Let's talk a little more about printing security?

by Fabrício Treviso Marketing Coordinator Latin America, ACDI


Regardless of which product you choose to account for or control your printing (naturally, we recommend PaperCut NG or PaperCut MF), there are some considerations and recommendations we would make here as well.

Sensitive information should be secure while being transmitted between the application components. Check for protocols such as HTTPS being supported when accessing administration interfaces and between embedded applications and servers.

Stored data is also an important consideration. Are you free to use and secure a database of your choice and manage backups to your organization’s standards?

PaperCut MF is developed from the ground up with security in mind. With a strong heritage in the education market, the software has been battle-tested and security-hardened over years of student attacks at schools and universities around the world.

Security DNA

PaperCut retains a strong security culture, with both proactive and reactive security practices built into our company’s processes. We regularly review third-party components for security vulnerabilities. All incoming security reports are immediately reviewed by our PaperCut Security team. Any mitigating or defensive workarounds are put in place, and fixes are implemented and published, typically within days.

We respectfully recommend you look for strong security credentials with any print software you introduce into your workflow. Specific security hardening measures used by PaperCut NG/MF and other security-minded solutions include:

  • Process isolation — print management software should run in isolated processes away from the operating system kernel. Processes should run under the minimum necessary user privileges. For example, it should not be necessary to run long-running tasks under the root or administrator user.
  • Secured APIs — public APIs should have multiple layers of security. PaperCut uses authentication tokens coupled with IP address filtering to ensure that API calls are properly authenticated and are from a trusted source.
  • Code signing — your installers and code should be code-signed by the vendor to give assurances that you are running unmodified code that is authored directly by the vendor.
  • Sandboxing — when there’s even a small risk that aspects of the solution could become compromised, we work to engineer the solution to anticipate the threat and contain any damage. Sandboxing is one method where VMs, or process-level isolation techniques, are used to add layers into the system so that a compromise in one area/component does not open up a whole system.
  • Secure web pages — web pages should have built-in protections against SQL injection, cross-site request forgery and cross-site scripting attacks.
  • Directory Services — (such as Google, AD, LDAP, etc.) should be leveraged to authenticate users in preference to storing passwords in the print management system. If users are defined outside a directory service (e.g. guest printing accounts), the password should be securely encrypted. PaperCut NG/MF uses Bcrypt for this purpose.
  • Fail-Closed Design — an important security principle is to shut down access, such as the network connection from an MFD to the authentication server, whenever a failure occurs. With a “fail-open design”, a simple action like removing a network cable could render a device open to attack. PaperCut NG/MF uses a “fail-closed design” as a core design principle in all print security areas.
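
To make the "Secured APIs" and "Fail-Closed Design" points concrete, here is an added Python example (not PaperCut's code and not part of the original article) of an API gate that requires both a trusted source address and a valid token, and that denies the call whenever anything is missing, malformed or misconfigured. The function names, the token and the network ranges are constructed for illustration.

```python
import hmac
import ipaddress

# Constructed sample values (assumptions, not taken from any real deployment).
TRUSTED_NETWORKS = ["10.20.0.0/24", "192.0.2.15/32"]
API_TOKEN = "constructed-sample-token"


def load_networks(cidrs):
    """Parse the allowlist strictly, so a typo raises instead of widening access."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def authorize(client_ip, presented_token, expected_token, cidrs):
    """Return (allowed, reason); the reason is for the server log, not the caller.

    Both layers must pass. Every failure path returns False (fail closed).
    """
    try:
        # An empty token or empty allowlist must never mean "allow everyone".
        if not expected_token or not cidrs:
            return False, "not-configured"
        networks = load_networks(cidrs)
        addr = ipaddress.ip_address(client_ip)
        # Layer 1: the call must come from a trusted source address.
        if not any(addr in net for net in networks):
            return False, "untrusted-source"
        # Layer 2: the token must match; compare in constant time.
        if not isinstance(presented_token, str):
            return False, "missing-token"
        if not hmac.compare_digest(presented_token.encode(),
                                   expected_token.encode()):
            return False, "bad-token"
        return True, "ok"
    except (ValueError, TypeError):
        # Unparseable address or allowlist entry: deny rather than guess.
        return False, "error"


if __name__ == "__main__":
    for ip, tok in [("10.20.0.7", API_TOKEN), ("10.20.1.7", API_TOKEN),
                    ("10.20.0.7", "wrong"), ("not-an-ip", API_TOKEN)]:
        print(ip, authorize(ip, tok, API_TOKEN, TRUSTED_NETWORKS))
```

The last case in the demo loop and the `not-configured` branch are the fail-closed part: a broken input or an empty configuration produces a denial, never an implicit allow.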

