To provide secure, enterprise cloud printing, PrinterOn leverages multiple methods of network security to make sure printing is always done in a secure manner no matter who is using the service or where they are accessing it from.
PrinterOn applies industry standard best practices for all network security and communications. All PrinterOn services are protected by fully signed and verifiable certificates that ensure connections are encrypted and that their authenticity can be confirmed. Additionally, clients such as the PrinterOn mobile apps ensure that all communication is done securely at the client level. Users are notified whenever they attempt to connect to a discovered service that uses a self-signed certificate, so that they are aware of the service identity before a connection is established.
To understand PrinterOn network security, it is important to understand how its components deliver secure printing services as part of the end-to-end print workflow. All services operate in the background, seamless to the end user. The diagram below depicts a high-level overview of the components that constitute PrinterOn. Most externally facing services are port-configurable.
PrinterOn provides a number of authentication options. The power in the architecture is that PrinterOn can leverage cloud-based user authentication. Any OpenID Connect-compatible identity management solution, such as Microsoft Azure AD, can be used. This standards-based authentication support makes it possible to deploy a pure cloud secure printing solution. PrinterOn also supports independent user management without the need for third-party integration. This independent user management follows the same network security principles as Azure AD and other identity management providers using OpenID Connect. In addition, PrinterOn supports traditional LDAP or Active Directory configurations, described next.
PrinterOn supports traditional LDAP or Active Directory configurations to authenticate users when printing. Most organizations will already be leveraging Microsoft® Active Directory, but for those that do not, PrinterOn also supports user authentication against LDAP user database servers. Authentication services are managed centrally by the Central Print Services (CPS), allowing print jobs to be associated with a user’s existing credentials irrespective of the submission method. In addition to authenticating print jobs at submission time, the PrinterOn service can also be configured to authenticate the user at release time.
Azure AD Identity Management
PrinterOn supports cloud-based user authentication and identity management (IDM) solutions. Any OpenID Connect-compatible identity management solution (such as Microsoft Azure AD) can be used. While the authentication services are managed centrally by CPS, client applications such as the PrinterOn mobile apps and PrintWhere desktop clients perform the authentication process with the cloud-based identity management solution. Upon authentication, the IDM solution returns an access token to the client, which the client uses for retrieving printers and submitting print jobs. The token also enables PrinterOn to verify that the user is still authorized to use the service without requiring the user to re-authenticate, and it ensures print jobs are associated with the proper user.
Print Data Encryption
PrinterOn can be configured to use certificate-based public/private key encryption for data at rest. For example, a user uploads a Word document through the print service. The job is securely delivered to the service using TLS. Once documents are received by PrinterOn, they are rendered and converted to a printable form. To encrypt print data at rest outside the secure PrinterOn service environment, every service instance generates a unique RSA 1024-bit public and private key pair and publishes the public key to the PrinterOn service. A unique, one-time-use 128-bit AES encryption key is then generated. The print data is compressed and encrypted using 128-bit AES, and the 128-bit AES key is encrypted using the asymmetric RSA key before being included with the print metadata. Finally, the Print Delivery Station (PDS) downloads the data over a secure TLS connection and stores the print job securely on a PC or server. This scheme effectively creates two levels of encryption for every print job.
Print Data Security
Documents remain encrypted until a user enters their secure and private release code. By leveraging PrinterOn public/private key encryption technology with private keys stored in the release software, only the PDS that manages the selected printer is capable of decrypting the print job.
The PrinterOn service uses industry accepted secure cloud storage best practices. Each customer’s print data is stored in a dedicated and isolated storage container. The container is protected with access control rules that limit access to the customer’s connected services. Network security can be increased further by reducing the number of components that interact with the data and allowing the PDS to download print jobs directly from the cloud storage on demand.
Fundamentally, the PrinterOn architecture treats all print job data as transient rather than persistent. This means that the solution minimizes the amount of time print data is stored within it. This includes both the submitted documents and the print data destined for the printer. Input documents are deleted as soon as they have been converted to a printable format and completely processed. Depending on the stage of processing, different APIs may be used to delete the data.
PrinterOn uses modern “cloud-aware” databases to store and manage an organization’s data. The specific database technology used depends on the use case, but includes both SQL and NoSQL databases. In all cases, the same high level of network security is applied. Databases are deployed in facilities with comprehensive control environments that include the necessary policies, processes and control activities for the delivery of each of the cloud service offerings.