The world we live in now requires identity for everything. The subject of identity is often bundled with the subject of security. However, security is not the only advantage of being able to properly identify output activity. Anonymous print needs to be consigned to the past.
A modern print solution needs to be able to assign an identity to a print job, whether it originates from a System Z environment, an ERP solution, an EHR solution, a desktop (including Mac, Linux, and BYODs), or a mobile device. The ability to assign identity that is recognized by the organization’s security/identity management solution is key, and LRS excels at providing this in a holistic manner.
Here’s the problem: your organization is printing documents anonymously.
Why is that a problem? Well, think about it. First, you need to be concerned with security. Positive authentication is not optional anymore. No one can enter your offices or buildings without identifying themselves. Usually this is done with a badge; guests are required to sign in at the front desk. If someone sends an e-mail, they are identified as the sender. No employee uses a server, desktop, application, or even a phone without attaching their identity to that device or program via some sort of login session.
By contrast, when it comes to print, you are releasing information (contained in the print data) from desktops, servers, mobile phones, etc. with almost complete anonymity. Even if you do figure out some way to track a document, what you usually know for sure is that a generic “Document” has been printed. Maybe a name is attached, maybe not. Probably not.
On the same subject, if you were to describe your work-related anxieties, what wakes you up in the middle of the night? What could happen to your organization (and by extension to you)? In your mind (this is a thought experiment), visualize a graph of those fearful bad things. Imagine that the events where bad things happen appear as spikes in a graph and that graph is a theoretical timeline. The bigger the event, the bigger the spike.
Major natural disasters like earthquakes, hurricanes, floods, and wildfires would certainly be very big spikes. But those events can to a certain degree be planned for, and they don't happen every day. The same could be said for the occasional data center outages, cloud service provider outages, etc. But you plan and even practice for such events with high availability (HA) and disaster recovery (DR) infrastructure and plans. Some other events would correlate to data loss, but you are also looking at ways of mitigating loss of data, so you may be recording phone calls for later auditing and you're also monitoring emails, preventing use of thumb drives, etc.
Now look at your imaginary graph. It has an occasional big spike of a natural or man-made disaster. But what else do you see? Little spikes. So many that it just looks like a rough surface down at the bottom of the graph with hundreds or thousands of little spikes. What are they? That is anonymous data leaving your organization in the form of print. Unmonitored and unidentified, this problem is not going to go away. In fact, today’s work-from-home environments feature zero trust initiatives and an increasing ability for individuals to print anywhere anytime any place to printers that may not even be inside of the protective sphere of your enterprise. Suddenly those little spikes become potentially even more likely and unmanageable.
You can't stop someone from printing if it is their job. A person working in finance needs to print financial documents and the person working in HR needs to print documents that contain employee personal information. Hospital staff may, depending on their job, be required to print financial and health information for a patient. The point is you can't prevent a print job from being printed based on simple content. Looking for things like the keyword “confidential” is not a viable option for protecting print data.
You might also think “we'll just stop printing.” Try that and see how it works for you. Of course, we want to avoid unnecessary print, but we also need to print on occasion and that print needs to be managed.
What you can do is employ data loss detection. How do you do that?
Step 1: Establish an Enterprise-Wide Output Audit
You need to identify who owns a document. Who generated this document? You may say “no problem, I can look at the desktop logs.” But what if it was printed from a mobile phone? What if it was triggered by a user from a background application running on a Windows or UNIX server or maybe even a mainframe using an account that's different than the user’s desktop login account? Can you attach identity to that output? Likely not.
Luckily, there is a way to mitigate this. You need a good audit, but how would you audit all your output if people are printing anonymously from several different platforms and applications?
You need a central framework for print. You need the ability to capture the owner of a print job no matter the source, and no matter how they've generated it. Here is where I am going to name names. Using LRS VPS means you can audit output coming from System Z. LRS VPSX will give you audit data from servers, desktops and mobile devices. If somehow you have output that still resists identity, we have solutions for that too. All this data, including dozens of pieces of meta-data attached to each job, is stored either on your own database or managed by LRS in the cloud using LRS Mission Control.
Step 2: Use a Digital Archive for Content Auditing
You can save a copy of the output for a period in a digital archive. The audit will tell you who, what, where, when, etc. but without a digital archive, you will still be missing the key piece of information, namely, the content of the printed document. LRS PageCenterX makes it possible. It is capable of running at scale but is also secure and able to manage data retention with intelligent policies (as well as API access). You can also customize its interface to meet your specific needs.
Now you have the ability to go back and look at who printed what, when, where, and how. That may be a simple random audit by a human being. Or, since you have a very detailed audit with many metadata points about this document, you might be able to use your own in-house AI solution to identify patterns of behavior based on job roles that tell auditors where to look. If you have such audit processes working properly, you will have a single solution with a single control pane across every platform. Whether your output is coming from on prem, the Cloud, or from a roaming user authenticated using Zero Trust, you can still identify who printed what, and you've got a copy to look at. If you're doing that, suddenly your response time to find and respond to data loss should be very quick.
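A sketch of the audit pass described in Steps 1 and 2, added here as an illustration and not taken from LRS software: it flags jobs with no directory identity, jobs submitted under an account other than the owner's, generic “Document” titles, and per-role volume outliers. The record fields, account names, and the 5x threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: field names and values are assumptions for this
# example, not the schema of any LRS product.
DIRECTORY = {"asmith": "finance", "bjones": "finance", "cdiaz": "finance", "dlee": "hr"}
JOBS = [
    {"id": 1, "source": "desktop",   "account": "asmith",  "owner": "asmith", "title": "Q3 forecast.xlsx", "pages": 12},
    {"id": 2, "source": "server",    "account": "svc_erp", "owner": None,     "title": "Document",         "pages": 40},
    {"id": 3, "source": "mainframe", "account": "BATCH01", "owner": "bjones", "title": "GL report",        "pages": 15},
    {"id": 4, "source": "mobile",    "account": "cdiaz",   "owner": "cdiaz",  "title": "Document",         "pages": 300},
    {"id": 5, "source": "desktop",   "account": "dlee",    "owner": "dlee",   "title": "Offer letter",     "pages": 3},
]
GENERIC_TITLES = {"", "document", "untitled"}

def audit_findings(jobs, directory):
    """Return {job id: [reasons]} for jobs an auditor should look at."""
    findings = defaultdict(list)
    for job in jobs:
        owner = job["owner"]
        if owner not in directory:
            # Anonymous print: nothing ties the job to a known person.
            findings[job["id"]].append("no_directory_identity")
        elif job["account"] != owner:
            # Background or batch submission that was mapped back to a person.
            findings[job["id"]].append("submitted_by_other_account")
        if job["title"].strip().lower() in GENERIC_TITLES:
            findings[job["id"]].append("generic_title")
    return dict(findings)

def role_outliers(jobs, directory, factor=5):
    """Flag owners whose page total exceeds factor x the median for their job role."""
    totals = defaultdict(int)
    for job in jobs:
        if job["owner"] in directory:
            totals[job["owner"]] += job["pages"]
    by_role = defaultdict(list)
    for user, pages in totals.items():
        by_role[directory[user]].append(pages)
    # Roles with a single member have no peer baseline and are skipped.
    return sorted(u for u, p in totals.items()
                  if len(by_role[directory[u]]) > 1
                  and p > factor * median(by_role[directory[u]]))

if __name__ == "__main__":
    print(audit_findings(JOBS, DIRECTORY))
    print(role_outliers(JOBS, DIRECTORY))
```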
What Happens if You Do Nothing?
The adage: “obscurity is not security” fits well here. History is full of high-profile data leaks that came from print, so one shouldn't pretend unauthorized print isn’t happening.
Frankly, you will also need to audit what hardcopy documents are being digitized too. So, end-user scanning should be part of this design.
Another true saying: “You can’t manage it if you can’t measure it”. I would posit that you cannot manage the security of your organization without identity.
How Can You Justify This Level of Auditing?
Here’s the upside. If you implement an Enterprise Output Management (EOM) solution, the return on investment from the solution, including user and IT productivity and infrastructure reduction, will usually pay for the audit solution. Usually in months. If you doubt this, read here and here.
Beyond Improved Authentication
By implementing the aforementioned solutions, you are not just building a stand-alone system that helps you improve security. You are simultaneously building the foundation for addressing any future requirements in your organization. For instance, all that meta-data captured on every print job can be strategically useful. That data can help you improve forensics, cost accounting, green initiatives, and more.
It’s said that a thousand-mile journey begins with a single step. That said, it helps to have some idea of the final destination before departing. By de-anonymizing the printed documents used in your business processes and using output and print auditing software from LRS, you can gain critical insight into user behavior that improves both your security and your bottom line.
Sound good? Contact Us to learn how.