Patent Application
20200167490
Sensitive data can be protected from being printed in an unauthorised manner based on enforcement of a secure print policy that enables a security protocol to be followed. Some services, such as pull-print for example, may be configured by an administrator to use transport layer security (TLS) with known and verified printer certificates to provide some assurance that a user is printing to a printer identified by a company's IT policies. Tools can be provided that allow IT security management to monitor endpoints for non-compliant incidents and anomalies to allow security breaches to be identified quickly. It is also possible to perform print job routing in a distributed printing environment, where print job destination rules associate print job destinations with a security level to allow print jobs to be associated with a print job destination if security requirements are met.
Various features of certain examples will be apparent from the detailed description which follows, taken in conjunction with the accompanying drawings, which together illustrate, by way of example only, a number of features, and wherein:
In the following description, for purposes of explanation, numerous specific details of certain examples are set forth. Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described in connection with the example is included in at least that one example, but not necessarily in other examples.
There is disclosed a method for enforcing a secure print policy by cryptographically binding the security policy to a rendering or print job. The job can be released to a rendering apparatus, such as a 2D or 3D printer for example, once a remote attestation protocol has been used to verify the security properties of the printer (or an intermediary device).
According to an example, a security policy is associated with a print job and the release of the print job occurs when the policy has been satisfied by verifying security properties of the printer or an intermediary device. The security policy can be cryptographically bound to the print job to ensure that it cannot be modified without detection. The security policy can be used in conjunction with a remote attestation protocol to verify security properties of the printer or the intermediary device before passing sensitive information to the printer or the intermediary device.
According to an example, a security policy can be instantiated and associated with a print job instance. Devices participating in a printing workflow can verify that a targeted printer satisfies the policy before allowing the document to be sent to the printer. This includes verification of the printer's integrity (attestation) and that the printer possesses a known public key or group public key based on the policy. Other aspects can also be checked, such as printer functionality, location, or other context.
A security policy can comprise of one or more of the following non-exhaustive list of properties: whether a printer is to have full-disk encryption turned on; a specific set of printers that the document is to be printed at (e.g. any printer, Printer A and Printer B, or any office Y printer); whether the print job can be retained after use; whether a printer is to have a specific operating system version installed; an expiry date on the print job after which it is to be destroyed if it is not released; and whether a print job can be transported on a bring-your-own-device (BYOD) or mobile device. These properties can be pred-defined and/or user configurable.
In an example, a policy can be used to enforce a number of properties about a printer including administrator defined values (name, location and so on), properties of the identity (e.g. expiration), and configuration of the printer (software, settings, hardware components).
Referring back to
In this connection,
In an example, the key can be shared using an authenticated encryption scheme. For example, a symmetric key can be encrypted with the public key of the intended printer to ensure only it can receive the symmetric key.
In an example, before the print job is provided to the printer or intermediary device, a device such as a mobile phone can verify that the targeted printer satisfies the security policy at block 120. In an example, if the print job goes directly to the printer, the user's workstation can verify that the printer satisfies the policy. In an example, if the print job is encrypted under a user key or sent using a mobile device, the user's mobile device can verify the policy once the printer is selected. In an example, if the print job is sent to a pull-print server, the server can check the policy. To verify the policy, the verifying device can ask the printer to perform a remote attestation to verify the printer's configuration as recorded in the measurement log. The policy can also be sent to the verified printer to ensure it handles the print job according to its criteria (e.g. does not retain the document after printing).
In an example, a print job is encrypted such that it is released when a user enters or otherwise provides a decryption PIN at or to a printer. Therefore, the job is released to the specific printer, but it does not tell the user anything about the integrity of the printer. Provided that the security properties and/or security policy have been verified, the print job or print document can be released to the printer or intermediary device at block 130. The policy is then selectable by the user at print time (from a print driver for example). This enables use cases to provide customers high assurance that print jobs are delivered to printers meeting specific requirements. For example, a job can be created that can be printed by printers in a secure location as defined by a privileged group key provided to such printers. For example, this covers scenarios where a user is in a public location like a hotel and wants to ensure print jobs are only released to printers with known configurations and security protection.
The methods described improve the security of a printing workflow and are of value to organizations such as law firms and financial institutions that manage highly confidential documents. Electronic documents vary in the degrees of protection that need to be afforded to them. This extends into the printing domain. The methods described make it possible to define a security policy for a print job and be given assurance that the policy can and has been adhered to during the printing process. In an example, print jobs can be sent from a PC or mobile device over an unencrypted channel to the printer, or transport security like transport layer security (TLS) can be used.
In an example, since the identity of the endpoint is known, the integrity of the printer endpoint can be expressed in the security policy connection. This provides support for embedding integrity statements in TLS certificates and enhances its value and effectiveness. As such, the methods described add assurance that a pre-defined security policy has been adhered to and that the policy itself has not been modified. This makes enforcing security policies for print jobs much easier because a workstation issuing a print job has knowledge of how a target printer is secured or configured. For example, when printers have a certificate installed to enable TLS protocols for transport security, the user can tell how the target printer has been configured and if it is a valid printer, given a security policy that specifies which printers to use.
The methods described also remove the need for all printers to be maintained by a central authority and gives the user the control or assurance that the authority has performed checks. For example, services like pull-print may be configured by an administrator to use TLS with known and verified printer certificates and using the pull print service provides some guarantees that the user is printing to a printer identified by the enterprise IT policies.
Examples in the present disclosure can be provided as methods, systems or machine-readable instructions. Such machine-readable instructions may be included on a computer readable storage medium (including but not limited to disc storage, CD-ROM, optical storage, etc.) having computer readable program codes therein or thereon.
The present disclosure is described with reference to flow charts and/or block diagrams of the method, devices and systems according to examples of the present disclosure. Although the flow diagrams described above show a specific order of execution, the order of execution may differ from that which is depicted. Blocks described in relation to one flow chart may be combined with those of another flow chart. In some examples, some blocks of the flow diagrams may not be necessary and/or additional blocks may be added. It shall be understood that each flow and/or block in the flow charts and/or block diagrams, as well as combinations of the flows and/or diagrams in the flow charts and/or block diagrams can be realized by machine readable instructions.
The machine-readable instructions may, for example, be executed by a general-purpose computer, a special purpose computer, an embedded processor or processors of other programmable data processing devices to realize the functions described in the description and diagrams. In particular, a processor or processing apparatus may execute the machine-readable instructions. Thus, modules of apparatus may be implemented by a processor executing machine readable instructions stored in a memory, or a processor operating in accordance with instructions embedded in logic circuitry. The term ‘processor’ is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate set etc. The methods and modules may all be performed by a single processor or divided amongst several processors.
Such machine-readable instructions may also be stored in a computer readable storage that can guide the computer or other programmable data processing devices to operate in a specific mode.
For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor.
Such machine-readable instructions may also be loaded onto a computer or other programmable data processing devices, so that the computer or other programmable data processing devices perform a series of operations to produce computer-implemented processing, thus the instructions executed on the computer or other programmable devices provide a operation for realizing functions specified by flow(s) in the flow charts and/or block(s) in the block diagrams.
Further, the teachings herein may be implemented in the form of a computer software product, the computer software product being stored in a storage medium and comprising a plurality of instructions for making a computer device implement the methods recited in the examples of the present disclosure.
While the method, apparatus and related aspects have been described with reference to certain examples, various modifications, changes, omissions, and substitutions can be made without departing from the spirit of the present disclosure. In particular, a feature or block from one example may be combined with or substituted by a feature/block of another example.
The word “comprising” does not exclude the presence of elements other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the claims.
The features of any dependent claim may be combined with the features of any of the independent claims or other dependent claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 17305949.4 | Jul 2017 | EP | regional |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/US2018/041937 | 7/13/2018 | WO | 00 |
