Security Solutions. Concerned about information security? You should be!

Transcription

1 Security Solutions Concerned about information security? You should be!

2 Various security threats surrounding the office Ricoh s proposal for a security management system. Information technology is the great enabler for sharing of knowledge across your enterprise. To ensure continued business growth, it is imperative that risks regarding information security are continually assessed, then effectively addressed. Ricoh, the total solution provider, has the resources and expertise to partner in this on-going effort. Technical Threats Theft Wire-tapping Information leaks Falsification Computer viruses Denial of service Spoofing Physical Threats Natural threats -Earthquakes -Fires -Power shortages Hardware breakdowns Software bugs Human Threats Unlawful use of computers Stealing and removal of information Operation errors Ricoh takes a multi-layer approach to information security Security measures typically involve the tightening of security against outside threats. However, greater risks come from insiders, those with unrestricted access to technology, including network-connected systems, such as digital copiers, printers, scanners, fax systems, and all-in-one s (Multifunctional Products). In assessing vulnerabilities, reexamine these devices for any potential security risks. Whether users are processing files electronically, or handling paper documents, measures can be taken to secure each step in the document lifecycle. Ricoh Security Solutions protect information from origination to output, with embedded security features and add-on solutions that enable you to take a multi-layer approach to information security without disruption to normal (authorized) document workflow. Risk Prevention and Protection Information Assets LAN Document Security Hardware Software Data recording media Documents Conversations Network Security Firewall Intrusion Detection System Anti-virus measures Intrusion detection Firewall Anti-virus measures Allows total protection all the way from electronic documents to paper documents. Remote access How do you protect valuable information assets? Today, technology-driven organizations rely on a sophisticated network of computers and peripherals to create, manage, process, share and archive information. Whether in electronic or paper form, this information is vulnerable to technical, physical and human threats (illustrated above). In order to protect information assets the lifeblood of every business IT (Information Technology) departments must build a secure infrastructure. Recognizing this urgent need, Ricoh has developed a comprehensive suite of Security Solutions that help better manage and protect information. By implementing security measures, you prevent abuse of office equipment resources and information leaks, thus minimize exposure to negative business forces, forces that can otherwise result in diminished competitiveness, eroding client and shareholder trust, even costly litigation. Addressing information security means balancing the need for access and protection Every business is vulnerable to threats, from abuse of copier resources to theft of proprietary customer information. Can you do more to protect yourself from such opportunistic or targeted threats? Start by asking yourself Is access to the system controlled by passcode? Can the administrator remotely enable/disable the device s ports to control device usage? Are print files encrypted? Can latent digital images on the hard drive be overwritten? Does the device track usage, i.e., provide a footprint of each user for monitoring/tracking purposes? The answer to these questions should be yes. Ricoh offers security solutions that meet rigorous standards, balancing the need for access and protection. The result are robust office systems that IT professionals can deploy with confidence. 1 2

3 Ricoh s ongoing efforts to realize security systems that satisfy the highest international standards. Strengthening ISMS (Information Security Management Systems) in the entire Ricoh Group. Strengthening the security functions of products and systems. What is ISMS? ISMS (Information Security Management Systems) is the name given to a comprehensive framework by which business enterprises and other organizations can appropriately manage information while protecting classified information. Not limited to computer system security measures, this plan offers a total risk management system that includes basic policies (security policies) for handling of information, concrete plans based on those polices, implementation and operation of plans, and periodic reassessment of objectives and plans. [ ISMS Standards ] The British Standards Institution (BSI) developed BS7799 as the standard regulations for ISMS. BS7799 is composed of two parts. Part 1 consists of guidelines. Part 2 is composed of certification screening regulations. In the year 2000, BS7799 Part 1 became an international standard as ISO/IEC These are implementation guidelines and not certification standards. Certification standards correspond to BS7799 Part 2. At present, however, they have not reached the level of international standards. Production What is ISO15408? Delivery The ISO15408 certification system certifies that security functions have been reliably designed and implemented for the individual hardware and software systems of an enterprise. In addition to design and function, certification covers the entire lifecycle, including production, shipment, sales, installation and service. It is awarded as the result of inspection (evaluation) by a third-party examining authority. The common measuring stick acting as the standard of evaluation at this time is ISO Thanks to these regulations it is possible to carry out a systematic evaluation from a variety of standpoints of the level of security of products connected with information technology. Hardware Sales What are Common Criteria? Common Criteria (CC) are IT security evaluation standards common throughout the world that resulted by combining the various IT security evaluation standards used in North America and the European nations. These countries had conducted evaluations and certification according to standards unique to their nations. However, with growing demand for procurement of international information systems, the need had arisen for standards that have universality in international society. In 1994, Common Criteria were created as IT security evaluation standards common around the world. ISO15408 resulted when these Common Criteria became international standards in National Standards Prior to Creation of CC Systems Software USA: TCSEC Canada: CTCPEC Europe: ITSEC ISMS Certification ISO15408 Certification Ricoh s comprehensive suite of Security Solutions has placing the company among an elite group of 91 Japanese businesses that have undergone rigorous screening and subsequent certification for ISMS (BS7799 Part 2). As a world leader in high-performance digital imaging technology, Ricoh plans to expand ISMS certification to include it s many global business enterprises. Ricoh has obtained ISO15408 certification, EAL3, for the Ricoh DataOverwriteSecurity System (DOSS) Type A/B. This assures that the targeted security functionality three-pass overwrite of hard drive data - is appropriate to meet a given threat and that it has been correctly implemented. Furthermore, EAL3 evaluates systems to guarantee that security is being maintained in all processes, from the development environment to production, shipment, installation and use. EAL2 involves primarily the evaluation of the products themselves, not the entire process. Consequently, Ricoh plans to obtain certification for future systems and solutions based on EAL3 (or higher) evaluation criteria. [ Seven-Step Evaluation Assurance Levels (EAL) ] The higher the number of the level, the stricter the evaluation. Generally speaking, EAL1-4 are aimed at commercial products, while EAL5 or higher are said to be for military uses. 3 4 Level 7 Level 6 Level 5 Level 4 Level 3 Level 2 Level 1

4 Make no compromises when it comes to information security Take a multi-layer approach to information security When connecting digital office technology to your network, there should be assurance that system resources and data are protected from disruptive forces inside or outside your organization. This enables IT personnel to embrace products that would otherwise posed a security risk, and provides employees with high-performance equipment that streamlines workflow (saving money!), while protecting your vital business interests. Ricoh views information security from two perspectives, electronic and paper. Electronic security encompasses the safeguarding of scan data that can be compromised when a user transmits a digital image from a device, over the or a private intranet. Paper security involves the securing of sensitive, confidential or classified print data that is output from a device and possibly retrieved or viewed by unauthorized individuals. Ricoh Security Solutions take these common vulnerabilities into account, while also providing access control methods to restrict device usage. So, based on your operating environment and application requirements, Ricoh can minimize security threats by enabling organizations to take a multi-layer approach, one that leaves nothing to chance. Information Leaks from Printed Documents Left Unauthorized Access to Device Information Leaks from Printed Documents Left 3 Locked Print Unauthorized Access to Device 1 Authentication Leaking of /Fax Address Information Leaking of /Fax Address Information Leaking of /FAX address information 7 Address Book Encryption Unauthorized Access to Networks HDD Unauthorized Access to Networks HDD 4 8 SSL Printing Network Port Control Leaking of Remaining Data on HDD Leaking of Remaining Data on HDD 2 DOSS (DataOverwriteSecurity System) LANs LANs Unauthorized Access from Fax Lines Unauthorized Access from Fax Lines 6 Prevent Fax Line Access Unauthorized Distribution of Confidential Documents with Scan to Unauthorized Distribution of Confidential Documents with Scan to 5 Restrict Manual Address Entry External Print data Scan data External Print data Scan data 5 6

5 Details on Security Solution 1 Prevent Unauthorized System Usage 2 Secure Hard Drives Authentication is an security feature that restricts unauthorized users, or group of users, from accessing system functions or changing machine settings. This important capability enables the system administrator to employ Access Limitation Management, helping to protect your installed base from unapproved usage or tampering. User Authentication User Authentication enables you to restrict machine access so that only those with a valid user name and password can access functions. Four User Authentication methods are available, one of which can be employed to address your specific security needs. Login Authentication Server (Existing Microsoft Windows NT server) Unauthorized person Ricoh s DataOverwriteSecurity System (DOSS) is an embedded firmware security solution that overwrites copy, print and scan data that is stored on an s internal hard drive by writing over the latent image with random sequences of 1 s and O s, making any effort to access and reconstruct residual data virtually impossible. Two data erasure methods are available 1. Auto Erase Memory 1 Overwrites data immediately after a job is completed. If a job comes in while the system is overwriting the previous job, the overwriting process is automatically interrupted until the job is completed. A B C Authentication Authentication Login Can not access 2. Erase All Memory 2 Erases all data in the machine (setting information, /fax address book information, counter information, etc.) and is recommending if relocating or discarding a machine. Available functions for individual user User A User B User C Copy Copy, printer Copy, printer, scanner Login user name and password access restrictions also available with in the same manner as PCs Three overwrite settings are available 1. NSA (National Security Agency, U.S.A) Standard 3 Overwrites temporary data on the hard drive, twice with random numbers and once with zeros. 2. DoD (Department of Defense, U.S.A) Overwrites temporary data with a number, its complement, and random numbers, then checks the results. 1.Windows Authentication 2.LDAP Authentication 3. Random Numbers Overwrites temporary data with random numbers the specified number of times, from 1 to 9. The default setting is three times. Verifies the identity of the user by comparing login credentials (user name/password) against the database of authorized users on the Windows Network Server, thus granting or denying access to functions. 3.Basic Authentication 1 Authenticates a user utilizing the user name/password registered locally in the s Address Book. No one without a valid user name/password can access the machine. Administrator Authentication A registered administrator manages system settings and user access to functions. Up to four Administrators 2 can share the administrative tasks, enabling you to spread the workload, and limit unauthorized operation by a single administrator, though the same individual can assume all roles. In addition, a separate Supervisor can be established for setting or changing the administrator passwords. 1 Basic Authentication and User Code Authentication can be utilized in non-windows and/or non-networked office environments. 2 Machine Administrator / Network Administrator / File Administrator / User Administrator Authenticates a user against the LDAP (Light-weight Directory Access Protocol) server, so only those with a valid user name/password can access your global address book, i.e., search and select addresses stored on the LDAP Server. 4.User Code Authentication 1 Utilizes Ricoh s standard User Code system to authenticate the user. The operator simply enters their User Code, which is compared to the registered data in the s address book. No one without a valid User Code can access the machine. ISO15408 Common Criteria Certification The Ricoh DOSS Type A & B are ISO Common Criteria Certified (EAL 3). This certification is a recognized worldwide standard that defines security requirements and establishes procedures for evaluating security of IT systems and software. DOSS Type C & D are now evaluated. 1 Auto Erase Memory does not overwrite documents stored in the Document Server, information registered in the Address Book, Counters stored under each User Code or network settings. 2 Supported by DOSS Type C & D. 3 NSA Standard only in DOSS Type A & B. 3 Locked Print Locked Print maintains confidentiality by suspending document printing until the authorized user enter the correct password from the device control panel. This eliminates the possibility of anyone viewing or removing a document from the paper tray. 7 8

6 Other Security Functions 4 Secure Print Data Specify User Access Level Print data communicated between a network PC and connected can be encrypted using SSL (Secure Sockets Layer) technology via IPP ( Printing Protocol). Consequently, any attempt to tap print data will fail; intercepted data is indecipherable. Documents stored within the s Document Server (hard drive) can be accessed by PC users on the network. To restrict access, you can control the permission level granted to each user, preventing unauthorized usage of stored information. <Before encryption> <After encryption> Four types of access levels are available: Read only : User can print and send stored files Edit : In addition to Read Only, user can change the print settings for stored files Edit/Delete : In addition to Read Only and Edit, user can delete stored files Full Control : In addition to Read Only, Edit, and Edit/Delete, user can specify the user and their access permission Not encrypted communication path Encrypted communication path by SSL Personal information (Name, address, age) Confidential information (Patent, technical information) Personal Information????????????????? Confidential information????????????????? Unauthorized data access Prevention of unauthorized data access Password-protect Files Enhance Password Protection 5 Restrict Manual Address Entry Using an s Scan-to- feature, it is possible to transmit hardcopy documents to one or multiple addresses, around the corner or around the globe. The user simply enters the address manually (ad hoc), via the s touch screen, or selects a pre-registered address from the device s internal address book (or global address book via LDAP). However, since manual address entry can be a potential source of information leaks, this feature can be disabled, limiting communication to only pre-registered addresses. This creates a closed network for secure communication with authorized destinations only. Each file stored on the s Document Server (hard drive) can be password protected. Only those users with the correct password can access the files. It is possible to set a password by using from 4 to 8 digits of figures. Control IP Address Access Even though a file stored on the s Document Server (hard drive) is password-protected, that does not prevent someone from attempting to break the code. The Enhance File Protection feature addresses this security issue by automatically locking the document after a false (invalid) password is entered ten times. An IP address access control mask prevents access to the by non-registered clients, improving management of multiple PCs (on the same network) and enhancing network security. 6 Prevent Fax Line Access Non-registered IP address Ricoh s fax module supports the industry-standard ITU-Group 3 (G3) communication protocol. If a connection is established with a remote terminal that is not using the G3 protocol, the terminates the connection. This prevents access from telecommunications lines to internal networks via the s fax module, ensuring that no illicit data can be introduced. Registered IP address Secure the Address Book 8 Control Network Ports To protect information registered in the s address book, this data can be encrypted, preventing unauthorized viewing/reading. The network administrator can enable or disable IP ports, thus controlling different network services provided by the print controller to an individual user. As a result, unwanted device communication can be prevented. 003 Available Not available 9 10

7