
December 16, 2024

How to Address IT’s Top 5 Security Concerns

Corey Ercanbrack

Whether you’re a small business with 100 employees or a multinational enterprise with a workforce of 10,000, you have a shared priority: safeguarding the security of your network.
There’s good reason for that. According to Harvard Business Review reporting, ransomware attacks rose by 150% between 2019 and 2020, and that deeply worrying trend shows no signs of stopping. According to an IBM report, data breaches cost companies an average of $4.86M in 2024, a 10% increase from 2023. Mission-critical security exploits like Log4j and PrintNightmare crop up every couple of months. With the shift to remote and hybrid work, organizations are scrambling to plug newly visible gaps without inconveniencing their end users.
This article will address five security concerns that are top of mind for today’s CIO or IT director:
  1. Minimizing attack surfaces
  2. Protecting data
  3. Embracing Zero Trust
  4. Safely supporting remote work
  5. Mitigating cyberattacks
All of these security concerns intersect in the print environment. That’s not just something we’re saying as a print automation solution. It’s what our customers are telling us day in and day out.
With that in mind, we’ll also discuss how Vasion Print’s core solution and our Advanced Security Bundle solve these pressing and emerging challenges while minimizing your attack surfaces and protecting proprietary data. Let’s dive in.
 

1. Attack Surfaces

Your attack surface is the number of points that an unauthorized user could breach to extract data or deliver a malicious payload. The size of your attack surface correlates directly with your infrastructure.
In the print environment, “infrastructure” equates almost entirely to print servers. If you have 50 print servers, you have 50 possible attack surfaces—each with multiple attack vectors and hundreds of megabytes of confidential user data as a target.
PrintNightmare is a perfect—and scary—example of the power and scope of an exploit that leverages print servers as a ubiquitous (and therefore often overlooked) attack surface. It preys on untrusted drivers, turning those modules into rogue agents. But the present tense is important here. PrintNightmare hasn’t gone away. It might no longer be grabbing headlines in the tech media, but its three variants remain a critical security vulnerability across the board. Some researchers have even argued that patched servers shouldn’t be considered immune.
At the same time, the comprehensive fix for PrintNightmare and other print server exploits is both simple and obvious. To minimize your attack surface, you just take the vulnerable infrastructure out of the equation. Problem solved.
This is why our customers didn’t even bat an eyelid when PrintNightmare appeared. They didn’t have to worry about print servers being exploited as they waited for a patch. Why? Because Vasion Print had superseded their print servers the moment it was deployed. Malicious actors can’t attack what doesn’t exist.
From its very first line of code, the core Vasion Print solution has been laser-focused on eliminating print servers through a centralized, enterprise-grade, direct IP printing platform. Since then, Vasion Print’s footprint has only grown smaller and more secure as it evolved into a cloud-native SaaS offering with support for all major cloud identity providers (IdPs).
That reduction in infrastructure has huge benefits for cost savings, ease of use, and resiliency, as many organizations have already discovered hundreds of times over. Now, they’re realizing they can add security to that list, too.
 

2. Data Protection

I’ll bet your organization is already taking serious steps to secure your digital data. If you have several individuals or teams of people working with important documents, you’re probably making sure that all those folders and files have very specific access privileges. No unauthorized users can open or interact with them. The same goes for apps and other software.

But what about printed documents?

That’s a different story.
We can all probably share a bunch of anecdotes about how unsecure everyday printing can be. I remember a time when I would have to sprint from my desk to the printer as soon as I clicked “Print” to grab a sensitive print job as soon as it hit the tray.
In the real world, however, things don’t always go according to plan. You print a confidential job, get distracted by a phone call or a meeting, and then forget to pick it up. So it sits in the output tray, where someone else accidentally grabs it along with their own papers. Whether they wanted to or not, they’ve now seen that private salary information or the upcoming product behind the codename.
This is the number one way data gets leaked in many companies. The 2022 Quocirca Print Security Landscape study found that 67% of companies reported a print-related data loss as the result of unsecure printing practices like these.
Here’s where Secure Release Printing comes in.
Secure Release Printing has been an optional feature for Vasion Print customers for many years, and we’re now making this proven technology a cornerstone of our new Advanced Security Bundle. Secure Release Printing asks the user to authenticate via badge or credentials while physically present at the printer before the job can be executed. The user who initiated the job is the only one who can retrieve it.
Vasion Print’s new Advanced Security Bundle also includes a very convenient technology called Mobile App Release. This, too, is a feature we introduced several years ago and have been refining and augmenting ever since. It functions similarly to Secure Release, except it uses the user’s mobile device as the authentication mechanism.
It’s important to mention something about simplicity here. We know from experience that forcing users to jump through all sorts of hoops in the name of security is self-defeating because it only makes those users want to circumvent those protocols. That’s why Secure Release Printing and Mobile App Release are incredibly intuitive. Users can seamlessly incorporate them into their workflows, so data protection becomes a natural and fundamental part of their productivity.
Another important thing that advanced features like these have in common is that they tap into the inherent security of the core Vasion Print solution. By eliminating print servers, we haven’t just reduced an attack surface. We’ve also ensured that print data is never sitting in some intermediary point like a server-based print queue. With Vasion Print, the TLS-encrypted print job goes from the user’s device directly to the printer. This direct IP paradigm avoids single points of failure where someone could tap into that data stream.
If you look at the full feature set of our Advanced Security Bundle, you’ll spot something interesting: Off-Network Printing. This might sound like it goes against our “keep it local” philosophy when it comes to protecting print data. But the reality is that remote work—which I’ll cover in more detail below—is now a dominant force in the modern workplace, and we need to find a way to support it securely.
Vasion Print’s Off-Network Printing mirrors the direct IP approach of our core solution but extends these capabilities to any authorized off-network device. It does this by establishing a secure tunnel between the initiating device and the local destination printer behind the firewall—no VPN required! All the print data is TLS-encrypted along that single path, and it’s never at rest.
We’ll continue to build on this model to offer optional functionality that can temporarily store the encrypted print job in the cloud for added convenience. Authorized users will then be able to execute the job locally using one of our release mechanisms to push the encrypted cloud data to our software on the destination printer.
Between our core Vasion Print solution and the functionality in our Advanced Security Bundle, we now have two scenarios that cover any use case while still protecting print data by design:
  1. Local direct IP printing, enhanced by Secure Release Printing and Mobile App Release.
  2. Off-Network Printing, where cloud data is protected end to end.
 

3. Zero Trust

Zero Trust is a computer security concept that first appeared in 1994, yet it didn’t start seeing mainstream adoption for another two decades. Basically, the name says it all. In a Zero Trust environment, the assumption is that every device is potentially compromised. To keep those devices contained, there should be multiple authentication mechanisms and access control policies in place for users as well as their machines.
That’s a tall order—very simple in theory, a lot messier in practice. As a result, you have a lot of IT leaders asking themselves and their teams, “How do we get to Zero Trust while still keeping all the essential pieces of our IT puzzle?”
Printing has historically been one of the trickier pieces. After all, the very concept of printing is a holdover from the analog world of ink and paper. Its primary purpose is to turn what we see on our screen into something we can hold. Maybe that’s why it sometimes feels like there are light years separating today’s print environment from modern cloud computing, where the user’s location is fluid.
So, when you’re talking security best practices, maybe the question is better phrased like this: How can a technology with such a classic pedigree as printing be modernized for the era of cloud-based Zero Trust models?

The starting point is authentication.

First, you’ve got to get single sign-on (SSO) in place. You can think of SSO as the one-stop shop for users to sign in to all their cloud services at the same time. SSO works hand-in-hand with—but is also distinct from—the identity provider, or IdP. The IdP is the data store for digital identities and functions like a guest list. If you’re not on the list, you don’t get in.
What makes an IdP different from traditional authentication is that it’s not limited to individual users. In keeping with the Zero Trust philosophy, an IdP also verifies apps, devices, and any other entity that wants to connect to the network.
The second step is multi-factor authentication (MFA). It’s designed to double (or even triple) check the validity of any authentication process—similar to presenting your passport after showing your driver’s license. One everyday example of MFA is the SMS verification codes you receive when logging into websites. Enterprise-grade systems are naturally more varied and robust.
For the third and final step, you’ll need to implement adaptive identification. This is a context-based security concept that emerged in response to mobile device adoption, and it’s taken on more importance during the global shift to remote work. In simple terms, adaptive ID means, “I’m going to trust you a lot more if you’re working out of your home office than if you’re in the local coffee shop.” At home, you might be able to go for days without re-authenticating. At the coffee shop, it will be much more frequent.
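The three steps above (IdP-verified identity, MFA, adaptive re-authentication) can be combined into one access decision made before a print job is accepted. The following is an added example, not Vasion Print's code; the field names, context labels and re-authentication intervals are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy: how long a successful MFA stays valid per network context.
# The article gives no numbers; these values are illustrative only.
REAUTH_INTERVAL = {
    "corporate": timedelta(days=7),
    "home": timedelta(days=3),
    "public": timedelta(minutes=30),   # e.g. coffee-shop or hotel Wi-Fi
}


@dataclass(frozen=True)
class PrintRequest:          # hypothetical request record
    user: str
    idp_verified: bool       # step 1: SSO assertion validated by the IdP
    device_registered: bool  # step 1: device identity known to the IdP
    last_mfa: Optional[datetime]  # step 2: last successful MFA, None if never
    network_context: str     # step 3: input to the adaptive decision


def decide(req: PrintRequest, now: datetime) -> str:
    """Return 'deny', 'step_up' (fresh MFA required) or 'allow'."""
    if not (req.idp_verified and req.device_registered):
        return "deny"                      # unknown user or device: no job
    if req.last_mfa is None:
        return "step_up"                   # never completed MFA
    age = now - req.last_mfa
    if age < timedelta(0):
        return "step_up"                   # timestamp in the future: distrust it
    # Unlisted contexts get a zero interval, so they always re-authenticate.
    max_age = REAUTH_INTERVAL.get(req.network_context, timedelta(0))
    return "allow" if age < max_age else "step_up"


def evaluate_samples() -> list:
    """Run the policy over constructed sample requests."""
    now = datetime(2024, 12, 16, 12, 0)
    samples = [
        PrintRequest("amber", True, True, now - timedelta(days=2), "home"),
        PrintRequest("amber", True, True, now - timedelta(hours=2), "public"),
        PrintRequest("amber", True, True, now - timedelta(minutes=10), "public"),
        PrintRequest("amber", True, False, now - timedelta(minutes=1), "home"),
        PrintRequest("amber", True, True, now - timedelta(minutes=1), "vpn-exit"),
        PrintRequest("amber", True, True, None, "corporate"),
    ]
    return [decide(r, now) for r in samples]


if __name__ == "__main__":
    print(evaluate_samples())
```

The same MFA age yields different outcomes depending on context: two days is acceptable at home, while two hours on a public network already forces a step-up.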
All of this is difficult—if not impossible—to apply to the traditional print environment. That’s why Vasion Print, as a cloud-native SaaS solution, creates a bridge between the two. Our core platform supports all major IdPs, including Okta, Azure AD, Google Identity, and seven more. We tightly integrate with industry standards like Security Assertion Markup Language (SAML), System for Cross-domain Identity Management (SCIM), and OpenID Connect (OIDC) to update and authenticate principals and authorize access to printers.
In short, before a print job can come through, Vasion Print makes sure the user and device are thoroughly vetted.
And as far as admin tasks go, Vasion Print’s role-based access control (RBAC) lets you limit the scope of access while also delegating more responsibility to power users. You can even let users install printers themselves without worrying about them doing anything beyond that. So you get granular security and fewer support calls.
There are two more important aspects of Zero Trust that are worth mentioning here. One involves shrinking your network. The other has to do with conducting ongoing audits.
As I detailed previously, Vasion Print was designed from the outset to eliminate infrastructure—namely, print servers. That doesn’t just minimize your attack surface. It also shrinks your network: fewer devices, less exposure, and less to keep tabs on and lock down.
In addition, Vasion Print’s core platform includes powerful auditing capabilities. From end user print activity to admin configuration changes, you can see exactly who did what, where, and when. That rich oversight, coupled with Vasion Print’s authentication and access control, creates a secure print environment that supports Zero Trust policies.
 

4. Remote Work

These days, any conversation about Zero Trust is incomplete if it doesn’t tie into remote work.
Some form of remote work—or its close cousin, hybrid work—is widely acknowledged as the workplace structure going forward. A recent survey we conducted revealed that over 80% of our customers envision their employees in remote or hybrid work models for the foreseeable future.
Generally, many of the same technologies that are enabling Zero Trust are also key to hardening the security around remote work. These include the cloud-based IdPs, MFA, auditing, RBAC, and other protocols and practices I laid out above.

The Remote User’s Point of View

I’d like to use an example that we featured during a live demo. We had an employee named Amber sitting by the pool on top of a hotel downtown. She was connected to the hotel’s Wi-Fi, enjoying some downtime, checking the headlines and her social media feeds on a mobile device.
Then she realized she needed to print a document back here at the office. The printer, of course, was connected to our corporate network.
Think about all the moving parts involved in that device chain. How in the world does Amber print without resorting to all kinds of inconvenient network acrobatics? And more importantly, how does she do it securely?
This is where Vasion Print’s Off-Network Printing plays a huge part. Using this feature in our new Advanced Security Bundle, Amber was able to remotely print a job from her personal mobile device to an in-house printer with a tap or two. Vasion Print handled all the authentication and access control along the way, even if that involved concurrent IdPs. Plus, Vasion Print TLS-encrypted the print job from end to end to safeguard against interception.
As far as Amber is concerned, all this was as simple as printing from an in-house PC. Maybe even simpler. She stays productive when she’s offsite, and her print data stays secure. A win-win.
It’s not hard to envision how this would apply equally well in a hoteling or desk-sharing scenario. Then add Vasion Print’s built-in location-aware functionality to those possibilities. This feature set can determine where a user or device happens to be based on criteria like their IP address. In other words, if a hybrid user sits down at a new desk in a new building, they can automatically be associated with a nearby printer and even have it auto-install on their compatible device.
Also available is Offline Secure Release Printing. This is useful in scenarios where a remote user prints a job to the in-house corporate printer for later retrieval. Let’s say they send the print job from their mobile phone at home, then come into the office the following day without their phone. They’ll still be able to release the waiting print job simply by swiping their badge. 
 

5. Cyberattacks

It wasn’t all that long ago that cyberattacks seemed like a peripheral threat. Sure, there were always script kiddies knocking at the door, and once in a while, you’d see something serious emerge with the media educating us on a widespread vulnerability that was ripe for exploitation. But on the whole, as long as your software was reasonably up to date, you weren’t biting your nails every time a device connected to the Internet.
How times have changed.
The rate of what is arguably the most public-facing form of cybercrime, malicious e-mails, soared 600% during the pandemic. In 2024, we’ve seen how the use of generative AI makes cybercriminals more effective and protected than ever before. Looking to next year, Cybercrime Magazine has predicted that global cybercrime costs will amount to $10.5 trillion USD annually by 2025—up from $3 trillion in 2015.
In short, cybercrime is a money maker. Malicious actors are now more organized, savvy, and mobilized than ever. They’ve grown bolder and more sophisticated.
With cyberattacks, it’s no longer a matter of if. It’s a matter of when. Software is developed, installed, configured, and used by humans—so it’s never going to be impervious. And unfortunately, there are a lot of other humans who will seize any chance they get to exploit a chink in the armor. Of the 1,500 companies included in McAfee’s report, only 4% had managed to avoid some form of cyber incident in (pre-pandemic) 2019.
Every organization is going to feel the sting at some point. 
The good news is your hands aren’t tied. There are solutions. Cybercrime mitigation and prevention are already baked into the way companies like ours are delivering and maintaining software in the SaaS era.
Classic software models used a more protracted release cycle. You’d install a software solution on-prem, often taking a wait-and-see approach to gradual updates that enhanced functionality or plugged security holes. The typical cycle was measured in months or even years.
But then news of an exploit would emerge. CVE-1234 could enable a user to gain control of the entire network by printing a black-and-white document in color! Then it was a race to adjust settings, disable functionality, and limit access in the immediate term while you waited weeks and weeks for a patch to arrive. PrintNightmare is an obvious example of the drawbacks of this old-school approach.
Cloud-native SaaS solutions like Vasion Print, by contrast, are both more proactive and more responsive. They’re constantly being updated behind the scenes to pre-empt possible exploits and close existing loopholes. It’s like getting into your car every morning with the knowledge that it received a full tune-up, comprehensive safety inspection, and performance upgrade sometime during the night.
Our SaaS platform issues rolling updates throughout the day that improve functionality and address potential security gaps. And here’s the best part: Once those deployments become common code, every single one of our SaaS customers is updated at the server level. There’s no more damage control followed by a long, anxious wait for a security patch that IT then has to apply across the board. Instead, vulnerabilities can be addressed universally in a matter of hours.
We’re also working on some exciting functionality that will further capitalize on the advantages of this architecture. In the future, every software component that’s part of the Vasion Print solution—from agents to clients—will be able to receive automatic rolling background updates.
Agility like that is how you manage cyberattacks. It’s also how Vasion Print’s modern SaaS approach saves time, headaches, and costs several times over.

Protect Your Print Environment

Secure your network and protect data using direct IP printing from Vasion Print.