Transcript Slide 1
Overview • • • • • • Business Risk Secure MFP Program Device Security Access Security Document Security End of Life Security Business Risk • MFP’s - An Overlooked Security Threat • Internal Threats • External Threats Significant Business Risks • Theft of Data, Intellectual Property • Unauthorized Access to Records • Malicious Exploitation • Regulatory Compliance Issues Business Risk MFP’s & Printers – An Overlooked Security Threat • All types of data copied, scanned, faxed, printed on MFP’s • Personal information, Health Records, Financial Statements, Confidential Reports, e-mails, Customer Records and Employee Files, Social Security, Credit Card Numbers, Defense related data. Business Risk Internal Threats (20% Traceable to insiders*) • Left unsecured an MFP or Printer is a huge point of vulnerability to your network and your business • Confidential documents can be retrieved from the MFP hard drive, taken from an output tray and emailed or faxed without authorization. • MFPs and printers provide employees with a point of entry to the network that can be used to bypass network security mechanisms thus providing access to information on the network. *2009 Data Breach Investigation Report Business Risk External Threats (74% External*) • Data is also at risk via external threats, • Via Wide-Area Network (WAN), the public Internet or a Virtual Private Network (VPN), stored documents, scanned data or print jobs can be intercepted. • Malicious intrusions in the form of Denial of Service (DOS) attacks can be initiated via an unsecured MFP or Printer. • Packet sniffers can be used to intercept data and sent to unauthorized parties • Data stored on the copier’s hard disk drive can be retrieved remotely. *2009 Data Breach Investigation Report Secure MFP Program Toshiba’s Solution – Secure MFP • Secure MFP addresses multiple avenues of vulnerability with a broad array of countermeasures which are grouped as follows • • • • Device Security Access Security Document Security End of Life Security • This holistic approach provides for defense in depth. *2009 Data Breach Investigation Report Secure MFP Program Toshiba Security Assessment • Assesses the current state • Audits the devices (MFP’s) • Audit the document infrastructure • Assesses vulnerabilities in 4 categories • • • • Device Security Access Security Document Security End of life Security • Each category has many vulnerabilities & countermeasures • Assigns grade, None, Basic, Optimal, Enhanced • Creates roadmap to secure future state Device Security Categorization Optimal Device Access Document End of Life Secure Networking Enterprise Tracking/Release Document DRM Solution Policy Implemented Secure Data Network Authentication Print Queues N/A Core Technologies Simple Authentication Document Protection N/A Enhanced Basic Device Security Countermeasures • SSL • IPv6 • IP Filtering • SMB Signing • IPSec • Advanced Encryption • Data Overwrite Kit Device Security • SSL • SSL is a cryptographic protocol widely used on the Internet to provide secure communications for transfer of personal information. • MFP devices employ this common encryption technology to protect all data traveling to and from the MFP. • Print jobs sent via SSL are encrypted through symmetric cryptography, ensuring that the print data is secure and will not be used for any purpose other than print output. Device Security • IPv6 • Commonly known as the next generation Internet Protocol— IPv6 is the latest version of IP. • With the introduction of IPv6 come several new features that address IP security needs, such as a larger IP address range, protection from scanning and attacks, and built-in support for authentication and confidentiality. • Toshiba supports IPv6 as part of our ongoing commitment to meeting your current and future network needs. Device Security • IP Filtering • IP Filtering acts like a firewall to protect your internal network from intruders. • IP filtering lets you control what IP traffic to allow into and out of your network by filtering data from specified network addresses. • MFP devices utilize this mechanism as a means of controlling which computers have access to its network functions. Device Security • SMB Signing • SMB Signing adds a digital signature to data transferred between the MFP and the server during network authentication. • The signatures verify that the identity of the server matches the credentials expected by the MFP, and vice versa. • By verifying that data is received from authenticated sources, the signature ensures the integrity of all communications. Device Security • IP Sec • Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. • IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. Device Security • Advanced Encryption • Advanced Encryption features 128-bit encryption and decryption of all data being written to the hard disk drive of the device. • This includes all copy, print, fax, and scan information for every document processed on the multifunction device. • Toshiba’s 128-bit encryption utilizes the Triple Data Encryption Standard (DES) algorithm. Device Security • Data Overwrite Kit • The Data Overwrite Kit completely overwrites all information on the hard drive after every job. It works by deleting all data within the File Allocation Table (FAT) partition, in addition to overwriting the actual data. Device Security Basic (Core eBridge Technologies) • SSL • IPv6 • IP Filtering • SMB Signing Device Security Enhanced (Secure Data) • Advanced Encryption • Data Overwrite Kit Device Security Optimal (Secure Networking) • IPSec Access Security Countermeasures • Department Codes • Strong Passwords • Usage Limitations • Job Log • Network Authentication w/RBAC • Email Authentication • SmartCard Authentication • Ringdale FollowMe, PaperCut FindMe Access Security • Department Codes • Department Codes are private pre-set codes that give authorized users full functionality at the device, allowing them to copy, print, fax, and scan. • In addition to controlling access, Department Codes provide valuable data tracking and usage information, which allows network administrators to easily track and view the volume and type of jobs being produced by each department or user. Access Security • Strong Passwords • Strong Passwords negate the effectiveness of password detection tools that can crack passwords instantaneously. • Toshiba employs a ten-digit alphanumeric administrative password and a log-on limitation of up to three attempts. • This process helps foil attempts to crack the administrative password by making it more difficult to ascertain, and disabling log-on privileges after three failed attempts. Access Security • Usage Limitations • Usage limitations allow the administrator to control and track output at the device. • This also adds an additional level of security to control access to the device, and provides enhanced visibility to help track and control costs associated with the device’s use. Access Security • Job Log • Job Log is a Toshiba feature that makes it easy to track data and documents. Information about each completed job is stored within the e-STUDIO Job Log. • Print, fax, and scan jobs are tracked with detailed information including the user name, date, time, number of pages, type of paper, and type of job. Access Security • Network Authentication • Network Authentication provides an additional means of control via the network. • Ideal for larger scale installations with numerous users, network administrators can control access at the device in the same manner that they control network access from the desktop. • Users are required to input their network user name and password to gain access to the control panel. • Network Authentication can also be used in conjunction with Role Based Access Control (RBAC) which allows the administrator to control access to specific functionality by individual user. (i.e. copy, print, scan, fax) Access Security • Email Authentication • Email Authentication is critical when conducting business via the Internet or Email, because it ensures that you are corresponding with an authentic addressee. • Toshiba’s Email authentication technology allows organizations to manage the Emails being sent from each multifunction device. Access Security • SmartCard Authentication • SmartCard Authentication offers extensive security features designed to eliminate unauthorized operation and reduce costs and downtime. • By utilizing a streamlined, single point of entry, SmartCard Authentication facilitates the user log-in process by requiring a card swipe instead of typing a User Name and Password. • You control who has authorization, thereby maintaining cost efficiency and security. Access Security • Ringdale FollowMe * • Secure Printing - Print jobs are never lost, stolen or picked up accidentally - nothing gets printed until the user is identified and authenticated at the printer. • Convenience Printing - Print jobs follow users to their choice of network printer. • Authenticated Printing - Authenticate on the printer or MFP with PIN codes, bar codes, proximity, swipe or smart cards to enable equipment feature access and usage profiles. • Green Printing - Advance green initiatives across the enterprise by eliminating duplicate print jobs at source, enforcing printing restrictions to conserve toner, paper and developer. * Not available in every location Access Security • PaperCut FindMe * • Secure Printing - Print jobs are never lost, stolen or picked up accidentally - nothing gets printed until the user is identified and authenticated at the printer. • Convenience Printing - Print jobs follow users to their choice of network printer. • Authenticated Printing - Authenticate on the MFP with username/password, proximity cards to enable equipment feature access and usage profiles. • Green Printing - Advance green initiatives across the enterprise by eliminating duplicate print jobs at source, enforcing printing restrictions to conserve toner, paper and developer. * Not available in every location Access Security Basic (Simple Authentication) • Department Codes (with reporting) Access Security Enhanced (Network Authentication) • Network Authentication w/RBAC • SmartCard Authentication Access Security Optimal (Enterprise Tracking & Release) • Ringdale FollowMe • PaperCut FindMe Document Security Countermeasures • SecurePDF • Private Print • Print to Hold • HardCopy Security Document Security • Secure PDF • Secure PDF provides control and protection for scanned documents sent to Email and network folders. • With Secure PDF, users can assign a password to a scanned document that controls access to viewing, printing, editing and copying its content. • Furthermore, up to 128-bit encryption can be applied to ensure it is stored safely. Usage Limitations can be set for copy and print jobs, in addition to black/white and color output limitations. Document Security • Private Print • Private Print offers complete control of print output by requiring users to input a password to initiate their printout. • Private Print is ideal when printing confidential information by preventing other people from accidentally or intentionally picking up the wrong print job. • Toshiba has made this process even more flexible by giving users the option to either print private documents individually, or to print multiple private documents at one time Document Security • Print to Hold • Print to Hold eliminates paper wastage through job loss by holding the job at the MFP and releasing it only on demand Document Security • Hardcopy Security • Hardcopy Security embeds a background image or configurable string(s) that reveal themselves if the document is copied. Document Security Basic (Document Protection) • SecurePDF • Private Print • Print to Hold • HardCopy Security End of Life Security Policy • Policy Implemented • As the owner of any HDD data it is the client’s responsibility for an end of life policy which ensures that as MFP and Printers reach their end of life either through lease end or technological refresh that the hard drive is scrubbed of all data. Certifications • CCEVS Common Evaluation and Validation Scheme • The CCEVS program recognizes and validates security solutions based upon an internationally accepted methodology. Toshiba products comply with the Common Criteria Evaluated Assurance Level, and conform to ISO/IEC15408 (Information Technology Security Evaluation Criteria). Standards • Dod – The Department of Defense • The U.S. Department of Defense manual outlines rigid policies and standards in the interest of protecting the security of the United States. Toshiba’s Disk Overwrite solution clears and sanitizes hard disk drives that may contain classified information.