security white paper - list of canon productsdownloads.canon.com/nw/pdfs/solutions/mds_cloud... ·...

Canon

SecurityWhitePaper2014R3Edition

MDS Cloud – Security White Paper (c) 2014 Canon U.S.A. Inc., All rights reserved.

1

TableofContents1. IntroductiontotheMDSCloudService.....................................................................................................................2

2. AboutCanonBusinessImagingOnline.....................................................................................................................2

3. MDSCloudServiceOverview..........................................................................................................................................3

4. InformationHandlingandNetworkCommunications....................................................................................5

DataContents..........................................................................................................................................................................5

DatafromtheMDSCCAgenttotheMDSCloud........................................................................................................6

DatafromtheMDSCloudtotheMDSCCAgent........................................................................................................7

DataimportedtoMDSCloudbyaWebbrowser......................................................................................................7

DatawhichcanbeexportedfromMDSCloudfromawebbrowser.................................................................8

DatastoredbytheMDSCCAgent...................................................................................................................................8

DataimportedfromtheUGWtoMDSCloud..............................................................................................................9

DataimportfromBackendSystemstoMDSCloud..................................................................................................9

DataretrievedbyaServiceProvidersBackendSystemsfromMDSCloud...................................................9

DataRetentionPeriod........................................................................................................................................................10

DataretentiononMDSCloud..........................................................................................................................................10

DataretentionfortheMDSCCAgent..........................................................................................................................10

NetworkProtocols...............................................................................................................................................................11

CommunicationbetweentheMDSCCAgentandmanageddevices...............................................................11

CommunicationbetweentheMDSCCAgentandMDScloud............................................................................12

CommunicationbetweentheWebbrowserandtheWebUIoftheMDSCCAgent:................................13

CommunicationbetweentheMDSCCAgentandtheNetaphorlicenseserver:........................................13

NetworkTraffic.....................................................................................................................................................................13

DataCapturedfromdevicesbytheMDSCCAgent................................................................................................13

DatasentfromtheMDSCCAgenttoMDSCloud....................................................................................................14

DatafromMDSCloudtoMDSCCAgent......................................................................................................................15

DatabetweentheMDSCCAgentandtheNetaphorLicensingServer...........................................................15

5. MDSCloudServiceSecurityElements.....................................................................................................................16

6. CBIOInfrastructureArchitecture..............................................................................................................................19

7. CBIOCoreServicesOverview.......................................................................................................................................22

8. CBIOSecurityOverview...................................................................................................................................................23


2

1. IntroductiontotheMDSCloudServiceMDSCloudServiceisacloudbaseddevicemanagementofferinghostedat“CanonBusinessImagingOnline”(CBIO).

TheMDSCloudServicecollectsandstoresinformationfromEnd‐userdevicessuchasmultifunctionalcopiersand/orprintersviatheInternet.ServiceProviders(i.e.,CanonU.S.A.,Inc.[CanonUSA]andCanonAuthorizedRetailDealers)usetheMDSCloudServicetoofferdevicemanagementservicestotheirEnd‐users.

TheMDSCloudServiceallowstheServiceProviderandEnd‐Usersto:

Displaydevicestatus

Managedeviceconfiguration

Gatherdeviceusagestatistics(printvolume,copyvolume)inordertoproposeimprovementstotheEnd‐userenvironment

2. AboutCanonBusinessImagingOnlineCanonBusinessImagingOnline(“CBIO”)isaPAAScloudplatformforCanon’sbusinessapplications.CBIOprovidesEnd‐userswithaccesstoCanon’slatesttechnologyonthecloud,includingservicesthatareintegratedwithMFD(multi‐functiondevices),suchasCanonimageRUNNERAdvancedevices,andprinters.

CBIOprovidesmanybenefitstoEnd‐users:

Affordable:Withouthavinglargeup‐frontcosts,End‐userscanusecloudbasedserviceswithasubscriptionmodel.

Stable:Applicationsareinstalledonapowerful,secure,redundanthardwareinfrastructure.

QuickDeployment:Sincetheapplicationsarecloudbased,End‐userscanstartusingtheservicesrightaway.

Compatible:SincetheapplicationsareWeb‐based,servicescanbeaccessedfromanywhere.Inaddition,upgradesarehandledinthecloud,soEnd‐usersdon’thavetoworryaboutversioncontrol.

SeeSection6,“CBIOInfrastructureArchitecture,”towardstheendofthispaperforadditionaldetailsonCanonBusinessImagingOnline.


3

3. MDSCloudServiceOverviewTheMDSCloudServicecollectsandstoresinformationfromEnd‐userdevicessuchasmultifunctionalcopiersand/orprintersviatheInternet.

MDSCloudServiceDiagram

TheMDSCloudServiceiscomprisedofthefollowingsystemelements:

3.1. MDSCollection&ConfigurationAgent(MDSCCAgent)–TheMDSCCAgentisaPCapplicationthatisinstalledlocallyattheEnd‐usersite.ItisresponsibleforcollectingandaggregatingdeviceinformationattheEnd‐usersitebeforesendingittotheMDSCloud.TheCCAgentwillaccessMDSCloudonceadaytocheckforupdatestoitselfandautomaticallyupdatewhenavailable1.Whennon‐Canondevicesareinvolved,theMDSCCAgentwillautomaticallydownloadandinstallanadditionalsoftwaremodulewhichCanonlicensesfromNetaphorSoftware,Inc.ThisNetaphormodulewillperiodicallyaccessaNetaphorLicenseServerinordertoverifyitslicensestatus.TheNetaphormodulewillonlyprovidetheNetaphorserverwiththetotalquantityofdevicesmanaged;nootherinformationissenttotheNetaphorserver.SOAP/HTTPSareusedasthecommunication


4

protocols,andthedataamountisapproximately4‐6kbytespertransmission.1. Automaticupdatesareoptional.Seesection4.4.3“DatafromMDSCloudtoMDSCC

Agent.”

TheMDSCCAgentcommunicateswithNetaphor’sLicenseServerusingHTTPS

3.2. MDSCloud–TheMDSCloudstoresandmanagesEnd‐userdeviceinformationthatiscapturedviatheMDSCCAgent.

3.3. UniversalGateway(UGW)‐UniversalGateway(UGW)isaserverthatstoresinformationcollectedbyCanon’simageWARERemotesystem.TherearetwointegrationsbetweenMDSCloudandtheUGW.Bothareoptional.TheseintegrationsareforServiceProviderswhoalreadyuseimageWARERemoteandwouldliketokeepcollectingdata(onCanonDevicesonly)throughthatsystemforservice.

OneintegrationisbetweenMDSCloudandtheUGW.MDSCloudcanreceiveinformation(onCanonDevicesonly),suchascounterdatafromtheUGWandmanageitforreporting.Theinformationtransferredisbillingandpapersizecounters(seesec.4.1.7DataimportedfromtheUGWtoMDSCloud)andtheyaretransferredonceaday.

TheotherintegrationisbetweenTheMDSCCAgentandtheUGW.TheCCAgentcanpulldiagnosticserviceinformationfromCanondevicesandtransmitittotheUGWdirectlytobemanagedbythatsystem.Thepollingintervalis10minutesanddataisonlysentwhenanerror,jamoralarmoccursonthedevice.

ForadditionalinformationonimageWARERemoteandUGW,pleaserefertotheimageWARERemotesecuritywhitepaper.

3.4. ServiceProvider’sBackendSystem–TheServiceProvider(CanonSalesCompanyorAuthorizedCanonDealer)canlinktheirbackendbusinesssystemtotheMDSCloudinordertoretrieveorupdateEnd‐userinformation.

3.5. Othersystems–MDSCloudiscapableofintegrationwithcertainotherfleetmanagementdatacollectionagentsavailabletoServiceProviders.InthecasethattheServiceProviderselectsanapproved


5

non‐Canondatacollectionagent,datafromthatagentcanbestoredonMDSCloudforthepurposeofreporting.

TheMDSCloudgeneratesauniquedatabaseschema(tablediagram)foreachEnd‐userandServiceProvider.

Thetablediagramgroupstheboxesandsectorsthatdividesthetables.EachuniquetablediagramstoresdataforeachEnd‐user.Asaresult,thedataisisolatedfromothertablediagrams,andcanneverbecommingled.

Accesstodataoneachtablediagramisrestricted.AccesstoatablediagramisallowedonlyifboththerelationshipbetweenEnd‐userandServiceProviderisverified,andtheEnd‐user’stenants/rolesareverifiedbyCanonBusinessImagingOnline.Ifanyoftheseareunverified,accesstothetablediagramisprohibited.

MDSCloudDatabase

4. InformationHandlingandNetworkCommunicationsIntheMDSCloudService,theMDSCCAgentisthemainconduitforcapturingdeviceinformationattheEnd‐usersiteandsendingittoMDSCloud.MDSCloudcanalsoreceivedatafromsystemintegrationwiththeimageWARERemoteUGWserver,ServiceProvider’sback‐endsystemsandothernon‐Canonfleetmanagementsystems.ThissectiondescribesthedatahandledbytheMDSCCAgent,aswellasthenetworkprotocolsusedforcommunicationsandinformationonthenetworktrafficgeneratedbytheMDSCCAgent.

4.1. DataContents

MDSCloudServicehandles(sends,receives,stores)thefollowingdata:SetupInformationItincludeslogininformationtologintotheMDSCCagent,andalsoMDSCCagent’ssetupinformationtoconnectwithMDScloud.


6

ManagementInformationItincludesidentificationinformation,controlinformation,andthedebuglogsfortheMDSCCAgent.

DeviceconfigurationItincludesconfigurationandidentificationinformationforeachofthedevices.

DevicemanagementinformationItincludesdataabouttheoperationalstatusofdevices.Thisinformationiscollecteddirectlyfromthedevices,oritisenteredbytheserviceprovider.

JobInformationJobLoginformationmayincludethepropertiesoftheprintjobs,suchaswhichapplicationwasused,whetherthejobwasduplexed,pagelayout(2‐up/4‐up),andwhethertheprintjobwascolororblackandwhite.

End‐usermanagementinformationInformationforidentifyingEnd‐usertenantIDs.

PCconfigurationinformationIncludesinformationabouttheconfigurationofthePCwheretheMDSCCAgentisinstalled.

4.1.1. DatafromtheMDSCCAgenttotheMDSCloudDatacategory Datacontents

MDSCCAgentSetupandManagingInformation

MDSCCAgentID(ClientID)DebugLogID

End‐usermanagementInformation

End‐user tenantID

DeviceConfiguration IPaddress/MACaddressDeviceID(SerialNo.)ProductNameDeviceNameLocationSiteOption(s)Color/MonoFirmwareversion

DevicemanagementInformation

Jobhistory(Joblogs;PrintVolume,CopyVolume)- PrintJob- ScanJob- FaxJob- Sent/ReceivedJob

Counterinformation- BillingCounters

Devicestatusmonitoringinformation- Statusofdevice- Tonerlevel- Paperlevel

PCconfigurationinformation - HDDwhereCCAgentisinstalledFreeSpace- SystemHDDFreeSpace- InstalledMemory- Processor- ThelatestdateofWindowsUpdateinstallation- OSinformation(Thenameandversionnumber)


7

4.1.2. DatafromtheMDSCloudtotheMDSCCAgentDatacategories Datacontents


MDSCCAgent controlinformation- ThetimewhentheMDSCCAgentaccessedMDSCloud- ClientID(TenantID)- Listofmanageddevices- Setupinformationforsendingjobhistory

(Identifieswhichportionsofthejoblogwillbesentandwhichwillnot)

- SNMPconnectionsettingDevicesettingsinformation DepartmentalIDsettings

WebbrowsersettingAddressbookUser‐modesettings

4.1.3. DatafromMDSCCAgenttotheNetaphorLicenseserverTheMDSCCAgentonlyprovidesinformationtotheNetaphorlicenseserver1thatcanbeusedtoprovidethecorrectnumberofmanagedthirdpartydevices.Nootherinformationaboutthedevicesorusers,ortheirrespectiveusages,areprovidedtotheserver.Theinformationisprovidedonceaday.1.ThelicensedsoftwareserversarelocatedonpremisesofNetaphor.

4.1.4. DataimportedtoMDSCloudthroughaWebbrowser

ThefollowingDatacanbeimportedintoMDSCloudusingaCSVfile(ororiginalfile,asapplicable)viaawebbrowser.

Datacategory Datacontents

DeviceconfigurationInformation

DeviceIPaddress/MACaddressDeviceID(=serialNo.)ProductnameDevicenameLocationSiteOption(s)Color/MonoFirmwareversion



CounterInformation- Billingcounter- Papersizecounter

Devicesettings

Information

Basicregisteredsetting(Aboutnetworkconnection,security)PapertypesSending

BothDeviceConfigurationandDeviceManagementinformationareimportedasCSV.DeviceSettingsinformationisimportedinCanon’soriginalformat.


8

4.1.5. DataexportedfromMDSCloudfromawebbrowserThefollowingDatacanbeexportedfromMDSCloudaviawebbrowser.

Datacategory Data contents

DeviceconfigurationInformation

DeviceIPaddress/MACaddressDeviceID(=serialNo.)ProductnameDevicenameLocationSiteOption(s)Color/MonoFirmwareversion



Devicesettings

Information

Basicregisteredsetting(Aboutnetworkconnection,security)PapertypesSendingBoxsettingDepartmentalIDmanagementMainmenuWebbrowserCommonly‐usedsettingAddressbookAdvancedboxCustommenuMEAPapplicationsettingUsersettingWorkflowComposersetting

4.1.6. DatastoredbytheMDSCCAgentThefollowingDataisstoredintheMDSCloudCCAgentformanagementpurposes.

Datacategories Datacontents

MDSCCAgentSetupandManagementInformation

DebuglogIDofMDSCCAgentProxysetupInformationMDSCCAgentAdministratorInformation

End‐usermanagementInformation

End‐user tenantID(IDforaccessingEnd‐userdatainMDSCloud)



Devicestatusmonitoringinformation- Statusofdevice- Tonerlevel- Paperlevel

UGWConnectionInformation ConnectedURL


9

4.1.7. DataimportedfromtheUGWtoMDSCloudTheMDSCloudmaybeconfiguredtoimportthefollowingdatafromtheUGW:


Devicemanagementinformation

Counterinformation- Billingcounter- Papersizecounter

4.1.8. DataimportfromBackendSystemstoMDSCloudTheMDSCloudcanreceivethefollowinginformationfromtheServiceProvider’sbackendsystem.


Customerinformation Includesdataenteredforeachcustomerinthe“CustomerInformation”tab

Deviceconfigurationinformation

IPaddressMACaddressSerialnumberProductnameDevicenameLocationOptionalinformationColor/Mono

DeviceManagementInformation

Jobhistory(joblog,printvolume,copyvolume)- Printjob- Copyjob- Scanjob- Faxjob- Sent/ReceivedJob

Counterinformation- Billingcounter

Incidentinformation(inquiries,claims/callsfromcustomers,maintenancerecords)Devicestatusmonitoringinformation

- Statusofdevice- Tonerlevel


MDSCCAgentsetup informationDevicediscoverysetupinformation

MDSCloudsettinginformation IncludesMDS Cloud settings data available in the “Settings” tab foreachcustomer

4.1.9. DataretrievedbyaServiceProvider’sBackendSystemsfromMDSCloudThefollowingDataisavailabletoServiceProviderbackendsystemsbyusingawebserviceinterfacefromMDSCloud.


Deviceconfigurationinformation

DeviceIPaddress/MACaddressDeviceID(=serialNo.)ProductnameDevicenameLocationSiteOption(s)


10

Color/MonoDevicemanagementInformation


CounterInformation- Billingcounter

CustomerInformation Includesdataenteredforeachcustomerinthe“CustomerInformation”tab


Pastsummarizedandaggregateddata- Joblogs

Devicestatusmonitoringinformation- Statusofdevice- Tonerlevel

4.2. DataRetentionPeriod

4.2.1. DataRetentiononMDSCloud

End‐userdataisstoredonMDSCloudinordertoprovideservicessuchasreporting,automatedbilling,etc.WhenanEnd‐userstopsusingtheMDSservice(contractualtermination),theServiceProvidermaydeletetheregisteredEnd‐userinformation.Then,whendeleted,thedatawillbeerasedfromthedatabasewithin24hoursusingabatchprocess.Asaresult,allofthetenantinformationrelatingtotheEnd‐userisdeleted,andtheEnd‐user’sscheme(table)willbewipedoutfromtheMDSClouddatabase.

Whilethecontractisactive,thedataiskeptforthespecifiedretentionperiodforcontractedEnd‐users.Theretentionperiodforcontractedcustomersislistedinthefollowingtable.

DataCategory DataContent TimingofdeletionDeviceManagementInformation1

CollectedbyMDSCloudCCAgent:JobhistoryCounterinformation

- Billing counter(Service mode counter,Allassetcounter,Summarycounter)

- PapersizecounterDevicestatusmonitoringinformation

- Statushistories

After100days thedataisdeleted.

ImportedthroughtheWebPortal:IncidentinformationCounterinformation

- Billingcounter- Papersizecounter

After3monthsthedataisdeleted.

SummarizedData2

Dataforreportingbasedonrawdata After3yearsthedataisdeleted.

Devicesettingsinformation

DeviceSettingsInformation MDSCloudstoresamaximumof4setsofconfigurationsettings.

1. DatathatiscollectedfromtheMDSCloudCCAgentorimportedthroughtheWebPortalandSystemIntegrationisconsidered“RawData.”

2. "SummarizedData"meanscalculateddatafrom"RawData"forreportinganddisplayontheDashboard,e.g.monthlyusageperdevice/user,monthlyuptimeperdevice,etc.


11

4.2.2. DataRetentionfortheMDSCCAgentDataistemporarilystoredbytheMDSCCAgentonthelocalPCitrunsonuntilitforwardsittoMDSCloud.DatahandledbytheMDSCCAgentisdeletedateachintervalbelow:


MDSCCAgentmanagementinformation

ItisautomaticallydeletedwhentheMDSCCAgentisuninstalled.

DeviceConfiguration Itisautomaticallydeletedwhenmanagementofthedeviceisstopped.

Jobhistory ItisautomaticallydeletedwhenitisforwardedtoMDSCloud.

Counterinformation Itisautomatically deletedwhenitisforwardedtoMDSCloud.

Devicestatusmonitoringinformation

AutomaticallydeletedwhenitisforwardedtoMDSCloud.It isalsoautomaticallydeletedwhenmanagementof thedevice isstopped.

4.2.3. DataRetentionforbackendsystem/externalsystemdataDatacanbeimportedintoMDSCloudfromDealer’sbackendsystemoranotherexternalsystemtheymayusetohandlecustomerdata.

DataCategory

DataContent Timingofdeletion


JobhistoriesCounterinformation

- Servicemodecounter- Summarycounter

Devicestatusmonitoringinformation

- StatushistoriesIncidentinformation

This dataisstoredinMDSCloudfor36months(UTC basis). After 36 months, the data isdeletedbyadailybatchprocess.

4.3. NetworkProtocolsSeveralportsandprotocolsareusedintheoperationofservicesthataresupportedbyMDSCloud.ThefollowingprotocolsandportsareusedforcommunicationbetweentheMDSCCAgentandmanageddevicesandbetweentheMDSCCAgentandMDSCloud:

4.3.1. CommunicationbetweentheMDSCCAgentandmanageddevicesProtocol PortNo. Source Purpose

SNMP UDP/161 Device AcquisitionofMIB(devicemonitoringanddeviceconfigurationinformation)

SLP UDP/427 Device Acquisitionofdeviceconfiguration

CanonProprietary(1) UDP/47545 Device Acquisitionofjoblogs/counterinformation


12

CanonProprietary(1) TCP/47546 Device Acquisitionofjoblogs/counterinformation

CanonProprietary(1) TCP/9007 Device Acquisitionofjoblogs/counterinformation

CanonProprietary(1) UDP/50700(IPv4)2

UDP/50701(IPv6)2

MDSCCAgent Receivingeventinformationfromdevices

SLP UDP/11427 MDSCCAgent Receivingdevicestatus

HTTP TCP/80(*5) Device

/MDSCCAgent

Receivingandforwardingdeviceinformation

HTTP TCP/8000 MDSCCAgent Receivingandforwardingdevicesettings

HTTP TCP/18080 MDSCCAgent Receivingandforwardingdevicesettings

HTTPS TCP/443 MDSCCAgent Forwardingdeviceconfigurations

HTTPS TCP/8443 MDSCCAgent Receivingandforwardingdevicesettings

HTTPS TCP/18443 MDSCCAgent Receivingandforwardingdevice(EFIDevice)settings

HTTPS TCP/Vacantportbetween44301‐44399

Device Acquisitionofdeviceconfiguration

1Canonproprietaryprotocolsareusedforacquiringjoblogsandeventinformationdata.TheyareusedforCanondevicesonly.2Iftheportisoccupied,itisautomaticallyallocatedtoanotherunusedport

4.3.2. CommunicationbetweentheMDSCCAgentandMDScloudProtocols Port No. Server

HTTPS TCP/4431 MDSCloud

1 Theportisspecifiedbyproxy.


13

4.3.3. CommunicationbetweenaWebbrowserandWebUIoftheMDSCCAgentProtocols PortNo. Server

HTTP VacantTCPportbetween44300and44399

MDSCCAgent

HTTPS Vacant TCPportbetween44300and44399

MDSCCAgent

4.3.4. CommunicationbetweentheMDSCCAgentandthelicenseserver:Protocol PortNo. Server

HTTPS TCP/443 NetaphorLicenseserver

4.4. NetworkTrafficTheMDSCloudServicegeneratesthreetypesofdatatrafficwithinanEnd‐user’snetwork.

DatacapturedfromdevicesbytheMDSCCAgent. DatatransferredfromtheMDSCCAgenttoMDSCloud. InformationreceivedbyMDSCCAgentfromMDSCloud.

*Inadditiontothethreetypesofdatatrafficlistedabove,trafficbetweentheMDSCloudServiceandtheServiceProvider’sbackendsystemisalsopossibleifthatintegrationisconfigured.Eachtypeofdatatrafficisdescribedindetailbelow.

4.4.1. DataCapturedfromdevicesbytheMDSCCAgentIf100jobs(74printjobs,6scanjobs,10faxjobs,10sendjobs)occurinaday,thetotalamountofdatatransferredfromaCanondevicetoMDSCCAgentisestimatedtobe1.9MB.Fromanon‐Canondevice,theestimatedamountis1.6MB.(Theamountofdatadependsondevicetype,configurationandjobcontent.)

Theamountandfrequencyofeachtypeofdataisshowninthefollowingtable.Contents Dataamounts CapturingfrequencyJobHistory

Canondevice

Dependenton thenumberofjobsPrintjob：Approx.4KBScanjob：Approx.3KBFaxjob：Approx.2KBSendjob：Approx.2KB

MDSCCAgentperiodicallypollsdevicesandpullsdataatthefollowingintervals:‐Every10min.(Fordevicesthatcannotstoremorethan1,000jobs)‐Every60min.(Fordevicesthatcanstoremorethan1,000jobs)

‐Onceaday1

(Evendevicesinsleepmodearewokenandhavedatacapturedonceaday)

Non‐Canondevice

Notcaptured Notcaptured


14

CounterInformation

Canondevice

Approx.19.1KB

Every12hours(polling).(Ifadevicehasbeenasleepfor24hourssinceitscounterdatawaslastcaptured,thedeviceiswokenandthecounterdataiscaptured.)

Non‐Canondevice

Approx.1.7KB Every12hours(Polling).

Statusofdevice

Canondevice Approx.0.8KB Every5minNon‐Canondevice

Approx.0.6KB Every5min

Tonerlevel Canondevice Approx.2.4KB Every5minNon‐Canondevice

Paperlevel Canondevice Approx.2.7KB Every5minNon‐Canondevice

Configuration

Canondevice Approx.10KB Onceaday2(Whenpowerison3)Non‐Canon

deviceDevicesettings

Information

Canondevice Approx.1MB Specifiedbyserviceprovider

Non‐Canondevice

Noncaptured

1.Foralldevices.2.Fordevicesundersleepmodeorotherthanpower‐off.3.Fordevicescapableofsendingthe“power‐on”event.

4.4.2. DatasentfromtheMDSCCAgenttoMDSCloudTheamountofdatasentfromtheMDSCCAgenttoMDSCloudperdayisestimatedtobeapproximately170.9Kbytes(perCanondevice)/approx.25.5Kbytes(pernon‐Canondevice).Thisestimationisbasedontheassumptionthateachdevicegenerates100jobsaday,thestatusofeachdevicechangestwiceaday,thetonerlevelchangesonceaday,anddataisforwardedfromtheCCAgenttoMDSCloudwith35%compression.Thedataamounts1andforwardingfrequenciesfromtheMDSCCAgentareshowninthetablebelow.Contents Dataamounts Forwardingfrequency2

(Timing)Jobhistory3

Canondevice Approx.70KB Every8hours

Non‐Canondevice Notcaptured Notcaptured

Counterinformation Canondevice Approx.3.KB Every12hoursNon‐Canondevice Approx.1.KB

Statusofdevice

Canondevice Approx. 1.KB Whenachangeisdetectedinthedevicestatus.Non‐Canondevice Approx. 1.KB

Tonerlevel Canon Approx. 2.KB Whenachangeisdetectedinthetonerlevel.

Non‐Canondevice

Paperlevel Canondevice Approx. 2.KB Whenachangeisdetectedinthepaperlevel.Non‐Canondevice

Configuration Canon Approx.5KB Onceaday


15

Non‐Canondevice

Devicesettings

Information3

Canon Approx.1MB Specifiedbyserviceprovider

Non‐Canondevice ‐ ‐

EventdetectionCanon Approx0.1KB 480timesinaday

Non‐Canondevice ‐ ‐

DebuglogID3Canon Approx.230KB Onceaday

Non‐Canondevice ‐ ‐1.Dataamountsareforindividualdevices.2.Sendingisattemptedeveryfiveminutes.3.Jobhistory,DevicesettingandDebuglogIDarenotcapturedfromnon‐Canondevices.

4.4.3. DatafromMDSCloudtoMDSCCAgentTheMDSCCagentreceivesapproximately2.5kBofdataperdevice/perdayfromMDSCloud.Thecontent,amountandthereceivingfrequenciesareshowninthetablebelow.Contents Data

amounts(*1)Receivingfrequency

Listofmanageddevices

Approx.0.40kB1 Onceaday

Devicediscoverysettings Approx.0.63kB Every8hoursMDSCCAgentManagementInformation.

Approx.0.25kB Onceaday

Devicesetting Approx.1MB SpecifiedbyeachofServiceProviders

Eventoccurrenceinformation Approx.1kB Incaseaneventoccurs suchas:

- Deviceaddition,deletionanddata‐update(SerialNo.,IPaddress,hostname,MACaddress)

- Updateonclientinformation- Updateondevicesearchsetting- Settingsaboutdelivery/capturing

scheduleofdevicesettinginformation- Delivery/CapturingDevicesetting

information

ThemostrecentversionnumberoftheMDSCCAgent

A fewkB Onceaday

1.Thedataamountsonthetableareperdevice.Thetotaldataamountwillvarydependingonthenumberofdeviceslisted.

4.4.4. DatabetweentheMDSCCAgentandtheNetaphorLicensingServerTheMDSCCAgentonlyprovidesthetotaldevicecounttotheNetaphorlicensingServertoensurethecorrectnumberofmanageddevices.Nootherinformationaboutthedevicesorusersortheirrespectiveusagesareprovidedtotheserver.Content Data amount Frequency

Numbersofmanageddevicesandinformationabout Approx.4‐6kB Onceaday


16

licensevalidation

5. MDSCloudServiceSecurityElements

5.1. MDSCloudServicePortalAuthentication

TogainaccesstotheMDSCloudPortal,ausermustbeproperlyauthenticated.Additionally,usersareassignedrolesspecifiedbyEnd‐Useradministratorsthatcontrolthefeaturesthatcanbeaccessed.Thisensuresthatuserscanonlyaccessdataandfeaturesthatareappropriateforthespecificrolesthattheyhavebeenassigned.UsersarealsopreventedfromaccessingdatafromothertenantsorEnd‐usersonMDSCloud.

5.2. MDSCCAgentAuthentication

MutualauthenticationisusedforcommunicationbetweentheMDSCCAgentandtheMDSCloud.Duringtheinstallationprocess,auniquekeyisprovidedtotheagent.Subsequentconnectionsmustbeauthenticatedusingtheuniqueagentkey.

TheMDSCCAgentcanbemanagedfromauserinterfaceviaaWebbrowser.TheconnectionrequiresauthenticationandisprotectedusingSSL/TLS.

5.3. UniversalGateway(UGW)Authentication

IntegrationwiththeUniversalGateway(UGW)requiresauthenticationwiththeUGWservice.ToenablethesecureestablishmentofcommunicationwiththeUGWService,theappropriateUGWcredentialsareconfiguredontheMDSCloudsystem,viaasecureWebbrowserinterface.

5.4. DataTransmissionSecurity

ThecommunicationprotocolbetweenaWebbrowserandCanonBusinessImagingOnlineserverisviaHTTPS(HTTPoverSSL/TLS)protocol.Additionally,communicationbetweentheWebbrowserandtheprintdevicethatisdoneaspartoftheDirectPrintcaseandcanalsobesecuredviaSSL/TLS(optional).TheCBIOServerCertificateissignedbyVeriSignandinstalledinCanonBusinessImagingOnlineserverenablingdataencryptionthroughSSLconnection.TheCanondeviceshavetherootVeriSigncertificatepre‐installedandanymodernWebbrowserusedbytheclientPCshouldaswell–thusnoadditionalconfigurationisneededforSSLcommunicationstoCBIO.

5.5. Validationofreceiveddata

MDSCloudServiceperformsthefollowingvalidationproceduresforthereceiveddata:SourceconfirmationIfthedatadidnotoriginatefromaregistereddevice,thedataisnotcaptured.

ConfirmationforreceiveddatacontentsThereceiveddataisalsocheckedforadequacyoftheformat.Inaddition,thecontentsarealsocheckedastowhethersufficientinformationisincludedornot.Thisincludesdatafrombackendorexternalsystems.


17

5.6. End‐userDataSecurity

SecurityisprovidedfordatathatisstoredonCBIO.FortheMDSCloudService,onlyinformationrelatedtotheoperationandmanagementofdevicesisstoredonCBIO.Nevertheless,thesecurityofthedataisimportant,soitisencryptedbothintransitandinstorage.AllcommunicationswithCBIOareprotectedusingtheSSL/TLSprotocol.ThisprotectionisprovidedbothforcommunicationfromtheclientPCbrowserandthecommunicationwithCBIO‐enabledprintingdevices.Strongencryptionisprovidedfordatainstorage,viatheAES256algorithm.

SegmentationisprovidedbetweenEnd‐usersintheMDSCloudsystem.ACBIOEnd‐userortenantisacorporationorgroupwithincorporationsthatuseCanonBusinessImagingOnline.OnlyusersthatbelongtoacontractedgroupandhavecreatedaCanonBusinessImagingOnlineaccountinthatgroupcanuseCanonBusinessImagingOnline.

CanonBusinessImagingOnlineimplementsanintermediaryvirtualpartitionlayerbetweenatenantanduserdatathatmakesitappeartothetenantasthoughitsdataistheonlydataintheuserdatastorage.Tenantsettingsuseaccesscontrolliststodeterminewhocanaccessdataandwhattheycandowithit.Userprintdataisencryptedwithauniqueencryptionkeyforeachtenant/End‐userusingtheAES256encryptionalgorithm.

5.7. Accesscontrolforhierarchicalschemes(End‐usertenants)data

TheMDSCloudServicesupportshierarchicalschemes(End‐usertenants)andsupportsfeaturessuchas“ServiceDelegation”and“ServiceforGlobal/Regionalaccounts.”Forexample,ABCCompanyisregisteredasanupperlevel,whileeachofthebranchessuchasA‐Disregisteredasalowerlevel(Seediagrambelow).


18

WhenaconfirmationcodeissetupbytheServiceProviderthatisinitiallylinkedwiththeupperlevel,thespecificlowerlevelEnd‐usertenantcanbelinkedwithanotherServiceProvider.Then,thelowerleveltenant’sdatacanbesharedbetweentwoServiceProviders.1Thismeansthatallofinformation,excludingreportsthataremadebytheoriginalServiceProvideraboutthetenant,canbesharedwithanotherServiceProvider.1. Allinformationthatislistedin“DatafromtheMDSCCAgenttotheMDSCloud”(Sec.4.1.1)isshared.

TheotherServiceProvidercannotstartthedata‐sharingwithouttheEnd‐user’sacceptancewithaclickfromitsownEnd‐userportal.ServiceProviderswhodonothavetheconfirmationcodecannotaccessanyoftheEnd‐user’sdata.(Seediagrambelow)

(InformationsharingbetweendifferentServiceProviders)

ABC branchA ABC branchB ABC branchC

Service provider a. Service provider z.

ABC Co.

ABC branchC’sTenantID.

Confirm.code

ABC is initially linked with service provider a.

ABCbranch.C is linked(shared) withservice provider z.

Information about ABC branchC can be shared only between service provider a. and z.

Table Table Table


19

5.8. AvailabilityTheCanonMDSCloudisdesignedtoprovide99%annualuptime,providing24hours/day,7days/week.Thesystemisdesignedwithfail‐overcapability,sothatintheeventthataWebserver,applicationserver,ordatabaseserverisdown,thesystemwillcontinuetooperatenormallyandwillbeavailablewhenneeded.

6. CBIOInfrastructureArchitectureCBIOoffersenterprise‐classsecurityandreliabilitybyleveragingservicesfromarecognizedthird‐partycloudinfrastructureprovider.ThedatacentersthathostCBIOareTierIIIcertified,andofferhighlevelsofdataprotection,reliabilityofservice,andsecurity.AuthorizeduseraccesstotheMDSCloudbyEnd‐users(designatedcontact)orServiceProvidersisperformedviaasecureMDSwebportal.

OurdatacenterimplementsthefollowingmeasurestoprovideredundancyofEnd‐user'sdata.

Server Description

(Configuration) (System Disk) (Additional Disks) (NIC) WebServer ‐ Loadbalanced

‐VMfailoveronpartialhardwarefailure

Quadruplebackuponseparatedisks


Duplex

APServer - Loadbalanced‐VMfailoveronpartialhardwarefailure



Duplex

DatabaseServer

Mirroredbackedup Quadruplebackuponseparatedisks


Duplex

DNSServer

Duplex(primary/secondary)

RAIDoflocaldisksintheserver.

‐ Duplex

MonitoringServer

Coldstandby Quadruplebackuponseparatedisks

‐ Duplex

BackupServer

Single Quadruplebackuponseparatedisks

RAIDdisks Duplex

Disasterrecovery(Recoveryfromnaturaldisasters)Thisservicekeepsdailybacked‐updatainanotherremotelocation.Incasethedataisdamagedfromanaturaldisaster,itcouldberestoredfromtheremotebackup.BelowaresomeofthekeyarchitecturaldesignpointsfortheCBIOInfrastructure.

6.1. SharedInfrastructureResponsibilityModel

InfrastructureresponsibilitiesaresharedbetweenCanonandthecloudinfrastructureprovider.

ThecloudinfrastructureproviderisresponsibleforallaspectsofthephysicalsecurityofthedatacentersthathostCBIO,aswellasthevirtualizationlayersrelatedtosharedinfrastructurecomponents,suchasphysicalstoragefordata.Encryption(AES128)isusedbythecloudinfrastructureprovidertoprotectdatapartitionswithinphysicalstorageareas.

CanonUSAisresponsibleforthevirtualservers,operatingsystems(includingsecurityupdates)andapplicationsthatprovideCBIOservices.CBIOapplications,suchastheAuthenticationServicesandPrintServices,furtherenhancedatasecuritybyencryptingEnd‐userdatautilizingAES256usinguniquekeysforeachEnd‐user.


20

6.2. PhysicalandEnvironmentalSecurity

ThefacilitiesusedtodeliverCBIOservicesarelocatedinJapan,incutting‐edgeearthquakeresistantdatacenters.Inthefuture,datacenterswillalsobelocatedintheU.S.

Thesefacilitiesareprotectedbythefollowingrangeoftechnologies:

Strictrestrictionsimposedonsections,serverrooms,andotherlocations.

CentralizedIDmanagementforemployeesandvisitors,includingwhereaboutstrackingviaRFID.

PalmandVeinAuthenticationisassociatedwithemployeeandvisitorIDsandisusedforaccesscontrol.

Tailgatedetectiontoensurethataccesstoasecuredareaisgrantedtoasinglepersonforeachvalidsecuritycardpresented.

Associationofsurveillancevideowitheventlogs,andlongtermstorageofsecurityvideoandeventlogs.

6.3. SystemsSecurity

ThefollowingpracticesandtechnologiesareutilizedonCBIOrelatedhostsystems:

Patchmanagementforsecurityupdates

Useofantivirussoftwareformalwaredetection

Useofhost‐basedfirewalls

Logmanagement

Independentsecurityassessments


21

6.4. BusinessContinuityandDataManagement

CBIOemploysnumerouslevelsofredundancyformajorcomponentssuchasservers,storage,networkdevicesandpowersupplyequipmentinordertoeliminatesinglepointsoffailure.

Backupsofinfrastructurecomponentsarehandledbytheserviceprovider.Further,CanonUSAperformsbackupsofCBIOsystems,applicationsandEnd‐userdatainordertoachievebusinesscontinuitymanagement.

6.5. MonitoringandLogManagement

CBIOsystemsareconfiguredtostoreeventlogslocally,aswellasforwardeventstocentralizedlogmanagementservers.AllsystemssynchronizetimeviaNTPtoensureaccuratetimestampsofevents,andenableeventcorrelationbetweenvarioussecuritysystems.Forexample,videosurveillancelogscanbematchedwithsystemaccessentries.Logsaresavedforaperiodof5years.

6.6. IncidentManagement

Policies,processesandproceduresareestablishedtorapidlyandaccuratelymanageinformationsecurityincidents.Further,CanonUSAoritsaffiliateconstantlymonitorssecurityrelatedinformationfornewdevelopmentsandpotentialissuesinordertomaintainthehighestlevelsofsecurity.

6.7. RelatedCertifications

ThefollowingcertificationshavebeenattainedbyCanonUSAoritsaffiliateand/orit’sServiceProviderforCBIOrelatedinfrastructure:ISO9001/ISO14001//ISO20000/ISO27001/Privacymark(JISQ15001).

6.8. IndependentSecurityAssessments

Priortolaunch,theCBIOInfrastructureandsystemsunderwentextensiveinternalandexternalpenetrationtestingbyanindependentsecuritycompany.Independentsecurityassessmentsarealsoperformedonperiodicbasistoensurethehighestsecuritystandardsaremaintained.


22

7. CBIOCoreServicesOverviewCanonBusinessImagingOnline(CBIO)providesasetofcoreserviceswhichMDSCloudisbuiltupon.ThissetofservicesincludesManagementServices(suchasUserandTenant),anAuthenticationServiceandaLogService.UserscanlogintoCBIOviaaWebbrowserandCanonmulti‐functiondevices.

7.1. AuthenticationandAuthorizationServices

AuthenticationandAuthorizationServicesareusedtoenableaccesstoCBIObasedonaUserIDandpasswordandmanageduserroles.TheunifiedauthenticationprocessdetersmalicioususersfromaccessingCBIOservices.

AuthenticationandAuthorizationServicesareusedbyallCBIOservices.

AuthenticationServicesupportstheSAML2.0protocolandcanprovideSingleSignOn(SSO)withotherprovider’scloudservicestoprovideseamlessconnections.

7.2ManagementandLogServices

ManagementandLogServicesareusedtomanageCBIOIDinformation(subscriptions)aswellasoperationinformation.CBIOmanagesthefollowingusersandusageactivities: Tenantinformation UserID/passwordinformation Userroles Alluseractivities(useroperations)aretrackedandmanagedbyLogServices.


23

8. CBIOSecurityOverviewAhigh‐levelsummaryofsecurityfeaturesforCanonBusinessImagingOnlineisdescribedinthechartbelow.

Item HowSecured

DatacenterCertification ISO9001/ISO14001/ISO20000/ISO27001

Networkprotocol https（SSL3.0）

Authentication ID,passwordrequiredtologin

Singlesignonprotocol SAML2.0

Datacentersecurity DataSeparation,AccessControl,Encryptionofprintdata(AES256)

DataCenterfacilitysecurity Palmandveinauthenticationforentrance 24hourmonitoring WhereaboutstrackingusingRFIDtagsmonitorsallemployeesandvisitors

Lockedracks

8.1SingleSignOn

InordertousetheservicesofCanonBusinessImagingOnline(CBIO),usersmustbeauthenticated.CanonBusinessImagingOnlinesupportsSAML2.0(SecurityAssertionMarkupLanguage)andprovidesSingleSign‐OnfunctionalityviatheWebbrowser.

8.1.1SAML

SAMLisanXMLstandardestablishedbytheinformationstandardsassociationOASIS,andisusedforexchangingauthenticationinformationbetweendifferentsitessafelyandinsuchawaythatitenablessinglesign‐on.

security white paper - list of canon productsdownloads.canon.com/nw/pdfs/solutions/mds_cloud... ·...

Documents