Federal Civilian Agencies’ Next Security Vulnerability

by Tara Condon 24. August 2015 09:19

By Tara Condon & Henry Gold

Recent data breaches at the Internal Revenue Service (IRS) and the Office of Personnel Management re-focused the technology community on security challenges facing U.S. government and federal civilian agencies. Many of these groups provide critical services that impact the everyday lives of Americans, including the Social Security Administration, Food Safety and Inspection Service, and the U.S. Postal Service. As such, a security incident’s impact would be pervasive.

One of the reasons why the security landscape is cumbersome to manage is the increasing number of network-connected devices. Today’s peripherals are now smart devices. All of these access points offer new avenues to access sensitive information. Specifically, printers and copiers offer a new point of vulnerability.

Security Risks of MFDs: 

Standalone printers and, later, combination printer/copiers, were largely output devices. A command was entered; the function was executed. The main security risk - leaving sensitive items on the printer tray – was mitigated by physical security. Many users were issued individual printers that were kept in locked offices. 

Document scanning changed the game. Multi-Function Devices (MFDs) were born.  What was once a peripheral was now an intelligent system with document memory and consistent access to the network. Also, with this additional functionality came a (justifiably) higher price tag. This meant that printer / copier / scanners became shared resources, typically kept in public areas, where personnel and visitors have unfettered access. 

Enabling PIV Card Authentication:

In recognition of the vulnerability of these access points, government regulations now require PIV card authentication (sometimes referred to as CAC – Common Access Card – access) on all network connected devices. Today, federal civilian agencies are struggling with how to meet this requirement. 

A number of major printer manufacturers now offer built-in PIV authentication on new devices. There is also a printer agnostic solution offered by API Technologies, called the Netgard®, that may be used on both new and existing MFDs and printers, including wide format printers.

Photo of Netgard® MFD courtesy of API Technologies

 

Regardless of which solution you choose for PIV authentication, here are two key features you should be aware of that enable you to comply with government security best practices:

  • Scan to Home: What this means is that the person doing the scanning may only place the document in a designated folder on the network. The person may then retrieve that document from the designated network location and use it for his/her intended purpose.  This feature ensures no confidential or sensitive materials can be sent in an uncontrolled fashion – for example: sending a scanned document to a personal email address via the printer.

  • Secure Print Release: MFDs are often stationed in easily accessible parts of the office. This means that sensitive printed material may sit out in the open for some time before an employee has the opportunity to retrieve it. When the Secure Print Release feature is enabled, the employee would walk to the printer and scan her PIV card. Then documents would be printed (“released”) when she is standing there to retrieve them. This security measure also has the added benefit of saving paper and toner, which saves operating cost. 

Protecting the information assets of federal civilian agencies is of vital importance. Securing access to network entry points is key to thwarting security threats. When reviewing their security best practices, federal civilian agencies are encouraged to remember that peripherals – such as MFDs – present vulnerability. PIV and/or CAC card enablement is necessary to secure these network entry points. The good news is that there are a number of government compliant, commercially available solutions to meet the need. 

 

About the Authors:

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Henry Gold is a security expert and frequent panelist on security-related issues. He is General Manager of SSIA North America for API Technologies Corp.

Tags: , ,

Secure Systems & Information Assurance

Month List

Tag cloud