If HTTP was used (a popular protocol) to read the document, a proxy server could be
involved and there is probably a cached copy of the document in the proxy server's RAM
and potentially on the proxy server's hard disk
There is probably a "deleted" copy of the document on the user's hard drive that was used to
render the document in the browser (i.e., a temporary file). Note: "deleted" is used in
quotes to indicate that a normal user believes the file has been deleted, but the file can be
recovered via specialty software or forensics.
There is probably a "deleted" copy of the spooled print file on the user's hard drive. If
network print spoolers (Windows, NetWare, UNIX/LINUX, and so on) were used instead of
direct printing, the document was probably sent in the clear to the network print spooler and
a copy exists on the network print spooler's hard drive.
When the user or a print spooler sends the document to the actual network printer, unless the
machine was printing using IPsec or another security technology to the actual printer, the print
image of the file was probably sent over the local network in the clear.
There is probably a copy of the raster image on the printer's hard drive.
If the user forgot a printout (e.g., due to paper jam, too many copies, delayed print job,
etc...), there is a paper copy available at the printer. If there was a paper jam, there may be
partial copies in the recycle bin after the jam was cleared.
The user decides that an outsourcer under a trusted non-disclosure agreement needs a copy
of the document as well and emails one of the printouts directly to them from an MFP.
Unless it is the same machine as was used to print the document, there is probably another
copy on the MFP's hard drive.
The document was probably sent in the clear over email, available to be sniffed.
The document may in fact be stored by email servers along the way and perhaps "deleted"
as well. Note: These electronic copies are available on servers that are probably not covered
by your security policy!
There is probably a "deleted" copy of the PDF on the outsourcer's hard drive when it was
viewed via email.
There is probably a "deleted" copy of the spool file on the outsourcer's hard drive when it
was printed. In addition, if an intermediate print spooler is used, there is a "deleted" copy
on that hard drive.
The document was probably sent to the outsourcer's printer in the clear and could be sniffed.
The outsourcer's printer probably has a "deleted" copy of the raster image on its own hard
If the outsourcer forgot to pick up the printout, there is a copy by their printer. Any problems
with the print job, there are probably partial copies in the recycle bin.
The outsourcer probably saves the PDF file. If it was an internal server, there is probably a
copy on its hard drive and potentially any backup tapes or DVDs.
After the meeting is over, a user inadvertently places the document in a normal paper recycle
bin rather than the confidential document bin.
Greedy reductionism will often result in a false sense of security by making security seem easy and
not looking at the big picture. Looking at security holistically, one can see that while buying an
encrypted hard disk for a printer/MFP may be a good step in certain circumstances, there are also
many other ways to obtain these documents as well. If your documents are important enough to buy
an encrypted hard disk for your printer, then the security around all the other ways of obtaining the
document probably should be evaluated too. For the sake of argument, let's assume that all the
previous ways of capturing a document were locked down and a customer purchased an encrypting
hard drive for their printer. All is well right? Well, now we can then begin down the road of The
The Verification Problem
Let's work through a simple example.