Layer 4: Device security

Security threats are no longer limited to personal computers, servers, or networks. Any device — even a basic networked printer — needs countermeasures against a diverse range of threats. As the functionality of multifunction printers (MFPs) has evolved, they have become core IT assets. As the computing capability of what was traditionally categorized as a “printer/copier” has grown, so have the potential threats, which include:

  • Malicious access via networks

  • Tapping into and alteration of information over the network

  • Information leaks from storage media

  • Unauthorized access via a device’s operation panel

  • Improper access through fax telephone lines

  • Information leaks via hardcopy

  • Security policy breaches due to carelessness

Simply hoping you don’t get hit is not the answer. Superior technology, diligence, and knowledge are essential, requiring a deep understanding of how to tackle potential issues caused by vulnerabilities in your devices, the data they process, and the networks to which they connect.

Device authentication

Controlling access through authentication, according to your security policies, is essential. Healthy, secured devices offer a further level of assurance, including remote insight into device configuration, alerts about usage and supplies, critical service alerts, and warnings of upcoming service issues.

Device protection

When machines aren’t performing as expected, there are not only the costs of downtime; user behavior can also change for the worse, including less than desirable workarounds.

Keeping device firmware updated can be accomplished remotely and in batches, and updates can be set to your schedule.

Digitally signed firmware

If an MFP or printer’s built-in software — also known as firmware — is altered or compromised, that device can then be used as an entry point into the corporate network, to damage the device itself, or as a platform for other malicious purposes. Ricoh-designed devices are built with a Trusted Platform Module (TPM) and are designed not to boot if the firmware has been compromised. Ricoh’s TPM is a hardware security module that validates the controller core programs, operating system, BIOS, boot loader, and application firmware.

Ricoh MFPs and printers use a digital signature to judge firmware validity. The public key used for this verification is stored in an overwrite-protected, non-volatile region of the TPM. A root encryption key and cryptographic functions are also contained within the TPM and cannot be altered from the outside. Ricoh uses a Trusted Boot procedure that employs two methods to verify the validity of programs/firmware:

  • Detection of alterations

  • Validation of digital signatures

Ricoh devices are designed to boot up only when firmware and applications are verified to be authentic and safe for users.
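As an added illustration (not Ricoh’s code or firmware format), the Go program below models the two Trusted Boot methods on a constructed image layout: the signature is checked against a pinned public key standing in for the key held in the TPM, and the payload digest is recomputed to detect alteration. Any image that fails either check is refused before “boot”.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout: magic(4) | version(4) | sha256(32) | ed25519 sig(64) | payload.
var magic = []byte("RFW1")
const hdrLen = 8 + sha256.Size + ed25519.SignatureSize

// BuildImage is the publisher side: hash the payload, then sign version+digest.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	var img bytes.Buffer
	img.Write(magic)
	binary.Write(&img, binary.BigEndian, version)
	img.Write(digest[:])
	// Signing version+digest means a swapped digest or a downgraded version also fails.
	img.Write(ed25519.Sign(priv, img.Bytes()[4:]))
	img.Write(payload)
	return img.Bytes()
}

// VerifyImage is the boot-time check; pinnedPub stands in for the key stored in the TPM.
func VerifyImage(pinnedPub ed25519.PublicKey, image []byte) (uint32, error) {
	if len(image) < hdrLen || !bytes.Equal(image[:4], magic) {
		return 0, errors.New("bad header")
	}
	signed, sig, payload := image[4:8+sha256.Size], image[8+sha256.Size:hdrLen], image[hdrLen:]
	// Method 1: validate the digital signature against the pinned key.
	if !ed25519.Verify(pinnedPub, signed, sig) {
		return 0, errors.New("signature invalid: not from trusted publisher")
	}
	// Method 2: detect alteration by recomputing the payload digest.
	if got := sha256.Sum256(payload); !bytes.Equal(got[:], signed[4:]) {
		return 0, errors.New("digest mismatch: firmware altered after signing")
	}
	return binary.BigEndian.Uint32(signed[:4]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	img := BuildImage(priv, 3, []byte("constructed firmware payload"))
	v, err := VerifyImage(pub, img)
	fmt.Println("pristine image: version", v, "error:", err)
	img[len(img)-1] ^= 0xff // alter one payload byte after signing
	_, err = VerifyImage(pub, img)
	fmt.Println("tampered image:", err)
}
```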

Disable unused protocols and services

To make it easy to add network devices, many vendors’ network-enabled systems are routinely shipped to the customer with all network protocols and services set to “enabled or active” — but unused services on network devices pose a security risk. Exposed ports and services can lead to various threats, including the destruction or falsification of stored data, Denial of Service (DoS) attacks, and viruses or malware entering the network.

There is a simple but often overlooked solution for this particular risk source: disable all unrequired services. Ricoh device administrators can easily lock down unneeded services, helping to make devices less susceptible to hacking. In addition, specific protocols — such as SNMP or FTP — can be completely disabled to close off the risk of them being exploited.

Fax line security

Enabling a device’s fax feature may mean connecting it to the outside via a telephone line — which means that blocking potential unauthorized access via the analog fax line is critical. Ricoh embedded software is designed to only process appropriate types of data (i.e., fax data) and send that data directly to the proper functions within the device. Because only fax data can be received from the fax line, the potential for unauthorized access from the fax line to the network or to programs inside the device is eliminated.

The Facsimile Control Unit (FCU) in Ricoh fax-enabled devices supports only G3 fax protocols. Therefore, even if an initial connection is established by a terminal that does not use these protocols, the MFP treats it as a communication failure and terminates the connection. This prevents access to internal networks via telecommunication lines and ensures that no illegitimate data can be introduced over them.

Simplify managing devices

Managing devices can be time-consuming, and security gaps can emerge unintentionally when aspects of proper device management go unattended. Ricoh device management software, such as Streamline NX, gives IT managers a central control point to monitor and manage their fleet of network-connected print devices — whether spread across multiple servers or geographic regions — from a single management console.

Here’s how Ricoh does it:

  • SNMPv3-encrypted communications between devices and servers

  • Central controls allow administrators to control access, monitor security settings, and manage device certificates

  • Automated firmware update tasks reduce exposure from outdated firmware

  • Deploy customer-approved firmware versions, or use the latest firmware available from Ricoh

  • The Security Analyst add-on for Streamline NX provides an at-a-glance dashboard for assessing device security policy compliance and offers a best-practices checklist for bringing devices into policy

Meters and alerts

When an early warning enables teams to resolve a problem before it causes downtime, it helps reduce the risk of unexpected user behavior, such as unsanctioned workarounds. If machines are not operating as expected, users may choose a different, unsecured course of action. They may print or scan from a local device with no ability to audit activity or protect the data being moved.

Using monitoring and management software with devices lets you collect information and keep your device healthy with timely alerts. This includes automatic collection of meter data based on your set schedule, low/replace toner alerts, critical service alerts, and upcoming critical service issues.

@Remote.NET

Ricoh’s @Remote Connector NX enhancement for Streamline NX collects approaching critical service alerts and communicates them directly to your service provider. Your provider can schedule remote firmware updates and push critical updates immediately. The @Remote Connector also collects device meters and makes them available on a pre-defined schedule — along with notifications of consumables levels — to maintain uptime and reduce administrative burden. The collected data is available via the @Remote.NET web portal.

Independent security standards and certifications

Common Criteria is an international standard for the evaluation of information technology security. It is used to measure whether the security functions of IT products are appropriately developed. Common Criteria Certification is recognized by more than 25 nations. Domestic and overseas multifunction copier vendors are eager to obtain this certification for their digital multifunction copiers.

The Common Criteria Certification process verifies the protection provided by multiple security technologies against various security threats. The certification covers, for example, verification of system integrity at startup, access control and logging, data protection by encryption, and data deletion at machine disposal. It therefore helps protect our products from various threats — such as software alteration, unauthorized access, and information leakage.

* The FIPS 140-2 CMVP validated hard drive is available now in limited supply for many of our products.
** Firmware upgrade available as a planned future release. May not be suitable for all devices.