Xerox’s Security Summit Takes Aim at Customers’ Printer Infrastructure

Xerox executives participate in the ringing of the opening bell at the New York Stock Exchange on Jan. 23.

There’s no dearth of talk surrounding the need for enhanced security for businesses when it comes to protecting the sanctity of their servers, data, storage and personal computers. But it was the desire to channel that awareness and focus it on one of the most often-overlooked elements, the printer’s infrastructure, that brought more than 200 attendees to the Xerox Security Summit, held Jan. 23 at the New York Stock Exchange.

The event featured a number of guest speakers, led by noted computer security consultant, author and hacker (!) Kevin Mitnick. From the Xerox side, presentations were given by Dr. Alissa Johnson, chief information security officer; Steve Hoover, senior vice president and chief technology officer; Ersin Uzun, vice president and director of system sciences laboratory for PARC (a Xerox Company) and Mike Feldman, executive vice president and president, North American operations.

Xerox executives and guests were on hand for the Jan. 23 Security Summit, which included a trip to the New York Stock Exchange.

Feldman opened the event by delivering the keynote speech on security, then took the attendees to the floor of the NYSE, where he had the privilege of ringing the opening bell. That paved the way to a series of presentations given by a number of Xerox’s key partners, including Candace Worley, chief technical strategist for McAfee; Dov Yoran, senior director of strategy and business development for Cisco; and Sergio Caltagirone, director of threat intelligence and analytics for Drago.

“Our main message was, you need to be diligent around your print infrastructure,” Feldman noted. “Your printers and multifunction devices are connected to your network; they are storing important information and will have access to the network, where you could have issues with malware, viruses or hacking attacks. This could create major problems if you’re not thinking about things holistically.”

Feldman guided attendees through Xerox’s four-pillar, multilayered approach to security, particularly in regards to printers. The points encompass:

• Intrusion prevention. The use of proper authentication to control access to the devices and its features enables safeguarding data and preventing malicious misuse.
• Device detection. Xerox uses verification tests to alert against harmful changes to systems firmware, employing McAfee’s whitelisting technology to prevent unauthorized changes to the system firmware. Cisco’s Identity Service Engine also comes into play here. Xerox has profiled more than 200 Xerox devices into the engine, which prevents non-approved printers from connecting to the network.
• Document and data protection. These capabilities include protecting printed output with a simple pin code or a card release system, such as a badge, up to the highest encryption standards to protect stored data using encrypted, password-protected styles to safeguard scans as well.
• External partnerships and certifications. Acknowledging that optimal security requires a best-in-class amalgamation of technology providers such as the aforementioned McAfee and Cisco, Xerox is using these partnerships and standards, both domestic and international (such as the NIAP common criteria certification standard), to develop an optimal security suite.

So why have printers and MFDs lagged behind their systems counterparts in security awareness? Feldman believes the natural tendency is for businesses to focus on their servers and data centers foremost, and rightly so. After all, for the longest time copiers were not connected to the network, and the single-function printers did not have hard drives or data. That has changed considerably in the last 5-10 years.

“There are now multifunction devices that are connected directly to the network and connected in many cases to the cloud,” Feldman said. “We’re using things like the Internet of Things to monitor our devices and make sure they’re functioning and have toner. Getting customers to recognize that these devices are hanging right off of their network, just like a server, and should be taken seriously has been something that we have worked hard to educate our customers on. A lot of them recognize this, but not at the same level as servers and data centers. That could be a vulnerability we need to guard against.”

The evolution of security standards walks hand-in-hand (or ideally, one step ahead of) the advancements and loopholes discovered and penetrated by cyberattackers. The Wannacry attack perpetrated at the onset of 2018 illustrates the ingenuity and savvy demonstrated by tech criminals and underscores the ongoing quest to lock down security vulnerabilities. That Xerox’s security mechanisms have not fallen to a breach to date provides little solace, and it’s what keeps the manufacturer awake at night…or at least thinking about future threats.

In the wake of the Summit, Feldman has received positive feedback from attendees who weren’t conscious of the full range of security implications, and that the presentation signaled a call to action on their behalf. Even industry representatives from verticals that traffic in heightened security, such as health care and financial services, garnered takeaways they felt worthy of acting upon in the immediate future.

“You have to have constant vigilance in this space,” Feldman said. “As new technologies come out and new vulnerabilities open up, you have to be constantly evolving that capability. There are other things we’re interested in doing in this space as well. Content security is another aspect that takes security to the next level, where we have intellectual rights on a document that is tied to certain users that can limit what they can do specifically with that document. That’s an area of interest from users and within Xerox as well. We’ve been testing and piloting this type of software solution with some of our customers. We believe that’s where security solutions are heading next.”