April 18, 2016 at 10:09

How is the secure printing system implemented on the device closest to the user (follow-me printing)


    Suppose you are a bank, an oil company, or just paranoid. You want to:
    • Cleaning ladies, enemies and reptilians did not pick up documents from printers.
    • The printer memory was cleared reliably after printing.
    • The target seal was missing.
    • Large jobs are automatically redirected to devices with a cheap fingerprint.
    • When sending a print job 50 times (as a panicking user often does), only one crawled out.
    • So that the texts are filtered by stop words, and the pictures are recognized and also not printed if they contain confidential data (not all solutions have it).
    • In rare cases - well, and so that in the documents on the fly the word "right" is replaced by "left" to mislead a potential enemy.

    It is expensive, but has long been used in financial institutions. There, the print looks like this: you send the job to the print server, it processes the file (if necessary, it sends it to the security guard for manual approval, but not all solutions also have this feature), and then it sends it to a specific printer only when you enter the pin and show your fingerprint directly on the device so that the document falls into your hands. Or don’t attach your smart card like a personal building pass.

    I will tell in more detail.

    Entertaining statistics


    According to various surveys and reports, about 20% of employees print less than 10 sheets in one business day. 11-50 sheets - 61% of employees, 51-100 sheets - 12% of employees, more than 100 sheets - 7% of employees. 70% of respondents use one side of the sheet, ≈50% of the survey participants are not worried about the number of pages printed (according to VTsIOM). 40% of printouts could be printed in duplex and b / w (data from Nuance Communications).

    How the secure printing system works


    Secure printing allows you to identify each user and give his printouts only to him. At the same time, it doesn’t matter where the task came from - you can send a document for printing from St. Petersburg, then come to a meeting in your office in Moscow, enter the code on the printer (or log in using the card or biometrically) and get it exactly where you arrived. Ideally (if the timeout is sufficient and security policies allow you to do this), it turns out something like this:



    Unlike regular printing, the following happens:
    • Modern printers with built-in management software or an MFP (or modules for your existing hardware) are purchased, which provide user identification.
    • All of them are networked together under the control of a print server, on which one of the secure printing systems is installed.
    • When you send a print job, it gets into the secure printing system. Then DLP checks the files (more on that later), and then waits for your authentication on one of the printers. As a rule, you must either enter a pin, or, in more serious cases, attach your RFID tag (pass to the building) or your finger to the biometric reader.
    • After that, the printing system removes all traces of the document from the printer’s memory (especially if HDD is used there, where document images may remain after an unexpected power outage).


    Where and why is it used


    Given the price of introducing identifiers on printers, as a rule, the main reason is security, sometimes excessive, turning into paranoia. The price bites: from 400 euros for an authentication kit for 1 device to 1000 euros, depending on the type of reader. Plus, we need controllers for old printers and MFPs (new ones for the most part have support right in the OS).

    The second reason for implementation, oddly enough, is cost savings. In a five-year perspective, it turns out cheaper. The fact is that instead of putting individual printers in each office, you can get by floor MFPs and display the entire stream on them, but knowing that each document is personally taken by an employee. For example, we have implemented it on some floors in this way, and the binding goes either to the task pin or to the RFID pass mark in the building.

    If the user decided not to come and enter a pin, it will not be printed.

    If the user panicked and sent 30 identical documents for printing, one will be displayed (well, or 30, if you specifically set it up).

    Generally, secure printing eliminates inappropriate printing. Given the total identification, each “left” printout has a name.

    The final effect is the loss of documents that users send to print and forget to pick up (usually up to 20% in the stream), the lack of re-printing of documents, a sharp decrease in the printing of personal documents, cheaper due to the application of the rules and conditions for redirecting tasks to more efficient devices, control color printing and forced conversion to b / w or double-sided printing for certain groups of users (types of documents, time, etc.), reporting.

    Big brother is watching you


    The joy of the information security department in total control:
    • There is an option to manually confirm each document (not all solutions).
    • There is a fully automatic leak monitoring mode.
    • Individual solutions have a confirmation mode only for documents that raise questions from the robot.
    • The user identifies himself before printing.
    • There is information who, what, where, when printed.


    Typically, the operations are as follows:
    • On “cool” integrations, at the very beginning, a list of stop words is compiled (or a list of filters is imported from the leak prevention system - all these are DLP functions). Everything that should not be printed at the office will not be displayed at the print server level, but a notification will be generated for the information security. Some systems can also be trained by specifying documents for which control is needed - there are either the simplest neural networks according to words, or not very complex heuristics.
    • Each document is scanned for compliance with filters, and the information is collected not only from the text part: everything that can be converted to text is converted. In particular, images are recognized, since ABBYY has a very fast OCR-module, which with its quality raises a number of questions about where else Big Brother uses it already outside the corporate market.
    • With a suspicious document or a configured control rule (for groups of employees, for the length of the document, etc.), manual control is performed. The principle of escalation depends on the specific software used for the server, there are usually a lot of settings.
    • Automatic transformations can be performed with a document: for example, all surnames are deleted, drawing resolution is reduced to 12 dpi, random numbers are displayed instead of financial indicators, etc. Replacing “right” with “left” and “north” with “south” is not a joke , we had similar situations in practice. These solutions are very rare and usually very specialized.
    • Printing policies are applied: for example, forced black-and-white translation for this user who does not have rights to color printing. The most common policy is sending documents of more than 100 pages to a printer with the lowest cost of the print in the office and sending notifications to the user about it by mail.
    • And, finally, only after that the document queues to wait for the user to come to the printer and two-factor authentication. Out of the box, AD Username / Password, PIN codes, contactless cards are supported: HID (I, II), EM-Marine, Mifare, iClass, Hitag, Cotag, Legic, Indala, ISO, Deister, Paxton, conventional magnetic cards, barcodes codes and biometric scanners (fingerprints).


    Implementation Experience


    One large oil company was developing a secure printing system for remote offices. The main office is in a rented business center. The building is large, several floors, the system was built centrally at once to all offices. Integration is such that no matter where you send it, you can get it in another city within 24 hours.

    MFPs and printers were located in printer rooms protected by access control systems, but for greater security access controllers for MFPs with contactless card authentication were also used.

    Since the last link in the printout leak was a garbage can, shredders were installed instead, capable of grinding paper clips, chewing gum, and even not very large parts of the human body. But not the teeth. Something else had to be invented with teeth.

    A mobile printing policy was set up - when an employee was printing from a tablet or phone, there was a floor on the Wi-Fi router, and already there the task was queued for the nearest printer.

    “Own” devices, including mobile, were distinguished by certificates for Wi-Fi (802.1x).

    The park was upgraded from three different sets of equipment, purchased in layers with a difference of several years, and from different vendors. The freshest layer supported authentication technologies at the OS level of printing devices and MFPs, the rest required special controllers.

    Information security brought the idea of ​​safe printing, but it seems that financiers were most happy - they were able to tie all printing costs to specific units. Then they set up detailed reports on printed and copied tasks and set limits for various user groups: they forbade color printing of some units, limited a number of users to print documents for more than 20 pages and only on business hours. For one of the departments we set up forced conversion to b / w and forced two-sided printing.

    Sysadmins also began to smile when they realized that now the failure of the printer simply meant a user trip to another without special incidents. And hysteria with an urgent replacement was gone.

    Limitations (by the example of FollowMe)


    Out of the box it works with the OS:
    • Windows (starting with Win95).
    • Apple Macintosh
    • AS / 400 iSeries.
    • LINUX / UNIX.
    • Other OSs with LPR protocol support.

    There is integration with the Windows Active Directory, Novell eDirectory, OpenLDAP.

    For solutions, for example, the Nuance vendor needs a server with the following parameters: Windows 2003 Server SP2 (32/64 bit), Windows 2008 Server Service Pack 1 (32/64 bit), or Windows Server 2008 R2 server (32/64 bit). An analog of Intel Xeon 64 in terms of performance, at least 1 GB of free RAM (a minimum of 4 GB is recommended), 5 GB on the HDD for buffering work printing and data processing (10 GB is recommended). If users work with OpenOffice and MS Office, they will need more installations on the server (in the case of MS, this means another license).

    For printing, you can send the file either in the usual way or via e-mail, or give the URL through the corporate portal to the page that you want to print (this is often used for mobile printing).

    References


    • List of vendors:
      Ringdale - one of the leaders in printing technologies, a comprehensive FollowMe solution allows companies to reduce printing costs, increase printing efficiency and security ( Ringdale FollowMe Printing );
      Nuance - a multinational corporation, a manufacturer of software in the field of communications, speech and image recognition, printing, solutions: SafeCom and Equitrac ;
      YSoft is a European company specializing in managing access to printed documents using ID cards and readers, SafeQ .
      HP- a leading global manufacturer of equipment and software, in particular printing equipment and printing systems, HP Access Control and HP Imaging and Printing Security Center solutions ,
      ThinPrint is a good solution on the market for print optimization, tight integration with solutions of leading world manufacturers of terminal access technologies and virtualization; implementation of secure printing; Personal Printing ;
      MyQ is a European company specializing in print management and secure printing using OCR access control and character recognition technologies, solutions ;
      Artie- A Russian company, whose solutions include ASUPiM, - an automated print management and monitoring system, as well as providing secure printing with OCR character recognition technologies, solutions: ASUPiM and PrintSafe .
      Ubiquitech - Develops a range of products for intelligent print management. For example, Ubiquitech EASY / VDMS Server is a ready-made server solution for printing management in SMB, HSPM / PSPM is a server solution for printing management in large companies, Public Print solution is a solution for organizing paid printing services in libraries, airports, hotels, etc. .
    • My mail is OScherbakov@croc.ru.
    Tags:

    Also popular now: