Xerox and Information Security
Keeping your data safe and secure so you can focus
on what matters most: your business.
BR5329
SECPA-01UB
Overview
Is security
Are
you worried
on your
about
mind?
yoursecurity
MFPs
the
data
being
onof
the
the
your
weak
device?
data
linktransferred
on your network?
over the
At Xerox, we help protect your data at every potential point of
network?
vulnerability so you don’t have to.
We know that by staying focused on what we do best, you can stay
focused on what you do best.
2
Xerox® Security Goals
We’ve identified five key goals in our quest to provide secure solutions to every
one of our customers:
Confidentiality
Integrity
Availability
Accountability
Non-repudiation
• No unauthorized
disclosure of
data during
processing,
transmission or
storage
• No unauthorized
alteration of data
• System works
properly
• System performs
as intended, free
from
unauthorized
manipulation
• No denial of
service for
authorized users
• Actions of an
entity can be
traced directly to
that entity
• Mutual
assurance that
the authenticity
and integrity of
network
communications
are maintained
3
• Protection
against
unauthorized use
of the system
Security Vulnerabilities: Industry Risks and Costs
Businesses of all sizes have sensitive information that is valuable to
cybercriminals and that must be protected. However, the threat landscape is
changing constantly. Cybercriminals are now focusing their attention on smalland mid-sized businesses (SMBs), because they are easier targets than large,
multinational corporations.
• The average organizational cost of a data breach in 2011 was $5.5 million.*
• Total breach costs have grown every year since 2006.*
• Data breaches in 2010 cost their companies an average of $214 per
compromised record, up $10 (5%) from 2009.*
*“2010 Annual Study: US Cost of a Data Breach.” The Ponemon Institute, LLC, March 2011.
4
Security Vulnerabilities: Industry Risks and Costs
Who’s at risk?
5
Security Vulnerabilities: Industry Risks and Costs
Healthcare
The need to share important medical data and patient information electronically makes security a major
concern.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
Government
Strict regulations are in place to ensure the information being shared is safe and secure.
• Federal Information Security Management Act of 2002 (FISMA)
Financial Services
Direct deposit, online banking, debit cards and other advances in information technology are
revolutionizing the financial services industry. Though more convenient for both customers and
businesses, this heavy use of technology has its own set of security concerns.
Education
Transcript requests, financial aid applications and even class notes can all be found online. Because
some schools have their own medical centers, they also have to store and share medical information
electronically. This interactive environment enhances the student experience and improves staff
productivity, but it also makes schools susceptible to security threats.
6
The Xerox® Security Model
Strategy
• State-of-the-art Security Features
Xerox offers the broadest range of security functionality on the market, including:
– Encryption
– Authentication
– Authorization per User
– Auditing
• Certification
– 15408 Common Criteria for Information Technology Security Evaluation
• Maintenance
– Software updates being issued on an ongoing basis
– RSS feed for notification when new security bulletins are released
– Response to identified vulnerabilities
– Patches available at www.xerox.com/security
– Secure installation and operation
– Common Criteria information
7
Unrivaled Security for Total Peace of Mind
Devices Visible to IT
Compliance
Xerox MFPs meet key government and
industry security standards, e.g., Common
Criteria and HIPAA.
Data on the Network
Secure data transmission with IPsec,
HTTPS,SNMPv3, sFTP and encrypted email.
Device Access
Prevents general access to restricted devices with rolebased user access and firewall on printer.
Data Protection
Keep personal and confidential information safe with
encrypted hard disk (AES 256-bit FIPS 140-2 validated)
and image overwrite.
Auditing and Tracking
Track access and attempted access to the device, including
comprehensive audit logs and confirmation reports.
Malware Protection
Protect your data and device from malicious intrusions with
Whitelisting.
8
Risk Management
Proactive ongoing vulnerability assessment –
keeps a close eye on emerging threats and
the latest risks.
Policy Management
Complete visibility into network and policy
management includes user identification,
provisioning and audit logs.
0101 0
1
0
1
0
0101 1
0
1
0
1 0101010101010101010101010101010101010101
0
0101 1
0
1
0
1
0101 0
Keeping the Device and Data Protected
Device Access
• Network Authentication
• Microsoft Active Directory Services
• LDAP Authentication
• SMTP Authentication
• POP3 Authentication before SMTP
• Role Based Access Control (RBAC)
• Print User Permissions
• Smart Card Authentication
• Secure Access
9
Print User
Permissions
Smart
Card
Authentication
Secure
Role
Based
Access
Assess Control (RBAC)
Non-logged-in
User /
Logged-in
User
System
Administrator
Accounting
Administrator
Keeping the Device and Data Protected
Document Protection
• Encrypted PDF / Password-protected
PDF
• Fax Forwarding to Email and Network
• Fax Destination Confirmation
• Digital Signatures
• Secure Watermarks
• User/Time/Date Stamp
• Secure Print
10
Secure Print
Keeping the Device and Data Protected
Data Security
• Hard Disk Encryption
• Image Overwrite
• Volatile and Non-volatile Memory
• Secure Fax
• S/MIME for Scan to Email
• Scan to Email Encryption
• Job Log Conceal
• Hard Disk Retention Offering
• PostScript Passwords
11
Image
Overwrite
Hard Disk
Encryption
Keeping the Device and Data Protected
Audit Tracking
• Audit Log
The Audit Log interface is accessed from a System
Administrator’s workstation using any standard web
browser.
12
The log can then be exported into a
.txt file, and then opened in
Microsoft® Excel®.
Keeping the Device and Data Protected
Malware Protection
• Embedded McAfee Agent
• McAfee’s ePolicy Orchestrator (ePO)
• McAfee Integrity Control
Alerts
• Xerox
Management
Tools
Normal usage
• Known users
• Approved software
Known files
and software
Attacks
• Unknown users
• Malicious acts
• Polymorphic zero-day
attacks
13
• Email
• McAfee ePO
Whitelisting technology allows only
approved software to run
Unknown files
and software
Keeping Data on the Network Protected
Network Security
• Secure Sockets Layer / Transport Layer
Security (SSL/TLS)
• IPsec Encryption
• Network Ports On/Off
• Digital Certificates
• SNMPv3
• SNMP Community String
• 802.1X Authentication
• Firewall
• Fax and Network Separation
• IP Address Filtering
14
IP Address
802.1X
Authentication
Filtering
Keeping Data on the Network Protected
Policy Management
Policy Management with Cisco TrustSec®
• Protects your printing assets by enforcing
security policies centrally at the network
level
• Ensures only authorized role-based
access to the printers
• Detection of unauthorized printers on
network—only allows approved MFPs
and printers to be deployed
• Anti-spoofing capabilities by profiling
devices
15
Xerox
Risk Assessment and Mitigation
Proactive Security for Emergent
Threats
• Keep a close eye on the latest risks
• Issue security bulletins
• Distribute RSS feeds
• Provide you with a wealth of information
Xerox® Security Bulletins and Patch
Deployment
Visit www.xerox.com/security for timely
information updates and important
resources.
16
Regulatory and Policy Compliance
• Payment Card Industry (PCI) Data Security Standards (2006)
• Sarbanes-Oxley
• Basel II Framework
• The Health Insurance Portability and Accountability Act (HIPAA)
• E-Privacy Directive (2002/58/EC)
• Gramm-Leach-Bliley Act
• Family Educational Rights and Privacy Act
• The Health Information Technology for Economic and Clinical Health Act
• Dodd-Frank Wall Street Reform and Consumer Protection Act
• ISO-15408 Common Criteria for Information Technology Security Evaluation
• ISO-27001 Information Security Management System Standards
• Control Objectives for Information and Related Technology
• Statement on Auditing Standards No. 70
17
Common Criteria Evaluation
Independent, objective validation of the reliability, quality, and trustworthiness of
IT products
Achieving Common Criteria Certification
• Rigorous process
• Product testing by a third party laboratory that has been accredited by the
National Voluntary Laboratory Accreditation Program (NVLAP)
18
Common Criteria Certification
Xerox® ColorQube®
8700*/8900*
(undergoing evaluation)
Xerox® WorkCentre®
4250/4260
WorkCentre 7200 Series*
(undergoing evaluation)
WorkCentre 5150
WorkCentre 5800
Series
(undergoing evaluation)
Xerox® D95/D110/D125
Copier/Printer
Xerox® ColorQube 9300
Series
(undergoing evaluation)
Xerox® Color 550/560
Printer
WorkCentre 7775
(undergoing evaluation)
WorkCentre 7800 Series
(undergoing evaluation)
WorkCentre 5300
Series
*ColorQube 8700 and 8900 with ConnectKey Controller will be available Q2 2013
19
Manufacturing and Supplier Security Practices
EICC Code of Conduct
• Demonstrates stringent oversight of
their manufacturing processes.
On-site audits
Ensures integrity of the process all
the way down to the component level.
European Commission Taxation and
Customs Union
•
Facilitates trade
•
Protects the interests of the
European Union and its citizens.
20
Customs Security Program – membership pending
Manufacturing and Supplier Security Practices
US Customer Agency Trade
Partnership Against Terrorism
• Within North America, all
trailers moving between the
factory, product distribution
centers and Carrier Logistics
Centers are sealed at the point
of origin.
• All trucks have GPS locators
installed and are continuously
monitored.
21
US Customs Trade Partnership Against
Terrorism
Product Returns and Disposals
1. Trade removal is picked up from customer location by a Xerox® authorized and
trained Carrier.
2. Unit is returned on a Xerox® dedicated truck network back to a Xerox® facility,
contracted remarketer or taken to local scrap yard using a selected carrier.
3. If the machine has outlasted its useful life in sum or in whole, the machine is crushed
and sent to a Xerox® contracted recycler.
4. Otherwise, machine is sanitized to DoD standards prior to remanufacture or resale.
5. Recycler shreds the compacted units and separates pieces into raw material
categories (plastics, metals, glass, etc.)
6. Raw material is recycled (99.4% landfill avoidance), reducing environmental impacts.
22
Summary
Xerox® MFPs lead the industry.
Xerox continues to engineer and design all of its products to ensure the highestpossible level of security at all potential points of vulnerability.
For more information about the many security advantages offered by Xerox,
visit our security website, www.xerox.com/security.
At Xerox, we work hard at keeping your data safe and secure so you
can focus on what matters most: your business
23
Security Checklist















24
IP/MAC Address Filtering
IPsec Encryption
IPv6
802.1X Authentication
Secure Print
Scan to Email Encryption
Encrypted PDF/Password-protected
PDF
Digital Signatures
“256-bit AES” Hard Disk Encryption
Image Overwrite
Secure Fax
Port Blocking
Scan to Mailbox Password Protection
Hard Disk Retention Offering
Print Restrictions













Audit Log
Role Based Access Control
Smart Card Authentication
Common Access Card / Personal
Identity Verification
User Permissions
Secure Access
“Full System” Common Criteria
Certification
Integration with Standard Network
Management Tools
Security updates via RSS feeds
Embedded McAfee
McAfee Integrity Control
Cisco® TrustSec® Inegration
McAfee ePolicy Orchestrator
Integration