PrinterLogic’s 18.3 Release Brings Added Security, Ease of Use

The release of version 18.3 marks the arrival of many highly anticipated features in PrinterLogic’s enterprise print-management software. Several new features augment the company’s serverless infrastructure with direct and dramatic improvements to secure printing, making PrinterLogic’s next-generation solution as hardened in terms of security as it is flexible in implementation.

Printer-agnostic CAC/PIV authentication
Employees of U.S. federal agencies are issued smart cards as an authentication mechanism. In the Department of Defense (DoD), these are referred to as Common Access Cards (CAC). In other agencies they are called Personal Identity Verification (PIV) cards. Among other purposes, these smart cards are used to securely release print jobs that are being held until the employee is at the printer, ready to receive them.

The primary advantages of PrinterLogic’s optional CAC/PIV solution is that it is serverless and printer agnostic, which means it works without traditional print server infrastructure, and that the PrinterLogic card reader can be used with any printing device, regardless of its make or model. This enables departments or whole agencies to implement secure CAC/PIV print release across their entire printer fleet without having to replace any printers.

As described in our white paper on print security in government agencies, print servers are single points of vulnerability that create attractive attack vectors for malicious actors. PrinterLogic’s serverless infrastructure eliminates the risks associated with print servers and provides a framework for end-to-end print security. In addition, CAC/PIV smart cards are more secure than most civilian employee badges because they require both a swipe and a PIN to complete the authentication.

Even though this degree of print security involves complex technology, the new PrinterLogic feature is easy to use. First, the user logs in using their CAC/PIV reader at their workstation as usual. PrinterLogic Web Stack (formerly Printer Installer) automatically provides a digital signature for print jobs using this authentication process. When the user prints a document, they are prompted to enter their PIN. This creates the signature. The user then goes to the printer and securely releases the job using their CAC/PIV card with a compatible reader.

FIPS 140-2 US government security certification
The cryptographic modules in version 18.3 of PrinterLogic’s software have been hardened to ensure compliance with the Federal Information Processing Standard (FIPS) Publication 140-2. As part of the company’s FIPS certification, the 18.3 release is currently undergoing an evaluation by the National Information Assurance Partnership (NIAP), using the U.S. Government Approved Protection Profile. Final verification testing is underway now, and certification is expected by April, 2019.

Together with CAC/PIV support, FIPS 140-2 certification ensures that PrinterLogic Web Stack is now the ideal print-management solution for use in federal print environments—or indeed any organization that values uncompromising print security.

Canon control panel application (CPA) support (beta)
Currently in beta testing, PrinterLogic’s Canon CPA support for version 18.3 will allow customers with Canon printers to use PrinterLogic’s print-management solution for secure pull printing on those devices. Via the CPA, users can enter a username/password or PIN/ID combination on the printer’s embedded control panel to authenticate themselves and securely release held print jobs.

This also marks the launch of PrinterLogic’s brand-new common CPA platform, which provides a uniform code base for our control panel apps. Along with accelerated speed of development and increased efficiency, the common CPA platform will provide customers with a consistent user experience across printers, faster CPA responsiveness, improved error-handling and added print security.

Public key infrastructure (PKI) encryption for email printing
As part of their security protocols, many enterprise organizations require emails sent from Microsoft Outlook to be encrypted. But that encryption can also prevent those emails from printing correctly. The 18.3 release remedies this with native support for PKI encryption.

When this feature is enabled, encrypted e-mails can be automatically decrypted for printing as long as the administrator has added a valid PKI certificate and key in the PrinterLogic management console.

Faster, more resilient mobile printing
Version 18.3 of PrinterLogic’s software has added “fast lane” technology to its mobile printing system that ensures the highest possible throughput for smartphone, tablet and Chromebook printing. Each mobile print job is assigned its own unique thread so if a previous job in the queue stalls out, the software parallel-processes the jobs and keeps things moving. As a result, mobile users, particularly in large organizations, will enjoy improved print performance.

Smartphone apps for pull-print authentication with PrinterLogic SaaS (beta)
For organizations that want to roll out secure pull printing without having to invest in a badge-release system—or having to invest in expensive control-panel printers—PrinterLogic will offer companion iPhone (iOS) and Android smartphone apps for its PrinterLogic SaaS (formerly PrinterCloud) customers with a pull-print license.

Currently, users who want to authenticate a pull-print job on a smartphone use PrinterLogic’s web-based release portal on their mobile browser. Now, mobile users can simply launch a dedicated app on their device. Their credentials are set once and securely stored within the app, which means they’ll be taken right to their held print jobs the moment they tap on it. From there they can easily release jobs to a desired printer.

Not only does this new feature eliminate the need to purchase expensive badging hardware, it also promotes the use of secure printing by virtue of its convenience. In addition, because the apps work with less expensive network printers that are not equipped with control panels, they make streamlined secure/pull printing practical without having to spend money on new print infrastructure.

Additional features and improvements in version 18.3

  • SNMP alerting enhancements: Customers can now manage alerting and monitoring capabilities via PrinterLogic’s common Service Client as opposed to managing SNMP traffic from individual endpoints. PrinterLogic SaaS customers will be able to manage SNMP alerts locally from behind the firewall. This helps mitigate WAN traffic constraints.
  • Support for MySQL 8: PrinterLogic Web Stack previously supported MySQL 5.5, which recently entered its end-of-life phase. MySQL 8 is the latest version with planned support through 2026.

Availability
In addition to the new functionality in PrinterLogic Web Stack 18.3, here’s a summary of expected timing for other releases or formal certifications discussed in this blog:

  • PrinterLogic Web Stack 18.3: PrinterLogic’s on-prem solution is available now.
  • PrinterLogic SaaS 18.3: A SaaS release that includes most of these features will be available late Q1.
  • Smartphone apps for iOS/Android: These apps are expected to be available from their respective mobile app stores by late Q1. They work with the current version of PrinterLogic SaaS, providing the customer has a pull-print license. They are not hinged to 18.3.
  • Canon CPA support: The new CPA is undergoing testing and certification by Canon, and we expect a final version to be released by late Q1 or early Q2.
  • NIAP certification: PrinterLogic’s application to the National Information Assurance Partnership (NIAP) is now under review. Certification is expected by April, 2019.

Existing customers can download PrinterLogic Web Stack 18.3 from the Product Updates and Release Notes page in the documentation portal. Existing customers who wish to be part of the beta test program for the Canon CPA or the new smartphone apps should contact their sales representative or product support.

If you aren’t yet a customer but would like to test the latest version of PrinterLogic Web Stack free of charge, sign up today for a 30-day trial and experience the benefits of centrally managed direct-IP printing for yourself.

The PrinterLogic CAC/PIV Advantage

In our recent blog, Barriers to CAC/PIV Secure Printing Implementation, we identified reasons why federal agencies have held off implementing CAC/PIV secure printing despite its security benefits. Based on this research, and a careful analysis of other solutions in the market, PrinterLogic has developed a unique, cost-effective CAC/PIV pull-printing approach that works with ANY network printer, requires no print servers, and gives complete visibility into print activity on the network.

PrinterLogic uses a print-management application called PrinterLogic Web Stack (formerly Printer Installer) to manage the enterprise print environment and eliminate or reduce the print-server footprint. We help customers eliminate print servers and migrate their environment to a centrally managed direct-IP printing infrastructure. This infrastructure is the key to achieving a serverless CAC/PIV secure print-release model.

Figure 1. PrinterLogic Serverless CAC/PIV Secure Print Infrastructure

This serverless solution works within the PrinterLogic infrastructure and is managed by the PrinterLogic Web Stack software. It maintains the full functionality of print servers while replacing them. It provides a more manageable print environment that is more friendly for end users. The solution includes printer-driver deployment and management, print-job auditing and reporting, and centralized printer management from a single web-based console.

The Printerlogic platform provides a tangible and timely return on investment due to a reduction in hard costs (eliminating print servers), a reduction in help-desk calls, and an increase in productivity for admins and end users alike. The core benefits of the company’s serverless CAC/PIV solution include:

  • Reduced security risk associated with classified and non-classified printing networks. With PrinterLogic’s serverless CAC/PIV secure print-release solution you can increase security and reduce risk by:
    • Digitally signing all print jobs created by the user using their CAC/PIV card certificate at the point of print job creation (the user’s workstation). The job is then held securely in the user’s local print queue securely until released at any PrinterLogic CAC/PIV-enabled printer or MFP.
    • Moving to a direct-IP print infrastructure, reducing risk from centralized points of failure and security compromise. Print jobs are never held at the MFP, or at any centralized print server.
  • Simplified infrastructure. With PrinterLogic Web Stack you can eliminate all your print servers and dramatically simplify your infrastructure.

Figure 2. PrinterLogic E-241 CAC/PIV Badge Reader

  • Works with any networked printer. PrinterLogic employs a CAC/PIV-enabled E-241 Badge Reader, which connects to existing printers. End users swipe their smart card over the reader to authenticate and release their print jobs. This solution works with any make or model of printer, and is very cost-effective compared with wholesale replacement of your fleet.
  • Improved visibility into printing activities, which can inform cost and waste cutting. Obtain data that helps with cost-reduction initiatives. This includes desktop USB-connected printers. Assign costs to specific printers, paper types and modes (color, B&W, etc.) to help calculate and monitor printing costs. Identify opportunities to consolidate printing devices.
  • Empower your end users. Using PrinterLogic’s Self-service Installation Portal, end users can quickly find and install nearby printers without having to wait for IT staff assistance, using a visual floor-plan map.
  • Streamline printer provisioning management. Manage all printer provisioning in your entire enterprise through a single web-based console without scripts or complicated GPOs.
  • Reduce help-desk calls. Using PrinterLogic’s self-service printer installation means end users are less likely to contact your help desk for printer problems.
  • Achieve a quick return on investment (ROI). Customers typically experience a fast ROI (88% in one year) due to savings related to print-server elimination, dramatic reductions in help-desk calls, and streamlining provisioning tasks for IT admins. ­

Eliminating print servers is compelling, but we realize not every organization can eliminate all of its print servers because some applications require them. PrinterLogic can work in these hybrid environments. We also understand that buying a new printer and MFP fleet every three to five years is not cost effective, which is why our CAC/PIV solution is designed to work with your existing printers.

We’ve shown how PrinterLogic’s research with federal agencies has led to a unique, cost-effective CAC/PIV pull-printing approach that works with ANY network printer, requires no print servers, and gives complete visibility into print activity on the network. To see how PrinterLogic’s secure pull-printing functionality can work for you, call our Federal Sales Desk at 435-216-1939 for more information, or to schedule a WebEx demonstration and a 30-day free trial.

Problems with Current CAC/PIV Secure Printing Solutions

In our recent blog, Barriers to CAC/PIV Secure Printing Implementation, we discussed PrinterLogic’s research into why federal agencies had put off deployment of a CAC/PIV secure-printing solution. Part two of that investigation was to survey agencies who had implemented a CAC/PIV solution to learn more about the pros and cons of their approach, as well as their level of satisfaction with the solution.

We learned that some agencies were not happy with their current CAC/PIV implementation because the solutions were too complicated to maintain, or because they introduced additional risks, or because they invested in a solution that had not paid off.

Most server-based print-management solutions employ one of the three common network printing architectures: centralized print server, distributed print servers, or a combination of both. These packages inherit the associated challenges and security risks of print servers in general, and include:

  • Centralized points of vulnerability for all print jobs at one location
  • Centralized points of failure that delays mission-critical printing
  • Absence of digitally signed print jobs resulting in a lack of document integrity

Each of these risks create new challenges, as outlined below:

  1. Single points of vulnerability. Whether they are centralized and distributed, print-server networks use one location for all print data. Any unauthorized or malicious access compromises every print job on the server. While most of this access is unintentional, malicious access is initiated by an authorized user with detailed system knowledge. Most print-server architectures make it possible for a single actor to access large amounts of sensitive or classified print data. If one document is breached, it’s fair to assume that all print data at that location is compromised. Even when security measures protect data at rest, these server-based systems use centralized document file stores, print-job repositories, or print queues that become high-value targets for malicious actors. By definition, they are a weak link in the security of a network.
  2. Single points of failure. If a print server or communication with that server fails, printing comes to a standstill until the issue is resolved. Even with high-availability failover or clustered print networks, printing of mission-critical data stalls out and negatively affects the productivity of an entire organization.
  3. Lack of document integrity. Most server-based print management packages rely on device-based printer and MFP CAC/PIV solutions. They are single-vendor designs that do not have direct access to the user’s CAC/PIV card when authenticating at the printer. Instead, the CAC/PIV solution passes the user information to the print-management software. Jobs are not digitally signed before release at the printer, which creates a vulnerability in the agency’s print security. These print-management systems have no way of knowing if a print job was altered before appearing on the printer.

Based on this research, PrinterLogic has developed a cost-effective CAC/PIV secure pull-printing system that works with ANY network printer, requires no print servers, and gives complete visibility into print activity on the network. Read about it in our new blog, The PrinterLogic CAC/PIV Advantage, call our Federal Sales Desk at 435-216-1939 for more information, or to schedule a WebEx product demonstration and a 30-day free trial.

Barriers to CAC/PIV Secure Printing Implementation

Federal agencies understand the gravity of a security leak, especially when it comes to sensitive topics. Since HSPD-12 came out in 2004, agencies have been working to secure their desktops, laptops, door access, emails and any sensitive information using FIPS-201 compliant smart cards.

Even so, government agencies struggle to secure their print infrastructure—while maintaining ease of use for employees.

Because printing converts data to physical media, it is considered one of the most vulnerable security areas within an organization. Once data is printed it is difficult to control, and it’s easy to imagine how risky it is to have sensitive information sitting on a printer tray in plain sight. Anyone could pick it up, stash it in their briefcase, and walk out of the building. Once a breach like this occurs, the information is nearly impossible to retrieve.

It’s well known that Common Access Cards (CAC) or Personal Identity Verification (PIV) smart cards can be used for multi-factor authentication at a printer to secure printing and mitigate these risks. The odd thing is that many federal agencies have been slow to implement CAC/PIV secure printing solutions. Therefore, PrinterLogic, a leader in secure pull printing, conducted research with agency IT personnel to find out why.

Our research identified four key reasons why federal agencies are slow to implement CAC/PIV secure printing:

  1. Difficulty justifying replacing the entire printer fleet. Most printers in an agency fleet do not have an integrated CAC/PIV reader. Implementing CAC/PIV solutions across an entire agency is a high-cost scenario that involves lots of expensive devices and massive infrastructure changes. Upgrades of this magnitude require a lot of planning and are accompanied by big incremental budget approvals. Workers and support staff need training on the new printers, as well as the software to manage them. Large deployments can take years to complete, and productivity suffers during the transition period.
  2. Installed base of functioning printers has to be abandoned. Printers that are in service and still work are like the laws of inertia: They tend to stay in service unless acted upon by an opposing force. In most organizations, working printers are used until they break or can no longer be serviced. The installed base of printers includes smaller models that can’t be retrofitted to support CAC/PIV authentication and would be scrapped. This causes some agencies to procrastinate CAC/PIV deployments in order to avoid waste.
  3. Vendor locking is a double-edged sword. Federal agencies are motivated to employ CAC/PIV print solutions, but they prefer vendor-agnostic procurement practices. Most CAC/PIV solutions are tied to one printer manufacturer’s hardware, which means committing to a solution that “locks” the agency into one vendor. This gets in the way of a multi-vendor approach that benefits from competitive offerings. On one hand, agencies want the flexibility of upgrading and switching to better solutions when they are available. On the other hand, they are married to existing hardware and service commitments until those expire.
  4. Complex back-end Infrastructure. Federal agencies have spent the last 10+ years consolidating their network and server infrastructure. Most CAC/PIV solutions require an extensive server implementation. One agency we surveyed said they would need 2,000+ pull-print servers to facilitate secure print authentication using their PIV cards. The sheer cost, software training, and incremental support staff needed for this kind of investment has slowed adoption.

Based on this research, PrinterLogic has developed a cost-effective CAC/PIV secure pull-printing system that works with ANY network printer, requires no print servers, and gives complete visibility into print activity on the network. Read about it in our new blog, The PrinterLogic CAC/PIV Advantage, call our Federal Sales Desk at 435-216-1939 for more information, or to schedule a WebEx product demonstration and a 30-day free trial.