16 May 2015
When we talk about information security we often forget printing. We add labels like ‘Confidential’ or ‘Top secret’ to documents to make it clear to everyone that these documents contain the company’s crown jewels. But once a document is printed, the printout stays in the printer output bin, sometimes for days, accessible to everyone.
Fortunately, most printer vendors have developed secure print systems to support users in handling information securely. In a secure print system, documents are not output immediately when the user prints them. Instead, they are cached by the print service and output only when the user requests them.
Before the user can request a printout, he has to sign in to the printer with his username and password. Since it is very annoying to sign in for every printout, users can register their ID cards or special printing cards to speed up the output process. As a fallback, e.g. if the user forgot his ID card, signing in with username and password is possible.
Secure Printing Threat Model.
If a user requests a printout, he places his ID card on the card reader attached to the printer. The built-in Authentication Manager (AM) sends an Authentication Request to the Authentication and Authorization Manager (AAM). The AAM checks against the Active Directory whether the user is valid and against the ID-Card Database whether the ID card is valid and registered. Upon successful authentication the AM notifies the Print Manager (PM). The PM on the printer retrieves a list of the user’s print jobs from the Print Service and prints either the selected jobs or all of them.
This works perfectly. And since every document is cached by the print service and sent to the printer only on request, users can request printouts on every printer attached to the secure printing system.
Unfortunately, documents cannot be output when the network connection to, e.g., the Authentication and Authorization Manager is not available. And this is a real disaster!
To boost availability, the secure print system suppliers introduced the local credential cache. After a successful sign-in to the printing system, the user’s credentials and badge number are cached in the printer. If the connection to the AAM service is down, the system authenticates the user against the locally cached credentials. Great!
But with the local credential cache the suppliers built a weakness into the system. If a terminated user could disrupt the network connection to the AAM, he could use the secure printing system with the credentials stored on the printer.
To securely terminate an employee you need to disable his ID card and his Active Directory account immediately. This will make sure that he can no longer access the secure printing system.
In addition, you should clear the user’s credentials from every printer he used for secure printing to make sure that he cannot access the secure print system in the case of a system failure.
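The fallback and the clean-up step described above, modelled as an added example (not code from the original post or from any vendor's product). The class names, badge numbers and printer names are constructed, and the model assumes a printer keeps a cached entry until it is explicitly cleared.

```python
from dataclasses import dataclass, field

@dataclass
class AAM:  # central Authentication and Authorization Manager (constructed model)
    active_badges: dict          # badge number -> username, enabled users only
    online: bool = True

    def check(self, badge):
        if not self.online:
            raise ConnectionError("AAM unreachable")
        return self.active_badges.get(badge)

@dataclass
class Printer:
    name: str
    aam: AAM
    cache: dict = field(default_factory=dict)   # local credential cache

    def authenticate(self, badge):
        """Return (username or None, which source made the decision)."""
        try:
            user = self.aam.check(badge)
        except ConnectionError:
            return self.cache.get(badge), "cache"   # offline fallback
        if user:
            self.cache[badge] = user                # cached after sign-in
        return user, "aam"

    def purge(self, username):  # drop cached entries, return how many
        stale = [b for b, u in self.cache.items() if u == username]
        for b in stale:
            del self.cache[b]
        return len(stale)

def offboard(username, aam, printers):
    """Disable the user centrally, then clear every printer's cache."""
    aam.active_badges = {b: u for b, u in aam.active_badges.items() if u != username}
    return [p.name for p in printers if p.purge(username)]

def demo():
    aam = AAM({"B-1001": "alice", "B-1002": "bob"})   # constructed sample data
    printers = [Printer("floor1", aam), Printer("floor2", aam)]
    printers[0].authenticate("B-1002")    # bob signs in once on floor1
    del aam.active_badges["B-1002"]       # central disable only, no cache purge
    online = printers[0].authenticate("B-1002")
    aam.online = False                    # AAM outage
    before = printers[0].authenticate("B-1002")
    cleared = offboard("bob", aam, printers)
    return online, before, cleared, printers[0].authenticate("B-1002")
```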
At this point at the latest, a risk evaluation makes sense. Under normal conditions it is very unlikely that an employee without administrative privileges could disrupt the connection to the AAM. Thus the risk is low that an employee without administrative privileges can exploit this weakness.
But it is necessary to check the workflows for terminating employees. Since an employee can reach the secure print system by logging in with his username and password, it is very important to disable the account immediately. This will prevent unauthorized access.
If you have already introduced a secure printing system, I would strongly recommend restarting the risk evaluation process for your printing system and checking the processes for terminating employees.
… and have a good weekend.