I D C M A R K E T S P O T L I G H T

Transcription

1 I D C M A R K E T S P O T L I G H T S e c u r i n g t h e Print Ecosys t e m : An E s s e n t i a l As p e c t o f I T S e c u r i t y f o r B u s i n e s s June 2015 Adapted from IDC MarketScape: U.S. Smart Multifunction Peripheral Vendor Assessment by Keith Kmetz, IDC # and Market Analysis Perspective: Worldwide Security Products, 2013 by Christian A. Christiansen, John Grady, et al., IDC # Sponsored by Nuance Securing the IT landscape is a difficult task. While most organizations believe they do a decent job of securing their overall IT infrastructure, the threat level is still high and attacks are often successful at wreaking havoc. Companies addressing their security requirements need to make sure they include paper-based formats and business processes in addition to digital formats. This means that print is an essential piece of a company's IT security program. Because printers and MFPs reside on a company's network, they represent vulnerable points if not properly secured. This IDC Market Spotlight discusses why print security needs to be a comprehensive program that addresses the changing market dynamics around new points of computing accessibility such as mobility, cloud, and other technologies. Introduction: The Need for Print System Security Today's businesses face a barrage of business-related content in all forms (e.g., paper, audio, video, social) as part of the current business climate in the 3rd Platform (see Figure 1). IDC anticipates that the escalation of digital content will continue to dramatically increase for the foreseeable future and heighten the requirement for an increased focus on overall IT security. Most companies understand and have long recognized the importance of IT security in protecting intellectual property. Unauthorized access to such data and documents can impact competitiveness and/or result in costly and time-consuming penalties that can halt an organization's normal business operations. However, organizations also face the unenviable paradox of maintaining secure access to sensitive company documents and information, while new technologies (e.g., mobile devices, cloud) are providing workers with an expanding range of accessibility to this same content. If these two dynamics are not carefully balanced, there exists a potentially harmful conflict between allowing for a greater range of employee use and access while ensuring the highest available security measures. Securing the IT landscape is a difficult task. Most organizations believe they do a decent job of securing their overall IT infrastructure, but the threat level is still high and attacks are often successful at wreaking havoc. In fact, IDC research reveals that 80% of all organizations will suffer at least one successful attack causing serious harm that requires remediation. Also, a third of these organizations will not be able to prevent over half of these attacks (see Figure 2). In addressing security requirements, companies need to make sure they employ a comprehensive solution that includes paper-based formats and business processes in addition to digital formats. IDC 1930

2 This means that print is an essential piece of a company's IT security program. One possible explanation of the high security breach percentage shown in Figure 2 is that many organizations overlook the print infrastructure as an important component of their total IT security strategy. In our view, this is a serious error. Here's why. Printers and MFPs are typically distributed throughout the organization and reside on the company's network for day-to-day use. Their presence on the network allows for easy access by company employees but also represents vulnerable points of easy entry to and exit from the organization, if these devices are not properly secured. The appeal of targeting printing equipment to gain unauthorized entry into an organization should not be minimized. Printers and MFPs are just like personal computing systems both are often equipped with displays, keyboards, hard drives, and memory and house company data. Additionally, printing devices are increasingly accessible via mobile devices and the cloud and connected to company document management systems. Without the appropriate cautionary measures in place, networked printers and MFPs are obvious attractive candidates for hackers to gain entry into a company's IT environment. Thus, we believe it is crucial for companies to secure these assets so that their use is appropriate and authorized by the organization. FIGURE 1 3rd Platform Transformation Continuous Industry Transformation Immediacy Future of Work Abundance New Buying Centers Efficiency Personalization Mobility Cloud Social Business Big Data/ Analytics Source: IDC, IDC

3 FIGURE 2 Security Breach Success Rates Source: IDC, 2015 Addressing the Security Vulnerabilities in the Print Ecosystem Now that printers and MFPs have been established as potential security threats, companies can and should take steps to ensure that this equipment is as secured as possible. The most obvious point of print security vulnerability resides with the devices and the people who use them. IDC recommends that organizations minimize potential threats by identifying and addressing print security tactics with the following issues in mind: Securing access to the device Securing the connection Securing the data and content Ensuring that any peripheral hardware devices attached to the MFP (card readers) are secure Establishing a broader security services program that incorporates print as part of an expanded IT security initiative 2015 IDC 3

4 Securing Access to the Device Appropriate access to printing equipment refers to the control, monitoring, tracking, and reporting of all usage and for what purpose. There are numerous mechanisms in place for companies to ensure proper and secured use of their printing assets. User Authentication and Authorization Users should have to authenticate themselves prior to using printers or MFPs. This authentication can come in a variety of forms, including the use of passwords, cards/badges, and even biometrics, to make sure that only appropriate parties have access to the device and its capabilities. This small step means that the user has been authorized to use the equipment. Without authorization, access to the machine and its capabilities will be denied. Once authenticated, each individual user can be set up to have access to specific capabilities. This may mean that some users have unrestricted access to all functions and features, while other users may be allowed only certain defined capabilities. This approach ensures that organizations are aware of who has access to what features, as defined by company management and set up by IT administrators. From an output perspective, this could mean that a user has access to certain documents but may be blocked from printing this content or any printing at all from specific applications and/or file types. From a document distribution standpoint, users may be granted wide access to scanning functions but be restricted to certain destinations for any scan. For example, scanning could be allowed internally within an organization but not to outside entities. This security provision limits costly breaches by providing authorization rights to scan outside the company to selected (authorized) personnel. As the market extends into a more mobile computing platform, the ability to print documents securely anytime/anywhere within an organization becomes increasingly important as well. Mobile workers cannot always be limited to printing to assigned devices, but require more global access inside of an organization. In such cases, a user can benefit from sending a print job to any printer in the company, but the job is not printed until the user authenticates himself/herself at the device. This is a security benefit as well as a productivity benefit for users to print from any company printing device. Tracking and Monitoring With a user authentication system in place, organizations should implement a process in which the usage of all print equipment is tracked quickly, accurately, and efficiently. These typically softwarebased systems have important cost and service efficiency roles and participate in providing a secured print environment. A periodically generated audit report should tell IT administrators how these devices are being used by any number of criteria (e.g., by device, by user, by department). If unusual activity is revealed, the audit trail should quickly uncover potential unauthorized use by the specified criteria. The audit report ensures ongoing management review so that the company knows that its print policies are being followed and that its print usage is being well-managed. This management process helps ensure the highest level of security by identifying any questionable usage patterns and quickly working toward resolution. These management tracking and monitoring software tools also help identify any potential unauthorized use. As a result, security breaches can be discovered and restitution can be dealt with much more quickly, as demanded in an increasingly mobile marketplace IDC

5 Device-Specific Access Features There are also a number of device-specific access features that help drive a more secure printing environment. Examples include: Authorized firmware updates. Printers and MFPs are often upgraded with new capabilities and features via firmware available over the network. However, some users are nervous about potential virus infiltration when updates are offered in such a manner. To alleviate this issue, some firmware is digitally identified to be from an appropriate source so that the customer does not have to be concerned with a potential security problem with these downloads. Locked input trays. Specialty media (e.g., prescription pads) should be available only to appropriate staff (e.g., doctors, pharmacists). Printers and MFPs can be equipped with locked input trays to ensure that such media is used only by authorized users. This means that specialty media can be loaded or removed only by authorized personnel. Additional protections can be deployed through print management software and the application of print rules to ensure that files that need to be printed on media in a locked output tray are always sent to the appropriate device and tray. Antifraud technology. Printers and MFPs can be equipped with detection features that ensure appropriate supplies are used with the device. Some organizations have implemented a genuine OEM toner cartridge policy for their printing equipment. If an unauthorized toner cartridge is installed in the machine, the user will be notified about this potential policy breach so that a replacement can be found. Securing the Connection Perhaps complicating the secure connection of the device, IDC's 3rd Platform broadened access via the proliferation of mobile devices and the cloud. As users are provided with an even greater array of accessibility to business information, the threat of a security breach increases. While many companies laud the new levels of productivity available in the 3rd Platform, these entities must also be wary of ensuring proper access with these new technologies in place. As a result of their presence on a computer network and being one of the possible entry points to the network, printers and MFPs are potentially vulnerable to attacks if not secured. This means device access points need to be secured, including network ports, wireless connectivity, and features that meet the standards for network security and sending/receiving communication via scanning and faxing (e.g., IPSec, IEEE, IP filtering). Securing the Data and Content Securing data and content starts with all points on the printing device that may hold sensitive documents and data. The most obvious place to start is with the standard hard drive that many devices incorporate. Typical security measures securing the hard drive include encryption, lock, wipe/erasure, and overwrite kits. These offerings are designed to ensure that any information resident on the hard drive is removed so that information is not available to unauthorized users or hackers. This feature can be programmed so that hard disk cleaning occurs as often as the customer desires. Additionally, other hard drive security features ensure that if the drive is removed, data cannot be accessed without appropriate authorization. It is also important for the device and hard drive to be secured throughout their life cycles, including end of life. When a printer or an MFP is removed from circulation, the supplier must initiate an end-of-life security process that cleans any resident information off the device before it is resold or disposed of IDC 5

6 Otherwise, any data left in memory or on the hard drive could fall into unauthorized hands, resulting in an unintended security breach. Beyond the device's hard drive and memory, printers and MFPs can be equipped with encryption capabilities for any type of document processed on the machine (e.g., prints, scans, PDFs, documents with digital signatures). Encryption is an important security feature because such documents ensure that only authorized recipients can open and access the information contained in them. IT departments should ensure that all encryption software is current so that the highest level of security is maintained. Document information can also be secured via the fax function. MFPs can be programmed to hold faxes in memory until the recipient authenticates himself/herself at the device, which then allows the fax to be printed. If an alternative to fax is preferred or warranted, solutions are available that replace the MFP's fax card with a software solution that places limits on who users can fax to. Watermarks or other types of markings also help secure documents by validating the source, status, or other qualifications of the content that validates it for users. Securing the content refers to and acknowledges that the printing device is more than just a generator of paper processes. Printing equipment is increasingly being used as a tool for both print and digital including structured and unstructured data. Thus, the device's security features must adequately address conventional paper-based processes. That's a given. However, as printing equipment takes on a more prominent role in digitally based content, adequate security measures need to be in place in order to address emerging business processes that may or may not lead to print use. Making Systems Intuitive and Easy to Use Of course, all of these print security capabilities offer the necessary benefit of an increasingly secured print environment. However, it is necessary for the activation of the security experience to be as intuitive, user-friendly, and consistent across devices as possible to ensure global use across the organization. Additionally, the environment can't be so secured that guests can't be accommodated. Most organizations permit occasional guest usage to their printing assets. It is often necessary and expected that companies provide access to basic print features and functionality so that guests don't have to navigate a complex technology maze. Guest access to a predefined range of printing services should be made available for this purpose and does not sacrifice any security protocols. "Beyond the Box" Security That Addresses a Broader IT Need Security is a far-reaching topic that spans a myriad of IT issues beyond just print. As a result, we observe many print-centric providers expanding their security and consulting portfolio beyond print. Such programs intend to provide customers with a comprehensive print and IT security offering that is typically scalable, depending on the size and needs of the customer, and designed to optimize the security requirements of customers IDC

7 Questions Decision Makers Need to Think About When Considering a Secured Print Environment IDC developed a list of questions for decision makers to address to ensure that their company's print environment is as secure as possible. These issues should be discussed and reviewed with the organization's print provider. Are all authorized users authenticated at each printing device so that their access is documented and understood by the organization? Are documents and other important business information encrypted when sent over your network (e.g., scan, , Internet)? Is this capability at least available to your user base? How does your organization manage unclaimed print jobs on the printer? Are users able to print a document without physically presenting themselves at the machine? Does your organization track usage of each device? What information is available through such monitoring that ensures the highest level of security? How are the company's points of access on the network secured to prevent unauthorized access to the organization's intellectual property? How are the memory and hard drives of printing assets secured? Does your organization provide guest access to your company's printers and MFPs? How has this capability been implemented, and is it secured? Can employees scan to accounts? How is this done securely? Can designated service providers offer services that include print but extend into a broader IT security program? Can the providers demonstrate the effectiveness of their program as implemented by other customers? What happens to printing equipment at end of life? What security measures are taken? These questions can serve as a checklist for decision makers to make sure that the use of company print assets is well-known and that possible unauthorized use can be quickly discovered. Key Considerations This IDC Market Spotlight has obviously pointed out that IT security is important. If organizations don't have appropriate measures in place, the cost of an IT security breach can be substantial in terms of dollars, but equally (if not more) critical is the potential harm to a company's reputation. The good news is that steps are available to organizations that want to add to their IT security program. However, these steps should be taken at a pace that's comfortable for the company. When it comes to IT security, we have observed overly paranoid organizations moving too quickly and operating in a panicked fashion, especially after a harmful breach. This scenario can make it difficult to execute during the security crisis and cause a massive disruption to operations. Companies need to not only acknowledge the problem and offer a well-thought-out strategy for the current situation but also outline an approach that addresses the elimination of potential future occurrences. The harsh reality is that no organization is 100% secure and the number of attacks will continue to escalate. Whether hacking is done for fun or vengeful purposes, the increasingly digital age will also breed more attacks on the vulnerable points within an organization's IT infrastructure. We anticipate that such increased activity will also become more sophisticated in response to the heightened capabilities available in IT security protection IDC 7

8 This IDC Market Spotlight highlights print as an often omitted piece of an organization's IT security strategy. Since many companies seek to reduce their dependency on print and move to more digitally based work processes, the print component and the related equipment could be overlooked. As long as companies continue to operate with both digital and paper-based business information, they must include security coverage of both formats to maximize their IT security infrastructure. We believe that organizations should include print as part of a comprehensive IT security solution. Conclusion As the print market and computing landscape in 3rd Platform environments continues to evolve, the importance of ensuring the highest level of security with respect to a company's business information cannot be underestimated. Print security has to be part of this effort. Businesses of all types, small and medium-sized businesses (SMBs) as well as enterprises, need to understand that true print security goes far beyond just considering what a passerby might read in a printer/mfp output tray. Instead, print security needs to be an established and comprehensive program that addresses the changing market dynamics around new points of computing accessibility (e.g., mobility, cloud) and the securing of device/fleet/networked assets. A B O U T T H I S P U B L I C A T I ON This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee. C O P Y R I G H T A N D R E S T R I C T I O N S Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the IDC Custom Solutions information line at or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC, visit For more information on IDC Custom Solutions, visit Global Headquarters: 5 Speen Street Framingham, MA USA P F IDC