[Sussex] Secure printing

Steve Dobson steve.dobson at syscall.org.uk
Mon Jan 5 19:28:27 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Brendan

Not sure why to submitted this twice, but I will only answer once :-)

Brendan BT Account wrote:
> We are quoting for an NHS job where they want secure transmission of
> patient data. HTTPS will securely handle information between browsers
> and the servers and we can encrypt/password protect any downloadable
> reports. However, printing would seem to be more tricky as by default
> Postscript and raw text files (to label printers) are unencrypted.
> Secure Jet  (http://www.artimbilisim.com/urun09/SecureJET.pdf) would
> seem to be handle laser printers. Has anyone experience in encrypting
> printer output or any suggestions?  Thanks, Brendan

What is the physical layout of the servers, network and workstations?
How secure is the physical stuff?  Browsers need a secure communications
link because they often communicate over a network (Internet) which is
not secure.

On the other hand printers normally sit in offices without armed guards
checking the identities of anyone coming to correct their print jobs.
Once a print as been done it is just sitting there and anyone can pick
it up and read it.  What security is at the other end to ensure the
security of the data once made physically manifest?

The first rule of security, which I learnt for my days working a
military systems supplier, is "that if you don't have physical security
you don't have security at all!"  The army will post an armed guard with
orders to shot to kill) by the printer to check identities it that what
takes to secure the system.  They will also post guards along the route
of the network cabling if that needs to be secured too.

If the network isn't secure[1] then the NHS has bigger problems than
print job security.  I would suggest that you ask some probing question
about their infrastructure.

Steve

[1] An example would be if a patient could plug their laptop into the
same network as the NHS's staff.  As the patients are not trusted people
(and we will assume here that all staff are) then they should be on a
physically separate networks to guard against casual network traffic
snooping.  After all the SMB protocol as used by Windows to share files
and print jobs transmits it's passwords (and all it's data) in clear
text - very useful to your causal network snooper.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJYl9Qu7HOw0Q66oERAqzXAJ40ZNtCJvB8uhrVYGcyZbl1DEh0QgCguknq
A6Gni033dx0IsEMuIw7RYdk=
=Fa+f
-----END PGP SIGNATURE-----



More information about the Sussex mailing list