2/13/2013
10:30 AM

Xerox Targets Cloud Document Security Worries

Xerox, working with Cisco and McAfee, launches printers and apps designed to securely route documents to Dropbox, Google Apps and other cloud services.

Multifunction printers today can scan, fax, email and even photocopy. So why not extend those capabilities and allow people to "print" documents to the cloud?

That's the pitch being made by Xerox, which Wednesday announced the release of a set of applications dubbed ConnectKey along with 16 different multifunction printers that build in the software.

Using ConnectKey software -- either on a multifunction device or standalone on an endpoint -- users can route their documents to Dropbox, Evernote, Google Drive, PaperPort Anywhere, Salesforce.com and SharePoint Online, as well as connect directly to SharePoint folders. The software can also be used to print from mobile devices -- dedicated apps are available for iOS and Android devices -- as well as transform documents on the fly; for example, to convert a SharePoint-stored PowerPoint to a PDF for easier viewing on an iPad.

A cloud-based version of ConnectKey offered by Xerox will serve as a printer finder for a business, allowing mobile employees to see a geographically organized list of all printers they're authorized to print to and then select one for a particular print job.


Xerox said that in June it will release App Studio, which will allow businesses to create custom ConnectKey apps that run on multifunction devices and that directly route information to ERP, CRM, and other types of enterprise applications. For example, the software could be used to create an expense app that allows employees to scan business receipts, then press a button to route the information to the corporate payment system for reimbursement.

But making printers -- and the documents they've scanned -- Internet-connected can be a recipe for security disaster, as demonstrated by the large number of unsecured, Internet-connected devices used by businesses that remain publicly accessible due to being misconfigured. Indeed, as further highlighted by recent reports of vulnerabilities in HP's implementation of the JetDirect standard, unless peripherals with embedded Web servers are appropriately locked down, enterprising hackers might remotely intercept documents or crash devices.

Accordingly, why might information security managers allow employees to access cloud-friendly document routers like the ones Xerox is now selling? "From a security point of view, what we're trying to do is get beyond that barrier with many IT administrators -- that it's unknown to me, and if it's unknown, it's bad," said Larry Kovnat, Xerox's senior manager of product security, speaking by phone. "You'll put something with all these capabilities in the enterprise, and IT will say, I don't know anything about this device, I'm going to put it on a VLAN and shut it off."

According to Xerox, ConnectKey was built from the start with security in mind, and the devices sport endpoint security software agents from McAfee, and also whitelist which applications are allowed to run. "The only software that should be running on these devices is software that we wrote; it's not a general-purpose device," said Kovnat. The devices also tie into McAfee's ePolicy Orchestrator, which according to Kovnat, means that "now we can present the device to the IT administrator as a manageable endpoint on the network."

ConnectKey devices can also be monitored using Cisco's TrustSec, which will allow IT managers who use Cisco's Identity Services Engine to watch the traffic going to and from the multifunction printers. "While we haven't embedded anything [from Cisco] in the device, we've worked closely with them to give them proprietary information about our devices, so now at the router or switch level, they can differentiate between a true device and someone who's trying to impersonate a printer," Kovnat explained.

Xerox's forthcoming App Studio can be used to create applications that run on the multifunction printers themselves, including the option of creating a "one-button process," said Rick Dastin, president of Xerox Office & Solutions Business, speaking by phone. "They can grab a document and store it [in the cloud], all in an automated way."

But before any new application can be installed on any printer, it must first be submitted to Xerox for review. If the application passes Xerox's security checks, it will then be digitally signed by Xerox, authorizing it to be installed and to run on designated multifunction printers. According to Kovnat, only something that has been properly signed and registered can execute on the device.

Kovnat also addressed the report of weaknesses in HP's implementation of the JetDirect protocol -- the de facto industry standard for handling network-delivered print jobs -- in some products. (HP has disputed some of the researcher's findings.) "The protocol itself isn't flawed -- it's just meant for printing, not security," said Kovnat of JetDirect. "So if you don't build the right controls into a device, you can get to the internals of a printer in ways that you're not meant to."

Kovnat said Xerox builds controls into its products to validate print files and job commands and ensure that they're not being used by someone to try and inappropriately access other print jobs or a disk or network shares. "The job coming in has to be a valid print job, and these print-control commands are filtered, so there's no access by the printing subsystem to any of the underlying subsystems, or computing resources," Kovnat said. "We test that extensively."
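The kind of print-control command filtering Kovnat describes can be sketched as an allow-list over the command lines of a raw print job. This is an added example, not Xerox's implementation; it assumes the control language is PJL (Printer Job Language, which the article does not name), and the allow-list and sample jobs are constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"   # Universal Exit Language: returns the parser to PJL mode
# Assumed policy: only job-setup verbs pass; status, filesystem and config verbs do not.
ALLOWED = {"JOB", "EOJ", "SET", "COMMENT", "ENTER"}

def pjl_commands(job: bytes):
    """Yield every PJL command line in the PJL-mode regions of a raw job."""
    for region in job.split(UEL):            # each UEL (and job start) begins PJL mode
        for raw in region.split(b"\n"):
            line = raw.strip()
            if not line:
                continue
            if not line.upper().startswith(b"@PJL"):
                break                        # not PJL: the rest of the region is page data
            yield line.decode("ascii", "replace")
            if re.match(rb"@PJL\s+ENTER\b", line, re.I):
                break                        # page data follows until the next UEL

def validate_job(job: bytes):
    """Return (accepted, rejected_lines) for a raw job under the allow-list."""
    rejected = []
    for line in pjl_commands(job):
        parts = line.split(None, 2)
        verb = parts[1].upper() if len(parts) > 1 else ""   # bare "@PJL" is a no-op
        if verb and verb not in ALLOWED:
            rejected.append(line)
    return not rejected, rejected

# Constructed sample: a normal job whose page data merely mentions a PJL verb.
GOOD_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=2\r\n'
            b"@PJL ENTER LANGUAGE=PCL\r\n"
            b"\x1bEpage text\n@PJL FSQUERY in page data\n\x1bE"
            + UEL + b"@PJL EOJ\r\n" + UEL)

# Constructed sample: a filesystem verb placed after the page data, in lower case.
BAD_JOB = (UEL + b"@PJL JOB\r\n@PJL ENTER LANGUAGE=PCL\r\n\x1bEpage\x1bE"
           + UEL + b'@PJL fsquery NAME="0:/constructed"\r\n' + UEL)

if __name__ == "__main__":
    for name, job in (("good", GOOD_JOB), ("bad", BAD_JOB)):
        print(name, validate_job(job))
```

The filter tracks the switch between PJL mode and page data, so text inside the page body is not misread as a command, while a command placed after the page data is still checked.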


Comments
kjhiggins,
User Rank: Strategist
2/14/2013 | 8:59:18 PM
re: Xerox Targets Cloud Document Security Worries
This has very interesting security implications, both bad and good. The good news is that it puts printers on the security radar screen for once.

Kelly Jackson Higgins, Senior Editor, Dark Reading