Xerox Targets Cloud Document Security Worries

  /     /     /  
Publicated : 22/11/2024   Category : security


Xerox Targets Cloud Document Security Worries


Xerox, working with Cisco and McAfee, launches printers and apps designed to securely route documents to Dropbox, Google Apps and other cloud services.



Multifunction printers today can scan, fax, email and even photocopy. So why not extend those capabilities and allow people to print documents to the cloud?
Thats the pitch being made by Xerox, which Wednesday announced the release of a set of applications dubbed ConnectKey along with 16 different multifunction printers that build in the software.
Using ConnectKey software -- either on a multifunction device or standalone on an endpoint -- users can route their documents to DropBox, Evernote, Google Drive, PaperPort Anywhere, Salesforce.com and SharePoint Online, as well as connect directly to SharePoint folders. The software can also be used to print from mobile devices -- dedicated apps are available for iOS and Android devices -- as well as transform documents on the fly; for example, to convert a SharePoint-stored PowerPoint to a PDF for easier viewing on an iPad.
A cloud-based version of ConnectKey offered by Xerox will serve as a printer finder for a business, allowing mobile employees to see a geographically organized list of all printers theyre authorized to print to and then select one for a particular print job.
[ Have you patched your Flash browser plug-in? Read more at
Adobe Issues Emergency Patch For Flash Player
. ]
In June, Xerox said it will release App Studio, which will allow businesses to create custom ConnectKey apps that run on multifunction devices and that directly route information to ERP, CRM, and other types of enterprise applications. For example, the software could be used to create an expense app that allows employees to scan business receipts, then press a button to route the information to the corporate payment system for reimbursement.
But making printers -- and the documents theyve scanned -- Internet-connected can be a recipe for security disaster, as demonstrated by the large number of unsecured, Internet-connected devices used by businesses that
remain publicly accessible
due to being misconfigured. Indeed, as further highlighted by recent reports of
vulnerabilities in HPs implementation of the JetDirect standard
, unless peripherals with embedded Web servers are appropriately locked down, enterprising hackers might remotely intercept documents or crash devices.
Accordingly, why might information security managers allow employees to access cloud-friendly document routers like the ones Xerox is now selling? From a security point of view, what were trying to do is get beyond that barrier with many IT administrators -- that its unknown to me, and if its unknown, its bad, said Larry Kovnat, Xeroxs senior manager of product security, speaking by phone. Youll put something with all these capabilities in the enterprise, and IT will say, I dont know anything about this device, Im going to put it on a VLAN and shut it off.
According to Xerox, ConnectKey was built from the start with security in mind, and the devices sport endpoint security software agents from McAfee, and also
whitelist
which applications are allowed to run. The only software that should be running on these devices is software that we wrote; its not a general-purpose device, said Kovnat. The devices also tie into McAfees
ePolicy Orchestrator
, which according to Kovnat, means that now we can present the device to the IT administrator as a manageable endpoint on the network.
ConnectKey devices can also be monitored using Ciscos TrustSec, which will allow IT managers who use
Ciscos Identity Services Engine
to watch the traffic going to and from the multifunction printers. While we havent embedded anything [from Cisco] in the device, weve worked closely with them to give them proprietary information about our devices, so now at the router or switch level, they can differentiate between a true device and someone whos trying to impersonate a printer, Kovnat explained.
Xeroxs forthcoming App Studio can be used to create applications that run on the multifunction printers themselves, including the option of creating a one-button process, said Rick Dastin, president of Xerox Office & Solutions Business, speaking by phone. They can grab a document and store it [in the cloud], all in an automated way.
But before any new application can be installed on any printer, it must first be submitted to Xerox for review. If the application passes Xeroxs security checks, it will then be digitally signed by Xerox, authorizing it to be installed and to run on designated multifunction printers. According to Kovnat, only something that has been properly signed and registered can execute on the device.
Kovnat also addressed the report of weaknesses in HPs implementation of the JetDirect protocol -- the de facto industry standard for handling network-delivered print jobs -- in some products. (HP has
disputed
some of the researchers findings.) The protocol itself isnt flawed -- its just meant for printing, not security, said Kovnat of JetDirect. So if you dont build the right controls into a device, you can get to the internals of a printer in ways that youre not meant to.
Kovnat said Xerox builds controls into its products to validate print files and job commands and ensure that theyre not being used by someone to try and inappropriately access other print jobs or a disk or network shares. The job coming in has to be a valid print job, and these print-control commands are filtered, so theres no access by the printing subsystem to any of the underlying subsystems, or computing resources, Kovnat said. We test that extensively.
Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the
A Guide To Network Vulnerability Management
report, we examine the products and practices that will get you there. (Free registration required.)

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Xerox Targets Cloud Document Security Worries