How zero-trust security can bolster Managed Print Services (MPS) offerings
The rise of zero-trust
Ransomware and other targeted security attacks have increased during the pandemic. Lately, thousands of companies have been impacted due to the exploitation of security issues with Kaseya edge of network devices[1] and supplies in the US were halted due to exploitation of security holes[2].
Meanwhile, the massive shift to a hybrid workforce with a large proportion of employees working from home has seen an exponential growth in the attack surface as more devices and users connect to the network across multiple locations and across public cloud services and applications.
The expanded threat landscape means that traditional edge-of-ntetwork devices such as firewalls and anti-virus protection are no longer applicable as total defence approaches. Instead, the zero-trust model has emerged as a different approach to security, where the assumption is that nothing can be trusted implicitly or explicitly on the network.
Whilst a traditional network is built around the idea of inherent trust, a zero-trust model assumes that a breach will happen – so every device and user represents a security risk and must be authenticated, authorised and encrypted before granting access. This “never trust, always verify” approach uses multiple levels of protection to prevent threats, limit lateral movement through micro-segmentation and enforce granular user-access controls such as least-privileged access.
Effective zero-trust security requires persistent advanced security targeted at ensuring that malicious actors have to work harder to breach the defences.
Print vulnerabilities
In the hybrid workplace, printers left unprotected remain a source of potential vulnerability, particularly those purchased for home use which may not comply with strict BYOD (Bring Your Own Device) policies. Like any IT endpoint, a compromised printer can open up whole areas of issues for the overall corporate network. Not only can documents that have been stored or printed be compromised, without the correct security controls, networked printers and MFPs can be a major ingress point to access the corporate network.
The proliferation of home printers and the shift to a more distributed print infrastructure, away from centralised printing in the post-pandemic office means there is a heightened need to secure the print environment to prevent data and overall security breaches.
This has come to the fore recently with the Microsoft Windows Print Spooler Vulnerability (PrintNightmare) where Microsoft issued a critical vulnerability warning and patch due to the accidental publishing of a proof of concept (PoC) compromise of its print spooler[3].
Quocirca’s Print Security Study revealed that just 21% of IT Decision Makers are very confident in the security of their print infrastructure. pointing to the need for solutions and services that can help organisations mitigate these risks and improve print security confidence. To effectively combat advanced security threats, organisations need to combine network security with data and endpoint security for the print environment – which is key to a zero-trust architecture.
How can MPS providers support the zero-trust journey?
MPS providers must build expertise to address the zero-trust requirements of their customers. This means offering and implementing a multi-layered security proposition to protect printing across the hybrid work environment.
There are a range of opportunities for MPS providers to attach services that support the delivery of zero trust projects:
- Security assessments. Identifying users and devices: There is a need for organisations to know who and what is connecting to the business network. As companies grapple with having a proportion of their workforce working remotely, securing access to internal systems presents a major challenge. MPS providers must be able to help their prospects and customers in identifying where weaknesses already exist. This will generally require a full audit of applications, devices and users.
- Rationalisation and optimisation: MPS providers can then use that information gleaned from the first step to provide in-depth recommendations on how to optimise the environment. For example, through the adoption of a more focused BYOD policy, the number of different manufacturers and types of home printer can be minimised, and the basic security of acceptable devices can be dictated. This can then be used to roll home printers into a more cohesive managed print service.
- More comprehensive managed print services: Through a comprehensive security assessment, an MPS provider can then offer a comprehensive service for the provision, implementation and management of all printers within the scope of the customer. This enables greater process control as well as visibility as to what those working from home are doing with company information assets. A suitable MPS can also ensure that new connecting devices meet required security requirements, and can either provision remediation security for those that do not or lock them out of the system before they actually connect. Alongside this, it opens up opportunities for MPS providers to gain control of consumable supplies with monitoring of using providing the capability to supply home users with ink/toner and paper in a just-in-time (JIT) manner.
- Help apply solid security standards: Multi-factor authentication (MFA) provides a greater level of control over who can access the network through requiring an extra level of security via a separate device. Cloud-based MFA services offer mitigation against malicious network ingress by identity theft or by brute-force username/password attacks. Identity access management (IAM) and single sign on (SSO) technologies can also help in ensuring that greater security is in place without the users themselves needing to be trained in how to take a security-first approach. Beyond ensuring MFP hardware adheres to stringent security standards, MPS providers should also ensure that data collection agents (DCAs) are tested and certified to avoid potential security exploits.
- Application of better security policies: MPS providers can help organisations create effective information classifications and individual and group permissions. Devices can also be classified and allowed access to only those areas where the device’s security is sufficient for such access. Users should never be allowed privileges higher than they need – and should never be allowed to share such privileges. This can help not only in preventing malicious security breaches from outside the organisation, but also accidental or malicious insider security issues. Such policies are unlikely to be complex – but few organisations will already have such policies in place.
- Help end users keep control: Mobile app-based print management along with informed information routing and pull printing can ensure that users have greater control over what is happening. Certain print jobs may not be suitable for home printing, due to either the quality of print required or the security of the information included. Routing can ensure that the print job gets sent to the right printer. Pull printing enables users to control what is printed at their own device – and this can be layered on to even the simplest home printers with the right MPS in place.
- Network segmentation: The age of the ‘walled garden’ security approach is no longer fit for purpose. If someone compromises that one network, they could damage productivity, spread malware across the whole network, steal proprietary information, or simply sit on the network gathering information for a larger attack. Segmenting a customer network into multiple zones with policies controlling what data and users can cross over these boundaries will help mitigate against such issues. An MPS provider may be able to provide network controls between each end-user access device and the print network through the application of an MPS service that abstracts the print activity away from the main network. This then makes it harder for malicious users to attempt to use printers as an attack vector.
- Continuous monitoring:There is a need for the continuous monitoring of all devices, users and data flows. Alongside this, the monitoring of the health and security posture of the network and all managed endpoints allows for better responses to zero-day threats. MPS providers are ideally positioned to provide such cloud-based services with continuous patching and updates of device firmware, print drivers and security policies, alongside the capability to analyse activity across a broad range of customers to help identify and deal with emerging threats.
The world has changed, and old security approaches are no longer fit for purpose. Cloud-based MPS providers are ideally situated to take a strong position in providing new approaches to deal with environments where the platform is less physically definable and where devices and users are distributed across managed and less-managed environments. By creating a set of solid messages around zero-trust security with meaningful benefits to prospects and customers, MPS providers can successfully monetise future opportunities in the security market.
Find out more in Quocirca’s Print Security 2020 Study
Hear from the key vendors in this space on Quocirca’s In the Spotlight podcast
[1] https://www.zdnet.com/article/kaseya-ransomware-supply-chain-attack-everything-you-need-to-know-updated/
[2] https://www.theregister.com/2021/05/10/colonial_pipeline_ransomware/
[3] https://www.theverge.com/2021/7/6/22565868/microsoft-printnightmare-windows-print-spooler-service-emergency-patch-hotfix