Embedded security, whitelists promise to make managing security easier on print-centric devices
LAS VEGAS – Printers, MFPs, copiers and other document-centric output devices haven’t had much of a seat at the IT department’s table historically. But with a new partnership, Xerox and McAfee are seeking to change that, at least from a security perspective.
At McAfee’s Focus 2012 conference here, the two companies announced a pact that will see McAfee Embedded Control and McAfee Embedded Management integrated into Xerox’s WorkCentre and ColorQube product lines by the first quarter of next year.
Rick Dastin, president of the Office and Solution Business Group at Xerox, described print-centric devices as sort of a forgotten part of a company’s security stance – with only 13 per cent of organizations mentioning printers or MFPs as a potential “at risk” device in a recent joint poll by the two companies.
But in an era when every printer has a hard drive, and most printers run some variety of Web server software for remote access, there’s no reason to think that printers aren’t at risk.
“You can do any of the normal injections – anything that can be done to a Web server, you can do to these devices,” said Tom Moore, vice president of embedded security for McAfee. “You can access the drive, or you can own the machine via firmware.”
Tackling these security issues isn’t anything new for Xerox. But to date, its approach has been “building higher and higher fences,” as Dastin puts it – building gates to prevent unauthorized and unwanted access to print devices. But what was missing, in Dastin’s analogy, was “the barking dog inside the house” that could tell a company if the bad guys had made it over the fence.
With McAfee’s embedded tools, he figures he’s found his barking dog.
The very function-specific nature of printers makes them easy to control from a security perspective, Moore suggested. Because they serve a limited number of functions, it’s easy to create a “whitelist” of applications that should be allowed to run on the printer, meaning that even if malware gets in, the company should be able to prevent that malware from ever being executed. That said, the plan is to keep the system “dynamic enough” to accept (legitimate) firmware updates and access new, but authorized, applications on the devices.
“We don’t have to change the filesystem very much, so we can make this whitelist very tight,” Moore said.
The other priority was making sure the security oversight doesn’t interfere with device performance expectations.
Getting print devices more firmly into the IT stack is a major goal for Xerox – even though today a slim majority of organizations (just over 10 per cent) put printers/copiers under that umbrella. “We don’t want to be in the peripheral business, we want to be in the integral business,” he said.
And getting into the IT security story is a big part of that approach. Step two will come in the near future, when the companies will produce a co-branded version of McAfee’s ePO dashboard, bringing ePO management functionality to the company’s products, but maintaining “that printer feel” when it comes to the tools.
Dastin said the goal was to make the security stack easy enough that it could be enabled (at least with default settings) by even traditional printer dealers who don’t have a background in security management tools. But things get really interesting in terms of solution-building when it comes to managed print services, a growing area of focus for Xerox.
In particular, adding to the security story there will help with a subtle but important change Xerox is hoping to bring about with its managed print services providers and their customers.
“We want to go from managed print services to managed document services,” he said.