700 likes | 909 Views
Data Security on TA Triumph-Adler SynControl Systems (System Support). 21.08.2014. ISO 15408 EAL3 – Common Criteria. History & Background The constant increase in the use of information technology in the business world led to increased demands in view of data security.
E N D
Data Security on TA Triumph-Adler SynControl Systems(System Support) 21.08.2014
ISO 15408 EAL3 – Common Criteria • History & Background • The constant increase in the use of information technology in the business world led to increased demands in view of data security. • Already by the end of the 1980s, the complex area of IT security and the related demands for a secure operation of IT systems and products resulted in the development of standardised criteria for the evaluation and testing of IT security.
ISO 15408 EAL3 – Common Criteria • History & Background • 1989: The „Bundesamt für Sicherheit in der Informationstechnik“ (BSI – German Federal Office for Information Security) issues a catalogue of criteria for the evaluation of IT systems that allows independent evaluation institutes to evaluate IT systems in line with unified criteria and IT products in view of the effectiveness of their security relevant measures. • 1991: Germany, France, the UK and the Netherlands publish „Information Technology Security Evaluation Criteria“ (ITSEC), i. e. harmonised pan-European IT security criteria. • 1998: Completion of the „Common Criteria“ (CC) – „Common Criteria for Information Technology Security Evaluation “ (version 2.0), thereby introducing internationally accepted evaluation criteria for IT security
ISO 15408 EAL3 – Common Criteria • What is behind ISO 15408 EAL3? • ISO 15408 is an international Security Standard in the framework of the Common Criteria which states that the safety engineering of products must comply with the aforementioned standard. • Several EA levels exist (0-7) within ISO 15408. • EAL3 is the currently relevant level for office systems and stands for a certain level of security and confidentiality within ISO 15408 (Evaluation Assurance Level), which states that security functions must be methodically tested and evaluated, including the control of their development environments.
ISO 15408 EAL3 – Common Criteria • Link to the Common Criteria website: http://www.commoncriteriaportal.org/thecc.html • Link to the BSI website: BSI (German Federal Office for Information Security): http://www.bsi.de/
ISO 15408 EAL3 – Common Criteria Links to relevant websites of IPA: • A list of certified products of all manufacturers can be found under the following link of the Japanese Evaluation Institute IPA: • http://www.ipa.go.jp/security/jisec/jisec_e/certfy_list.html • A list of products that are currently being certified can be found under: • http://www.ipa.go.jp/security/jisec/jisec_e/prdct_in_eval.html • Details on the certification of Data Security Kits (B), (C), (D) and (E) can be found under: • http://www.ipa.go.jp/security/jisec/jisec_e/c0035_it4035_ecvr.htm • http://www.ipa.go.jp/security/jisec/jisec_e/certfy_list/c0151_it7182.htm • http://www.ipa.go.jp/security/jisec/jisec_e/c0057_it5065.htm#itkz7031
ISO 15408 EAL3 – Common Criteria • Which TA Triumph-Adler products comply with ISO 15408? • Data Security Kit (B)* (DC 2060/2080) • Data Security Kit (C)* (DC 2325/2330/2230/2240/2250) • Data Security Kit (D)* (DCC 2625/2632/2635) • Data Security Kit (E)* (DCC 2725/2730/2740/2840/2850, DC 2430, DC 2242/2252, CLP 4550) • The certificate is issued in the name of the original manufacturer Kyocera Mita (the certification is chargeable to each applicant!). • Since TA Triumph-Adler systems are identical in construction, we can assure our customers the compliance of our systems with the ISO regulation. *optional
ISO 15408 EAL3 – Common Criteria • What is the effect of installing the optional Data Security Kit? • Overwriting and encryption functions of the system hard disk and the optional printer hard disk* are enabled: Overwriting: • Data are stored on the hard disk until they are overwritten with other data => with recovery programs data can be retrieved and used illegally. • The security kit deletes and overwrites output data so that these can no longer be recovered – this happens automatically. *depending on the system
ISO 15408 EAL3 – Common Criteria • What needs to be taken into account when installing the optional Data Security Kit? • Two overwriting methods are available and can be selected by the administrator: • Simple overwriting: A certain area (when overwriting) or the whole storage area (when initialising) of the hard disk will be overwritten with zeros (0), so that data recovery is made impossible. • Triple overwriting (default): First, the same area as before will be overwritten twice with random data, followed by zeros (0). This method is more secure than simple overwriting and makes data recovery almost completely impossible.
ISO 15408 EAL3 – Common Criteria • What is the effect of installing the optional Data Security Kit? Encryption (AES Encryption): • Scanned originals and other user data are stored on the hard disk. • The security kit encrypts data before they are stored on the hard disk => this increases security, because data can only be decrypted during normal use. • Encryption is carried out automatically in line with AES (Advanced Encryption Standard). In the US this standard is approved for governmental documents which are subject to the highest secrecy level.
ISO 15408 EAL3 – Common Criteria • What needs to be taken into account when installing the optional Data Security Kit? • The system is initialised during installation of the security kit. That means that data stored on the hard disk will be deleted. • The function „Repeat Copy“ is no longer available after installation. • A button „Security“ will be added to the system menu after installation. • If the Data Security Kit is installed correctly, the hard disk icon will appear in the lower right corner of the display (in security mode).
Security Settings at TA Triumph-Adler Systems • Security settings at the system: • Authentication at the system (input of numeric code) • Locking the USB host • Locking „Repeat Copy“ • Locking/partially locking the display
Authentication at the System (alpha-numeric) • Authentication at the system prevents unauthorised access by third parties. • User defined limitations can be set (account ID, numeric password) for printing, scanning, copying and faxing.
Authentication at the System (numeric) • Authentication at the system prevents unauthorised access by third parties. • User defined limitations can be set (account ID, numeric password) for printing, scanning, copying and faxing.
Disabling the USB Host for Optional Data Storage Media • The USB host can be locked via the Embedded Web Server:
Disabling „Repeat Copy“ • „Repeat Copy“ can be locked by either of the following ways: • Installation of the Data Security Kit • Locking and switching the function off in the system menu
Disabling „Repeat Copy“ Disabling/partly disabling the Display The function „Repeat Copy“ can be locked by partially locking the display in the Embedded Web Server:
Security Settings (Scanning) • The security of the scan functions mainly depends upon the security settings of • the user network: • FTP: Security settings of the FTP server are active: Input of user name and password is required. • SMB: Security settings of the user network are active: Usually, the user has to log in with user name and password. • E-Mail: Like SMB - SMTP security settings are active: Usually, a sender address known to the SMTP server has to be used.
Security Settings (Scanning) • A higher security level for scanning is available with the installation of the optional PDF Upgrade Kit. This kit encrypts and compresses PDF files generated on the system. Opening as well as printing and editing of PDF files can be restricted.
Security Settings (Scanning) • There are two encryption levels: • „low level“ (40 bit) • „high level“ (128 bit)
Security Settings (Scanning) • Another possibility to enhance the security level on TA Triumph-Adler systems when using e-mail transmission is the domain restriction for transmission and reception.
Network Security Settings • Authentication at the Embedded Web Server • Network authentication • Certificates • General settings and helpful hints
Authentication at the Embedded Web Server • Accessing the Embedded Web Server is possible (default). Via „Basic“ and „Security: Account Settings“ an administrator password can be set. Access to the Embedded Web Server can be encrypted by SSL. • At the system several administrators with different passwords can be registered. Moreover, users can be registered and given a password.
Network Authentication • This setting for log-on at the system offers the highest network security standard. • Log-on at the system is possible via inputting a user name and password. • Two authentication methods exist: • NTLM • KERBEROS • Which of the two is used depends on the network and server operating system. • Network authentication can be combined with the authentication at the system as well as the account management (limitation for printing, scanning, copying and faxing). • Passwords, user control and security levels are adjustable with TA Triumph-Adler systems.
Network Authentication • Network authentication and server settings (defaults) can be made at the system or via the Embedded Web Server.
Combining Network and System Authentication with Account Management • Settings at the system: • Setting up a local user via the Network Print Monitor
Combining Network and System Authentication with Account Management • Configuration of the local user
Combining Network and System Authentication with Account Management • Assigning/mapping an account to/with a local user
Combining Network and System Authentication with Account Management • Settings for the system authentication
Combining Network and System Authentication with Account Management • Settings in the KX printer driver
Combining Network and System Authentication with Account Management • Limiting and controlling of accounts via network authentication with the Network Tool for Accounting
Network Security Settings / Certificates • Certificates offer another possibility to enable communication security in the network. • This ensures a secure connection between the print system and the client. • The certificate generated by the printer is exported, stored in the certification memory of the clients (Windows XP/Vista) and judged „secure“. • These settings ensure that no error message (insecure certificate) is generated at the client.
Network Security Settings / Certificates • Examples of error messages:
Network Security Settings / Certificates The general name must be identical to the host name of the system.If no DNS (Domain Name System) is used, the host name must be assigned an IP address (file „Hosts“ under Windows\System32\drivers\etc).
Network Security Settings / Certificates • Export of a certificate:
Network Security Settings / Certificates • Import of a certificate at the client: The call is made via: „Start“, „Run“, „certmgr.msc“ and „OK“
Network Security Settings / Certificates • Import of a certificate at the client:
Network Security Settings / Certificates • Import of a certificate at the client:
Network Security Settings / Certificates • Import of a certificate at the client:
Security Settings (Printing) • The network security is mainly dependent upon the settings of the user network. • The security settings of the TA Triumph-Adler systems can be adapted to the majority of security standards within client networks. • Various security settings are available from IP filtering, SSL, HTTPS, SMNP V1, V2C, V3, SMTP and POP3 domain restriction, over NTLM and KERBEROS authentication, Data Security Kit*, PDF Upgrade Kit* and locking/partially locking the display up to restricting users (printing, scanning, copying). • Combining the log-on with the user name and password and the installation of the Data Security Kit* ensures the highest possible security level for TA Triumph-Adler systems in a client network. *optional
Printing and Storing of Print Jobs to the Hard Disk • Available security settings when printing • Security settings in the printer driver
Printing and Storing of Print Jobs to the Hard Disk • Security settings: • Securing the Document Box with a password • Using the Data Security Kit • Sending Private Print jobs with a password
Security Settings (Printing) • IP filtering • IP filtering allows to restrict access to the system to registered IP addresses. • Access to certain protocols (SNMP, FTP, HTTP, HTTPS, etc.) can be limited with IP filtering.
Security Settings (Printing) • Encrypted printing via SSL • The transmission to the print system as well as the print data stream are encrypted so that reading out data in the network by third parties is impossible.
Security Settings (Printing) • How to proceed when printing with SSL encryption: • Enable SSL encryption at the system • Main switch ON/OFF • Install a new printer in Windows (minimum requirement: Windows XP)
Security Settings (Printing) • Select network printer and use following syntax: • (HTTPS://Printservername or IP address/printers/lp1)
Security Settings (Printing) • Should setting up an HTTPS port fail, it has to be checked in the Internet Explorer whether local access to the network is available.
Security Settings (Printing) • Select and install printer and select HTTPS port
Security Settings in the Printer Driver • When using a print system with network authentication or local user this setting is also active in the printer driver. Driver settings can be secured by a password.