Risk
2/13/2013
10:30 AM
50%
50%

Xerox Targets Cloud Document Security Worries

Xerox, working with Cisco and McAfee, launches printers and apps designed to securely route documents to Dropbox, Google Apps and other cloud services.

Multifunction printers today can scan, fax, email and even photocopy. So why not extend those capabilities and allow people to "print" documents to the cloud?

That's the pitch being made by Xerox, which Wednesday announced the release of a set of applications dubbed ConnectKey along with 16 different multifunction printers that build in the software.

Using ConnectKey software -- either on a multifunction device or standalone on an endpoint -- users can route their documents to DropBox, Evernote, Google Drive, PaperPort Anywhere, Salesforce.com and SharePoint Online, as well as connect directly to SharePoint folders. The software can also be used to print from mobile devices -- dedicated apps are available for iOS and Android devices -- as well as transform documents on the fly; for example, to convert a SharePoint-stored PowerPoint to a PDF for easier viewing on an iPad.

A cloud-based version of ConnectKey offered by Xerox will serve as a printer finder for a business, allowing mobile employees to see a geographically organized list of all printers they're authorized to print to and then select one for a particular print job.

[ Have you patched your Flash browser plug-in? Read more at Adobe Issues Emergency Patch For Flash Player. ]

In June, Xerox said it will release App Studio, which will allow businesses to create custom ConnectKey apps that run on multifunction devices and that directly route information to ERP, CRM, and other types of enterprise applications. For example, the software could be used to create an expense app that allows employees to scan business receipts, then press a button to route the information to the corporate payment system for reimbursement.

But making printers -- and the documents they've scanned -- Internet-connected can be a recipe for security disaster, as demonstrated by the large number of unsecured, Internet-connected devices used by businesses that remain publicly accessible due to being misconfigured. Indeed, as further highlighted by recent reports of vulnerabilities in HP's implementation of the JetDirect standard, unless peripherals with embedded Web servers are appropriately locked down, enterprising hackers might remotely intercept documents or crash devices.

Accordingly, why might information security managers allow employees to access cloud-friendly document routers like the ones Xerox is now selling? "From a security point of view, what we're trying to do is get beyond that barrier with many IT administrators -- that it's unknown to me, and if it's unknown, it's bad," said Larry Kovnat, Xerox's senior manager of product security, speaking by phone. "You'll put something with all these capabilities in the enterprise, and IT will say, I don't know anything about this device, I'm going to put it on a VLAN and shut it off."

According to Xerox, ConnectKey was built from the start with security in mind, and the devices sport endpoint security software agents from McAfee, and also whitelist which applications are allowed to run. "The only software that should be running on these devices is software that we wrote; it's not a general-purpose device," said Kovnat. The devices also tie into McAfee's ePolicy Orchestrator, which according to Kovnat, means that "now we can present the device to the IT administrator as a manageable endpoint on the network."

ConnectKey devices can also be monitored using Cisco's TrustSec, which will allow IT managers who use Cisco's Identity Services Engine to watch the traffic going to and from the multifunction printers. "While we haven't embedded anything [from Cisco] in the device, we've worked closely with them to give them proprietary information about our devices, so now at the router or switch level, they can differentiate between a true device and someone who's trying to impersonate a printer," Kovnat explained.

Xerox's forthcoming App Studio can be used to create applications that run on the multifunction printers themselves, including the option of creating a "one-button process," said Rick Dastin, president of Xerox Office & Solutions Business, speaking by phone. "They can grab a document and store it [in the cloud], all in an automated way."

But before any new application can be installed on any printer, it must first be submitted to Xerox for review. If the application passes Xerox's security checks, it will then be digitally signed by Xerox, authorizing it to be installed and to run on designated multifunction printers. According to Kovnat, only something that has been properly signed and registered can execute on the device.

Kovnat also addressed the report of weaknesses in HP's implementation of the JetDirect protocol -- the de facto industry standard for handling network-delivered print jobs -- in some products. (HP has disputed some of the researcher's findings.) "The protocol itself isn't flawed -- it's just meant for printing, not security," said Kovnat of JetDirect. "So if you don't build the right controls into a device, you can get to the internals of a printer in ways that you're not meant to."

Kovnat said Xerox builds controls into its products to validate print files and job commands and ensure that they're not being used by someone to try and inappropriately access other print jobs or a disk or network shares. "The job coming in has to be a valid print job, and these print-control commands are filtered, so there's no access by the printing subsystem to any of the underlying subsystems, or computing resources," Kovnat said. "We test that extensively."

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/14/2013 | 8:59:18 PM
re: Xerox Targets Cloud Document Security Worries
This has very interesting security implications, both bad and good. The good news is that it puts printers on the security radar screen for once.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

CVE-2015-0528
Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVE-2015-0996
Published: 2015-03-29
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.