According to an April 2022 study, only 64% of professionals in North America are familiar with the zero trust security architecture concept. Considering the complex mix of security approaches and the alphabet soup of solutions, this isn’t surprising.
The zero trust security strategy is one of the most effective approaches to securing your digital assets, and with plenty of zero trust tools in the market, implementing it on computers and mobile devices is relatively straightforward. But how about with printing?
With the right solution, zero trust and printing can go hand in hand. This allows you to maintain a secure print environment that interfaces seamlessly with the rest of your security architecture.
What Is Zero Trust?
The zero trust concept centers on a “never trust, always verify” stance toward the devices, people, networks, and applications that connect to your network. You treat each element as a potential threat, so every device, user, or application has to prove otherwise before it is allowed to interface with your data and resources.
A core element of a zero trust environment is least privilege, which grants permissions only according to what users need to do their jobs. As John Janikowski, Senior Solutions Architect at Pharos, puts it, “The policy is going to define which members need access to which resources. And it’s going to be based on the business process, the acceptable level of risk that we can have.”
Another way of thinking about zero trust is from the perspective of one of its nicknames: “perimeterless security.” While “never trust, always verify” provides a high-level view of the concept, the moniker “perimeterless security” highlights the topological ramifications.
Zero trust moves away from an approach that presumes perimeter security—implemented using a firewall—is enough to protect your environment. This makes it necessary to position security mechanisms around each individual device, user, and application—as well as other networks. By assuming that each protected area is both a threat and an attack surface, zero trust provides comprehensive, strategically redundant protective measures.
John further illustrates why this approach is necessary. Once an attacker gets through the perimeter, they can move laterally—east to west—to “access any other resource that’s inside the network.” By requiring authorization even within the network, you can prevent an attack from spreading from one segment of your network to another.
The Printing Environment and Zero Trust
Print has been an overlooked component of most organizations’ security strategies, but that should not be the case. This is particularly true considering organizations’ continued adoption of remote work and the increasing number of printer-related threats, such as PrintNightmare.
Reasons why you should adopt a zero trust security approach to printing include:
- To leverage verification and authentication processes because hackers can use your print infrastructure to spread malware
- To implement endpoint validation prior to allowing a device to connect because an attacker can present authentication credentials even though they’re using a different device to attack your network
- To use zero-knowledge encryption that keeps your data hidden from everyone except you, including service providers. This can help block an attack coming from the provider’s side of the interaction. As John explains, you secure your environment “by ensuring that eavesdroppers who are watching over that session aren’t able to see the data that’s being passed back and forth”
- To implement end-to-end encryption and ensure anyone trying to intercept or spy on your data can’t read it
You can accomplish these and other objectives by adopting the following seven tenets of zero trust that Pharos identified in this whitepaper.
1. All Communication Is Secured Regardless of Network Location
This means that even if the communication is coming from within your own network, it’s presumed to be a threat. By verifying the authenticity of the person and device connecting, you can protect your network from people who have gotten into your building or past your firewall.
2. All Data Sources and Computing Services Are Considered Resources
Designating both data sources and computing services as resources makes them all subject to authentication and verification. By distrusting even data sources that have proven to be safe in the past, you can stop attacks from hackers that have since found a way of exploiting them.
3. Access to Individual Enterprise Resources Is Granted on a Per-Session Basis
By only granting access per session, you avoid the trap of trusting that a resource remains safe over time. By verifying each resource before every session, you can stop an attacker pretending to be an authorized individual.
4. Access to Resources Is Determined by Dynamic Policy and May Include Other Behavioral Attributes
A dynamic policy regarding how resources can be accessed does several things, primarily:
- Makes it harder for an attacker to guess which kinds of credentials or questions they will be asked when trying to log in
- Makes it less likely for an attacker to bypass the system because it flags both inauthentic credentials and suspicious behavior. For instance, if someone tries to connect from a strange location, the system can identify this behavior and block access to the resource
- Makes access more difficult for an attacker by forcing them to provide additional credentials based on behavior. For example, if an attacker takes a guess at a password but gets it wrong, the system can require that additional credentials be presented
5. All Assets Are Secured and Monitored
Ensuring every device that interacts with your network has the appropriate security controls makes it harder for hackers to identify “low-hanging fruit,” or those devices that are trusted by the system and are easy to hack.
John breaks it down this way: “The enterprise assures that all owned devices and associated devices are in the most secure state possible.” That’s a good first step, but he adds that the organization has to “monitor the assets to ensure they remain in the most secure state possible.” To be effective, this needs to include all personal and Internet of Things (IoT) devices.
6. Resource Authentication and Authorization Is Dynamic and Strictly Enforced
If your authentication and authorization processes are dynamic, an attacker can’t use access credentials that worked in the past. This is because these credentials can be changed from one session to another. For example, if your system uses cryptography to generate a per-session authenticator, every session gets its own unique token that serves as the access credential.
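The following is an added example, not Pharos code and not part of the original article. It is a toy policy decision point for a print request that ties together tenets 3, 4 and 6 above: access is decided per session, the decision depends on behavioral attributes (an unusual location or recent failed logins triggers a request for additional credentials), and a successful decision yields a cryptographically generated per-session authenticator that is bound to the user and device, expires, and cannot be replayed in a later session. Every name, rule, threshold and sample request here is an assumption made for illustration.

```python
"""Toy print-access policy engine (added example, not Pharos code).

Demonstrates per-session access (tenet 3), dynamic policy with behavioral
attributes (tenet 4), and a per-session authenticator built with an HMAC
(tenet 6). All field names, rules and sample data are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)   # constructed: a per-deployment secret
SESSION_TTL = 300                      # constructed: token lifetime in seconds


@dataclass
class PrintRequest:
    user: str
    device_id: str
    device_compliant: bool       # outcome of endpoint validation (assumed)
    location: str                # where the request originates (assumed label)
    mfa_passed: bool             # whether step-up authentication succeeded
    recent_failed_logins: int    # behavioral signal from the identity store


# Constructed baseline standing in for a directory or identity store.
USER_BASELINE = {
    "alice": {"usual_locations": {"office-hq", "home-vpn"}},
}


def decide(req: PrintRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step-up' or 'deny'."""
    if not req.device_compliant:
        return "deny", "device failed endpoint validation"
    baseline = USER_BASELINE.get(req.user)
    if baseline is None:
        return "deny", "unknown user"
    # Dynamic policy: anomalous behavior raises the bar instead of being ignored.
    risky = (req.location not in baseline["usual_locations"]
             or req.recent_failed_logins > 0)
    if risky and not req.mfa_passed:
        return "step-up", "unusual location or failed logins: additional credentials required"
    return "allow", "policy satisfied"


def issue_session_token(req: PrintRequest, now: Optional[float] = None) -> str:
    """Mint a per-session authenticator: user|device|nonce|expiry|HMAC.

    A fresh nonce per session means a captured token never matches a later
    session's token, and the expiry bounds how long it is useful at all."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    expiry = int(now) + SESSION_TTL
    payload = f"{req.user}|{req.device_id}|{nonce}|{expiry}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{req.user}|{req.device_id}|{nonce}|{expiry}|{tag}"


def verify_session_token(token: str, user: str, device_id: str,
                         now: Optional[float] = None) -> bool:
    """Check binding to user and device, expiry, and the MAC (constant time)."""
    now = time.time() if now is None else now
    try:
        t_user, t_dev, nonce, expiry, tag = token.split("|")
        if (t_user, t_dev) != (user, device_id) or int(expiry) < now:
            return False
    except ValueError:          # malformed token or non-numeric expiry
        return False
    payload = f"{t_user}|{t_dev}|{nonce}|{expiry}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    req = PrintRequest("alice", "wks-01", True, "cafe-wifi", False, 0)
    print(decide(req))                                   # step-up: new location
    req.mfa_passed = True
    print(decide(req))                                   # allow after step-up
    tok = issue_session_token(req)
    print(verify_session_token(tok, "alice", "wks-01"))  # True for this session
    print(verify_session_token(tok, "alice", "wks-02"))  # False: wrong device
```

The point of the token layout is that nothing from a previous session survives: a new nonce and expiry are minted every time, and the HMAC binds them to the user and device, so reusing an old credential fails verification even if it was captured intact.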
7. Infrastructure Communication and Connection Data Is Collected and Analyzed
By collecting data regarding the state of your network infrastructure, you make it easier to spot anomalies, as well as identify the strong and weak elements of your security architecture. In addition, in the event of a breach, your data serves as the foundation for post-mortem analysis, making it easier to determine what went wrong and address the vulnerability.
Zero Trust Printing with Pharos Cloud
Pharos Cloud makes it easy to incorporate the seven tenets of zero trust architecture because it:
- Encrypts data while in transit using Transport Layer Security (TLS) between all endpoints
- Focuses on protecting individual resources, such as the user’s workstation and printer, instead of network segments
- Verifies the identity of the user before allowing them to print by checking for an identity token and requiring additional authentication if necessary
- Keeps user identities stored securely in the cloud using non-reversible hashes
- Reduces the danger of misplaced employee cards by enabling the removal of the ID badge registration
- Does not depend on insecure protocols that hackers can exploit—Pharos Cloud encourages users to disable them and checks to make sure they’re not being used
- Verifies that the destination printer is the intended endpoint before sending the document to it from the workstation or the cloud
Not all print management solutions support zero trust, with only a few enabling employee printing in a comprehensive zero trust ecosystem. For instance, most organizations still use insecure RAW or LPR protocols to deliver jobs, both of which have been used to hack printers for years. Also, organizations that still rely on traditional print processes using servers and queues often don’t have client authentication measures in place. This means that even if the organization’s security team had implemented zero trust across the rest of its IT infrastructure, they wouldn’t be able to use zero trust policies to secure their printing environment.
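As an added example (not Pharos code and not from the original article), the script below shows what tenet 7 looks like in practice when applied to the problem this paragraph describes: it parses constructed print-connection log lines and flags jobs delivered over the legacy RAW (TCP 9100) and LPR (TCP 515) protocols, jobs sent without TLS, jobs addressed to a printer outside the managed inventory, and unauthenticated submissions. The log format, field names, inventory and sample lines are all assumptions; a real deployment would feed it records from its own print service or network sensor.

```python
"""Anomaly review over print-connection logs (added example, not Pharos code).

Flags legacy RAW/LPR delivery, missing TLS, unmanaged destination printers
and unauthenticated jobs. The log format and all sample data are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z src=10.0.4.21 user=alice dst=10.0.9.5 dport=631 tls=yes job=budget.pdf
2024-03-01T09:14:41Z src=10.0.4.22 user=bob dst=10.0.9.5 dport=9100 tls=no job=memo.txt
2024-03-01T09:15:02Z src=10.0.4.22 user=- dst=10.0.9.7 dport=515 tls=no job=raw.prn
2024-03-01T09:16:30Z src=10.0.4.23 user=carol dst=192.168.77.9 dport=631 tls=yes job=slides.pdf
"""

MANAGED_PRINTERS = {"10.0.9.5", "10.0.9.7"}    # constructed printer inventory
LEGACY_PORTS = {9100: "RAW", 515: "LPR"}       # well-known ports for the legacy protocols

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse 'timestamp key=value ...' into a dict, or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["dport"] = int(rec.get("dport", 0))
    return rec


def findings_for(rec: dict) -> List[str]:
    """Apply the detection rules to one parsed record."""
    out = []
    port = rec["dport"]
    if port in LEGACY_PORTS:
        out.append(f"legacy {LEGACY_PORTS[port]} protocol on port {port}")
    if rec.get("tls") != "yes":
        out.append("job sent without TLS")
    if rec.get("dst") not in MANAGED_PRINTERS:
        out.append(f"destination {rec.get('dst')} not in managed inventory")
    if rec.get("user", "-") == "-":
        out.append("unauthenticated submission")
    return out


def analyze(log_text: str) -> List[dict]:
    """Return one result per log line that triggered at least one finding."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = findings_for(rec)
        if found:
            results.append({"ts": rec["ts"], "src": rec.get("src"),
                            "dst": rec.get("dst"), "findings": found})
    return results


def findings_by_destination(results: List[dict]) -> Dict[str, int]:
    """Count findings per destination printer; a quick way to spot weak endpoints."""
    counts: Counter = Counter()
    for r in results:
        counts[r["dst"]] += len(r["findings"])
    return dict(counts)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], "->", h["dst"], "|", "; ".join(h["findings"]))
    print(findings_by_destination(hits))
```

Run on the constructed sample, the first line (IPP over TLS, authenticated, managed printer) produces nothing, while the RAW and LPR jobs and the job to the unmanaged address are each reported; the per-destination tally is the kind of summary that helps distinguish the weak elements of the print estate from the strong ones.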
With Pharos Cloud, you get a wide range of control and management features and an infrastructure that abides by zero trust principles. See how it can benefit your organization by setting up a demo today.