HP J2383B HP Jetdirect Print Servers - Philosophy of Security - Page 9

• If HTTP was used (a popular protocol) to read the document, a proxy server could be involved and there is probably a cached copy of the document in the proxy server's RAM and potentially on the proxy server's hard disk • There is probably a "deleted" copy of the document on the user's hard drive that was used to render the document in the browser (i.e., a temporary file). Note: "deleted" is used in quotes to indicate that a normal user believes the file has been deleted, but the file can be recovered via specialty software or forensics. • There is probably a "deleted" copy of the spooled print file on the user's hard drive. If network print spoolers (Windows, NetWare, UNIX/LINUX, and so on) were used instead of direct printing, the document was probably sent in the clear to the network print spooler and a copy exists on the network print spooler's hard drive. • When the user or a print spooler sends the document to the actual network printer, unless the machine was printing using IPsec or another security technology to the actual printer, the print image of the file was probably sent over the local network in the clear. • There is probably a copy of the raster image on the printer's hard drive. • If the user forgot a printout (e.g., due to paper jam, too many copies, delayed print job, etc...), there is a paper copy available at the printer. If there was a paper jam, there may be partial copies in the recycle bin after the jam was cleared. • The user decides that an outsourcer under a trusted non-disclosure agreement needs a copy of the document as well and emails one of the printouts directly to them from an MFP. Unless it is the same machine as was used to print the document, there is probably another copy on the MFP's hard drive. • The document was probably sent in the clear over email, available to be sniffed. • The document may in fact be stored by email servers along the way and perhaps "deleted" as well. Note: These electronic copies are available on servers that are probably not covered by your security policy! • There is probably a "deleted" copy of the PDF on the outsourcer's hard drive when it was viewed via email. • There is probably a "deleted" copy of the spool file on the outsourcer's hard drive when it was printed. In addition, if an intermediate print spooler is used, there is a "deleted" copy on that hard drive. • The document was probably sent to the outsourcer's printer in the clear and could be sniffed. • The outsourcer's printer probably has a "deleted" copy of the raster image on its own hard drive. • If the outsourcer forgot to pick up the printout, there is a copy by their printer. Any problems with the print job, there are probably partial copies in the recycle bin. • The outsourcer probably saves the PDF file. If it was an internal server, there is probably a copy on its hard drive and potentially any backup tapes or DVDs. • After the meeting is over, a user inadvertently places the document in a normal paper recycle bin rather than the confidential document bin. Greedy reductionism will often result in a false sense of security by making security seem easy and not looking at the big picture. Looking at security holistically, one can see that while buying an encrypted hard disk for a printer/MFP may be a good step in certain circumstances, there are also many other ways to obtain these documents as well. If your documents are important enough to buy an encrypted hard disk for your printer, then the security around all the other ways of obtaining the document probably should be evaluated too. For the sake of argument, let's assume that all the previous ways of capturing a document were locked down and a customer purchased an encrypting hard drive for their printer. All is well right? Well, now we can then begin down the road of The Verification Problem. The Verification Problem Let's work through a simple example. 9