Today, just about anyone can access and disseminate information easily using a multi-function device. While scan to email, scan to fax and scan to desktop have become everyday ad-hoc scanning procedures, security at the point of capture is a potential vulnerability. It is more important than ever for organizations to prevent the loss or leak of sensitive data.
Whether protecting sensitive information or sharing secure information between personnel, a truly unified solution can measurably reduce risk, demonstrate compliance and protect customers and brand and intellectual property, all while adhering to the security and the transparency requirements of an organization.
A unified solution can also provide information security and risk mitigation with capabilities such as user authentication, restricted network access, document encryption, business process audit trails, outbound fax number validation, fax filtering and secure mobile printing, PDF password lock, PDF/A support and should complement existing data loss prevention (DLP) software investments.
Compliance Is Everywhere
There are more than 20,000 compliance requirements worldwide. Even if an organization isn't directly affected by compliance, it's highly likely that suppliers and partners are impacted by varying regulations and may pass down a request for compliance from their partners.
According to Enterprise Strategy Group, there are currently 10,000 regulations impacting data management in the US alone. Corporate scandals, the 9/11 terrorist attacks and banking crises have driven the need to protect employees, investors, shareholders and taxpayers with increased security of their assets. Privacy and transparency are center point "hot" topics as a result of the global explosion of the Internet as well as increased regulations imposed upon corporations by the government regulatory agencies.
At a global level, we are seeing the introduction of many new federal, state and industry-specific regulations seeking to control the way data is managed. The impact of non-compliance with these regulations can result in significant monetary penalties to the company or — at a more personal level — fines and jail sentences imposed on the CEOs, CIOs and CFOs who ultimately carry responsibility for the actions of employees related to corporate governance and non-compliance to regulatory compliance.
Focus on Data Loss Prevention
Data loss prevention (DLP) is a computer security term referring to systems that identify, monitor and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions) and data at rest (e.g., data storage).
If you have an environment where multiple multi-function devices (MFDs) are deployed and there are multiple users managing documents "owned" by multiple departments, there exists a significant opportunity for data loss and, thus, a critical focus on DLP systems and complementary software to insure a safe environment.
When it comes to managing security for a fleet of MFDs (either one brand or several), CIOs and other IT executives need to answer tough questions when it comes to protecting data.
For example, in the data categories mentioned above:
Data in Use (Operational Security), is data not in an at rest state. Users print, copy, move and otherwise manipulate data to which they have access.
Key questions are:
- Is the appropriate user scanning to applicable destinations?
- Is the user entering data incorrectly (i.e., incorrect fax numbers)?
Data at Rest includes but is not limited to archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks and also files stored off-site or on a storage area network (SAN).
Key questions are:
- How do you prevent users from gaining access to this data or contributing to workflows and scan destinations that do not have appropriate access?
- Is there data or settings information resident on the MFD that can compromise the network such as user email address, local network shares locations, SMTP gateways or service accounts?
Data in Motion, also known as data in transit, is literally information that's moving between two nodes on a network. An email, for example, is classified as data in motion between the time it's sent and the time the recipient receives it. This applies to actions other than email, as long digital bits are being copied around via a network.
Key questions are:
- Is SMTP or SMB transfer (which are defaults on MFDs) secure?
- Is the transfer from the MFD encrypted?
Point of Capture Data Loss Prevention Capabilities
DLP combined with complementary software properly deployed can easily handle security throughout your fleet of MFDs. Here are some key areas that should be covered to ensure full security:
Authentication
Since a copier or scanner is typically a shared device, security dictates that only authorized users can access your network applications and resources. This is done through password or smart card-based authentication using your existing network security infrastructure (Common Access Cards, Windows, Active Directory, Novell NDS, etc.), eliminating the need for extra passwords. After log on, the credentials will be validated and user information is populated. The username will be shown and a personalized scan menu will appear, giving greater control and security.
Authentication should be seamlessly integrated with the document workflow to ensure optimal auditing and security of the documents being captured and routed to various destinations, such as email, folders, SharePoint, fax ECM systems, etc.
Restricted Network Access
A secure DLP solution should restrict access to network resources using a multi-function device, limiting the ability of anyone gaining access to the device to browse the network or perform activities that cannot be traced back to an individual. User-level and password authentication can be enabled for all scanning functions available to that specific person.
Look for a server-based solution as opposed to device-based authentication, which requires extensive point-to-point management from IT. Server-based authentication can be managed centrally, lowering total cost of ownership and allowing clustering, failover and other system redundancy techniques. Also seek out a solution that supports swipe cards on all systems using third-party solutions.
Reduce Exposure of Sensitive Network Information Settings
Many organizations are purchasing add-on features to MFDs to encrypt hard drives and other data/documents that pass through the MFD. However, the MFD often stores critical settings information on the device such as SMTP gateways, user email addresses, SMB shares and service accounts. Take care that you choose a solution that simply only stores an IP address. This will make certain critical internal IT systems are masked from possible intruders.
Document Privacy and Document Encryption
Physical access control, data security and data encryption practices are very important areas in the MFD capture market. Communications between MFDs and your DLP server and destinations can be encrypted to ensure your digitized paper documents are only visible to those with proper authorization. Look for an encryption component that provides ECB, RC2 and RC4 encryption algorithms as well as synchronous encryptions for faster rate of encryption to secure data-routing to the final destination.
PDF Password Lock
Look for solutions that have the ability to secure the document at the point of capture. It should allow you to set a password when scanning confidential information to PDF and, thus, protect the PDF file from unauthorized access. Upon creation, the document should be encrypted using the author's password, which will make it impossible to open any document created with these settings without the keyword. This is a significant asset for HR, Accounting and other departments which manage sensitive or personally identifiable information.
PDF/A
Organizations produce vast and rapidly growing volumes of electronic records that because of their historical value need to be managed, preserved and made accessible for future generations. PDF/A is an ISO standard (ISO 19005) file format that has also been certified by the United States National Archives and Records Administration (NARA) for long-term archival of electronic documents. Robust distributed capture software will allow organizations to scan documents directly into text-searchable PDF/A formats and automatically populate the metadata properties important for archival: Title, Author, Subject, Date and Keywords (such as records retention schedule).
Activity Logging
Another key aspect of MFD security software is activity logging, which enables a user to capture tracking information about each scanned or faxed document and monitor usage of the scanning device. When tracking is enabled, the user is prompted to enter one or more customizable fields, like account number, department or patient ID, before the file is sent. Having a full audit trail of scans and faxes provides an organization with the tools to take pro-active, pre-emptive measures to ensure the proper performance and security of all processes.
Outbound Fax Number Validation
Faxing poses serious potential security issues and risks to every company where it us used. The number of organizations that have been exposed by a breach of confidential or personal identifiable information by just "sending a fax to the wrong number" is massive. Look for a solution that mitigates the risk of mistyped fax destinations by retrieving pre-authorized numbers from a secure database.
Outbound Fax Filtering
Intercepting documents to prevent confidential data loss is another critical aspect of your security software. Look for a solution that can pro-actively filter outboard fax communication.
Secure Mobile Printing
With on-the-road employees, it's also important to think about security for mobile printing. There are several simple, easy and secure options that should be integrated into your security platform. A good system will allow users to print documents from any Internet-enabled laptop, iPad or smartphone with no drivers, no software to install. It should be just as easy as sending an email to the appropriate networked printer or multi-function device's email address and where it can automatically print the attachment on your designated printer.
While there are many reasons that an organization might want to be in the limelight, it's definitely not because of a security breach. Organizations — public and private — which are managing from one to many MFDs must consider then a key information management component of their infrastructure and secure them accordingly.
MIKE MORPER is the vice president of marketing at Notable Solutions, Inc. For more information, visit www.nsiautostore.com.