Securing MFPs in a CAC Environment: Today and Tomorrow Critical Considerations



Similar documents
Addressing Security Issues The ecopy solution for document imaging

Nuance ecopy ShareScan 5 and ecopy PDF Pro Office 5 Reviewers' Guide

Addressing document imaging security issues

U.S. Army best practices for secure network printing, scanning, and faxing.

HYBRID PLATFORM FOR ADVANCED SOLUTIONS (HyPAS ) Technology Brief

efficient workflow security capability streamlined productivity SOFTWARE SOLUTIONS

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

Integrating paper-based information for Sarbanes-Oxley Section 404 compliance The ecopy solution for document imaging

Breakthrough office-scanning performance.

Unleashing BPM: Eliminate process bottlenecks created by paper

Nuance ecopy ShareScan. Brings paper documents into the digital world. Document capture & distribution Nuance ecopy

CAC/PIV PKI Solution Installation Survey & Checklist

CoSign by ARX for PIV Cards

efficient workflow security features streamlined productivity SOFTWARE SOLUTIONS

IMAGER security solutions. Protect Your Business with Sharp s Comprehensive Document Security Solutions

ecopy ShareScan v4.35 for ScanStation Product Overview

efficient workflow security capability streamlined productivity SOFTWARE SOLUTIONS

White Paper. Document Security and Compliance. April Enterprise Challenges and Opportunities. Comments or Questions?

SeCUritY. Safeguarding information Within Documents and Devices. imagerunner ADVANCE Solutions. ADVANCE to Canon MFP security solutions.

Samsung Security Solutions

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

SECURITY WITHOUT SACRIFICE

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data

Sharp s MFP Security Suite The best of the best in the Market

Whether your organization is small, medium or large, OpenText RightFax meets these

HIPAA Security Compliance for Konica Minolta bizhub MFPs

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

Enabling Growth and Driving Business Transformation. cloud

GlobalScan. Capture, process and distribute documents with exceptional efficiency. Workflow Suite Family

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Whether your organization is small, medium or large, OpenText RightFax meets these

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Simplify essential workflows with dynamic scanning capabilities. GlobalScan NX Server 32/Server 750 Capture & Distribution Solution

Smart Card Setup Guide

INTENT OF THIS DOCUMENT:

Workflow Suite Family. GlobalScan. Capture & Distribution Solution Comprehensive Document Control. scalable. ersatile. powerful

Sharpen your document and data security HP Security solutions for imaging and printing

document process automation

Evaluation. Common Criteria. Questions & Answers Xerox and Canon. Xerox Advanced Multifunction Systems

GlobalScan NX. Server 32/Server 750. Intelligent scanning for smarter workflow

SafeCom Smart Printing Administrator s Quick Guide

Security Solutions. Concerned about information security? You should be!

Konica Minolta Unity Document Suite. Powerful integrated document processing. Document capture & distribution Unity Document Suite

DATASHEET. Xythos on Demand. Productivity and collaboration tools

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

One Platform for all your Print, Scan and Device Management

QRadar SIEM 6.3 Datasheet

Everything You Need to Know About Effective Mobile Device Management. mastering the mobile workplace

McAfee Endpoint Encryption Manager

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Quick Reference Guide

Nuance ecopy ShareScan v5. Document Imaging Software. Digitize and streamline paper-based workflows.

Data Storage That Looks at Business the Way You Do. Up. cloud

Compliance in the Corporate World

Authentication in Apache Lenya

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

ecopy ShareScan 4.2 Installation and Setup Guide for ALL Part Number: 73-ALL (10/2007)

ADVANCED SOLUTIONS FOR. Healthcare. patient safety quality of care Meaningful Use unstructured documents

CLOUD FAX SOLUTIONS BUYER S GUIDE

MyQ Version Comparing (v5.2)

IBM Client Security Solutions. Client Security User's Guide

Equitrac Office. Administration Guide Equitrac Corporation

HP ProtectTools Embedded Security Guide

Protecting Data at Rest

Ricoh Security Solutions Comprehensive protection for your documents and information. ecure. proven. trusted

The Benefits of an Industry Standard Platform for Enterprise Sign-On

Document Archiving White Paper. Secure. Accessible. Reliable

Solgenia Facsys. Fax what you want, when you want and how you want

SECURITY. Konica Minolta s industry-leading security standards SECURITY

PrinterOn Print Management Overview

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

The End of Services for Mac (SFM): Evaluating Your Replacement Options

HIPAA: Health Care Transformation to Electronic Communications

Integrating Paper into EMC Documentum ApplicationXtender with ecopy

User Guide Remote PIV to VDI Using a PIV Card

Transcription:

WHITE PAPER Securing MFPs in a CAC Environment: Today and Tomorrow Critical Considerations

Contents The Mandate for Increased Security...1 Key Considerations...1 Critical Security Level Considerations...1 Platform Flexibility...3 The ecopy CAC Implementation...4 Summary...5 ii

Today s sophisticated network copiers or multifunctional products (MFPs), integrate copier, scanner, printer and facsimile functionality into a single platform, with the added capability of network-based document capture, storage and distribution. A primary on-ramp to the government s network, these devices can convert hardcopy documents into easily shared digital fi les. As a centralized network document processing hub, MFPs can also pose a potential risk to mission-critical information and applications. Theft or redirection of data is a danger when anonymous walk-up usage is possible. With an expanding MFP installed base deploying safeguards that ensure that only authorized users gain access to the device is not only a best practices imperative, but a federal mandate. The Mandate for Increased Security The driving force behind the MFP security initiative is Homeland Security Presidential Directive-12 (HSPD- 12). HSPD-12 specifi es that all U.S. government employees must use a common identifi cation standard to access physical facilities and information systems that access classifi ed and unclassifi ed networks, as well as network peripherals, such as MFPs. That standard is the Common Access Card (CAC) 1 used within a public key infrastructure (PKI), a system originally developed for the U.S. Department of Defense (DoD). Based on HSPD-12, offi ce equipment manufacturers and solution providers have moved quickly to develop government-specifi ed two-factor MFP CAC authentication products. Simply called MFP CAC solutions, these products support CAC cryptographic log-on capabilities for utilization of DoD-certifi ed CAC technology and public key-enabled applications. In short, government-approved MFP CAC solutions must secure the device by requiring walk-up users to be authenticated on the DoD s Certifi cate Authority server, a far more secure way to lock down the device than entry of a username and password. Key Considerations Discretion in design of these solutions has raised concern that many military branches within the DoD source products they think will meet the HSPD-12 mandate. In fact, they may be leaving their networks wide open, thus vulnerable to a security breach. Indeed, fi ve of the six MFP CAC solutions available today employ an embedded architecture that runs on a proprietary operating system, or web interface, that may not meet the DoD s security standards, potentially putting sensitive information at risk. That said, it is critical to gather detailed information when evaluating MFP CAC solutions. To begin that process, seek answers to the questions related to two key areas, Security Levels and Platform Flexibility. 1 Federal agencies are migrating to the Federal Information Processing Standard 201 (FIPS 201) Personal Identity Verifi cation (PIV) card. The PIV and CAC have the same form factor, but the PIV provides for interoperability across all federal agencies. Regardless of form, all federal civil servants and members of the military are issued a smart card as a condition of their employment. 1

Critical Security Level Considerations Does the MFP CAC solution address security on multiple levels, specifi cally Device, File, Network, and User levels? Device Security Is the user authenticated directly to the domain/active Directory list? After a user is successfully authenticated at the MFP, does the session allow the user Microsoft Active Directory access using LDAP, so the global address book and folder permissions are securely obtained? Note: This ensures that the solution ties into the existing user management infrastructure. Does the solution support secure single-session log on for all functions? In other words, when moving between applications, do you have to log in/out to switch functions, for example, move from Copy mode to Scanner mode? File Security Does the solution provide for secure file deletion? Put another way, when documents are deleted, does the solution comply with the DoD s clearing and sanitizing standards by overwriting the fi le contents according to DoD 5220.22-M? Can PDF files be encrypted and password-protected? In other words, can the fi le be encrypted and require the recipient to enter a password before the fi le is viewed, printed, or edited? Network Security Does the solution have points of native integration? More specifi cally, does the solution work with the native credentialing requirements, e.g., Microsoft SharePoint, to provide pass-through authentication to back-end directories? Does the solution support the Network Drive using secure native file services via SMB? In other words, does the solution transfer fi les to, for instance, a back-end fi le repository through secure channels, thus leverage existing security policies? Note: Transfer via FTP is not a secure communication method. User Security Is user authentication performed using DoD-approved software (middleware)? More specifi cally, when the user inserts his/her CAC into the reader, does the CAC solution utilize governmentapproved Validation Authority (VA) software, such as ActivIdentity and Tumbleweed, to initiate communication with the DoD PKI Server, and, in turn, authenticate the user? Note: ActivIdentity and Tumbleweed are third-party software solutions that offer a comprehensive, scalable, and reliable framework for real-time validation of digital certifi cates. Other similar software is available through CoreStreet, VeriSign, or NetSign. 2

Does the solution support Activity Logging and Document tracking? In other words, is there an audit trail for each device that records all scan events? Note: Solutions that supports archival of a backup image, e.g., a PDF, meet federal compliance requirements governing record retention. Does the solution support Microsoft Exchange (MAPI) for Scan to Mail, along with digital signature? Put another way, can the user digitally sign e-mail, whereby the signature is accepted as valid, authentic, and legally binding? Note: The Army s digital signature policy states that all e-mails sent from an Army-owned system or account, which contain an embedded hyperlink and/or attachment, must be digitally signed. Not all MFP CAC solutions support digital signature. Platform Flexibility Is the MFP CAC solution a prudent investment going forward, that is, built on a platform that can adapt to changing security and compliance requirements? Is the solution pre-compliant? In other words, does the solution utilize non-proprietary technologies that satisfy DoD security requirements through NIAP, DoD CON, JITC, and Common Criteria, such as ActivIdentity, Tumbleweed, and Microsoft Windows? Note: A solution built on the Windows platform utilizes Microsoft s authentication architecture, which meets the highest validation level of Common Criteria certifi cation EAL4. Does the solution facilitate other compliance 2 mandates? More specifi cally, does the solution meet rigorous requirements set forth by HSPD-12, and at the same time, assist with HIPAA and SOX federal mandates. Note: Any network technology that does not comply with DoD CAC PKI security mandates, including MFPs, may be decommissioned. Can the solution operate across different MFP or scanner makes/models? In other words, does the solution offer an open platform, thus operate with legacy products, future models, and mixed fl eets? Note: Embedded MFP CAC solutions are proprietary, thus work with only one make of machine. Does the solution support more than Scan to Mail? More specifi cally, can the solution also authenticate to Scan to File, Scan to Desktop, Scan to Captaris RightFax, and Scan to Microsoft SharePoint functions? Note: Some solutions only support limited Scan-to functionality. 2 CAC authentication is an identity verifi cation process that not only supports HSPD-12, but also facilitates compliance with federal mandates, such as HIPAA (Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX). 3

Can the MFP user preview a scan job? Put another way, can the user see an image of the scanned document on the display before pressing the [Send] button, possibly preventing direction of a fi le to the wrong recipient? How are development changes handled? In other words, if the solution requires a security update, is that process automatic or does the administrator have to push down patches? Note: Manual implementation of updates, either by batch confi guration or direct modifi cation at the device control panel can be time-consuming and ineffi cient. Is the solution easy to administer? More specifi cally, are software utilities available to minimize IT involvement and streamline management and maintenance? Does the solution provide a common user interface across the installed base of MFPs? In other words, does the solution offer a single, consistent user interface that provides IT personnel and users with instant familiarity, regardless of MFP make or model? The ecopy CAC Implementation ecopy, Inc., a leading provider of solutions that integrate paper documents into business software applications, offers a pre-compliant MFP CAC solution that will enable you to answer Yes to all of the consideration questions. Unlike other offerings, the CAC-enabled ecopy ScanStation (which includes ecopy ShareScan software) 3 runs as a Windows application on the Microsoft operating system, an OS that already adheres to the strictest CAC security requirements, including Common Criteria and others. Furthermore, ecopy s CAC implementation is platform-independent, so users can be authenticated at any compatible MFP equipped with ecopy s CAC-enabled ScanStation. The process is simple. The user inserts his/her CAC into the card reader. DoD-approved Validation Authority (VA) software, ActivIdentity or Tumbleweed, automatically communicate with the domain controller and DoD PKI Server respectively, to determine whether or not authentication is required. If so, the user is presented with an Enter Pin#. When the CAC certifi cate is successfully authenticated, the device unlocks. Removal of the card from the reader shuts the ecopy application down; the user is automatically logged out of the Windows operating system. The MFP s scanning function is, once again, locked. 3 CAC-enablement services are not available on the ecopy ShareScan embedded platform. 4

Summary A highly secure yet fl exible solution, ecopy s MFP CAC solution is pre-compliant and platform-independent. These key differentiators mean that the ecopy solution supports interoperability, that is, can be deployed within a mixed fl eet of MFP makes and models 4. Additionally, when a machine reaches end-of-life, or the lease expires, the CAC-enabled ecopy ScanStation is fully compatible with the new system. And regardless of MFP make, the system utilizes certifi ed Windows security protocols, maintaining the highest level of security and minimizing risks to every organization s most valuable asset information. 4 ecopy ScanStation is compatible with Canon, HP, Konica Minolta, Lanier, Océ, Ricoh, Savin, Sharp, Toshiba, and Xerox products. 5

E-mail R White Paper Securing MFPs in a CAC Environment: Today and Tomorrow Data Builder, Inc. Your Document Contractor Document Management Cost Recovery Information Management Fax Server ecopy ShareScan software works with all major MFP brands Disclaimer Though no CAC solution can guarantee against all threats to information security, establishing proof of identity at the MFP is a fundamental and government mandated starting point. Nuance and the Nuance logo, are trademarks or registered trademarks of Nuance Communications, Inc. or its affi liates in the United States and/or other countries. All other trademarks referenced herein are the property 2009 of their Nuance respective Communications, owners. Inc. All rights reserved. 6

L- The experience speaks for itself NUANCE COMMUNICATIONS, INC. ONE WAYSIDE ROAD 781 565 5000 BURLINGTON, MA 01803 NUANCE.COM

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information