
Practice Your Peripheral Vision

The proliferation of next-generation printing and imaging devices comes with a caveat: On-board storage makes these machines a trove of sensitive corporate data.

It’s common knowledge in corporate IT that the hard disk drives lurking in outdated and out-of-service PCs, laptops and servers can be a trove of critical corporate data if improperly discarded. But what about all of those peripherals?

Take a look around most offices today and you’re likely to see dozens of modern imaging devices all connected to the network and dutifully processing — and storing — print jobs, scans, copies and faxes. Like their PC counterparts, those smart printers and multi-function devices from Canon, Hewlett-Packard, Xerox, Ricoh and many others sport HDDs of their own. And they’re just waiting to spill company secrets if the CIO decides to toss them in the dumpster like so much office trash or, worse yet, tries to hawk them on eBay.

It’s a growing problem as enterprises increasingly turn over their printing infrastructures to managed print providers promising improved document management efficiency through the use of fewer, more powerful and more intelligent network-connected multi-function peripherals (MFPs). Xerox officials say managed print is one of the fastest-growing segments in its product portfolio, gaining close to 35 percent year over year. Gartner now estimates that more than 70 percent of large businesses contract managed print services.

That trend means a proliferation of next-generation printing and imaging devices with built-in, industry-standard storage media from manufacturers like Western Digital and Seagate that is indistinguishable from the HDDs in any desktop computer or data-center server.

In 2010, a CBS News investigative report combed the HDDs from several discarded photocopiers and made some shocking discoveries. Among the items they found:

  • A list of targets in a major drug raid, detailed domestic violence complaints and a list of wanted sex offenders from the Buffalo (N.Y.) Police Department.
  • A New York construction company’s design plans for a building near Ground Zero in Manhattan along with 95 pages of pay stubs with names, addresses and Social Security numbers and $40,000 in copied checks.
  • More than 300 pages of individual medical records with everything from drug prescriptions to blood test results to a cancer diagnosis from a New York-based medical insurance company.

It’s not just gigabytes of documents filled with intellectual property and corporate secrets these new peripherals are holding onto. The print management systems at the heart of networked imaging devices collect and store reams of user credentials, job logs, performance data and document-management protocols, making the loss of such information a multiple threat to the organization.

The simple disclosure of a file name such as “Smith_Hepatitis_Results.doc” could mean significant brand damage and hefty fines to a healthcare organization, for example. Fax logs tell the competition who your business partners are (and often leak long-distance access codes). Printer access rosters betray your workforce and their duties along with their contact information and passwords.

For IT executives and the growing number of IT service providers with managed print practices, all of this means that Job One when taking printers and other peripherals out of service is ensuring the internal hard drives are handled properly and that sensitive corporate data is erased beyond recoverability.

Many MFPs today include utility programs built into their operating systems that purport to erase existing data. However, none of the apps available from any of the major printer manufacturers will ensure the HDDs are sanitized to the industry-recognized NIST 800-88 standards used for drives from computing devices.

Some of the marquee printer vendors market a “security kit” add-on that reduces the amount of information being stored locally based on parameters set by the user. But even those systems fail to account for the data that remains when a multi-function peripheral is taken out of service. The only sure way to safeguard the sensitive data stored on printers, copiers and MFPs is to engage the services of a trusted and certified ITAD partner who can decommission storage assets safely and responsibly.

And remember that the integrity of the data goes beyond the actual HDD processing at the ITAD provider’s facility. Chain of custody for printing and imaging peripherals and their components in transit should be assured and documented.

Even the SANS Institute, the recognized leader in information-security training, has sounded the alarm on the vulnerability of critical data in printers and other peripherals. “Given the fact that they contain an embedded operating system, run popular services such as HTTP, FTP and SMTP, and store gigabytes of data, multi-function devices should be treated like servers,” a SANS report warns. “By following a hardening strategy similar to that which you use on your servers, many of the risks these devices present can be mitigated.”