
• IPsec Encryption
• Network Ports Enable/Disable
• Digital Certificates
• SNMPv3
• SNMP Community Name Strings
• 802.1X Authentication
• Firewall
• Fax and Network Separation
17
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping Data on the Network Protected (continued)
802.1X Authentication
How It Works
802.1X authentication for wireless LANs provides centralized, server-based
authentication of end users.
1
A client sends a “start”
message to an access
point, which requests
the identity of the client.
18
2
The client replies with
a response packet
containing an identity,
and the access point
forwards the packet to
an authentication
server.
3
The authentication
server sends an
“accept” packet to the
access point.
4
The access point places
the client port in
authorized state, and
traffic is allowed to
proceed.
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Keeping Data on the Network Protected (continued)
Policy Management
Policy Management with Cisco TrustSec®
• Protects your printing assets by enforcing
security policies centrally at the network level
• Ensures only authorized role-based access to
the printers
• Detection of unauthorized printers on
network—only allows approved MFPs and
printers to be deployed
• Anti-spoofing capabilities by profiling devices
19
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Risk Assessment and Mitigation
Proactive Security for Emergent Threats
• Keep a close eye on the latest risks
• Issue security bulletins
• Distribute RSS feeds
• Provide you with a wealth of information
Xerox® Security Bulletins and Patch Deployment
Visit www.xerox.com/security for timely information
updates and important resources.
20
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
Regulatory and Policy Compliance
• Payment Card Industry (PCI) Data
Security Standards Version 3.0
• Dodd-Frank Wall Street Reform and
Consumer Protection Act
• Sarbanes-Oxley
• ISO-15408 Common Criteria for
Information Technology Security
Evaluation
• Basel II Framework
• The Health Insurance Portability and
Accountability Act (HIPAA)
• E-Privacy Directive (2002/58/EC)
• ISO-27001 Information Security
Management System Standards
• Gramm-Leach-Bliley Act
• Control Objectives for Information and
Related Technology
• Family Educational Rights and
Privacy Act
• Statement on Auditing Standards No. 70
• The Health Information Technology for
Economic and Clinical Health Act
21
• NIST 800-53, adopted by Federal
Government and DOD in 2014
Common Criteria Evaluation
Independent, objective validation of the reliability, quality and trustworthiness of IT products
Achieving Common Criteria Certification
• Rigorous process
• Product testing by a third-party laboratory that has been accredited by the National
Voluntary Laboratory Accreditation Program (NVLAP)
Visit www.xerox.com/information-security/common-criteria-certified/
to see which Xerox® MFPs have achieved Common Criteria Certification.
22
Manufacturing and Supplier Security Practices
Electronic Industry Citizenship
Coalition (EICC) Code of Conduct
Demonstrates stringent oversight of their
manufacturing processes.
On-Site Audits
Ensures integrity of the process all the way
down to the component level.
23
Manufacturing and Supplier Security Practices
U.S. Customs Agency Trade
Partnership Against Terrorism
• Within North America, all trailers moving
between the factory, product distribution
centers and Carrier Logistics Centers
are sealed at the point of origin.
• All trucks have GPS locators installed
and are continuously monitored.
U.S. Customs Trade Partnership Against Terrorism
24
Hard Drive Retention Offering for Xerox® Products
Xerox provides a Hard Drive Retention Offering to allow customers
in the United States, for a fee, to retain the hard drive on leased
Xerox® products. This service may be required for customers with
very sensitive data, perhaps classified, or with internal policies or
regulatory standards that mandate specific disposition processes
for hard drives.
25
Hard Drive Retention Offering for Xerox® Products
(continued)
Upon request for this service offering, a Xerox service technician will
travel to the customer location, remove the hard drive and provide it
‘as is’ to a customer representative. At this time, Xerox does not
provide hard drive sanitization, cleansing or destruction services onsite
at customer locations. Customers will need to make arrangements for
final disposition of the physical hard drive received from the technician.
To determine if your Xerox® product contains a hard drive or review security
features available to secure data on hard drives, please visit
www.xerox.com/harddrive.
26
Summary
Xerox® MFPs lead the industry.
Xerox continues to engineer and
design all of its products to ensure the
highest possible level of security at all
potential points of vulnerability.
For more information about the many
security advantages offered by Xerox, visit
our security website,
www.xerox.com/security.
27
At Xerox, we work hard at keeping
your data safe and secure so you
can focus on what matters most:
your business.
Security Checklist
• IP/MAC Address Filtering
• Secure Fax
• User Permissions
• IPsec Encryption
• Port Blocking
• IPv6
• Scan to Mailbox Password
Protection
• “Full System” Common Criteria
Certification
• 802.1X Authentication
• Secure Print
• Scan to Email Encryption
• Hard Drive Retention Offering
• Print Restrictions
• Audit Log
• Integration with Standard
Network Management Tools
• Security Updates Via RSS
Feeds
• Role Based Access Control
• Embedded McAfee® Protection
Powered by Intel® Security
• Digital Signatures
• Smart Card Authentication
• McAfee® Integrity Control
• 256-bit AES Hard Disk
Encryption
• Common Access
Card/Personal Identity
Verification
• Cisco TrustSec® Integration
• Encrypted PDF/PasswordProtected PDF
• Image Overwrite
28
• McAfee® ePolicy Orchestrator®
Integration
Not all security features are available on all Xerox® products. To find the security information for your product, visit www.xerox.com/security.
©2016 Xerox Corporation. All rights reserved. Xerox® and Xerox and Design® are trademarks of Xerox Corporation in the United States and/or other countries. Updated 4/16 BR18553 SECPA-01UE