Compliance
Since the inception of Sarbanes-Oxley, and even earlier as driven by HIPAA, protection of information assets has come to the forefront of IT concerns. The nightmare scenario is having key intellectual property leave the organization without detection until it is too late. Maybe it’s a key manufacturing process, or an integrated circuit design, or a proprietary search algorithm, or even a soft drink’s secret formula.
IT is increasingly taking the lead in making sure that the necessary controls are in place to protect both personally identifiable information and core intellectual property assets. The emphasis has been on the desktop and network boundary, and increasingly, as workers become more mobile, on portable devices and the virtually unlimited storage capacity in them.
However, only recently have the most proactive organizations begun to consider office equipment in their overall compliance plan. Am I talking about the copier, you ask? Well, the truth is that what looks like just the innocuous office copier is today a sophisticated device with a powerful computer embedded in it. From the network point of view, the “copier”, or as we prefer to call it, the multifunction printer, is just another network node. MFPs copy of course, but they also print, fax, scan and email. The devices exist to increase productivity and reduce cost. However, they need to be managed and controlled in a way commensurate with their power and sophistication.
Putting one of these devices on your network does not immediately open you up to attack. But as with any information technology, there need to be defined policies for deployment and usage. Who is allowed to use the device, under what circumstances, and how can that usage be monitored to enforce compliance? This means that devices need to have robust access controls, including strong authentication and authorization mechanisms, preferably integrated with the network domain. It means devices should have the ability to control usage so that only properly authorized individuals can use the advanced features. And there have to be tracking mechanisms in place, like an internal audit log, so that there is a reliable record of who did what and when. Just imagine the damage if someone were to send an inappropriate email from one of these devices, without having been required to log in and authenticate, or without the ability in the device to track who was sending the email and to whom.
One thing customers should be factoring into their purchasing decisions is whether the machine is Common Criteria, or ISO15408, certified. The Common Criteria is an international standard for evaluating information technology products. The value of the standard is that it is internationally recognized and therefore provides a basis for comparing the security robustness of various products. Most MFP manufacturers have obtained a certification for components of their MFD system. Xerox is the only manufacturer to obtain certification for the entire device.
One of the unique things about MFPs is the inclusion of page description language interpreters that allow them to print documents. Of particular concern is PostScript, which can be manipulated to access proprietary areas of the internal disk outside of the intended operation, and then to either reprint that information when commanded by the attacker, or even send it back to the attacker over the network. It’s very important that the internal design of the MFP has the proper controls on PostScript so that it performs its intended function without the possibility of compromise. Many vendors usually ignore PostScript when they submit their devices for certification. They also tend to ignore the internal web server, which is another very popular avenue for attack. And finally, they ignore the fax interface and whether that presents any ability to dial into the devices and gain access to the network. The situation is exactly analogous to checking that the front door of your home is locked while ignoring all the other doors and windows. It doesn’t matter how many deadbolts you’ve got on the front door if the back door is wide open.
Finally, customers should be looking at the vendor as a whole. The vendor should have the necessary global coverage to support large multinational entities, and the quality of design that provides confidence that security controls are being implemented in products across the board. Then the customer can have confidence not only that the behavior of the devices is standardized across the fleet, but also that the vendor has the necessary support infrastructure to assist the customer in the protection and control of their important company information.
Larry Kovnat
Product Security Manager
Xerox Office Group
http://www.xerox.com/security
For more information: IT Security Webcast


