Transcript Slide 1
Overview
•
•
•
•
•
•
Business Risk
Secure MFP Program
Device Security
Access Security
Document Security
End of Life Security
Business Risk
• MFP’s - An Overlooked Security Threat
• Internal Threats
• External Threats
Significant Business Risks
• Theft of Data, Intellectual Property
• Unauthorized Access to Records
• Malicious Exploitation
• Regulatory Compliance Issues
Business Risk
MFP’s & Printers – An Overlooked Security
Threat
• All types of data copied, scanned, faxed,
printed on MFP’s
• Personal information, Health Records,
Financial Statements, Confidential Reports,
e-mails, Customer Records and Employee
Files, Social Security, Credit Card Numbers,
Defense related data.
Business Risk
Internal Threats (20% Traceable to insiders*)
• Left unsecured an MFP or Printer is a huge point
of vulnerability to your network and your
business
• Confidential documents can be retrieved from
the MFP hard drive, taken from an output tray
and emailed or faxed without authorization.
• MFPs and printers provide employees with a
point of entry to the network that can be used to
bypass network security mechanisms thus
providing access to information on the network.
*2009 Data Breach Investigation Report
Business Risk
External Threats (74% External*)
• Data is also at risk via external threats,
• Via Wide-Area Network (WAN), the public
Internet or a Virtual Private Network (VPN),
stored documents, scanned data or print jobs
can be intercepted.
• Malicious intrusions in the form of Denial of
Service (DOS) attacks can be initiated via an
unsecured MFP or Printer.
• Packet sniffers can be used to intercept data and
sent to unauthorized parties
• Data stored on the copier’s hard disk drive can
be retrieved remotely.
*2009 Data Breach Investigation Report
Secure MFP Program
Toshiba’s Solution – Secure MFP
• Secure MFP addresses multiple avenues of
vulnerability with a broad array of
countermeasures which are grouped as
follows
•
•
•
•
Device Security
Access Security
Document Security
End of Life Security
• This holistic approach provides for defense
in depth.
*2009 Data Breach Investigation Report
Secure MFP Program
Toshiba Security Assessment
• Assesses the current state
• Audits the devices (MFP’s)
• Audit the document infrastructure
• Assesses vulnerabilities in 4 categories
•
•
•
•
Device Security
Access Security
Document Security
End of life Security
• Each category has many vulnerabilities &
countermeasures
• Assigns grade, None, Basic, Optimal, Enhanced
• Creates roadmap to secure future state
Device Security
Categorization
Optimal
Device
Access
Document
End of Life
Secure
Networking
Enterprise
Tracking/Release
Document DRM Solution
Policy
Implemented
Secure Data
Network Authentication
Print Queues
N/A
Core
Technologies
Simple Authentication
Document Protection
N/A
Enhanced
Basic
Device Security
Countermeasures
• SSL
• IPv6
• IP Filtering
• SMB Signing
• IPSec
• Advanced Encryption
• Data Overwrite Kit
Device Security
• SSL
• SSL is a cryptographic protocol widely
used on the Internet to provide secure
communications for transfer of personal
information.
• MFP devices employ this common
encryption technology to protect all data
traveling to and from the MFP.
• Print jobs sent via SSL are encrypted
through symmetric cryptography, ensuring
that the print data is secure and will not be
used for any purpose other than print
output.
Device Security
• IPv6
• Commonly known as the next generation
Internet Protocol— IPv6 is the latest
version of IP.
• With the introduction of IPv6 come several
new features that address IP security
needs, such as a larger IP address range,
protection from scanning and attacks, and
built-in support for authentication and
confidentiality.
• Toshiba supports IPv6 as part of our
ongoing commitment to meeting your
current and future network needs.
Device Security
• IP Filtering
• IP Filtering acts like a firewall to protect
your internal network from intruders.
• IP filtering lets you control what IP traffic to
allow into and out of your network by
filtering data from specified network
addresses.
• MFP devices utilize this mechanism as a
means of controlling which computers have
access to its network functions.
Device Security
• SMB Signing
• SMB Signing adds a digital signature to
data transferred between the MFP and the
server during network authentication.
• The signatures verify that the identity of the
server matches the credentials expected
by the MFP, and vice versa.
• By verifying that data is received from
authenticated sources, the signature
ensures the integrity of all
communications.
Device Security
• IP Sec
• Internet Protocol Security (IPsec) is a protocol
suite for securing Internet Protocol (IP)
communications by authenticating and
encrypting each IP packet of a data stream.
IPsec also includes protocols for establishing
mutual authentication between agents at the
beginning of the session and negotiation of
cryptographic keys to be used during the
session.
• IPsec can be used to protect data flows
between a pair of hosts (e.g. computer users
or servers), between a pair of security
gateways (e.g. routers or firewalls), or
between a security gateway and a host.
Device Security
• Advanced Encryption
• Advanced Encryption features 128-bit
encryption and decryption of all data being
written to the hard disk drive of the device.
• This includes all copy, print, fax, and scan
information for every document processed
on the multifunction device.
• Toshiba’s 128-bit encryption utilizes the
Triple Data Encryption Standard (DES)
algorithm.
Device Security
• Data Overwrite Kit
• The Data Overwrite Kit completely overwrites all
information on the hard drive after every job. It
works by deleting all data within the File
Allocation Table (FAT) partition, in addition to
overwriting the actual data.
Device Security
Basic (Core eBridge Technologies)
• SSL
• IPv6
• IP Filtering
• SMB Signing
Device Security
Enhanced (Secure Data)
• Advanced Encryption
• Data Overwrite Kit
Device Security
Optimal (Secure Networking)
• IPSec
Access Security
Countermeasures
• Department Codes
• Strong Passwords
• Usage Limitations
• Job Log
• Network Authentication w/RBAC
• Email Authentication
• SmartCard Authentication
• Ringdale FollowMe, PaperCut FindMe
Access Security
• Department Codes
• Department Codes are private pre-set codes
that give authorized users full functionality at
the device, allowing them to copy, print, fax,
and scan.
• In addition to controlling access, Department
Codes provide valuable data tracking and
usage information, which allows network
administrators to easily track and view the
volume and type of jobs being produced by
each department or user.
Access Security
• Strong Passwords
• Strong Passwords negate the
effectiveness of password detection tools
that can crack passwords instantaneously.
• Toshiba employs a ten-digit alphanumeric
administrative password and a log-on
limitation of up to three attempts.
• This process helps foil attempts to crack
the administrative password by making it
more difficult to ascertain, and disabling
log-on privileges after three failed
attempts.
Access Security
• Usage Limitations
• Usage limitations allow the administrator to
control and track output at the device.
• This also adds an additional level of
security to control access to the device,
and provides enhanced visibility to help
track and control costs associated with the
device’s use.
Access Security
• Job Log
• Job Log is a Toshiba feature that makes it
easy to track data and documents.
Information about each completed job is
stored within the e-STUDIO Job Log.
• Print, fax, and scan jobs are tracked with
detailed information including the user
name, date, time, number of pages, type of
paper, and type of job.
Access Security
• Network Authentication
• Network Authentication provides an additional
means of control via the network.
• Ideal for larger scale installations with numerous
users, network administrators can control access
at the device in the same manner that they
control network access from the desktop.
• Users are required to input their network user
name and password to gain access to the control
panel.
• Network Authentication can also be used in
conjunction with Role Based Access Control
(RBAC) which allows the administrator to control
access to specific functionality by individual user.
(i.e. copy, print, scan, fax)
Access Security
• Email Authentication
• Email Authentication is critical when
conducting business via the Internet or
Email, because it ensures that you are
corresponding with an authentic
addressee.
• Toshiba’s Email authentication technology
allows organizations to manage the Emails
being sent from each multifunction device.
Access Security
• SmartCard Authentication
• SmartCard Authentication offers extensive
security features designed to eliminate
unauthorized operation and reduce costs
and downtime.
• By utilizing a streamlined, single point of
entry, SmartCard Authentication facilitates
the user log-in process by requiring a card
swipe instead of typing a User Name and
Password.
• You control who has authorization, thereby
maintaining cost efficiency and security.
Access Security
• Ringdale FollowMe *
• Secure Printing - Print jobs are never lost, stolen
or picked up accidentally - nothing gets printed
until the user is identified and authenticated at the
printer.
• Convenience Printing - Print jobs follow users to
their choice of network printer.
• Authenticated Printing - Authenticate on the
printer or MFP with PIN codes, bar codes,
proximity, swipe or smart cards to enable
equipment feature access and usage profiles.
• Green Printing - Advance green initiatives
across the enterprise by eliminating duplicate
print jobs at source, enforcing printing restrictions
to conserve toner, paper and developer.
* Not available in every location
Access Security
• PaperCut FindMe *
• Secure Printing - Print jobs are never lost, stolen
or picked up accidentally - nothing gets printed
until the user is identified and authenticated at the
printer.
• Convenience Printing - Print jobs follow users to
their choice of network printer.
• Authenticated Printing - Authenticate on the
MFP with username/password, proximity cards to
enable equipment feature access and usage
profiles.
• Green Printing - Advance green initiatives
across the enterprise by eliminating duplicate
print jobs at source, enforcing printing restrictions
to conserve toner, paper and developer.
* Not available in every location
Access Security
Basic (Simple Authentication)
• Department Codes
(with reporting)
Access Security
Enhanced (Network Authentication)
• Network Authentication w/RBAC
• SmartCard Authentication
Access Security
Optimal (Enterprise Tracking & Release)
• Ringdale FollowMe
• PaperCut FindMe
Document Security
Countermeasures
• SecurePDF
• Private Print
• Print to Hold
• HardCopy Security
Document Security
• Secure PDF
• Secure PDF provides control and
protection for scanned documents sent to
Email and network folders.
• With Secure PDF, users can assign a
password to a scanned document that
controls access to viewing, printing, editing
and copying its content.
• Furthermore, up to 128-bit encryption can
be applied to ensure it is stored safely.
Usage Limitations can be set for copy and
print jobs, in addition to black/white and
color output limitations.
Document Security
• Private Print
• Private Print offers complete control of print
output by requiring users to input a
password to initiate their printout.
• Private Print is ideal when printing
confidential information by preventing other
people from accidentally or intentionally
picking up the wrong print job.
• Toshiba has made this process even more
flexible by giving users the option to either
print private documents individually, or to
print multiple private documents at one
time
Document Security
• Print to Hold
• Print to Hold
eliminates paper wastage through job loss
by holding the job at the MFP and
releasing it only on demand
Document Security
• Hardcopy Security
• Hardcopy Security embeds a background
image or configurable string(s) that reveal
themselves if the document is copied.
Document Security
Basic (Document Protection)
• SecurePDF
• Private Print
• Print to Hold
• HardCopy Security
End of Life Security
Policy
• Policy Implemented
• As the owner of any HDD data it is the
client’s responsibility for an end of life
policy which ensures that as MFP and
Printers reach their end of life either
through lease end or technological refresh
that the hard drive is scrubbed of all data.
Certifications
• CCEVS Common Evaluation
and Validation Scheme
• The CCEVS program recognizes and validates
security solutions based upon an internationally
accepted methodology. Toshiba products comply
with the Common Criteria Evaluated Assurance
Level, and conform to ISO/IEC15408 (Information
Technology Security Evaluation Criteria).
Standards
• Dod – The Department of Defense
• The U.S. Department of Defense manual outlines
rigid policies and standards in
the interest of protecting the security of
the United States. Toshiba’s Disk
Overwrite solution clears and sanitizes
hard disk drives that may contain
classified information.