It feels like we have been promised the paperless office forever. When I first entered the IT industry in the mid 1990s, it was a mantra, and it is still a mantra today. The fact is, we still need to print. We may have moved away from managers’ administrative assistants printing emails for them to read, but the fact that HP still has a highly profitable printing arm that could afford a $1 billion dip into its pocket to buy Samsung’s printing arm shows how big a business it still is. What is also interesting is that enterprises and businesses are still having so many problems. These problems are being compounded with the introduction of new end user technologies like DaaS, VDI, and mobile devices such as tablets and phones.
New technologies bring new technical challenges to solve, and DaaS (Desktop as a Service) is no different. Desktop services that run in the cloud and must be accessible from almost anywhere and any device bring a whole new security challenge to the enterprise. This challenge involves not just access control, but also the requirements for printing.
Before we look at these requirements, we need to consider the types of workers utilizing the DaaS desktop and the types of companies that receive access via the DaaS environment. A common method of categorizing workers is to define them as power workers, task workers, or road warriors. However, this is quite limiting. A task worker could also be a road warrior, for instance, or a road warrior could also be a power worker. Perhaps a matrix methodology would be better. Here is a basic matrix of worker type versus document type that is readable and printable.
|Worker Type||Can Read||Can Print|
|Classified||Restricted||Commercial In Confidence||Unrestricted||Classified||Restricted||Commercial In Confidence||Unrestricted|
|Static — Task Worker||N/A||P||N/A||N/A||P|
|Static — Knowledge Worker||P||P||P||P||P|
|Static — Power Worker||P||P||P||P||P|
|Roaming — Knowledge Worker||P||P||P||P||P||P|
|Roaming — Power Worker||P||P||P||P||P||P|
|Mobile — Task Worker||N/A||P||P||P|
|Mobile — Knowledge Worker||P||P||P||P||P||P|
|Mobile — Power Worker||P||P||P||P||P||P|
N/A = Not applicable
P = Possibly applicable, depending on role
check = Applicable
Printing is still the elephant in the room. I find it peculiar that I am having the same conversations with clients regarding print capabilities in 2016 that I was in the late 1990s. There are entire product sets from the likes of HP and Ricoh that deal exclusively with role-based access to printing, covering follow-me printing, password-protected printing, which printer can print a particular classification of documents, and the like. These, however, tend to be costed at the high end of the market.
In the UK, any company that needs to undertake work for the defense services must have a robust solution to document management and printing. (I assume things are the same if a US company is contracted to undertake work for the DoD.) Low-end document management systems like Microsoft SharePoint and third-party additions like janusNET can cover this by tagging documents with a classification tag in metadata and then utilizing role-based access controls to enforce access. However, once again, the elephant in the room is printing. Just because you are allowed to read a classified document does not mean you can print it. Further, even if you are allowed to print it, there may be legal restrictions on where it can be printed. For companies that cannot afford the Michelin-starred secure printing solutions mentioned above, the question is whether any offerings are available that can afford them greater security for their printing networks.
First, we need to define the minimum requirements for printing classified documents:
| Classified Printing Questions | Yes | No |
|---|---|---|
| Is the printer authorized for classified printing? | | |
| Does the user have permission to print the document? | | |
| Is the user at an authorized location for printing? | | |
| Log of printed documents: who, when, where? | | |
If any of the first three options are negative, then the document should not print. Option four is mandatory for audit purposes and should log both successful and failed printing attempts. It is necessary to know who, when, and where a document was printed to gain insight into the why. Configuring options one and two is relatively easy and can be managed by Active Directory groups and policies. The location awareness is slightly more problematic, especially now that Microsoft has removed the feature from Windows 10.
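The decision rule above, sketched as an added Python example that is not part of the original article: all three checks must pass, unknown printers or classifications are denied, and every attempt is logged with who, when, and where. The printer names, group names, and locations are constructed for illustration; in practice they would come from Active Directory groups and policies.

```python
from datetime import datetime, timezone

# Constructed policy data: printer names, group names and sites are hypothetical.
PRINTER_AUTHORIZED_FOR = {
    "PRN-SECURE-01": {"Classified", "Restricted", "Commercial In Confidence", "Unrestricted"},
    "PRN-OFFICE-07": {"Commercial In Confidence", "Unrestricted"},
}
PRINT_GROUP = {  # directory group that grants print rights per classification
    "Classified": "GG-Print-Classified",
    "Restricted": "GG-Print-Restricted",
    "Commercial In Confidence": "GG-Print-CIC",
    "Unrestricted": "GG-Print-Unrestricted",
}
PRINT_LOCATIONS = {  # where each classification may be printed
    "Classified": {"HQ-SecureRoom"},
    "Restricted": {"HQ-SecureRoom", "HQ-Floor2"},
    "Commercial In Confidence": {"HQ-SecureRoom", "HQ-Floor2", "BranchOffice"},
    "Unrestricted": {"HQ-SecureRoom", "HQ-Floor2", "BranchOffice", "Remote"},
}

def authorize_print(user, groups, location, printer, document, classification, audit_log):
    """Apply questions one to three; record question four for every attempt."""
    failed = []
    # Unknown printers or classifications resolve to empty sets, so they fail closed.
    if classification not in PRINTER_AUTHORIZED_FOR.get(printer, set()):
        failed.append("printer_not_authorized")
    required = PRINT_GROUP.get(classification)
    if required is None or required not in groups:
        failed.append("user_not_permitted")
    if location not in PRINT_LOCATIONS.get(classification, set()):
        failed.append("location_not_authorized")
    allowed = not failed
    # The audit record is written for denied attempts as well as allowed ones.
    audit_log.append({
        "who": user,
        "when": datetime.now(timezone.utc).isoformat(),
        "where": {"location": location, "printer": printer},
        "document": document,
        "classification": classification,
        "decision": "ALLOWED" if allowed else "DENIED",
        "failed_checks": failed,
    })
    return allowed
```
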
Printing in a mobile world is complicated enough with bandwidth limitations and potential intercepts. Therefore, encryption needs to be added into the print stream, too, for those times when a print job needs to be sent from a mobile environment to a secure printer.
The fact is that the average enterprise would not be able to fulfill all the requirements for secure printing with an out-of-the-box solution sensibly priced for its budget. However, companies can get close to reaching this goal with Active Directory, Group Policy, and a few third-party products.
As already mentioned, SharePoint coupled with janusNET can protectively mark and tag documents for classification status. Active Directory Rights Management Services can be used to apply permissions to those files, including print authorization. With the addition of the Active Directory Rights Management Services Mobile Device Extension, this protection can be extended to mobile and Mac devices. However, this does not secure the print stream. Common Windows-based print protocols are not encrypted. This is where the final product in the arsenal comes into play: Cortado ThinPrint can be used to encrypt the print stream. Those of you who are au fait with server-based computing and virtual desktop infrastructure will be well aware of ThinPrint, a product that effectively compresses a print stream to save bandwidth. However, it is now much more. It has two-factor authentication with verified devices, and it has encryption of the print stream between client devices and certified printers.
Yes, printing is the elephant in the room. However, with careful planning and product selection, both software and hardware, it can be safe and secure.