An insecure Cloud Print SaaS may
compromise your most confidential documents on the Internet

 

Few Cloud Print SaaS are really secure

 

When you move to Internet Cloud Pull Print, your most confidential information will flow over the public Internet: letters, contracts, invoices.
It is therefore recommended to perform due diligence to ensure your information can’t be compromised by the SaaS company delivering the Cloud Print service.

Many Print Management solutions are merely Intranet solutions moved into a VM, with that VM then moved to the Cloud. This means the provider’s support staff can access all documents inside the VM.

When encryption is mentioned, it often merely means the data flow is sent over TLS 1.2 or 1.3. That flow can often be intercepted by a man-in-the-middle attack, and a print job for user A could be released in front of user B through a network replay. When a company has hundreds or thousands of printers, it is necessary to ensure that cannot happen.

Due diligence on a SaaS Cloud Print solution can cover the following questions:

  • Is the SaaS provider ISO 27001:2022 certified? Be aware that ISO 27001:2015 does not cover SaaS or Cloud, so it is critical to get the full certification details and its scope. We have seen companies certifying their mailroom and claiming full compliance.
  • Is the solution a VM in the Cloud? If yes, that VM is a black box: anything can happen to your data inside it, the best and the worst, without your knowledge.
  • Does the solution feature a certificate-based Zero-Trust-Access architecture that stops man-in-the-middle attacks, for all printers?
  • Does the solution create any VPN between its Cloud VM and local software? If yes, that can create a dangerous backdoor through your firewall.
  • Does the solution store end-user information in its database?
  • Is any other company’s data held in the database where your data is stored?
  • How often are security audits performed on the SaaS infrastructure, and by whom?
  • Request security architecture and data-flow documents.
  • Request a recent greybox pentest report from the Cloud SaaS provider.

This list of questions addresses the key concern that companies have reported to Quocirca on Cloud Print: “Protecting company data (device and document security concerns)”.

[Figure: What limits the adoption of Cloud Print. Concerns with moving to the cloud for print management. © Quocirca 2023]

2024: Cloud print management solutions have been widely adopted and will continue to grow

According to Quocirca’s latest research, 69% are already using a cloud print management solution, up from 55% in 2023. The majority continue to operate a hybrid cloud environment, with 74% saying they manage their print environment using a mix of on-premise and cloud. Although just 4% say they manage their print environment fully in the cloud now, 18% believe that their print environment will be fully in the cloud by 2026.


Source: The Cloud Print Services Market Landscape, 2024, © Quocirca 2024

US$ 4.45M: average total cost of a breach

The average cost of a data breach reached an all-time high in 2023 of USD 4.45 million. This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Taking a long-term view, the average cost has increased 15.3% from USD 3.86 million in the 2020 report.

Source: 2023 Cost of a Data Breach Study, benchmark research sponsored by IBM Security, research report by Ponemon Institute

Celiveo 365 Cloud Print addresses those concerns

 

Concern: Protecting company data (device security concerns)
Celiveo 365: Zero-Trust-Access security: unique ECC-P256 certificate chains are loaded into smart MFPs/printers and into every endpoint (Cloud and local) so that no reliance is placed on credentials. User and admin authentication is performed using Microsoft OpenID and OAuth2.
Compliance: Celiveo is ISO 27001:2022 certified, covering SaaS, Cloud, PII and GDPR.

Concern: Protecting company data (document security concerns)
Celiveo 365: Each Celiveo 365 client benefits from a dedicated SQL Server PaaS database: no sharing, no risk. Document data receives dual encryption to protect it at rest and in motion. ECC-P256 certificates are used and rely on mutual authentication/validation to avoid potential TLS 1.2/1.3 key generation vulnerabilities.

Concern: Performance (impact on printing if connectivity is lost)
Celiveo 365: Access control to smart MFPs remains possible for MFP walk-up activities (copies, fax, email) thanks to the Celiveo embedded agent. For high availability on print, our engineers are working on it, stay tuned!

Concern: Migration of workloads to/from the cloud
Celiveo 365: Celiveo 365 compresses all communication to/from the Cloud, and on smart printers/MFPs authentication stays local.

Concern: Consistent printing across a multivendor fleet (driver issues or driver limitations with cloud print drivers)
Celiveo 365: Celiveo 365 is directly interfaced with Microsoft Universal Print driverless printing in Azure.

Concern: Functionality (e.g. on-prem print management may offer more functionality than the cloud version)
Celiveo 365: Celiveo 365 shares the same advanced feature list as Celiveo 8, its Intranet and Private Cloud version, such as rules and reporting.

Concern: Regulatory compliance
Celiveo 365: Celiveo is ISO 27001:2022 certified, also covering SaaS, Cloud, PII and GDPR. Celiveo 365 is audited daily by Microsoft for compliance with the 12 most stringent security norms, including SOC-2, ISO 27001, HIPAA/HITRUST, UKO, AU/NZ-ISM, NIST SP 800-53 R5 and FedRAMP H.

Concern: Data governance/sovereignty concerns
Celiveo 365: Celiveo 365 is available in 5 regional Azure datacenters: USA, EU (France), Switzerland, Singapore, Australia.

Concern: Constraints over future change of hardware (activating new devices quickly)
Celiveo 365: Celiveo 365 handles network printers from all brands through its enterprise-class web portal; adding printers takes a few seconds.

Concern: Vendor lock-in (being tied to a provider)
Celiveo 365: Celiveo 365 is printer-brand agnostic: you keep your freedom of choice and can aggregate printers from different vendors under one print management solution.

Concern: Interoperability with on-premise infrastructure
Celiveo 365: Celiveo 365 supports Windows 10, Windows 11, Windows 365, Windows Server 2016 and newer, macOS, Azure Virtual Desktop and Chromebook Enterprise clients, all with Zero-Trust-Access security.

Important Information Is Often Printed

  • Unattended documents are hijacked from printer output trays
  • Print job names are visible to everyone using shared print queues
  • With one click by IT, all print jobs are archived by Windows print servers
  • All stuck documents are released as soon as a failing printer is repaired
  • IT can see, archive, intercept, view and reprint any print job from any user
  • Unauthorized people can use MFPs to send data out if those are left unlocked

Celiveo 365 Secures Documents, Printers and MFPs

  • Access control for MFPs & printers (1)
  • No more unattended printing
  • End-to-end encryption, advanced stealth mode to comply with privacy regulation
  • Strong user authentication
  • Identify users with smartphone, PIN code, ID code, badge (1), PKI smartcard (1), YubiKey (1)
  • Power BI advanced audit and reporting, with usage data stored in your tenant

(1) Advanced feature on printers supporting the Celiveo 365 agent

Printing is totally unprotected by default

More and more leaks come from insiders, who have access to the corporate IT systems as part of their job to maintain them. Few people know how easy it is to read the CEO’s or CFO’s print jobs: one just needs to be a server administrator or use free tools. All IT contractors and printing solution suppliers also have access to a wealth of information when maintaining the system. And nobody will be aware that someone captures and reads documents from their desk, possibly from another continent. Such events fall directly under the strict GDPR regulation, which protects personal information contained in print jobs.
Is such data interception complex? Not at all without a proper cyber-secure solution like Celiveo!

The easy way: make Windows Server copy print jobs

Print jobs are sent as clear data through most print servers and network connections. They are stored in a specific print server directory, %systemroot%\system32\spool\printers\*.spl.
Triggering copies of all print jobs from a specific user can be programmed in a few seconds, and free viewers display those documents on the PC of the remote administrator.

Sniffing and intercepting documents on the network

Just search Google for “Printer Hacking Wireshark” and you can find complete step-by-step cookbooks on how to see on your screen all print jobs going to a specific printer. Then any free PCL or PostScript viewer can display those documents.

Viewing SQL server data (and modifying it)

SQL Server Data Tools (SSDT) is a free download from the Microsoft web site. The company that installs/maintains the solution knows the database credentials, so it is possible to change PIN codes and badge numbers, see job list names, copy the print job file depot, etc.

Printers should be on a VLAN

Technicians servicing printers have access to everything a hacker needs:

  • A LAN plug to the corporate network
  • A power plug
  • Plenty of time, as nobody finds it strange to see them with a laptop next to an opened printer

An interesting pentest was conducted by Direct Defense, posing as a printer repair person, and indeed they got core IT access.

IP Phones are on a VLAN, why not printers?

Printers are often not on a VLAN simply because they need to be addressed directly by local PCs and Macs for printing.

With Celiveo 365, printers and MFPs can be moved to their own VLAN, totally isolated from the PCs and the IT system. Celiveo 365 acts as a sanitizing layer and is contacted by printers, MFPs and the Celiveo IoT service (for passive printers) to retrieve the print flow.

Make printers & MFP harmless

When printers and MFPs are on a VLAN, there is no longer any risk in giving physical access to a rogue service technician:

  • The printer LAN plug only provides public Internet access; this has no more benefit to hackers than a public hotspot.
  • The Celiveo 365 certificate chain inside the printer is not exportable; it is secured in the certificate vault.
  • Even if the Celiveo 365 certificate were exported (e.g. due to a printer firmware defect), it can’t be used without complex user information such as a valid (salted) SHA256 of a PIN or card number, and repeated authentication failures trigger the Celiveo 365 lockout.
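As an added illustration of the last point above (example code, not Celiveo’s implementation): a salted PIN hash checked with a constant-time comparison and a lockout counter. The KDF, the salt size, the failure threshold and the sample user are assumptions; the practical lesson is that a short PIN’s keyspace is tiny, so the lockout, not the hash, is the control that matters against a stolen credential store.

```python
import hashlib
import hmac
import secrets

# Assumptions (not stated on the page): PBKDF2-HMAC-SHA256 as the salted
# SHA-256 construction, 16-byte random salts, lockout after 5 straight failures.
SALT_BYTES, ROUNDS, MAX_FAILURES = 16, 100_000, 5

def hash_pin(pin: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh salt means equal PINs store different digests."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ROUNDS)

class PinStore:
    """Per-tenant credential records: user id -> {salt, digest, failures, locked}."""
    def __init__(self):
        self.records = {}

    def enroll(self, user_id: str, pin: str) -> None:
        salt, digest = hash_pin(pin)
        self.records[user_id] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked": False}

    def verify(self, user_id: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked' without revealing which check failed."""
        rec = self.records.get(user_id)
        if rec is None:
            hash_pin(pin, b"\x00" * SALT_BYTES)  # same work for unknown users
            return "denied"
        if rec["locked"]:
            return "locked"  # even a correct PIN is refused once locked out
        _, digest = hash_pin(pin, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "locked"
        return "denied"

def demo() -> list:
    """Enroll one constructed user, replay a guessing run, return the outcomes."""
    store = PinStore()
    store.enroll("alice", "4821")  # constructed sample user and PIN
    outcomes = [store.verify("alice", "4821")]
    outcomes += [store.verify("alice", f"{i:04d}") for i in range(MAX_FAILURES)]
    outcomes.append(store.verify("alice", "4821"))  # still refused: locked
    return outcomes
```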

Secure Print & Scan

With Celiveo 365, computers don’t speak directly to printers, so there is no need to open any loophole in the network segmentation to allow local PCs to print.

Celiveo 365 Scan to Cloud from MFPs (1) is secure as it is peer-to-peer with Microsoft SharePoint and OneDrive, with no server or service in between.

Celiveo 365 traffic and activity are monitored 24×7 by a cloud security posture management (CSPM) and a cloud workload protection platform (CWPP) to protect your information. Endpoints are protected using certificate chains, and thanks to the mutual TLS handshake it is impossible for a hacker to impersonate an endpoint or mount a man-in-the-middle attack.

Celiveo 365 is about Security, Cost reduction, Cloud…

  • Azure data centers in 5 regions, Zero-Trust-Access architecture with certificate chains, automatic protection of printers and a dedicated SQL Server PaaS
  • Security backed by Entra ID / AAD group policies, with sub-delegation capability on reduced fleet scopes
  • GDPR Print Jobs Meta Data Stealth mode: hash and cipher so that print jobs cannot be linked to end users in the (improbable) case of data loss
  • Tenant-specific encryption: ECC cert chains ensure your print jobs and API calls are not encrypted the same way as for any other company
  • Documents are fully encrypted using PKI ECC + AES, in motion and at rest
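An added example (not Celiveo’s implementation) of the stealth-mode and tenant-specific-key ideas above: job records keep only a keyed pseudonym of the owner, computed with a per-tenant HMAC key, so a leaked job table cannot be matched against a user directory. The master-key derivation, the tenant ids and the sample jobs are constructed assumptions; the job-name cipher the page mentions is not shown.

```python
import hashlib
import hmac
import secrets

# Assumption (not stated on the page): one HMAC key per tenant, derived from a
# master key that only the cloud service holds and never stored beside the table.
def derive_tenant_key(master_key: bytes, tenant_id: str) -> bytes:
    return hmac.new(master_key, b"stealth-v1:" + tenant_id.encode(),
                    hashlib.sha256).digest()

def owner_token(tenant_key: bytes, user_id: str) -> str:
    """Keyed pseudonym for a user. A plain SHA-256 of the user id would let anyone
    holding the table recompute it from a directory listing; the key stops that."""
    return hmac.new(tenant_key, user_id.strip().lower().encode(),
                    hashlib.sha256).hexdigest()

class JobTable:
    """Print-job metadata as stored in stealth mode: no user id, only its token."""
    def __init__(self, tenant_key: bytes):
        self.key = tenant_key
        self.rows = []

    def submit(self, user_id: str, job_id: str) -> None:
        self.rows.append({"job_id": job_id, "owner": owner_token(self.key, user_id)})

    def jobs_for(self, user_id: str) -> list:
        """Release-time lookup: recompute the token, never store the user id."""
        token = owner_token(self.key, user_id)
        return [r["job_id"] for r in self.rows
                if hmac.compare_digest(r["owner"], token)]

def demo() -> dict:
    """Two constructed tenants sharing one master key; same user, different tokens."""
    master = secrets.token_bytes(32)
    key_a = derive_tenant_key(master, "tenant-a")
    key_b = derive_tenant_key(master, "tenant-b")
    table = JobTable(key_a)
    for user, job in [("alice@example.com", "job-1"), ("bob@example.com", "job-2"),
                      ("Alice@Example.com", "job-3")]:
        table.submit(user, job)
    return {
        "alice_jobs": table.jobs_for("alice@example.com"),
        "cross_tenant_match": owner_token(key_a, "alice@example.com")
                              == owner_token(key_b, "alice@example.com"),
        "plain_hash_in_table": hashlib.sha256(b"alice@example.com").hexdigest()
                               in {r["owner"] for r in table.rows},
    }
```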