Implementing Zero-Trust? Don’t Forget About Printers

When John Kindervag defined the zero-trust model in 2010, printers were not top-of-mind. As the adoption of this model increases, it is likely that most people are still not taking printing into account as a vulnerability. As President Biden’s executive order recommended the adoption of zero-trust environments, it is time to consider the outlying functions of IT and how they can be securely incorporated into a zero-trust setup.

The Importance of Printers

You may be wondering if printing is actually all that important in today’s digital and virtual world and whether printing is even worth thinking about. But on closer inspection, it’s clear that without printing it would be impossible to manufacture most goods (label printing), take care of patients in health care facilities and hospitals, sell goods in a retail establishment, create movies and TV shows and generally establish a reliable, universally usable interface to connect the digital world to people everywhere. In fact, printers handle some of the most sensitive information that exists in many organizations.

However, while printers are ubiquitous, they are also often invisible. Between unpatched firmware—be it because that’s not on IT’s mind or because the manufacturer doesn’t offer patches—and, in many cases, unrestricted access, printers can quickly become a significant security vulnerability. Attackers can use printers as an inconspicuous access point from which to gain access to an organization. Or, the information printers process could become a target from inside or outside an IT environment.

Zero-Trust for Printing

Luckily, there is a solution. Unlike zero-trust for other IT systems, zero-trust for printing primarily involves putting printers into a separate, controlled environment (network) and closely regulating and monitoring who has access to those printers.

Moving the printers onto a separate network should be child’s play to anyone familiar with configuring networks. Once that process is complete, printers don’t need—and shouldn’t have—direct access to the internet from their network. This segmentation ensures that a printer cannot be used to infiltrate the corporate network or leak information to an attacker.

There is also the cloud to consider. In a world where SaaS and web applications are increasingly popular, it makes sense to turn to cloud printing solutions to connect devices, applications and networks that generate print jobs and the networks that host the printers. A small, energy-efficient, hardened hub can provide connectivity for one or all printers on the network and ensure there is no direct connectivity between printers and the internet.

In this scenario, the hub would start an outbound connection to the cloud printing service and, in return, receive encrypted, compressed print jobs destined for one of the printers it connects to. This architecture dramatically simplifies setup and maintenance. It also requires no changes to firewalls and other network equipment, allowing a cloud printing solution to be deployed behind a consumer-grade cable modem in a remote office as easily as inside a large corporation’s complex network.
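The segmentation and hub design described above can be checked against firewall or flow logs. The following is an added example, not part of the original article or any vendor's product: it flags flows that contradict the policy (a printer reaching the internet directly, the printer segment reaching internal networks, connections into the segment from outside it, or hub egress on an unexpected port). The subnet, hub address, port 443 and the CSV log layout are all assumptions chosen for illustration.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed addressing for illustration only; substitute your own.
PRINTER_NET = ip_network("10.50.0.0/24")      # dedicated printer segment
HUB = ip_address("10.50.0.10")                # hardened hub on that segment
HUB_EGRESS_PORTS = {443}                      # assumed: hub talks to the cloud service over TLS
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real traffic): source, destination, destination port.
SAMPLE_FLOWS = """src,dst,dport
10.50.0.10,203.0.113.20,443
10.50.0.21,198.51.100.7,80
10.50.0.10,10.50.0.21,9100
10.20.4.15,10.50.0.21,9100
10.50.0.22,10.20.4.15,445
10.50.0.10,203.0.113.20,22
"""


def classify(src, dst, port):
    """Return a violation reason for one flow, or None if the policy allows it."""
    src_in, dst_in = src in PRINTER_NET, dst in PRINTER_NET
    if src_in == dst_in:
        return None  # both inside the segment (hub <-> printer) or flow unrelated to it
    if dst_in:
        return "inbound connection into printer segment"
    if any(dst in net for net in INTERNAL_NETS):
        return "printer segment reaching internal network"
    if src != HUB:
        return "printer with direct internet access"
    if port not in HUB_EGRESS_PORTS:
        return "hub egress on unexpected port"
    return None


def audit_flows(flow_csv):
    """Return (src, dst, dport, reason) for every flow that breaks the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        reason = classify(ip_address(row["src"]), ip_address(row["dst"]), int(row["dport"]))
        if reason:
            findings.append((row["src"], row["dst"], int(row["dport"]), reason))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Run on a schedule against exported flow records, any finding means the firewall rules for the printer segment have drifted from the intended design.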

Cloud Printing Services

With the printer-side networking secured, attention should be paid to users, applications, endpoints and their ability to securely send print jobs to the printer(s). Once again, cloud printing services are the easiest way to fulfill these requirements.

A print app will connect the user’s computer, tablet, smartphone and the applications on these devices to the cloud printing service through another easy-to-manage, outbound connection to the internet.

Zero-trust requires that users only access the resources they need and authenticate to these resources before they can be used. The print app will satisfy both requirements by requiring the user to log in—ideally through single sign-on (SSO)—before granting access only to those printers the organization has assigned to the user.

Once the print job has been sent to the cloud printing service, processed with a native printer derived from the destination printer and compressed and encrypted for the journey to the printer, the zero-trust printing setup requires the user to authenticate at the printer through a smartphone app, badge swipe or authentication on the printer’s display.

Similarly, a JavaScript drop-in and an API can provide access to the same cloud printing service for front-end printing from web applications—avoiding tedious downloads of PDFs—or backends of SaaS applications. On the user-facing side, secure pull printing can be enabled for these scenarios to complete the safe chain-of-custody of print data.

Information security and zero-trust environments are more important than they have ever been. We’ve become painfully aware of just how exposed our environments are in the past two years, and recent world events have not made IT safer. While printing may not be top-of-mind for many, it remains a critical resource for our organizations and processes much of the most proprietary information our organizations possess. We must include this resource in our security and zero-trust concepts, and cloud printing services make it easy to do so.


Henning Volkmer

Henning Volkmer drives the execution of ThinPrint Inc.’s strategy as an expert in print management. A cloud printing innovator and launch partner for Windows Virtual Desktop, ThinPrint is the technology leader for fully processing print jobs in its ezeep cloud without having to rely on on-premises printer drivers. He has established a broad technological background and has been at the forefront of technology trends for more than two decades. Originally from Berlin, Germany, Volkmer currently resides in Denver, Colo.
