The IT security climate has changed. While in the past the challenge has been to convince customers
of the need for security, the current need is to show how a product's security capabilities complement
a customer's existing security environment.
Security measures have evolved through the years, from perimeter firewalls that kept intruders out, to
sophisticated virus throttling systems that detect malware before it takes hold and prevent it from
spreading. Attacks now often originate from inside the network: employees abuse the access they have
been granted, wireless networks are improperly secured, and unwitting users carry viruses or worms
onto the trusted network.
As attacks increase in sophistication, hardening the internal network's security, from clients and
servers to the imaging and printing infrastructure, becomes critical. Further, regulatory requirements,
including Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), are mandating
Imaging and printing security
Security of the imaging and printing environment has long been ignored by IT administrators. Printers
and scanners have been considered little more than network appliances, posing none of the risks of
client and server PCs. Recent publications by hacker groups have raised the awareness that imaging
and printing devices are more than simple appliances, and that these devices have capabilities
beyond printing and scanning.
This whitepaper explains the threats and risks unique to imaging and printing environments and
provides recommendations and strategies to prevent their effects. Parallels to common security
capabilities are drawn to aid in explaining hardcopy-specific needs. Imaging and printing devices
are put into the context of regulatory requirements, although—as will be seen—there is no simple
Common Criteria Certification
While Common Criteria Certification provides a valuable means for assessing the security capabilities
of a product, it is important to understand the true significance of certification, what Common Criteria
is and is not, and the role Common Criteria Certification plays in imaging and printing manufacturers'
marketing differentiation claims.
Common Criteria Certification provides no credible means for assessing the true security capabilities
of hardcopy products today, and should not be used as a measure for purchasing requirements.
Common Criteria does not dictate necessary security functionality; it merely provides a means to
assess the correctness of a manufacturer's implementation claims. The evaluation is performed against
a Security Target written by the manufacturer, and unless that target conforms to a Protection Profile
that mandates specific functionality, the evaluation validates only the claims the manufacturer chose
to make.
The varying levels of EAL (Evaluation Assurance Level) certification foster further confusion. Higher
certification levels are assumed to provide greater security. In fact, an EAL measures only how
rigorously the evaluators verified the manufacturer's functional claims, not how broad those claims
are; a high EAL awarded for a narrow set of claims says nothing about the functions that were never
claimed, so the higher levels of certification are frequently meaningless as a measure of product security.
The majority of the hardcopy industry currently certifies only its Disk Erase and Analog Fax functions, but this
certification does not accurately portray a product's overall security capabilities or vulnerabilities. A product
may advertise certification of these capabilities while providing no, or rudimentary, protection for the
To ensure Common Criteria Certification provides value, it is important to compare the product's
complete range of capabilities against those for which certification is claimed. While certification can
prove that the certified functions behave as claimed, it says nothing of what a product does not do, or of
the degree to which that omission represents a security risk.