HP: Putting Print Security on the CISO Agenda

Amidst a rapidly evolving threat landscape, where malware and exploits continue to proliferate, endpoint security often fails to adequately protect networked printer and multifunction printer (MFP) devices. With its new enhanced LaserJet enterprise printer range, announced on 22 September 2015, HP is demonstrating its serious commitment to closing the print security gap. 

In today's increasingly mobile and interconnected digital enterprise, cyberattacks are ever more sophisticated, designed to inflict maximum damage on an organisation's systems and networks. The loss of sensitive information - be it personal or financial - can have huge repercussions - both financial and legal - not to mention the impact on brand reputation. According to the Ponemon Institute, the average consolidated total cost of a data breach is $3.79 million. Meanwhile, Quocirca's recent enterprise managed print services (MPS) study revealed that over 70% of organisations have suffered at least one data breach as the result of unsecured printing. Yet printing is an overlooked area on the Chief Information Security Officer (CISO) agenda. While focus is given to protecting traditional IT endpoints such as laptops, PCs and mobile devices, ignoring printers as a vital endpoint in an overall information security plan can leave an organisation exposed and vulnerable.

The print security gap
So why does it matter that these supposedly "peripheral devices" are secured? Today's MFPs are advanced and intelligent document processing hubs which print, copy, scan and email. Information resides on the hard disk and in memory, and with most MFPs now running advanced web servers, these devices are exposed to the same risks as any PC. At a basic level, there is the opportunity for uncollected sensitive or confidential information to be picked up from output trays - accidentally or maliciously - by the wrong recipient. Fortunately there is a range of simple tools that enable user authentication (either via a smartcard or a user PIN) to ensure print jobs are only released to authorised users. But at a deeper level, networked printers and MFPs need to be protected at the firmware and network level. Without adequate protection, the web server on an MFP can be exploited and compromised, providing open access to an enterprise's network. Indeed, it is often not the data on the MFP itself that is targeted: the device is an entry point to the wider network.

HP's security enhanced enterprise LaserJet products
HP's recent announcements aim to address these vulnerabilities and represent a significant advance in printer security. It boldly claims that its new HP LaserJet Enterprise 500-series printers are "the world's most secure printers" because they support a strong set of default security features and settings and, perhaps most importantly, include advanced embedded security capabilities specific to HP devices. These include:

  • HP Sure Start. To prevent an attack at the point of start-up, HP is implementing BIOS-level security with HP Sure Start. This applies the same BIOS security that has protected HP's Elite line of PCs since 2013 to the new HP LaserJet Enterprise printers. In the event of a compromised BIOS, a hardware-protected "golden copy" of the BIOS is loaded to self-heal the device to a secure state.
  • Whitelisting. This ensures that only authentic HP code and firmware can be installed and loaded onto devices.
  • Run-time Intrusion Detection. This protects the printer by continuously monitoring memory to identify and detect potential attacks and highlight them to Security Information and Event Management (SIEM) tools such as ArcSight. The device will automatically reboot, flushing memory and bringing it back to a safe state. This technology was developed in partnership with Red Balloon Security, a US-based embedded device security company.

Additionally, HP will retrofit legacy devices, allowing customers with devices dating from 2011 to benefit from these security features. According to HP, with a firmware update all three features can be enabled on HP LaserJet Enterprise printers delivered since April 2015. For HP LaserJet Enterprise printers launched since 2011, two of the features, whitelisting and Run-time Intrusion Detection, can be enabled through an HP FutureSmart service pack update.

Notably, HP is also addressing the needs of enterprises which operate a mixed fleet environment. HP JetAdvantage Security Manager, currently the industry's only policy-based printer security compliance solution, enables IT to establish and maintain security settings such as closing ports, disabling access protocols, auto-erasing files and more. When a reboot occurs, the HP Instant-On Security feature will check and reset any impacted settings automatically to bring devices into compliance with the organisation's policy. Quocirca believes this is a real opportunity for HP to set industry standards with integrated print security management, much in the same way that HP Web JetAdmin has become a standard tool for enterprise print management.

HP also offers a comprehensive Printing Security Advisory Service, which evaluates an enterprise's current print security position and recommends solutions to address the organisation's print security risk exposure. Indeed, Quocirca is seeing that managed print services customers are the most advanced here, often undertaking security assessments which identify vulnerabilities. In fact, 90% of organisations using MPS had started or completed a security assessment. Certainly, this is having a positive impact, with Quocirca's research revealing that data loss is much lower amongst those that have conducted an assessment. Almost half of those that had conducted a security assessment indicated no data loss, compared to 14% of enterprises that have started the process.


Quocirca Opinion
Print is often an afterthought in the security equation, leaving an organisation's data and networks exposed to unnecessary risk. While all manufacturers offer some form of built-in security features along with third party secure print solutions, there remains the opportunity to educate enterprises on the real risks that unsecured printers and MFPs pose. Consequently enterprises remain uncertain of how to implement a secure print strategy that integrates with a broader information security strategy. Quocirca recommends that enterprise clients consider a managed print service that offers a broad security assessment and addresses the need for a layered approach to security, dependent on the business needs.
 
HP certainly now has a comprehensive set of hardware, software and services offerings to evaluate and minimise the risk exposure of its enterprise clients. This enterprise LaserJet product range introduction will certainly raise more awareness of the need to better secure the print environment, and we expect that HP's competitors will respond by highlighting their solutions and services in this area. HP's market dominance positions it well to lead the market and potentially set industry standards.
 
Chief Information Security Officers (CISOs) need to tighten print security, not only to protect information that resides on printer endpoints but also recognise that an unsecured printer is a potential gateway to the corporate network. Ultimately, any security strategy is only as strong as its weakest link.

By Clive Longbottom
Over a decade ago, Quocirca looked at the means then in use for securing data, and decided that there was something fundamentally wrong. The concept of relying solely on network edge protection, along with internal network and application defences, misses the point. It has always been the data that matters - in fact, not really even the data, but the information and intellectual property that the data represents.

To our minds, enterprise content management (ECM) has not lived up to expectations around information security: it only dealt with a very small subset of information; it was far too expensive; and has not evolved to support modern collaboration mechanisms. It is also easy to circumvent its use, and far too easy for information assets to escape from within its sphere of control. 

As the need for decentralised collaboration grew and cloud computing offered new ways of sharing information, the problem became more complex. Defining the network edge became harder as the value chain of contractors, consultants, suppliers, customers and prospects grew, as did ensuring that the new silos of data and information being held in places such as Dropbox, Box and other cloud-based data stores were secure. However, in contrast to the problems with ECM, the problem with cloud-based information sharing systems lay in trying to stop individuals from using them: usage has grown, and in many cases the organisation is oblivious to these new data stores.

Sure, these silos have evolved to provide greater levels of security - but they are self-contained, with any such security being based primarily around encrypting files at the application or email level, or managing documents/files as long as they remain within the secure cloud repository or local secure 'container' (the encapsulation of a file in a proprietary manner to apply security on that file) on the host. 

The problem with just using application- or email-based encryption is that if the passcode created by the user is not strong, it can be cracked. Keys also have to be distributed to each person that needs access to the data - and such sharing is difficult and insecure in itself. Each key created has to be managed by the owning organisation (even where key management tools are in place), which presents another problem when keys are lost and have to be recovered. Moreover, all data that is outside of the central repository is now out there forever - once received and unlocked, it can be forwarded as email or modified, leaving uncontrolled copies of itself all over the place.

The same applies to the use of containers to try to track and monitor how data is being dealt with. Outside of a full digital/information rights management (DRM/IRM) platform, it is difficult to track data across a full value chain of suppliers and customers - and it is expensive. Using containerised defences within a system still has drawbacks: the security only works across those using the same system or cloud container. Once a file leaves the container, the data is in the clear for anyone to do whatever they wish with it (as described above).

To try and address the problem, Quocirca came up with an idea we called a compliance oriented architecture, or a COA. The idea was to provide security directly to data, such that it was secure no matter where it was within or outside of a value chain. At the time, the best we could come up with to create a COA was a mix of encryption, data leak prevention (DLP) and DRM. We accepted that this would be expensive - and reasonably easy for individuals to work around. 

Since then, we have seen many technical products that have gone some way towards information security, yet none, to our mind, has hit the spot of the COA.

Now, we wonder whether FinalCode has come up with the closest system yet. 

When Quocirca first spoke with FinalCode, although we liked the approach, we had worries over its interface and overall usability. We liked the technical approach - but felt that individuals may not have enough understanding of its value and operation to actually use it. With its latest release, FinalCode 5, Quocirca believes that the company has managed to come up with a system that offers the best COA approach to date. 

What does FinalCode do? It acts as a secure proxy between an information asset and the individual. Either directly through its own graphical interface or through the use of its application program interface (API), documents can be secured as close to source as possible - with policy being enforced by the OS and through the application being used (e.g. Microsoft Office, CAD applications, etc.) in most cases. So the sender and recipients work in the application they are accustomed to.

Once the document to be shared is put through FinalCode, the FinalCode system encrypts it with a one-time code, and manages keys as necessary. The information creator (or a corporate policy) applies rules around how the information can be used - and by whom. Joe may have read, edit and email forward capabilities; Jane may only have read. When the document reaches them, they first have to download a very small FinalCode client (a one-time activity). From there on, everything is automated - they do not have to know any keys, and they will be informed at every step what they can do. 

So, if Jane tries to forward on the document, she will be informed that she is not allowed to do this. If she tries to cut and paste any content from the document to another one, she will be prevented. 

It makes no odds where Jane is - she can be within the same organisation as the originator, could be a trusted partner in the value chain, or could be an accidental inclusion in an email list. All the actions that she can perform are controlled by the file originator or a corporate policy. Should Jane have received the file by accident, she won't be able to do anything with it, as her name will not be in the list created by the originator of those permitted to access the content of the file. If a trusted person leaves the company they work for, then the files they have access to can be remotely deleted by the originator. It also means that the document can be stored anywhere and distributed in any way - as FinalCode's capabilities are not container based, files can be used in whatever workflow suits the user or business; secured files can be output to a local disk, a network share or a cloud service - and all their restrictions and functionality are maintained.

Other functions include setting the number of times a document can be opened, including a visible or invisible watermark on documents and allowing recipients access to a file for a set time period only. 

This is all managed without FinalCode 'owning' the data at all. Although FinalCode operates as a cloud service, it is only really operating as a key management and functional control mechanism. As far as it is concerned, all information is just ones and zeros; it never actually sees the data in the clear. Encryption is carried out at the originating client; decryption is carried out at the receiving client. And the receiving client obtains the usage permissions all maintained by the FinalCode server. 
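The split of responsibilities described above, written here as an added Go example rather than FinalCode's own code or API: the originating client seals the document under a one-time key, a stand-in control service stores only that key and the per-recipient grants (Joe may read, edit and forward; Jane may only read), and the recipient client decrypts locally and honours its grant, with the remote delete from the earlier paragraph modelled as Revoke. ControlServer, Grant, record and the AES-GCM construction are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Grant is the per-recipient policy the control service holds: permitted actions only.
type Grant struct{ Read, Edit, Forward bool }
// record is what the service keeps per document: one-time key and ACL, never the plaintext;
// ControlServer is a hypothetical stand-in for the hosted key/policy service, not FinalCode's API.
type record struct {
	key []byte
	acl map[string]Grant
}
type ControlServer struct{ docs map[string]record }
func NewControlServer() *ControlServer { return &ControlServer{docs: map[string]record{}} }

// gcm builds the AEAD; neither constructor can fail for a 32-byte AES key, so errors are dropped.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Protect runs at the originating client: a fresh key seals the document with AES-GCM (document id
// as associated data), key and ACL go to the service, and the blob (nonce || ciphertext) may go anywhere.
func (s *ControlServer) Protect(docID string, plaintext []byte, acl map[string]Grant) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	s.docs[docID] = record{key: key, acl: acl}
	return gcm(key).Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// Open runs at the recipient client: the service releases key and grant only to a listed user,
// decryption happens locally, and GCM rejects any blob that was modified along the way.
func (s *ControlServer) Open(docID string, blob []byte, user string) ([]byte, Grant, error) {
	g, ok := s.docs[docID].acl[user] // after Revoke the zero record has a nil ACL: everyone is denied
	if !ok || !g.Read || len(blob) < 12 {
		return nil, Grant{}, errors.New("access denied for " + user)
	}
	pt, err := gcm(s.docs[docID].key).Open(nil, blob[:12], blob[12:], []byte(docID))
	if err != nil {
		return nil, Grant{}, err
	}
	return pt, g, nil
}

// Revoke is the originator's remote delete: with no key left at the service, every copy goes dark.
func (s *ControlServer) Revoke(docID string) { delete(s.docs, docID) }
```

The client would consult the returned Grant before permitting an edit or a forward, which is where the "you are not allowed to do this" message to Jane comes from.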

With pricing being based on low-cost subscriptions, FinalCode is a system that can be rolled out pretty much to everyone within an organisation, providing this high level of a COA. There will be problems for FinalCode - there always are for vendors. It is, as yet, still not a well-known name. It also runs the risk of being confused with the likes of Dropbox and Box. However, with the right messaging, FinalCode can deal with the second problem (indeed, it should be able to work well alongside such cloud stores) - and as its usage grows, its name should spread organically. 

So, when the business asks from the back seat as to whether they are there yet in their seemingly endless journey to a COA, IT can now honestly respond with an "almost there, yes". (Note: since writing this article, another company, Vera, has come to Quocirca's attention that looks similar. We will be investigating...)


Bob Tarzey will be a judge again this year for the SC Magazine Awards Europe.

SC Mag says: "The SC Magazine Awards Europe honour professionals working to secure enterprises of all sizes and the vendors that deliver innovative security technologies. The awards are widely regarded as the most prestigious IT Security industry awards and a big part of their success lies with the judges and the judging process."

The winners are usually announced around the time of Infosec Europe, this year in June.