Konica Minolta Australia OPS Security Whitepaper
Version 1.09
Date: June 2016
Konica Minolta Australia
Optimised Print Services
OPS Security Whitepaper
Commercial in Confidence
Introduction
Konica Minolta’s Optimised Print Services (OPS) is committed to providing software products that are secure for use in all network environments. Konica Minolta’s OPS software products only collect the critical metrics necessary to manage a printing environment, and never collect any personal, user or job information.
Contents
The Optimised Print Services System Configuration
The Data Collection Agent (DCA)
Types of information collected
System Requirements
Optional remote updates
Network traffic
The communication method
Data collection and transmission methods
Scanning locally attached printers
IP Ranges
Masking Private Data
DCA Submission Authentication
The OPS Web Portal
Permissions based user management
HTTPS access
The Konica Minolta OPS Server
Backup Procedures
Server Upgrades
System Access
Account Information Storage
Security
Regulatory Requirements
Health Insurance Portability & Accountability Act (HIPAA)
Sarbanes-Oxley (SOx)
Gramm-Leach-Bliley Act (GLBA)
Federal Information Security Management Act (FISMA)
The Optimised Print Services System Configuration
The Data Collection Agent (DCA)
The OPS Data Collection Agent (DCA) is a software application that is installed on a non-dedicated networked server at
each location where imaging device metrics are to be collected. If it is used to monitor locally attached printers, the DCA
will also reside on the attached PC or laptop.
The DCA runs as a Windows® service (or, optionally, a scheduled task), allowing it to operate 24 hours a day, 7 days a
week.
Multiple DCA installations can be made to cover a given customer's environment, especially for:
• multi-site installations
• WANs with low available bandwidth
• separated networks
• very large fleets (> 1,000 printing devices)
In this case, any duplicated coverage (two DCAs collecting data from the same device) is resolved by the receiving database.
Types of information collected
The OPS DCA attempts to collect the following information from printing devices during a network scan:
IP address (can be masked)
Toner cartridge serial number
Device description
Maintenance kit levels
Serial number
Non-toner supply levels
Meter reads
Asset number
Monochrome or colour identification
Location
LCD reading
MAC address
Device status
Manufacturer
Error codes
Firmware
Toner levels
Miscellaneous (machine specific)
Hostname
No print job or user data is collected.
The amount of detail collected from each machine will vary – depending on its age and the way the machine is
programmed.
System Requirements
Hardware:
Non-dedicated server powered on 24 hours a day, 7 days a week. If a server is not available, the DCA can be installed on
a desktop computer system powered on 24 hours a day, 7 days a week, but this method carries a risk of transmission
difficulties.
Minimum requirements of the hardware:
• Operating system: Windows Server 2008 R2, Windows Server 2012 R2, Hyper-V Server 2012, Windows Vista, Windows 7, Windows 8 32/64 bit, Windows 10 32/64 bit
• Network card: 100 Mbit or higher (system must have only one active network card)
• RAM: 512MB or higher
• CPU: 1GHz or higher
• Microsoft .NET Framework 2.0, 3.5 or 4.0 installed
• Internet connected browser
• Minimum 1GB free hard drive space (will increase if you elect to keep log files for long periods of time)
* Instructions for installing a DCA: Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2 and
Windows Server 2012 R2 implement a new feature called Universal Account Control (UAC), which can cause installation
problems with the DCA and/or the DCA Health Check service.
These issues can be avoided by following the procedure below.
After downloading the DCA installation file:
• Right click on the DCA_Install.msi file and select Properties.
• Under the Compatibility tab, click to enable the Run as Administrator check box.
• Proceed to install the DCA. Follow the installation steps as suggested by the Installation Wizard.
Virtualization software support:
If you want to install the DCA on a virtual machine, the following virtualization software will support the installation:
Microsoft Virtual Server 2005
VMWare GSX + ESX
Important:
Do not install the DCA on a laptop.
If you plan to use the DCA to collect data via VPN, please be aware that due to the extended transmission, there is a risk of data loss.
Optional remote updates
The DCA contains an optional remote update feature, which is activated by enabling the Health Check and Intelligent
Update options. Health Check will periodically ensure that the DCA service is operating, and if not, it will restart the DCA
service.
Intelligent Update allows the DCA to check for and receive software updates and DCA
configuration changes posted by the Konica Minolta OPS administrators.
These features are enabled and disabled at the end user site, and are not required.
Each major and minor release of the software goes through a quality control process which includes system testing.
Network traffic
The network traffic created by the DCA is minimal, and will vary depending on the number of IP addresses being
scanned. The table below outlines the network load associated with the DCA compared to the network load associated
with loading a single standard webpage.
Network Byte Load Associated with the DCA
Event                                  Approximate Total Kbytes
Loading a single standard webpage      60K
DCA scan, blank IP                     5K
DCA scan, 1 printer                    7K
DCA scan, 1 printer, 1 subnet          96K
DCA scan, network of 13 printers       111K
The communication method
The DCA collects imaging device metrics at a specified interval (using SNMP, ICMP and HTTP) within the customer's private
(LAN/WAN) network. The DCA transmits this data to the central database over HTTPS. Transmitting data over HTTPS works
exactly the same way as a user's PC opening an HTTPS website with a standard web
browser.
Due to this:
there is no need to open specific ports in the firewall
only the proxy settings need to be configured in the DCA, if applicable
The communication from the DCA to the database is exclusively outbound.
There is no inbound connection to the DCA, if configured this way.
(Note: If “Intelligent Update” is activated on the DCA, it asks for new software versions whenever it contacts the
server. The software might then be downloaded after the DCA has initiated the connection.)
The HTTPS transport method uses SSL encryption on port 443. A VeriSign SSL certificate is installed on the central
web server, https://ap.pfprdjp.bt.konicaminolta.com. The connection built by the local DCA can be restricted to the above
target exclusively.
This data transmission fully respects the customer’s security environment, such as proxy servers, content scanning and filtering,
anti-virus and anti-malware solutions, IPS/IDS systems and firewalls, including authentication to these systems.
The location and number of DCAs to be utilized depends on the individual structure of the customer’s IT network.
The recommended maximum for each DCA is 2,000 devices.
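Because the DCA's traffic is outbound only and can be restricted to the single HTTPS target named above, a network administrator can audit proxy logs for anything else leaving the DCA host. The following is an added example, not part of the whitepaper or the OPS software; the log format, the DCA host address 10.0.5.20 and all log lines are constructed for illustration.

```python
ALLOWED_HOST = "ap.pfprdjp.bt.konicaminolta.com"  # target named in the whitepaper
ALLOWED_PORT = 443                                # HTTPS port named in the whitepaper

# Constructed proxy log lines: "<time> <client-ip> <method> <host>:<port>"
SAMPLE_LOG = """\
2016-06-01T02:00:01 10.0.5.20 CONNECT ap.pfprdjp.bt.konicaminolta.com:443
2016-06-01T02:00:07 10.0.5.20 CONNECT AP.PFPRDJP.BT.KONICAMINOLTA.COM.:443
2016-06-01T02:05:12 10.0.5.20 GET ap.pfprdjp.bt.konicaminolta.com:80
2016-06-01T02:06:30 10.0.5.20 CONNECT ap.pfprdjp.bt.konicaminolta.com.example.net:443
2016-06-01T02:07:02 10.0.5.31 CONNECT www.example.org:443
2016-06-01T02:08:45 10.0.5.20 CONNECT ftp.example.org:21
malformed line
"""


def normalise_host(host):
    """Lower-case the name and drop a trailing root dot before comparing."""
    return host.rstrip(".").lower()


def audit_dca_egress(log_text, dca_host_ip):
    """Return (line number, reason) for every line that breaks the egress policy.

    Lines from other clients are skipped. Unparseable lines are reported
    rather than silently dropped, so a log format change cannot hide traffic.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            findings.append((lineno, "unparseable"))
            continue
        _, client, method, dest = parts
        if client != dca_host_ip:
            continue
        host, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            findings.append((lineno, "unparseable"))
            continue
        # Exact match on the whole name: a substring or prefix test would
        # accept a look-alike such as "<allowed name>.example.net".
        if normalise_host(host) != ALLOWED_HOST:
            findings.append((lineno, "unexpected destination"))
        elif int(port) != ALLOWED_PORT or method != "CONNECT":
            findings.append((lineno, "not HTTPS on 443"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_dca_egress(SAMPLE_LOG, "10.0.5.20"):
        print(f"line {lineno}: {reason}")
```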
Data collection and transmission methods
The DCA collects imaging device metrics at a specified interval using SNMP, ICMP, and HTTP; it then transmits the data
to the centralized database via FTP (port 21/port 20), HTTP (port 80), or HTTPS (port 443).
Data is transmitted using HTTPS, because this provides SSL 128-bit encryption of the data during transmission. FTP
and HTTP do not provide encryption.
To protect the data, the OPS software uses encryption from end to end. The printer DCA files are never stored in plain text. The only time the data is “in the clear” is when it has been processed and stored in the Konica Minolta OPS database. There are two purposes of encryption:
To protect the data from interception and viewing/use without authorisation
To authenticate the Printer DCA and ensure integrity of the data (i.e. that it hasn’t been tampered with).
Each Printer DCA has its own encryption key, which must match the encryption key on the OPS server to verify that the data
is actually coming from that Printer DCA. This makes it difficult to tamper with the data, because an attacker would need to
know the encryption keys and the algorithms used, and be able to re-create the checksums.
The data that is being transmitted can be checked at any time by a client network administrator.
The files that contain the data are stored in C:\Program Files (x86)\Printer DCA\data_archive (default location). The
files have the “pfd” extension. The data in these files is encrypted, but it can be viewed at any time by using the DCA
software’s inbuilt “file viewer”.
Scanning locally attached printers
The DCA software can be installed on PCs and laptops to monitor print volumes on locally attached printers, and to then
push this information back to the server based DCA software for reporting on the whole printer fleet.
The software can be installed directly on the PC, or can be pushed out from the server based DCA. If using this method,
it is recommended that the push be done after hours, depending on how many PCs are being pushed out to. Depending
on the number of travelling laptops you may need to push this out a number of times in order to push the software out to
all devices.
IP Ranges
IP ranges can be fully configured to only scan those ranges where print devices reside.
Alternatively, specific IP addresses of specific print devices can be specified instead. Please note that every time a new
printer is installed on the network, the DCA software will have to be configured with the new device IP address.
It is recommended to allow the scan to take place over as broad a range as possible, to be able to capture any new
devices that appear over time, and to reduce the workload when changes to the print environment occur over time.
IP ranges or specific IP addresses can be configured before doing your first scan of the network with the DCA software,
by not selecting the “Start Service” option during initial installation. Once the software is installed, configure the IP
addresses as required and then do a “Force Scan”.
If you have already done a full scan of your network, devices can be hidden from “Views” by contacting your Konica
Minolta Account Manager, who will alter the setting appropriately. A historic record of that device will still remain in the
database from the initial scan; however, no additional information will be captured.
Please note that by hiding a device from Views, both parties (Konica Minolta and the Client) will not be able to see the
device. This may detract from the value of the service to the Client as they will lose the ability to remotely monitor their
devices.
Masking Private Data
For privacy reasons, the following types of information that the software collects can be masked in the transmission file
to the central server:
IP Address of devices included in the scan
Telephone numbers collected from devices (masked by default) – used mainly for fax machines
DCA host system information (IP address, MAC address, subnet, etc)
DCA Submission Authentication
The OPS DCA has to be activated on the Konica Minolta OPS server prior to the DCA installation. This activation
process includes:
• Creation of a DCA account on the Konica Minolta OPS Server
• Association of a client's DCA Installation and the DCA Account based on a unique PIN
• Generation of a unique Shared Key used to encrypt data exchange between the Konica Minolta OPS Server
and the DCA Installation
DCA Accounts can have an Expiration Date when their credentials to submit data to the PFE Server are revoked
automatically. The Konica Minolta OPS Server Administrator can also revoke these credentials at any time by
de-activating the DCA. Data submissions from a DCA start being rejected by the Konica Minolta OPS server immediately
after the DCA Expiration Date comes or the DCA is de-activated.
The Konica Minolta OPS Server checks if the submitting DCA has an Active account on the Server prior to data
acceptance. If the DCA account exists and is Active, the data is saved in a file on the Server for further processing;
otherwise, the submission is ignored and no data is saved on the Server.
The Shared Key that is used to encrypt data exchange between the Konica Minolta OPS Server and a DCA is stored in
the Konica Minolta OPS Server database and is protected by security means of MS Windows Server and MS SQL
Server.
The DCA Installation stores the Shared Key in an encrypted local storage. The encryption algorithm uses hardware
parameters and the Windows® Product ID of the DCA Host; this ensures that the Shared Key will not be used on DCA
Installations other than the one where it was stored during DCA Activation.
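The acceptance logic described in this section, together with the per-DCA key check described under "Data collection and transmission methods", can be sketched as follows. This is an added example and not Konica Minolta's code: the whitepaper does not name its algorithms, so HMAC-SHA256 stands in for the keyed check, and the account fields, DCA identifiers, keys, payload and the "rejected from the expiration date onward" reading are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass
class DcaAccount:
    """Server-side record created at activation (field names are hypothetical)."""
    dca_id: str
    shared_key: bytes
    active: bool = True
    expires: Optional[date] = None


def sign_submission(shared_key: bytes, dca_id: str, payload: bytes) -> str:
    """DCA side: keyed tag over the DCA id and the payload (HMAC-SHA256 assumed)."""
    # Binding the id into the tag stops a valid submission being replayed
    # under a different account.
    return hmac.new(shared_key, dca_id.encode() + b"\x00" + payload,
                    hashlib.sha256).hexdigest()


def accept_submission(accounts: Dict[str, DcaAccount], dca_id: str,
                      payload: bytes, tag: str, today: date) -> str:
    """Server side: account must exist, be active and unexpired, and the tag must verify."""
    account = accounts.get(dca_id)
    if account is None:
        return "ignored: unknown DCA"
    if not account.active:
        return "ignored: DCA de-activated"
    if account.expires is not None and today >= account.expires:
        return "ignored: DCA expired"
    expected = sign_submission(account.shared_key, dca_id, payload)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "ignored: key mismatch or tampered data"
    return "accepted"


def demo():
    """Run constructed submissions through the check and return the outcomes."""
    today = date(2016, 6, 15)
    keys = {"dca-001": b"constructed-key-1", "dca-002": b"constructed-key-2",
            "dca-003": b"constructed-key-3"}
    accounts = {
        "dca-001": DcaAccount("dca-001", keys["dca-001"]),
        "dca-002": DcaAccount("dca-002", keys["dca-002"], expires=date(2016, 6, 1)),
        "dca-003": DcaAccount("dca-003", keys["dca-003"], active=False),
    }
    payload = b"serial=CONSTRUCTED123;mono_meter=1042"  # constructed metrics
    good = sign_submission(keys["dca-001"], "dca-001", payload)
    wrong_key = sign_submission(keys["dca-002"], "dca-001", payload)
    return [
        accept_submission(accounts, "dca-001", payload, good, today),
        accept_submission(accounts, "dca-001", payload + b"0", good, today),
        accept_submission(accounts, "dca-001", payload, wrong_key, today),
        accept_submission(accounts, "dca-002", payload,
                          sign_submission(keys["dca-002"], "dca-002", payload), today),
        accept_submission(accounts, "dca-003", payload,
                          sign_submission(keys["dca-003"], "dca-003", payload), today),
        accept_submission(accounts, "dca-999", payload, good, today),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```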
The OPS Web Portal
The OPS Web Portal is the online interface used to access the collected information.
Permissions based user management
Access to the OPS Web Portal is controlled with permissions-based user management. Users must log in to the OPS Web
Portal using a designated username and password obtained from the Service Provider.
HTTPS access
The website is accessed using HTTPS, as our web server is installed with an SSL security certificate. This provides
128-bit encryption when data is being transferred over the Internet.
The Konica Minolta OPS Server
The Konica Minolta OPS Server is hosted within the Konica Minolta network.
Backup Procedures
A full backup of the server is taken weekly.
A differential backup is taken daily.
Server Upgrades
Upgrades are tested before being released on the live server.
Notifications are sent out when the server is planned to be down during the upgrade.
System Access
Only a limited number of administrators have full access to the server.
Physical access to the server is key-lock restricted.
The room where the server is stored is secured with an ID card based system to ensure only authorised personnel have
access to the server, and to provide audit tracking of those that have accessed the room.
Account Information Storage
User account names and passwords are stored as a one-way MD5 hash to ensure the details are secured.
Security
The server uses Verisign’s SecureServerID.
Regulatory Requirements
Health Insurance Portability & Accountability Act (HIPAA)
Compliance with HIPAA is not affected by usage of the OPS software.
Because the software does not collect, house or transmit any information regarding the content of the print jobs, there is
no risk to any electronic protected health information (ePHI) as defined by HIPAA, even if this information is printed or
otherwise sent to print devices that are monitored by the OPS software.
For more information about HIPAA, visit: http://www.hhs.gov/ocr/hipaa/
Sarbanes-Oxley (SOx)
Compliance with SOx is not affected by usage of the OPS software.
Because the software is not intended to be used as part of an internal control structure as outlined in Section 404:
Management Assessment of Internal Control, there is no interference with these controls.
Information Technology controls are an important part of complying with Sarbanes-Oxley. Under this Act, corporate
executives become responsible for establishing, evaluating and monitoring the effectiveness of internal control over
financial reporting. The OPS software is not designed or intended as an IT control system, and will not interfere or put at
risk other systems that are.
For more information about SOx, visit: http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/
Gramm-Leach-Bliley Act (GLBA)
Compliance with GLBA is not affected by usage of the OPS software.
Because the software does not collect, house or transmit any information regarding the content of the print jobs, there is
no risk to any customers' personal financial information, even if this information is printed or otherwise sent to print
devices that are monitored by the OPS software.
For more information about the GLBA, visit: www.ftc.gov/privacy/privacyinitiatives/glbact.html
Federal Information Security Management Act (FISMA)
Compliance with FISMA is not affected by usage of the OPS software.
Because the software is not intended to be used as part of an internal control structure, there is no interference with
these controls.
Because the software does not collect, house or transmit any information regarding the content of the print jobs, there is
no risk to any customers' personal financial information, even if this information is printed or otherwise sent to print
devices that are monitored by the OPS software.
For more information about the FISMA, visit: http://csrc.nist.gov/groups/SMA/fisma/index.html