Data Security on TA Triumph-Adler SynControl Systems (System Support)

Data Security on TA Triumph-Adler SynControl Systems(System Support)

22.04.23

2

ISO 15408 EAL3 – Common Criteria

History & Background

The constant increase in the use of information technology in the business world led to increased demands in view of data security.

Already by the end of the 1980s, the complex area of IT security and the related demands for a secure operation of IT systems and products resulted in the development of standardised criteria for the evaluation and testing of IT security.

3

History & Background

1989: The „Bundesamt für Sicherheit in der Informationstechnik“ (BSI – German Federal Office for Information Security) issues a catalogue of criteria for the evaluation of IT systems that allows independent evaluation institutes to evaluate IT systems in line with unified criteria and IT products in view of the effectiveness of their security relevant measures.

1991: Germany, France, the UK and the Netherlands publish „Information Technology Security Evaluation Criteria“ (ITSEC), i. e. harmonised pan-European IT security criteria.

1998: Completion of the „Common Criteria“ (CC) – „Common Criteria for Information Technology Security Evaluation “ (version 2.0), thereby introducing internationally accepted evaluation criteria for IT security

ISO 15408 EAL3 – Common Criteria

4

What is behind ISO 15408 EAL3?

ISO 15408 is an international Security Standard in the framework of the Common Criteria which states that the safety engineering of products must comply with the aforementioned standard.

Several EA levels exist (0-7) within ISO 15408.

EAL3 is the currently relevant level for office systems and stands for a certain level of security and confidentiality within ISO 15408 (Evaluation Assurance Level), which states that security functions must be methodically tested and evaluated, including the control of their development environments.

ISO 15408 EAL3 – Common Criteria

5

Link to the Common Criteria website:

http://www.commoncriteriaportal.org/thecc.html

Link to the BSI website:

BSI (German Federal Office for Information Security):

http://www.bsi.de/

ISO 15408 EAL3 – Common Criteria

6

Links to relevant websites of IPA:

A list of certified products of all manufacturers can be found under the following link of the Japanese Evaluation Institute IPA:

http://www.ipa.go.jp/security/jisec/jisec_e/certfy_list.html

A list of products that are currently being certified can be found under:

http://www.ipa.go.jp/security/jisec/jisec_e/prdct_in_eval.html

Details on the certification of Data Security Kits (B), (C), (D) and (E) can be found under:

http://www.ipa.go.jp/security/jisec/jisec_e/c0035_it4035_ecvr.htm

http://www.ipa.go.jp/security/jisec/jisec_e/certfy_list/c0151_it7182.htm

http://www.ipa.go.jp/security/jisec/jisec_e/c0057_it5065.htm#itkz7031

ISO 15408 EAL3 – Common Criteria

7

Which TA Triumph-Adler products comply with ISO 15408?

Data Security Kit (B)* (DC 2060/2080) Data Security Kit (C)* (DC 2325/2330/2230/2240/2250) Data Security Kit (D)* (DCC 2625/2632/2635) Data Security Kit (E)* (DCC 2725/2730/2740/2840/2850, DC 2430, DC 2242/2252,

CLP 4550)

The certificate is issued in the name of the original manufacturer Kyocera Mita (the certification is chargeable to each applicant!).

Since TA Triumph-Adler systems are identical in construction, we can assure our customers the compliance of our systems with the ISO regulation.

*optional

ISO 15408 EAL3 – Common Criteria

8

What is the effect of installing the optional Data Security Kit?

Overwriting and encryption functions of the system hard disk and the optional printer hard disk* are enabled:

Overwriting:

Data are stored on the hard disk until they are overwritten with other data => with recovery programs data can be retrieved and used illegally.

The security kit deletes and overwrites output data so that these can no longer be recovered – this happens automatically.

*depending on the system

ISO 15408 EAL3 – Common Criteria

9

What needs to be taken into account when installing the optional Data Security Kit?

Two overwriting methods are available and can be selected by the administrator:

Simple overwriting: A certain area (when overwriting) or the whole storage area (when initialising) of the hard disk will be overwritten with zeros (0), so that data recovery is made impossible.

Triple overwriting (default): First, the same area as before will be overwritten twice with random data, followed by zeros (0). This method is more secure than simple overwriting and makes data recovery almost completely impossible.

ISO 15408 EAL3 – Common Criteria

10

What is the effect of installing the optional Data Security Kit?

Encryption (AES Encryption):

Scanned originals and other user data are stored on the hard disk. The security kit encrypts data before they are stored on the hard disk => this

increases security, because data can only be decrypted during normal use. Encryption is carried out automatically in line with AES (Advanced Encryption

Standard). In the US this standard is approved for governmental documents which are subject to the highest secrecy level.

ISO 15408 EAL3 – Common Criteria

11

What needs to be taken into account when installing the optional Data Security Kit?

The system is initialised during installation of the security kit. That means that data stored on the hard disk will be deleted.

The function „Repeat Copy“ is no longer available after installation. A button „Security“ will be added to the system menu after installation. If the Data Security Kit is installed correctly, the hard disk icon will appear in the

lower right corner of the display (in security mode).

ISO 15408 EAL3 – Common Criteria

12

Security Settings at TA Triumph-Adler Systems

Security settings at the system:

Authentication at the system (input of numeric code) Locking the USB host Locking „Repeat Copy“ Locking/partially locking the display

13

Authentication at the System (alpha-numeric)

Authentication at the system prevents unauthorised access by third parties.

User defined limitations can be set (account ID, numeric password) for printing, scanning, copying and faxing.

14

Authentication at the System (numeric)

Authentication at the system prevents unauthorised access by third parties.

User defined limitations can be set (account ID, numeric password) for printing, scanning, copying and faxing.

15

Disabling the USB Host for Optional Data Storage Media

The USB host can be locked via the Embedded Web Server:

16

Disabling „Repeat Copy“

„Repeat Copy“ can be locked by either of the following ways:

Installation of the Data Security Kit Locking and switching the function off in the system menu

17

Disabling „Repeat Copy“ Disabling/partly disabling the Display

The function „Repeat Copy“ can be locked by partially locking the display in the Embedded Web Server:

18

Security Settings (Scanning)

The security of the scan functions mainly depends upon the security settings of

the user network:

FTP: Security settings of the FTP server are active:

Input of user name and password is required. SMB: Security settings of the user network are active:

Usually, the user has to log in with user name and password. E-Mail: Like SMB - SMTP security settings are active:

Usually, a sender address known to the SMTP server has to be

used.

19

Security Settings (Scanning)

A higher security level for scanning is available with the installation of the optional PDF Upgrade Kit. This kit encrypts and compresses PDF files generated on the system. Opening as well as printing and editing of PDF files can be restricted.

20

Security Settings (Scanning)

There are two encryption levels: „low level“ (40 bit) „high level“ (128 bit)

21

Security Settings (Scanning)

Another possibility to enhance the security level on TA Triumph-Adler systems when using e-mail transmission is the domain restriction for transmission and reception.

22

Network Security Settings

Authentication at the Embedded Web Server Network authentication Certificates General settings and helpful hints

23

Authentication at the Embedded Web Server

Accessing the Embedded Web Server is possible (default).

Via „Basic“ and „Security: Account Settings“ an administrator password can be set. Access to the Embedded Web Server can be encrypted by SSL.

At the system several administrators with different passwords can be registered. Moreover, users can be registered and given a password.

24

Network Authentication

This setting for log-on at the system offers the highest network security standard. Log-on at the system is possible via inputting a user name and password. Two authentication methods exist:

- NTLM - KERBEROS

Which of the two is used depends on the network and server operating system. Network authentication can be combined with the authentication at the system as

well as the account management (limitation for printing, scanning, copying and faxing).

Passwords, user control and security levels are adjustable with TA Triumph-Adler systems.

25

Network Authentication

Network authentication and server settings (defaults) can be made at the system or via the Embedded Web Server.

26

Combining Network and System Authentication with Account Management

Settings at the system:

Setting up a local user via the Network Print Monitor

27

Combining Network and System Authentication with Account Management

Configuration of the local user

28

Combining Network and System Authentication with Account Management

Assigning/mapping an account to/with a local user

29

Combining Network and System Authentication with Account Management

Settings for the system authentication

30

Combining Network and System Authentication with Account Management

Settings in the KX printer driver

31

Combining Network and System Authentication with Account Management

Limiting and controlling of accounts via network authentication with the Network Tool for Accounting

32

Network Security Settings / Certificates

Certificates offer another possibility to enable communication security in the network.

This ensures a secure connection between the print system and the client.

The certificate generated by the printer is exported, stored in the certification memory of the clients (Windows XP/Vista) and judged „secure“.

These settings ensure that no error message (insecure certificate) is generated at the client.

33

Network Security Settings / Certificates

Examples of error messages:

34

Network Security Settings / Certificates

35

Network Security Settings / Certificates

The general name must be identical to the host name of the system.If no DNS (Domain Name System) is used, the host name must be assigned an IP address (file „Hosts“ under Windows\System32\drivers\etc).

36

Network Security Settings / Certificates

Export of a certificate:

37

Network Security Settings / Certificates

Import of a certificate at the client:

The call is made via:„Start“, „Run“,„certmgr.msc“ and „OK“

38

Network Security Settings / Certificates

Import of a certificate at the client:

39

Network Security Settings / Certificates

Import of a certificate at the client:

40

Network Security Settings / Certificates

Import of a certificate at the client:

41

Security Settings (Printing)

The network security is mainly dependent upon the settings of the user network. The security settings of the TA Triumph-Adler systems can be adapted to the

majority of security standards within client networks. Various security settings are available from IP filtering, SSL, HTTPS, SMNP V1,

V2C, V3, SMTP and POP3 domain restriction, over NTLM and KERBEROS authentication, Data Security Kit*, PDF Upgrade Kit* and locking/partially locking the display up to restricting users (printing, scanning, copying).

Combining the log-on with the user name and password and the installation of the Data Security Kit* ensures the highest possible security level for TA Triumph-Adler systems in a client network.

*optional

42

Printing and Storing of Print Jobs to the Hard Disk

Available security settings when printing Security settings in the printer driver

43

Printing and Storing of Print Jobs to the Hard Disk

Security settings:

Securing the Document Box with a password Using the Data Security Kit Sending Private Print jobs with a password

44

Security Settings (Printing)

IP filtering

IP filtering allows to restrict access to the system to registered IP addresses. Access to certain protocols (SNMP, FTP, HTTP, HTTPS, etc.) can be limited with

IP filtering.

45

Security Settings (Printing)

Encrypted printing via SSL

The transmission to the print system as well as the print data stream are encrypted so that reading out data in the network by third parties is impossible.

46

Security Settings (Printing)

How to proceed when printing with SSL encryption:

Enable SSL encryption at the system Main switch ON/OFF Install a new printer in Windows (minimum requirement: Windows XP)

47

Security Settings (Printing)

Select network printer and use following syntax:

(HTTPS://Printservername or IP address/printers/lp1)

48

Security Settings (Printing)

Should setting up an HTTPS port fail, it has to be checked in the Internet Explorer whether local access to the network is available.

49

Security Settings (Printing)

Select and install printer and select HTTPS port

50

Security Settings in the Printer Driver

When using a print system with network authentication or local user this setting is also active in the printer driver.

Driver settings can be secured by a password.

51

Security Settings in the Printer Driver

If user boxes have been defined under device properties, item „hard disk“, secure printing into the box is possible.

15 digit passwort

52

Security Settings in the Printer Driver

A password can be set for secure printing to prevent access by unauthorised users to the print data at the system.

53

Security Settings in the Printer Driver

In order to prevent unauthorised printing of copies, a „Security Watermark“ can be set in the driver under emulation „PCL-XL“.

54

Security Settings in the Printer Driver

Prior to activating the Security Watermark function in the PCL-XL emulation, the plug-in „Security Watermark“ has to be installed.

55

Security, Logging at the System

Through logging at the system it is possible to trace unauthorised access attempts. All activities (jobs) can be traced at the system under „Status“ and „Log“.

56

Security Settings when Printing with the Optional Network Card UT-110G

Log-file function FTP over SSL Printing over HTTPS Encrypted printing with certificates (Windows systems) Securing the print server with a password IP filtering Receiving encrypted ThinPrint data Locking the display Network authentication E-mail traffic/transmission

57

Using the log-file function:

Security Settings when Printing with the Optional Network Card UT-110G

58

FTP over SSL

FTP data transmission via an encrypted data and control channel Using SSL is recommended to avoid that unencrypted user names, passwords and

data can be read out by third parties (condition: FTPS-able FTP client).

Security Settings when Printing with the Optional Network Card UT-110G

59

Printing over HTTPS with SEH‘s tool Print Monitor

HTTP data transmission via an encrypted data and control channel. Using SSL is recommended to avoid that unencrypted user names, passwords and

data can be read out by third parties. The easiest way to enable the configuration is via the PRINTSERVER Print

Monitor.

Security Settings when Printing with the Optional Network Card UT-110G

60

Settings when printing over HTTPS

Security Settings when Printing with the Optional Network Card UT-110G

61

Encrypted printing with Windows systems including certificates

The PRINTSERVER Print Monitor enables encrypted printing with Windows systems. Condition: Internet Explorer 5.1 and Directory Service Client.

Security Settings when Printing with the Optional Network Card UT-110G

62

Certificates can be generated with the network card UT-110G or via a certification server.

This certificate can be imported onto the network card.

How to export a certificate:

Issuing a certificate is initiated at the server. In the Management Console a snap-in is generated and the certificate is exported with a key.

Security Settings when Printing with the Optional Network Card UT-110G

63

How to import a certificate:

The certificate is imported via the website of the network card.

Security Settings when Printing with the Optional Network Card UT-110G

64

How to secure the network card with a password via the Print Server Homepage:

This setting requires a password if changes are made.

Security Settings when Printing with the Optional Network Card UT-110G

65

Limiting system access through IP filtering

Security Settings when Printing with the Optional Network Card UT-110G

66

Receiving encrypted ThinPrint data

Using SSL encrpytion enables a secure connection when sending print jobs from the ThinPrint server to the print server.

The ThinPrint server asks the print server for a certificate. With the certificates the ThinPrint server checks whether the print server is allowed

to receive print data. If encryption is activated for the ThinPrint server, a certificate of a common

Certification Agency (CA) must be installed on the ThinPrint server as well as on the print server.

Security Settings when Printing with the Optional Network Card UT-110G

67

Locking the display* (disabling the configuration at the display)

Security Settings when Printing with the Optional Network Card UT-110G

*for systems with display that support this function

68

Network authentication

Through authentication a network can be prevented from unauthorised access. The print server can participate in various authentication methods.

Security Settings when Printing with the Optional Network Card UT-110G

69

E-mail transmission (SMTP and POP3) can be secured through authentication:

User name and password for authentication at the server User name and password for log-in at the server including TLS encryption

Security Settings when Printing with the Optional Network Card UT-110G

70

Thank you very much

for your attention!