Risk
2/13/2013
10:30 AM
Connect Directly
RSS
E-Mail
50%
50%

Xerox Targets Cloud Document Security Worries

Xerox, working with Cisco and McAfee, launches printers and apps designed to securely route documents to Dropbox, Google Apps and other cloud services.

Multifunction printers today can scan, fax, email and even photocopy. So why not extend those capabilities and allow people to "print" documents to the cloud?

That's the pitch being made by Xerox, which Wednesday announced the release of a set of applications dubbed ConnectKey along with 16 different multifunction printers that build in the software.

Using ConnectKey software -- either on a multifunction device or standalone on an endpoint -- users can route their documents to DropBox, Evernote, Google Drive, PaperPort Anywhere, Salesforce.com and SharePoint Online, as well as connect directly to SharePoint folders. The software can also be used to print from mobile devices -- dedicated apps are available for iOS and Android devices -- as well as transform documents on the fly; for example, to convert a SharePoint-stored PowerPoint to a PDF for easier viewing on an iPad.

A cloud-based version of ConnectKey offered by Xerox will serve as a printer finder for a business, allowing mobile employees to see a geographically organized list of all printers they're authorized to print to and then select one for a particular print job.

[ Have you patched your Flash browser plug-in? Read more at Adobe Issues Emergency Patch For Flash Player. ]

In June, Xerox said it will release App Studio, which will allow businesses to create custom ConnectKey apps that run on multifunction devices and that directly route information to ERP, CRM, and other types of enterprise applications. For example, the software could be used to create an expense app that allows employees to scan business receipts, then press a button to route the information to the corporate payment system for reimbursement.

But making printers -- and the documents they've scanned -- Internet-connected can be a recipe for security disaster, as demonstrated by the large number of unsecured, Internet-connected devices used by businesses that remain publicly accessible due to being misconfigured. Indeed, as further highlighted by recent reports of vulnerabilities in HP's implementation of the JetDirect standard, unless peripherals with embedded Web servers are appropriately locked down, enterprising hackers might remotely intercept documents or crash devices.

Accordingly, why might information security managers allow employees to access cloud-friendly document routers like the ones Xerox is now selling? "From a security point of view, what we're trying to do is get beyond that barrier with many IT administrators -- that it's unknown to me, and if it's unknown, it's bad," said Larry Kovnat, Xerox's senior manager of product security, speaking by phone. "You'll put something with all these capabilities in the enterprise, and IT will say, I don't know anything about this device, I'm going to put it on a VLAN and shut it off."

According to Xerox, ConnectKey was built from the start with security in mind, and the devices sport endpoint security software agents from McAfee, and also whitelist which applications are allowed to run. "The only software that should be running on these devices is software that we wrote; it's not a general-purpose device," said Kovnat. The devices also tie into McAfee's ePolicy Orchestrator, which according to Kovnat, means that "now we can present the device to the IT administrator as a manageable endpoint on the network."

ConnectKey devices can also be monitored using Cisco's TrustSec, which will allow IT managers who use Cisco's Identity Services Engine to watch the traffic going to and from the multifunction printers. "While we haven't embedded anything [from Cisco] in the device, we've worked closely with them to give them proprietary information about our devices, so now at the router or switch level, they can differentiate between a true device and someone who's trying to impersonate a printer," Kovnat explained.

Xerox's forthcoming App Studio can be used to create applications that run on the multifunction printers themselves, including the option of creating a "one-button process," said Rick Dastin, president of Xerox Office & Solutions Business, speaking by phone. "They can grab a document and store it [in the cloud], all in an automated way."

But before any new application can be installed on any printer, it must first be submitted to Xerox for review. If the application passes Xerox's security checks, it will then be digitally signed by Xerox, authorizing it to be installed and to run on designated multifunction printers. According to Kovnat, only something that has been properly signed and registered can execute on the device.

Kovnat also addressed the report of weaknesses in HP's implementation of the JetDirect protocol -- the de facto industry standard for handling network-delivered print jobs -- in some products. (HP has disputed some of the researcher's findings.) "The protocol itself isn't flawed -- it's just meant for printing, not security," said Kovnat of JetDirect. "So if you don't build the right controls into a device, you can get to the internals of a printer in ways that you're not meant to."

Kovnat said Xerox builds controls into its products to validate print files and job commands and ensure that they're not being used by someone to try and inappropriately access other print jobs or a disk or network shares. "The job coming in has to be a valid print job, and these print-control commands are filtered, so there's no access by the printing subsystem to any of the underlying subsystems, or computing resources," Kovnat said. "We test that extensively."

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/14/2013 | 8:59:18 PM
re: Xerox Targets Cloud Document Security Worries
This has very interesting security implications, both bad and good. The good news is that it puts printers on the security radar screen for once.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio