Cloud print management requires true cyber-security
Concerns with moving to the cloud for print management (© Quocirca 2023)
2023-2024: Security is the top barrier to cloud print management adoption
Despite the benefits of improved IT efficiency, flexibility and scalability, the cloud raises a range of security concerns, including potential data breaches due to cloud vulnerabilities and weak identity, credential and access controls. Overall, 36% of organisations using managed print services (MPS) are concerned about device and document security in the cloud, rising to 40% in the US and 44% in Germany. Retail is the most concerned sector at 44%, compared with just 29% in professional services. A lack of demonstrable cost savings comes second (29%), level with the impact on performance (29%).
Source: The Cloud Print Services Market Landscape, 2023, © Quocirca 2023
Average total cost of a breach
The average cost of a data breach reached an all-time high of USD 4.45 million in 2023. This is a 2.3% increase from the 2022 figure of USD 4.35 million and, taking the long view, a 15.3% increase from USD 3.86 million in the 2020 report.
Source: Cost of a Data Breach Report 2023, benchmark research conducted by the Ponemon Institute and sponsored by IBM Security
How Celiveo 365 addresses these concerns

| Concern | How Celiveo 365 addresses it |
|---|---|
| Protecting company data (device security) | Zero-Trust-Access security: a unique ECC P-256 certificate chain is loaded into smart MFPs/printers and into every endpoint (cloud and local), so access does not rely on credentials. User and admin authentication is performed with Microsoft OpenID Connect and OAuth 2.0. |
| Protecting company data (document security) | Each Celiveo 365 customer gets a dedicated SQL Server PaaS database: no sharing, no cross-tenant risk. Document data is encrypted twice, at rest and in motion. ECC P-256 certificates with mutual authentication/validation are used, so the protection does not depend on TLS 1.2/1.3 session key generation alone. |
| Performance (impact on printing if connectivity is lost) | Access control on smart MFPs still works for walk-up functions (copy, fax, e-mail) thanks to the embedded Celiveo agent. High availability for print is under development. |
| Migration of workloads to/from the cloud | Celiveo 365 compresses all communication to/from the cloud, and on smart printers/MFPs authentication stays local. |
| Consistent printing across a multi-vendor fleet (driver issues or limitations of cloud print drivers) | Celiveo 365 interfaces directly with Microsoft Universal Print driverless printing in Azure. |
| Functionality (on-prem print management may offer more than the cloud version) | Celiveo 365 shares the same advanced feature list as Celiveo 8, its intranet and private-cloud version, including rules and reporting. |
| Regulatory compliance | Celiveo 365 is audited daily by Microsoft for compliance with the 12 most stringent security standards, including SOC 2, ISO 27001, HIPAA/HITRUST, UKO, AU/NZ ISM, NIST SP 800-53 Rev. 5 and FedRAMP H. |
| Data governance/sovereignty | Celiveo 365 is available in 5 regional Azure datacenters: USA, EU (France), Switzerland, Singapore and Australia. |
| Constraints over future change of hardware (activating new devices quickly) | Celiveo 365 handles network printers from all brands through its enterprise-class web portal; adding a printer takes a few seconds. |
| Vendor lock-in (being tied to a provider) | Celiveo 365 is printer-brand agnostic: you keep your freedom of choice and can aggregate printers from different vendors under one print management solution. |
| Interoperability with on-premises infrastructure | Celiveo 365 supports Windows 10, Windows 11, Windows 365, Windows Server 2016 and newer, macOS, Azure Virtual Desktop and Chromebook Enterprise clients, all with Zero-Trust-Access security. |
Important Information Is Often Printed
- Unattended documents are taken from printers' output trays
- Print job names are visible to everyone using a shared print queue
- With one setting, IT can make a Windows print server keep a copy of every print job
- Documents stuck in a queue are all released as soon as a failing printer is repaired, whether or not their owners are still there
- IT can see, archive, intercept, view and reprint any user's print jobs
- An unlocked MFP lets unauthorized people send data out (scan to e-mail, fax)
Celiveo 365 Secures Documents, Printers and MFPs
- Access control for MFPs and printers¹
- No more unattended printing
- End-to-end encryption, plus an advanced stealth mode to comply with privacy regulation
- Strong user authentication
- User identification by smartphone, PIN code, ID code, badge¹, PKI smartcard¹ or YubiKey¹
- Power BI advanced audit and reporting, with usage data stored in your own tenant
¹ Advanced feature on printers supporting the Celiveo 365 agent
Printing is totally unprotected by default
More and more leaks come from insiders who have access to corporate IT because maintaining it is their job. Few people realise how easy it is to read the CEO's or CFO's print jobs: one only needs to be a server administrator or to use free tools. IT contractors and print solution suppliers likewise have access to a wealth of information while maintaining the system, and nobody will notice someone capturing and reading documents from their desk, possibly on another continent. Such events fall squarely under the GDPR, which protects the personal data contained in print jobs.
Is such data interception complex? Not at all, without a proper cyber-secure solution like Celiveo!
The easy way: make Windows Server keep copies of print jobs
A Windows print server can be told in seconds to keep the spool file of every job on a queue ("Keep printed documents" in the queue's advanced properties, or Set-Printer -KeepPrintedJobs $true in PowerShell); a script can then pick out one user's jobs, and free viewers display the resulting SPL/PCL/PostScript files on the remote administrator's PC.
Sniffing and intercepting documents on the network
Just search for "Printer Hacking Wireshark" and you will find complete step-by-step cookbooks on how to capture every print job going to a specific printer. Raw port 9100, LPR (port 515) and plain IPP are unencrypted, so Wireshark's "Follow TCP Stream" reassembles the job exactly as sent, and any free PCL or PostScript viewer then displays the document.
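To make the previous point concrete, here is an added example (written for this page, not Celiveo's or any printer vendor's code) that parses the bytes a reassembled port-9100 TCP stream contains and lists what is readable without any key. The sample job is constructed for the demo; the PJL commands (JOB NAME, SET USERNAME, ENTER LANGUAGE) and PostScript DSC comments (%%Title, %%For) it uses are the standard ones printer drivers emit.

```python
"""What a cleartext raw-9100 print stream gives away.

Added example (not Celiveo's or any vendor's code): parses the bytes that
Wireshark's "Follow TCP Stream" would hand you for one job sent to a printer
on port 9100. The sample job below is constructed for the demo; the PJL
commands and PostScript DSC comments it uses are the standard ones drivers emit.
"""
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language: brackets every PJL job

# Constructed sample job: PJL header, then a PostScript body, then PJL EOJ.
SAMPLE_STREAM = (
    UEL
    + b'@PJL JOB NAME="Q3 board pack - CONFIDENTIAL.docx"\r\n'
    + b'@PJL SET USERNAME="cfo.jane"\r\n'
    + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    + b"%!PS-Adobe-3.0\n"
    + b"%%Title: Q3 board pack - CONFIDENTIAL.docx\n"
    + b"%%For: cfo.jane\n"
    + b"%%Creator: Microsoft Word\n"
    + b"%%EndComments\n"
    + b"/Helvetica findfont 12 scalefont setfont\n"
    + b"72 700 moveto (Proposed headcount reduction: 12%) show\n"
    + b"showpage\n"
    + UEL + b"@PJL EOJ\r\n" + UEL
)

# Job-level metadata sent in PJL, before any page data.
PJL_FIELDS = {
    "job_name": rb'@PJL\s+(?:JOB\s+NAME|SET\s+JOBNAME)\s*=\s*"([^"\r\n]*)"',
    "user": rb'@PJL\s+SET\s+USERNAME\s*=\s*"([^"\r\n]*)"',
    "language": rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*([A-Z0-9]+)",
}
# PostScript Document Structuring Convention comments repeat the same data.
DSC_FIELDS = {
    "ps_title": rb"^%%Title:\s*(.*?)\s*$",
    "ps_for": rb"^%%For:\s*(.*?)\s*$",
}


def extract_job_metadata(stream: bytes) -> dict:
    """Return every identifying field visible in cleartext, the page language,
    and the literal strings the PostScript body would render."""
    meta = {}
    for key, pattern in PJL_FIELDS.items():
        m = re.search(pattern, stream, re.IGNORECASE)
        if m:
            meta[key] = m.group(1).decode("latin-1")
    for key, pattern in DSC_FIELDS.items():
        m = re.search(pattern, stream, re.MULTILINE)
        if m:
            meta[key] = m.group(1).decode("latin-1")
    # Body language: a free viewer renders either one as-is.
    meta["body_is_postscript"] = b"%!PS" in stream
    meta["body_is_pcl"] = b"\x1bE" in stream  # PCL printer reset (ESC E)
    # Text that PostScript 'show' operators would paint on the page.
    meta["visible_strings"] = [
        s.decode("latin-1") for s in re.findall(rb"\(([^()]*)\)\s*show\b", stream)
    ]
    return meta


if __name__ == "__main__":
    for field, value in extract_job_metadata(SAMPLE_STREAM).items():
        print(f"{field:>18}: {value}")
```

Feed it a stream saved from Wireshark ("Follow TCP Stream", raw, save as) and the same fields come out; the user name and document title travel twice, once in PJL and once in the PostScript header, before a single page is rendered. Only an encrypted transport (IPPS, or the cloud path described on this page) takes them off the wire.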
Viewing SQL Server data (and modifying it)
SQL Server Data Tools (SSDT) is a free download from Microsoft. The company that installs or maintains the print solution knows the database credentials, and with them it is possible to change PIN codes and badge numbers, read the list of job names, copy the print job file depot, and so on.
Printers should be on a VLAN
Technicians servicing printers have access to everything a hacker needs:
- a LAN socket on the corporate network
- a power socket
- plenty of time, since nobody finds it strange to see them with a laptop next to an opened printer
DirectDefense conducted an interesting pentest in which their tester posed as a printer repair person and did obtain core IT access; the engagement is written up on their site.
IP phones are on a VLAN, why not printers?
Printers are often not on a VLAN simply because local PCs and Macs need to address them directly in order to print.
With Celiveo 365, printers and MFPs can be moved to their own VLAN, fully isolated from the PCs and the rest of the IT system. Celiveo 365 acts as a sanitising layer: printers, MFPs and the Celiveo IoT service (for passive printers) contact it outbound to retrieve the print flow, so nothing on the corporate LAN needs to reach the printer VLAN.
Make printers and MFPs harmless
Once printers and MFPs are on their own VLAN, giving physical access to a rogue service technician no longer creates a risk:
- the printer's LAN socket only provides public Internet access, which gives a hacker no more than a public hotspot would (restricting that VLAN's egress to the cloud print endpoints rather than the whole Internet narrows it further)
- the Celiveo 365 certificate chain inside the printer is not exportable; it sits in the device's certificate vault
- even if the Celiveo 365 certificate were exported (for example because of a printer firmware defect), it cannot be used without additional user information such as a valid salted SHA-256 of a PIN or card number, and repeated authentication failures trigger the Celiveo 365 lockout. Note that a short numeric PIN has a small search space whatever hash is applied to it, so the lockout, not the hash, is what bounds guessing.
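As an added illustration of the last point (example code written for this page, not Celiveo's implementation), the following models a salted SHA-256 user secret and a failure lockout. The salt, the PIN, the card-number alphabet and the lockout threshold are all constructed for the demo. It shows two things: the salt defeats precomputed tables but cannot enlarge a 4-digit PIN space, which is enumerated in at most ten thousand hashes if the stored digest ever leaks (the database-access scenario above), while a 10-hex-digit card UID has about 10^12 candidates; and the online lockout is the control that bounds guessing when the attacker holds nothing but the ability to submit attempts.

```python
"""Why the lockout, not the hash, protects a short PIN.

Added example (not Celiveo's code): models the page's "salted SHA-256 of a
PIN or card number" plus a failure lockout. Salt, PIN and thresholds are
constructed for the demo.
"""
import hashlib
import hmac
import itertools

DEMO_SALT = bytes.fromhex("1f3a5c7e9b0d2f4a6c8e0b1d3f5a7c9e")  # constructed per-user salt


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted SHA-256, the form of stored user secret the page describes."""
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def search_space(alphabet: str, length: int) -> int:
    """Number of candidates an offline attacker must try at most."""
    return len(alphabet) ** length


def offline_search(digest: bytes, salt: bytes, alphabet: str, length: int):
    """Enumerate every candidate against a leaked digest. The salt only stops
    precomputed tables; it does not make a 10**4 space any bigger.
    Returns (secret, attempts) or (None, attempts)."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(chars)
        if hmac.compare_digest(hash_secret(candidate, salt), digest):
            return candidate, attempts
    return None, attempts


class LockoutVerifier:
    """Online check with a failure counter: the control that actually limits
    guessing of a short PIN, because it bounds attempts instead of entropy."""

    def __init__(self, digest: bytes, salt: bytes, max_failures: int = 5):
        self.digest = digest
        self.salt = salt
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, secret: str) -> str:
        """Return 'ok', 'denied' or 'locked'; once locked, even the right PIN
        is refused until an administrator resets the account."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(hash_secret(secret, self.salt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    pin_digest = hash_secret("4821", DEMO_SALT)
    print("4-digit PIN space:", search_space("0123456789", 4))
    print("10-hex-digit card UID space:", search_space("0123456789abcdef", 10))
    print("offline search of leaked digest:", offline_search(pin_digest, DEMO_SALT, "0123456789", 4))
    gate = LockoutVerifier(pin_digest, DEMO_SALT, max_failures=3)
    print([gate.verify(p) for p in ("0000", "1111", "2222", "4821")])
```

The design point: the stored digest must be treated as sensitive even though it is hashed, the lockout counter must live server-side where a stolen device certificate cannot reset it, and a long card identifier is a stronger second factor than a PIN for the same hashing scheme.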
Secure Print & Scan
With Celiveo 365, computers do not talk directly to printers, so there is no need to open any hole in the network segmentation to let local PCs print.
Celiveo 365 Scan to Cloud from MFPs¹ is secure because it is peer-to-peer with Microsoft SharePoint and OneDrive, with no server or service in between.
Celiveo 365 traffic and activity are monitored 24×7 by a cloud security posture management (CSPM) tool and a cloud workload protection platform (CWPP). Endpoints are protected by certificate chains: because the TLS handshake is mutual, a peer that cannot present a certificate from the chain can neither impersonate an endpoint nor insert itself as a man-in-the-middle.
Celiveo 365 is about security, cost reduction and cloud
- Azure datacenters in 5 regions, Zero-Trust-Access architecture with certificate chains, automatic protection of printers and a dedicated SQL Server PaaS database
- Security backed by Entra ID (Azure AD) group policies, with sub-delegation of administration over reduced fleet scopes
- GDPR stealth mode for print job metadata: hashed and encrypted so that print jobs cannot be linked to end users in the (improbable) event of data loss
- Tenant-specific ECC certificate chains ensure your print jobs and API calls are never encrypted under the same keys as any other company's
- Documents are fully encrypted with ECC public-key cryptography plus AES, in motion and at rest
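The stealth-mode item above describes a technique worth seeing in code: keyed pseudonymisation of job metadata. The following is an added example written for this page, not Celiveo's implementation; the tenant key, the job records and their field names are constructed for the demo. It shows why the hash has to be keyed (an unkeyed SHA-256 of a user id can be reversed by anyone with a staff directory), that per-user reporting still works on the pseudonymised records, and that only the key holder can re-link a token to a person, for instance to answer a subject access request.

```python
"""Keyed pseudonymisation of print job metadata.

Added example, not Celiveo's implementation: shows the technique behind a
"stealth mode" in which job records are hashed so they cannot be linked to
a user without the tenant's key. The tenant key, job records and field names
are constructed for the demo.
"""
import hashlib
import hmac

# Constructed demo key; in practice this lives in the tenant's own key vault.
TENANT_KEY = bytes.fromhex(
    "9d1c3b5a7f8e6d4c2b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c"
)

# Constructed sample of what a spooler or accounting system knows about a job.
SAMPLE_JOBS = [
    {"job_id": 1041, "user": "cfo.jane@example.com", "title": "Q3 board pack.docx",
     "pages": 42, "printer": "MFP-FIN-02"},
    {"job_id": 1042, "user": "CFO.Jane@example.com", "title": "Headcount.xlsx",
     "pages": 3, "printer": "MFP-FIN-02"},
    {"job_id": 1043, "user": "intern.bob@example.com", "title": "CV.pdf",
     "pages": 2, "printer": "MFP-HR-01"},
]


def pseudonym(user: str, tenant_key: bytes) -> str:
    """HMAC-SHA256 of the normalised user id under the tenant key.

    Stable within one tenant, so usage can still be totalled per user. An
    unkeyed hash would let anyone holding a staff directory regenerate every
    token; the key is what makes re-linking impossible without the tenant."""
    normalised = user.strip().lower().encode("utf-8")
    return hmac.new(tenant_key, normalised, hashlib.sha256).hexdigest()


def stealth_record(job: dict, tenant_key: bytes) -> dict:
    """Drop the direct identifiers (user, title); keep only accounting fields."""
    return {
        "job_id": job["job_id"],
        "user_token": pseudonym(job["user"], tenant_key),
        "pages": job["pages"],
        "printer": job["printer"],
    }


def pages_per_token(records) -> dict:
    """Reporting still works on the pseudonymised records."""
    totals = {}
    for rec in records:
        totals[rec["user_token"]] = totals.get(rec["user_token"], 0) + rec["pages"]
    return totals


def relink(token: str, directory, tenant_key: bytes):
    """Only the key holder can map a token back to a person (e.g. for a GDPR
    subject access request). Returns None when no directory entry matches."""
    for user in directory:
        if hmac.compare_digest(pseudonym(user, tenant_key), token):
            return user
    return None


if __name__ == "__main__":
    records = [stealth_record(job, TENANT_KEY) for job in SAMPLE_JOBS]
    for rec in records:
        print(rec)
    print(pages_per_token(records))
    print(relink(records[0]["user_token"], [j["user"] for j in SAMPLE_JOBS], TENANT_KEY))
```

If the pseudonymised records leak without the tenant key, the tokens reveal nothing about who printed what; the job title, which is itself personal data, is dropped rather than hashed because a short title is guessable in the same way a short PIN is.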