Inkjet & Digital Printing

Making Multifunction Devices Ready for the Enterprise

Friday 26. October 2012 - In my last article I discussed the huge technology advances in enterprise scale multifunction devices -- that is, devices that combine printing, scanning, faxing, and copying into one product. The result of this dramatic product evolution is enormously increased complexity but without major security enhancements, multifunction devices (MFDs) could be vulnerable to all kinds of threats including hackers, malware, and viruses.

By Mark Gibbs
In my last article I discussed the huge technology advances in enterprise scale multifunction devices — that is, devices that combine printing, scanning, faxing, and copying into one product. The result of this dramatic product evolution is enormously increased complexity but without major security enhancements, multifunction devices (MFDs) could be vulnerable to all kinds of threats including hackers, malware, and viruses.
Today’s sophisticated multifunction devices are, in reality, powerful server platforms engineered to handle large-scale document input and output tasks on behalf of large groups of enterprise and Small to Medium Business (SMB) users which means they handle large amounts of corporate data.
The risk with these devices is that if some type of malware or a hacker should compromise the MFD’s integrity, sensitive corporate information could be exposed or stolen. Just as much of a concern is the issue that a compromised multifunction device could be used to mount internal attacks on other network devices. It’s obvious that enhanced comprehensive security defenses for the latest generation of enterprise and SMB multifunction devices are not an option but a strategic necessity.
Now, physically securing a multifunction device is straightforward: It involves rendering the machine immovable, having locked access panels, having physical tamper detection mechanisms, controlling and auditing maintenance, and so on. But that’s not the complete story because alongside physical security goes the need for digital security. MFDs now use sophisticated “embedded” operating systems which demand a different security strategy to defend them adequately.
Securing an embedded operating system is a complex task. One of the most commonly used embedded operating systems is Linux, arguably the most famous open source OS and it is because of this popularity that Linux is quite easy to “lock down” at a basic level.
In the security industry this locking down process is called “hardening” and there are plenty of tools to help do this. These tools remove unused system components, assess and limit access rights, get rid of anything unnecessary, and generally streamline the operating system for use in a specific environment.
But while those techniques might seem like a good enough solution, when it comes to a complex enterprise-level product like a sophisticated multifunction device, a lot more rigorous, in-depth control of what actually goes on in the operating system while it’s in use is needed.
Xerox, the leading manufacturer of enterprise and SMB multifunction devices, has been a pioneer in MFD security over the last decade and now, recognizing that standard network security techniques such as IP filtering and audit logs weren’t enough for the security challenges of the 21st Century, the company has partnered with McAfee to implement McAfee Embedded Control software on Xerox multifunction products.
McAfee Embedded Control (MEC) is a small piece of code that is added to the Linux kernel — the core of the operating system — when it is compiled so that it is an inseparable, tightly integrated service and from this position MEC can “vet” every piece of code running, about to be run, or stored in the multifunction device system.
The way McAfee Embedded Control does this is by maintaining a secure database of “signatures” of all authorized code modules and continuously monitoring the entire operating system. If MEC detects that any module has been changed or that an unknown module is attempting to load or execute, it blocks execution and raises an alert to the McAfee ePolicy Orchestrator, the centralized management console for McAfee Embedded Control.
The McAfee Embedded Control agent in each multifunction device also integrates with the standard Xerox Device Manager application to provide a single point of print management and exception reporting for all Xerox devices on a network.
The Xerox and McAfee partnership has made the goal of bringing multifunction device network security up to the same level as servers, workstations, routers, storage systems, etc., a reality in a well-architected, cost-effective, and robust solution.
It’s now possible to bring the unarguable business benefits of sophisticated multifunction devices into enterprise and SMB environments with new levels of safely and security that effectively address the real threats of today.