Sensitive Public Sector Information Still Vulnerable at Printers and MFPs

Feb 6, 2018 | Documents Security, Print Security, Strong User Authentication

Public Sector entities put enormous effort into protecting confidential and secret information from unauthorized access. Sophisticated methods have been developed to stop sensitive information from being copied over the network, uploaded to the cloud or copied to a USB stick. But there is still one ‘low tech’ storage medium that time and again proves to be the network’s weakest link: paper and printers.

Sensitive and confidential information on paper is the same as sensitive information on computers. Both need to be protected from unauthorized access. Both need to be protected with the same diligence, and if printed documents are lost or misplaced, they should be traceable back to the person who authenticated the release from the printer.

Here then are some methods to ‘lock’ down the leakage of confidential printed documents to unauthorized ‘eyes’.

1. Document Classification

Protect the confidentiality and integrity of information and ensure it can only be accessed by the intended authorized person. Protective markings, e.g. ‘Confidential’, ‘Secret’ and ‘Top Secret’, go a long way in preventing information leaking to unauthorized personnel. Moreover, different classification levels might require higher levels of user authentication. When there is no resident application to apply protective markings, Celiveo’s Public Sector connector provides a classification popup window at time of print, so the user can select whether the document requires high or low security classification. A low security print job might only require authentication and release by simple proximity card. Conversely, if a highly secure print job is selected, the job will be automatically encrypted and require a higher level of authentication to release it. What if there is already a resident Protective Marking application such as TITUS in place? If electronic information that has already been classified needs to be printed, Celiveo’s custom interface fully integrates with TITUS to automatically apply the same protective classification to the printed documents and require the equivalent level of user authentication for print release.

2. Authentication at the printer

There are typically two ways to authenticate at a printer:
  • Something you know such as a PIN code
  • Something you have like an access card
For greater security, two-step or two-factor authentication should be considered.

Two-step Verification
Two-step authentication attempts to combine two authentication factors for greater security e.g. PIN code + access card. However, some data security experts point to two-step verification as a single-factor approach in which there are two steps but they both involve factors that can easily be compromised by attackers. Thus, two-step verification does not necessarily guarantee authentication or data security.

Two-factor Authentication
Two-factor authentication utilizing Public Key Infrastructure (PKI) technology ensures the strongest possible security. With PKI authentication, only a simple user ID, entered at the login screen, is required to begin the login process. Passwords and credentials are eliminated from the login process, thus removing the primary means that hackers use to gain unauthorized access to accounts and compromise data security.
A robust authentication system is essential for protecting information and provides proof that a user performed an action such as printing, copying or sending a message.
The Celiveo Public Sector Connector supports both contact and contactless PKI Smartcard dual-factor authentication on MFPs, with contactless PKI still being an emerging market in 2018.

3. Encryption

Peer-to-Peer (PC to printer) encryption of print jobs provides security and confidentiality. Encryption restricts access to information to authorized users and protects classified and sensitive documents, making them unreadable to all but authorized users. Protecting documents from accidental or deliberate manipulation provides assurance that security has not been compromised. Authentication at the printer releases the print job, ensuring that the person authenticating is who they claim to be and has the authority to release that job. Encryption technologies come in many forms, with strength generally being the biggest difference between one variety and the next. The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by Governments and numerous Public Sector organizations. AES is largely considered impervious to brute-force attacks, which try all possible key combinations. Security experts believe AES to be the de facto standard for encrypting data in the public and private sector. When combined with RSA encryption whose private key is stored on a Smartcard, decryption and print release happen when a PIN code is entered to gain access to the private key in the Smartcard. AES+RSA provides the strongest possible secure authentication at the printer level. Celiveo Public Sector Connector complies with information confidentiality regulation where print jobs are encrypted by AES+RSA key.
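The AES+RSA combination described above, as an added example in Node.js that is not Celiveo's code and not part of the original article: the job is encrypted with a per-job AES key, that key is wrapped with the user's RSA public key, and release needs the PIN that unlocks the private key. Assumptions: a passphrase-encrypted RSA key stands in for the Smartcard, the function names are hypothetical, and the use of AES-256-GCM with the classification label bound as authenticated data is a choice of this example.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a PKI Smartcard: an RSA key pair whose private key
// is stored encrypted and can only be used once the correct PIN is supplied.
function issueCard(pin) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
                          cipher: 'aes-256-cbc', passphrase: pin },
  });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Workstation side: encrypt the job with a fresh AES-256-GCM key, then wrap
// that key with the recipient's RSA public key. The classification label is
// bound as additional authenticated data so it cannot be altered in transit.
function sealJob(publicKeyPem, classification, document) {
  const jobKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', jobKey, iv);
  cipher.setAAD(Buffer.from(classification));
  const body = Buffer.concat([cipher.update(document), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, jobKey);
  return { classification, iv, body, tag: cipher.getAuthTag(), wrappedKey };
}

// Printer side: the PIN unlocks the private key, the private key unwraps the
// job key, and GCM verifies the body and label before any page is released.
function releaseJob(privateKeyPem, pin, job) {
  try {
    const jobKey = crypto.privateDecrypt(
      { key: privateKeyPem, passphrase: pin, ...OAEP }, job.wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', jobKey, job.iv);
    decipher.setAAD(Buffer.from(job.classification));
    decipher.setAuthTag(job.tag);
    return Buffer.concat([decipher.update(job.body), decipher.final()]);
  } catch (err) {
    return null; // wrong PIN, wrong card, or tampered job: nothing is printed
  }
}

// Constructed sample data.
const card = issueCard('4921');
const job = sealJob(card.publicKey, 'Secret', Buffer.from('Quarterly budget draft'));
console.log(releaseJob(card.privateKey, '4921', job)?.toString()); // correct PIN
console.log(releaseJob(card.privateKey, '0000', job));             // wrong PIN
```

Because the job key exists in clear only after the PIN-protected private key has unwrapped it, a print server or spooler that stores the sealed job cannot read the document or change its label without the release failing.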


  • MFPs and printers process most of the confidential information, are vulnerable and need to be secured.
  • Communication with such printers and MFPs is also very vulnerable, from TCP/IP to servers and solutions. Verify that the solution provides a “stealth mode” in which even the top IT and solution maintainer is unable to access sensitive information or see who is printing and what they are printing.
  • Protectively Mark documents to a Security Classification by selecting from a drop down or using a resident application.
  • Ensure that print jobs are encrypted.
  • Release classified documents with the highest level of authentication.