konica minolta australia ops security whitepaper · problems with the dca and/or the dca health...

Konica Minolta Australia OPS Security Whitepaper

Version 1.09

Date: June 2016

Konica Minolta Australia

Optimised Print Services

OPS Security Whitepaper

Commercial in Confidence

of 15

Introduction Konica Minolta’s Optimised Print Services (OPS) is committed to providing software products that are secure for use in all network environments. Konica Minolta’s OPS software products only collect the critical metrics necessary to manage a printing environment, and never collect any personal, user or job information.





of 15

Contents

Contents ........................................................................................................................ 3

The Optimised Print Services System Configuration..................................................... 4

The Data Collection Agent (DCA) ................................................................................. 5

Types of information collected ...................................................................................... 5 System Requirements ................................................................................................... 6

Optional remote updates ............................................................................................... 7 Network traffic ............................................................................................................... 7 The communication method .......................................................................................... 8

Data collection and transmission methods .................................................................... 9 Scanning locally attached printers............................................................................... 10 IP Ranges ................................................................................................................... 10 Masking Private Data .................................................................................................. 11

DCA Submission Authentication ................................................................................. 11

The OPS Web Portal ................................................................................................... 12

Permissions based user management ........................................................................ 12 HTTPS access ............................................................................................................ 12

The Konica Minolta OPS Server ................................................................................. 13

Backup Procedures ..................................................................................................... 13

Server Upgrades ......................................................................................................... 13 System Access ........................................................................................................... 13 Account Information Storage ....................................................................................... 13

Security ....................................................................................................................... 13

Regulatory Requirements ........................................................................................... 14

Health Insurance Portability & Accountability Act (HIPAA) .......................................... 14

Sarbanes-Oxley (SOx) ................................................................................................ 14 Gramm-Leach-Bliley Act (GLBA) ................................................................................ 14 Federal Information Security Management Act (FISMA) ............................................. 15





of 15

The Optimised Print Services System Configuration





of 15

The Data Collection Agent (DCA)

The OPS Data Collection Agent (DCA) is a software application that is installed on a non-dedicated networked server at

each location where imaging device metrics are to be collected. If being used to monitor local attached printers, the DCA

will also reside on the attached PC or laptop.

The DCA runs as a Windows® service (or, optionally, a scheduled task), allowing it to operate 24 hours a day, 7 days a

week.

Multiple DCA Installations can be made to cover given customers environments, especially for

• multi-site installations • WANs with low available bandwidth • separated networks • very large fleets ( > 1,000 printing devices)

In this case, any duplicated coverage (2 DCAs collecting data of the same device) is resolved by the receiving database.

Types of information collected

The OPS DCA attempts to collect the following information from printing devices during a network scan:

IP address (can be masked)

Toner cartridge serial number

Device description

Maintenance kit levels

Serial number

Non-toner supply levels

Meter reads

Asset number

Monochrome or colour identification

Location

LCD reading

MAC address

Device status

Manufacturer

Error codes

Firmware

Toner levels

Miscellaneous (machine specific)

Hostname

No print job or user data is collected.

The amount of detail collected from each machine will vary – depending on its age and the way the machine is

programmed.





of 15

System Requirements

Hardware:

Non-dedicated server powered on 24 hours a day, 7 days a week. If a server is not available, the DCA can be installed on

a desktop computer system powered on 24 hours a day, 7 days a week, but this method carries a risk of transmission

difficulties.

Minimum requirements of the hardware:

• Operating system: Windows Server 2008 R2, Windows Server 2012 R2, Hyper-V Server 2012, Windows Vista, Windows 7, Windows 8 32/64 bit, Windows 10 32/64 bit

• Network card: 100mbit or higher (system must have only one active network card) • RAM: 512MB or higher • CPU: 1GHz or higher • Microsoft .NET Framework 2.0, 3.5 or 4.0 installed • Internet connected browser • Minimum 1GB free hard drive space (will increase if you elect to keep log files for long periods of time)

* Instructions for installing a DCA Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2,

Windows Server 2012 R2, implements a new feature called Universal Account Control (UAC), which can cause installation

problems with the DCA and/or the DCA Health Check service.

These issues can be avoided by following the below procedures.

After downloading the DCA installation file

• Right click on the DCA_Install.msi file and select Properties. • Under the Compatibility tab, click to enable the Run as Administrator check box. • Proceed to install the DCA. Follow the installation steps as suggested from the Installation Wizard.

Virtualization software support:

If you want to install the DCA on a virtual machine, the following virtualization software will support the installation:

Microsoft Virtual Server 2005

VMWare GSX + ESX

Important:

Do not install the DCA on a laptop.

If you plan to use the DCA to collect data via VPN, please be aware that due to the extended transmission, there is a risk of data loss.





of 15

Optional remote updates

The DCA contains an optional remote update feature, which is activated by enabling the Health Check and Intelligent

Update options. Health Check will periodically ensure that the DCA service is operating, and if not, it will restart the DCA

service.

Intelligent Update allows the DCA to check for a receive software updates and DCA

configuration changes posted by the Konica Minolta OPS administrators.

These features are enabled and disabled at the end user site, and are not required.

Each major and minor release of the software goes through a quality control process which includes system testing.

Network traffic

The network traffic created by the DCA is minimal, and will vary depending on the number of IP addresses being

scanned. The table below outlines the network load associated with the DCA compared to the network load associated

with loading a single standard webpage.

Network Byte Load Associated with the DCA

Event Approximate Total Kbytes

Loading a single standard webpage 60K

DCA scan, blank IP 5K

DCA scan, 1 printer 7K

DCA scan, 1 printer, 1 subnet 96K

DCA scan, network of 13 printers 111K





of 15

The communication method

The DCA collects imaging device metrics at a specified interval (SNMP, ICMP and HTTP) in the private (LAN/WAN)

network of the customer. DCA transmits these data to the central database secured via HTTPS-Protocol. This procedure

of transmitting data using HTTPS is exactly the same as a user-PC which opens a HTTPS website with a standard web

browser.

Due to this:

there is no need to open specific ports in the firewall

only the proxy settings need to be configured in the DCA, if applicable

The communication from the DCA to the data base is outbound exclusively.

There is not any inbound connection to the DCA, if configured this way.

(Note: In case the “Intelligent Update" is activated on the DCA, it asks for new software versions whenever contacting the

server. Then the software might be downloaded after the DCA has initiated the connection.)

The HTTPS transport method is using SSL encryption on port 443. A VeriSign SSL certificate is installed on the central

web server https://ap.pfprdjp.bt.konicaminolta.com The connection built by the local DCA can be restricted to above

target exclusively.

This data transmission fully respects customer’s security environment like Proxy-Servers, Content-Scan and filtering,

Anti-Virus and Anti- Malware Solutions, IPS/IDS Systems, Firewalls including authentication to these systems.

The location and number of DCAs to be utilized is depending on the individual structure of the customer’s IT network.

The recommended number of devices for each is a maximum of 2,000 devices.

https://ap.pfprdjp.bt.konicaminolta.com/





of 15

Data collection and transmission methods

The DCA collects imaging device metrics at a specified interval using SNMP, ICMP, and HTTP; it then transmits the data

to the centralized database via FTP (port 21/port 20), HTTP (port 80), or HTTPS (port 443).

Data is transmitted using HTTPS, because this provides SSL 128-bit encryption of the data during transmission. FTP

and HTTP do not provide encryption.

To protect the data, the OPS software uses encryption from end to end. The printer DCA files are never stored in plain text. The only time the data is “in the clear” is when it has been processed and stored in the Konica Minolta OPS database. There are two purposes of encryption:

To protect the data from interception and viewing/use without authorisation

To authenticate the Printer DCA and ensure integrity of the data (i.e. that it hasn’t been tampered with).

Each Printer DCA has its own encryption key, which must match the encryption key on the OPS server to verify the data

is actually coming from that Printer DCA. It makes it difficult to tamper with the data, because an attacker would need to

know the encryption keys, algorithms used, and be able to re-create the checksums.

The data that is being transmitted can be checked at any time for a client network administrator.

The files that contain the data are stored in C:\Program Files (x86)\Printer DCA\data_archive (default location). The

files have the “pfd” extension. The data in these files is encrypted, however can be viewed at any time by using the DCA

software’s inbuilt “file viewer”.





of 15

Scanning locally attached printers

The DCA software can be installed on PC’s and laptops to monitor print volumes on locally attached printers, and to then

push this information back to the server based DCA software for reporting on the whole printer fleet.

The software can be installed directly on the PC, or can be pushed out from the server based DCA. If using this method,

it is recommended that the push be done after hours, depending on how many PCs are being pushed out to. Depending

on the number of travelling laptops you may need to push this out a number of times in order to push the software out to

all devices.

IP Ranges

IP ranges can be fully configured to only scan those ranges where print devices reside.

Alternatively, specific IP addresses of specific print devices can be specified instead. Please note, that every time a new

printer is installed on the network, that the DCA software will have to be configured with the new device IP address.

It is recommended to allow the scan to take place over as broad a range as possible, to be able to capture any new

devices that appear over time, and to reduce the workload when changes to the print environment occur over time.

IP ranges or specific IP addresses can be configured before doing your first scan of the network with the DCA software,

by not select the “Start Service” option during initial installation. Once the software is installed, configure the IP

addresses as required and then do a “Force Scan”.

If you have already done a full scan of your network, devices can be hidden from “Views”, by contacting your Konica

Minolta Account Manager, who will alter the setting appropriately. A historic record of that device will still remain in the

database from the initial scan, however no additional information will be captured.

Please note – that by hiding a device from Views, both parties (Konica Minolta and the Client) will not be able to see the

device. This may distract from the value of the service to the Client as they will lose the ability to remotely monitor their

devices.





of 15

Masking Private Data

For privacy reasons, the following types of information that the software collects, can be masked in the transmission file

to the central server:

IP Address of devices included in the scan

Telephone numbers collected from devices (masked by default) – used mainly for fax machines

DCA host system information (IP address, MAC address, subnet, etc)

DCA Submission Authentication

The OPS DCA has to be activated on the Konica Minolta OPS server prior to the DCA installation. This activation

process includes:

• Creation of a DCA account on the Konica Minolta OPS Server • Association of a clients DCA Installation and the DCA Account based on a unique PIN • Generation of a unique Shared Key used to encrypt data exchange between the Konica Minolta OPS Server

and the DCA Installation

DCA Accounts can have an Expiration Date when their credentials to submit data to the PFE Server are revoked

automatically; The Konica Minolta OPS Server Administrator can also revoke these credentials at any time by de-

activating the DCA. Data submissions from a DCA start being rejected by the Konica Minolta OPS server immediately

after the DCA Expiration Date comes or the DCA is de-activated.

The Konica Minolta OPS Server checks if the submitting DCA has an Active account on the Server prior to data

acceptance. If the DCA account exists and is Active, the data is saved in a file on the Server for further processing;

otherwise, the submission is ignored and no data is saved on the Server.

The Shared Key that is used to encrypt data exchange between the Konica Minolta OPS Server and a DCA is stored in

the Konica Minolta OPS Server database and is protected by security means of MS Windows Server and MS SQL

Server.

The DCA Installation stores the Shared Key in an encrypted local storage. The encryption algorithm uses hardware

parameters and Windows® Product ID of the DCA Host; this ensures that the Shared Key will not be used on DCA

Installations other that the one where it was stored during DCA Activation.





of 15

The OPS Web Portal

The OPS Web Portal is the online interface used to access the collected information.

Permissions based user management

Access to the OPS Web Portal is controlled with permissions-based user management. Users must log in to OPS Web

Portal using a designated username and password getting from the Service Provider.

HTTPS access

The website is accessed using HTTPS as our web server is installed with an SSL security certificate. This provides a

128-bit encryption when data is being transferred over the Internet.





of 15

The Konica Minolta OPS Server

The Konica Minolta OPS Server is hosted within the Konica Minolta network.

Backup Procedures

A full backup of the server is taken weekly.

A differential backup is taken daily.

Server Upgrades

Upgrades are tested before being released on the live server.

Notifications are sent out when the server is planned to be down during the upgrade.

System Access

Only a limited number of administrators have full access to the server.

Physical access to the server is key-lock restricted.

The room where the server is stored is secured with an ID card based system to ensure only authorised personnel have

access to the server, and to provide audit tracking of those that have accessed the room.

Account Information Storage

User account names and passwords are stored as a one-way MDF5 hash to ensure the details are secured.

Security

The server uses Verisign’s SecureServerID.





of 15

Regulatory Requirements

Health Insurance Portability & Accountability Act (HIPAA)

Compliance with HIPAA is not affected by usage of the OPS software.

Because the software does not collect, house or transmit any information regarding the content of the print jobs, there is

no risk to any electronic protected health information (ePHI) as defined by HIPAA, even if this information is printed or

otherwise sent to print devices that are monitored by the OPS software.

For more information about HIPAA, visit: http://www.hhs.gov/ocr/hipaa/

Sarbanes-Oxley (SOx)

Compliance with SOx is not affected by usage of the OPS software.

Because the software is not intended to be used as part of an internal control structure as outlined in Section 404:

Management Assessment of Internal Control, there is no interference with these controls.

Information Technology controls are an important part of complying with Sarbanes-Oxley. Under this Act, corporate

executives become responsible for establishing, evaluating and monitoring the effectiveness of internal control over

financial reporting. The OPS software is not designed or intended as an IT control system, and will not interfere or put at

risk other systems that are.

For more information about SOx, visit: http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/

Gramm-Leach-Bliley Act (GLBA)

Compliance with GLBA is not affected by usage of the OPS software.


no risk to any customers personal financial information, even if this information is printed or otherwise sent to print

devices that are monitored by the OPS software.

For more information about the GLBA, visit: www.ftc.gov/privacy/privacyinitiatives/glbact.html

http://www.hhs.gov/ocr/hipaa/

http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/

http://www.ftc.gov/privacy/privacyinitiatives/glbact.html





of 15

Federal Information Security Management Act (FISMA)

Compliance with FISMA is not affected by usage of the OPS software.

Because the software is not intended to be used as part of an internal control structure, there is no interference with

these controls.


no risk to any customers personal financial information, even if this information is printed or otherwise sent to print

devices that are monitored by the OPS software.

For more information about the FISMA, visit: http://csrc.nist.gov/groups/SMA/fisma/index.html

http://csrc.nist.gov/groups/SMA/fisma/index.html

konica minolta australia ops security whitepaper · problems with the dca and/or the dca health...

Documents