Security Solutions
The multi-layered approach of Security Solutions will effectively close the door on those who wish to exploit security vulnerabilities. Determine your security requirements based on the security layers and security objectives below, then discover what products and Security Solutions provide the protection you need.
Risk Level
Low High
Security Layer 1 2 3 4
Security Objective  
Plus…
Plus…
Plus…
Security Solutions
User Codes, Unauthorized Copy Control
Unauthorized Copy Control, Locked Print, RAM-based Security
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, Removable Hard Drive, Network Port Security, 128-bit Encryption over SSL/HTTPS, NT Authentication, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, Removable Hard Drive, Network Port Security, 128-bit Encryption over SSL/HTTPS, NT Authentication, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, Removable Hard Drive, Network Port Security, 128-bit Encryption over SSL/HTTPS, NT Authentication, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, Removable Hard Drive, Network Port Security, 128-bit Encryption over SSL/HTTPS, NT Authentication, Printer Cost & Security Manager, Print Copy & Control, PrintCabinet, WebImageMonitor, Web SmartDeviceMonitor
User Codes, Unauthorized Copy Control, Locked Print, RAM-based Security, SmartDeviceMonitor, Data Encryption, DataOverwriteSecurity System, Removable Hard Drive, Network Port Security, 128-bit Encryption over SSL/HTTPS, NT Authentication, Printer Cost & Security Manager, Print Copy & Control, PrintCabinet, WebImageMonitor, Web SmartDeviceMonitor
Restrict Unauthorized Device Access

User Codes
User Codes enable system administrators to manage and track the use of digital output devices. A User Code can be assigned to an individual based on which function(s) they have permission to access. This level of control enables you to monitor system usage (e.g., generate print counter reports by function and User Code).
Control Device Output

Locked Print
Locked Print (available through advanced print drivers) maintains confidentiality by suspending document printing until the authorized user (author/creator) enters the correct PIN (Personal Identification Number) from the device control panel. This eliminates the possibility of anyone viewing or removing a document from the paper tray. (Locked Print requires a hard drive that may be optional, depending on model.)

Enhanced Locked Print
Enhanced Locked Print lets you capture all the benefits of shared, centralized MFPs without compromising document security. Users store, release and manage confidential documents with the security of user ID and password authorization. It's a fast and simple solution for protecting your organization's confidential and proprietary data.
  • Users can safely send documents to printers where they are securely held until released by the authorized user
  • Documents cannot be picked up at the printer by another user, protecting information confidentiality
  • Documents stored at the printer are encrypted (information cannot be compromised if hard drive is stolen)
  • Enhanced Locked Print is installed to the Multifunctional-printing device either via embedded firmware (SD Card) or remotely via Web Interface
  • Administrators and users can configure Enhanced Locked Print through a simple web browser-based interface


RAM-based Security

Some digital systems use RAM (Random Access Memory), not a hard disk drive, for document processing tasks. Though a hard drive is available as an option, there is a security benefit to the base configuration in that jobs processed through RAM are volatile, i.e., when the system is turned off, data is immediately erased. Without a means to permanently store data, such as a hard drive, the security threat is eliminated.
Secure Network Devices

SmartDeviceMonitor (for Admin*)
SmartDeviceMonitor is utility software bundled with all printers, print-enabled MFPs and the Printer/Scanner Kit options. This versatile software suite simplifies all aspects of installation, monitoring and management of network output systems, while supporting key security features.
  • Change Community Name
    To address SNMP (Simple Network Management Protocol) vulnerability, the system administrator can change the Community Name of hardware devices from “Public” to another more secure name. If this security measure is taken, the Community Name (for the software) must have the identical name as the connected output device.
  • Restrict User Access
    System administrators can control user privileges through the User Management Tool. This activates a menu for review of the peripherals authorized for use by User Code and User Name. All supported peripherals on the network are listed, and a simple click on the device accesses a menu that restricts or enables access to the device for individual users.


WebImageMonitor
WebImageMonitor is an integrated Web-based utility for device management.
  • Set IP Address Range (IP Filtering)
    System administrators can restrict authorized connections to the print controller from those hosts whose IP addresses fall into a particular IP range. Commands or jobs sent from non-authorized IP addresses are ignored by the print controller.
  • Network Protocol/Port Security
    The system administrator can enable or disable IP ports, thus controlling the different network services provided by the print controller to an individual user.

*Note: SmartDeviceMonitor for Admin resides on the client desktop and allows users to determine the status and availability of networked peripherals. Once installed, an icon is placed on each user’s desktop in the Windows Taskbar, which shows system status at a glance.

Add-ons: MAC/IP (Media Access Control/Internet Protocol) address filtering, job logs/access logs, WPA (Wi-Fi Protected Access) support, address book encryption
  • Encrypted PDF Transmission
  • Drive Encryption Key
  • PDF password encryption
Secure Network Print Data

Data Encryption via IPP
Another effective way to achieve data security is through encryption. Using SmartDeviceMonitor for Client utility, print data can be encrypted by means of Secure Sockets Layer/Transport Layer Security (SSL/TLS) via Internet Printing Protocol (IPP), thus securing data between workstations and network printers/MFPs. (TLS is a protocol that guarantees privacy and data integrity between client/server applications communicating over the Internet.) This means that any attempt to tap print data will fail, i.e., the intercepted data is indecipherable. Please see the attached product specification charts for model support.
Destroy Latent Data

DataOverwriteSecurity System (DOSS):
To further thwart data loss, an organization’s information security measures should incorporate technology that destroys latent digital images on the MFP’s hard drive. DataOverwriteSecurity System achieves that goal as it destroys temporary data stored on the MFP’s hard drive by writing over the latent image with random sequences of “1’s” and “0’s.”
  • Three-pass data overwrite process makes any effort to access and reconstruct stored print/copy files virtually impossible
  • Operates in conjunction with the Removable Hard Drive Security Systems, providing a multi-layered approach to securing sensitive documents
  • A simple display panel icon provides visual feedback regarding the overwrite process, e.g., completed or in-process
  • Conforms to National Security Agency (NSA) recommended methods of managing classified information
  • Assists in compliance with HIPAA, GLBA and FERPA requirements
  • ISO 15408 certified to EAL 3
Security Acts Compliance Requirements
By employing DataOverwriteSecurity and/or Removable Hard Drive Systems, companies involved in the collection and dissemination of medical records, e.g., hospitals, healthcare organizations, and human resources, protect patient privacy. Specifically, data regarding an individual’s medical condition cannot be retrieved or stolen, thus assisting with necessary HIPAA-compliance requirements. HIPAA (Health Insurance Portability and Accountability Act) is a law designed to protect working Americans and their families from discrimination based on pre-existing medical conditions. In addition, DOSS and RHD options also assist in compliance with financial privacy (Gramm-Leach-Bliley Act) and student privacy (Family Education Rights Privacy Act).
Physically Secure Data/Ports

Removable Hard Drive Security (RHD) Systems
Convenient and easy to use, Removable Hard Drive Systems interface with a digital system’s standard hard drive. This solution secures the system’s internal hard drive within an external rigid housing using a key lock system. A numbered labeling system ensures the Removable Hard Drive is easy to identify while in storage or when being replaced in the system. Also provided is a cushioned static-free case to protect the Removable Hard Drive while in transit or storage.

To provide even more security and flexibility when dealing with both classified and non-classified documents, an optional additional Removable Hard Drive is available. This allows digital systems to handle two separate interchangeable Removable Hard Drives; one RHD for classified documents and the other RHD for unclassified documents. After the classified documents have been copied or printed, the classified drive can be removed and placed in a secure location and the unclassified drive can be reinserted for unclassified copying or printing.

  • The Removable Hard Drive is placed in a strategically accessible area for easy authorized removal and storage
  • Maximizes security by allowing the physical separation of data from the input/output device, preventing access to remnant data
  • Removable Hard Drive-enabled MFP systems operate seamlessly with the device’s robust copy, print and scan features
  • Operates in conjunction with DataOverwriteSecurity System, providing a multi-layered approach to securing sensitive documents
  • All functions are available (copy, print, scan, fax and Document Server*) when the Removable Hard Drive is installed

Network Protocol/Port Security
Typically, network-enabled systems are shipped to the customer with all the network ports “open,” making the addition of these systems to different networks as easy as possible. Although this makes network-enabled systems easy to install, open but unused network ports pose a security risk.
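
An added example (not Ricoh's code or tooling) that audits a device inventory against the three network hardening measures this page describes: a changed SNMP Community Name, a set IP address range, and disabled unused ports. The inventory, its field names, the port labels and the range-size threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory (not exported from any real device or tool).
# Field names are hypothetical; map them to whatever your own export provides.
DEVICES = [
    {"name": "mfp-finance", "snmp_community": "public", "ip_filter": None,
     "open_ports": {"ipp", "lpr", "ftp", "telnet", "snmp"},
     "needed_ports": {"ipp", "snmp"}},
    {"name": "mfp-legal", "snmp_community": "k7-print-ro",
     "ip_filter": ("10.20.30.1", "10.20.30.254"),
     "open_ports": {"ipp", "snmp"}, "needed_ports": {"ipp", "snmp"}},
    {"name": "mfp-lobby", "snmp_community": "Public",
     "ip_filter": ("0.0.0.0", "255.255.255.255"),
     "open_ports": {"ipp", "lpr"}, "needed_ports": {"ipp"}},
]

# "public" is the default named on the page; "private" is the other
# widely shipped default community string.
DEFAULT_COMMUNITIES = {"public", "private"}
MAX_FILTER_HOSTS = 65536  # assumed policy: a range wider than a /16 is too broad


def filter_size(ip_filter):
    """Number of addresses admitted by a (start, end) IPv4 range."""
    start, end = (ipaddress.IPv4Address(a) for a in ip_filter)
    if start > end:
        raise ValueError("range start is above range end")
    return int(end) - int(start) + 1


def ip_allowed(ip_filter, client):
    """The per-connection decision described for the print controller."""
    if ip_filter is None:  # no range configured: every host is accepted
        return True
    start, end = (ipaddress.IPv4Address(a) for a in ip_filter)
    return start <= ipaddress.IPv4Address(client) <= end


def audit(device):
    """Return the list of hardening gaps for one device record."""
    findings = []
    if device["snmp_community"].lower() in DEFAULT_COMMUNITIES:
        findings.append("default SNMP community name")
    flt = device["ip_filter"]
    if flt is None:
        findings.append("no IP address range set")
    elif filter_size(flt) > MAX_FILTER_HOSTS:
        findings.append("IP address range too broad")
    extra = sorted(device["open_ports"] - device["needed_ports"])
    if extra:
        findings.append("unused ports enabled: " + ", ".join(extra))
    return findings


def audit_all(devices=DEVICES):
    return {d["name"]: audit(d) for d in devices}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A range that spans the whole address space passes a simple "is a filter set?" check, which is why the audit measures the size of the range as well.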

*Document Server, a capability of select output systems that stores jobs (scan, print, fax or copy) on the system’s hard drive, also supports Secure Document Release.
Encrypt Data Communication

128-bit Encryption over SSL
GlobalScan and DocumentMall both support 128-bit encryption over SSL. SSL (Secure Sockets Layer) technology works by using a private key to encrypt data that’s scanned from the MFP to the GlobalScan or DocumentMall server, creating a secure connection. Any URL (Uniform Resource Locator) that requires an SSL connection, such as GlobalScan and DocumentMall, will start with https:, with “s” standing for “secure.”
GlobalScan is a Web-based Content and Document Management Solution that enables select MFP systems to perform network scanning functions, specifically, scan to e-mail or folder, as well as perform OCR, fax and document management functions via optional plug-ins. This powerful, yet easy-to-use, paper document capture and distribution system integrates seamlessly with your existing mail infrastructure to significantly boost workgroup productivity by combining scanning functionality within an accessible copier platform.

DocumentMall, a low-cost, low-risk host application, provides secure Internet access to your documents from anywhere in the world, 24 hours a day, 7 days a week, enabling easy sharing and collaboration across dispersed geographic boundaries.
Authenticate Users

Prevent Unauthorized System Usage: Authentication is an MFP security feature that restricts unauthorized users, or a group of users, from accessing system functions or changing machine settings. This important capability enables the system administrator to employ “Access Limitation Management,” helping to protect your MFP installed base from unapproved usage or tampering.
  • User Authentication enables you to restrict machine access so that only those with a valid user name and password can access MFP functions. Four User Authentication methods are available, one of which can be employed to address specific security needs.
  • Windows Authentication verifies the identity of the MFP user by comparing login credentials (user name/password) against the database of authorized users on the Windows Network Server, thus granting or denying access to MFP functions.
  • LDAP Authentication validates a user against the LDAP (Lightweight Directory Access Protocol) server, so only those with a valid user name/password can access your global address book, i.e., search and select e-mail addresses stored on the LDAP Server.
  • Administrator Authentication – A registered administrator manages system settings and user access to MFP functions. Up to four Administrators can share the administrative tasks, spreading the workload and limiting unauthorized operation by a single administrator, though the same individual can assume all roles. In addition, a separate Supervisor can be established for setting or changing the administrator passwords.
  • Basic Authentication – Authenticates a user utilizing the user name/password registered locally in the MFP’s Address Book. No one without a valid user name/password can access the machine.
  • User Code Authentication – Utilizes Ricoh’s standard User Code system to authenticate the user. The MFP operator simply enters their User Code, which is compared to the registered data in the MFP’s address book. No one without a valid User Code can access the machine. Basic Authentication and User Code Authentication can be utilized in non-Windows and/or non-networked office environments.
    Monitor and Control Resources

    Secure Network Devices
    SmartDeviceMonitor (for Admin*)

    SmartDeviceMonitor is utility software bundled with all printers, print-enabled MFPs and the Printer/Scanner Kit option. This versatile software suite simplifies all aspects of installation, monitoring and management of networked output systems, while supporting key security features.

    • Change Community Name
      To address SNMP (Simple Network Management Protocol) vulnerability, the system administrator can change the Community Name of hardware devices from “Public” to another more secure name. If this security measure is taken, the Community Name (for the software) must have the identical name as the connected output device.

    • Restrict User Access
      System administrators can control user privileges through the User Management Tool. This activates a menu for review of the peripherals authorized for use by User Code and User Name. All supported peripherals on the network are listed, and a simple click on the device accesses a menu that restricts or enables access to the device for individual users.

    Job Logs/Access Logs
    A complete listing of every job executed by the device is stored in memory. This list may be viewed via Web SmartDeviceMonitor to track and trace device usage by job and/or user. When used in conjunction with external user authentication modes, it will be possible to determine which specific users may be abusing a device, or who and which device was used to send an unauthorized transmission, to trace the source of leaks.

    Job Log Reports
    Smart Accounting creates individual and/or department reports for all print/copy/fax and scan activity on the device based on the internal job logs. In addition to security, the solution can also associate costs to the usage for budgetary or bill-back purposes.

    WebImageMonitor

    WebImageMonitor is an integrated Web-based utility for device management.

    • Set IP Address Range (IP Filtering)
      System administrators can restrict authorized connections to the print controller from those hosts whose IP addresses fall into a particular IP range. Commands or jobs sent from non-authorized IP addresses are ignored by the print controller.

    • Network Port Security
      The system administrator can enable or disable IP ports, thus controlling the different network services provided by the print controller to an individual user.

    *Note: SmartDeviceMonitor for Admin resides on the client desktop and allows users to determine the status and availability of networked peripherals. Once installed, an icon is placed on each user’s desktop in the Windows Taskbar, that shows system status at a glance.

    General Office Commercial Facsimile Security Features
    Standalone Commercial Fax


    Restricted Access
    Restricted Access allows you to keep close track of machine usage and deters passers-by from using the machine. Authorized users must enter a code before they can use the machine. Furthermore, this function can be linked to the Night Timer feature so that Restricted Access is turned on/off at certain hours, preventing after-hours access.

    Server Domain Authentication
    When security and user tracking are an issue for IT managers, authentication limits access to the fax system, increasing security by monitoring machine usage. Machine access is given only to users with a Windows domain controller account. Server Authentication will limit access to the fax system not only for scan to e-mail, but also for standard faxing, IP faxing and LAN faxing. (Available on select models)

    Security PIN Code Protection
    To prevent exposure of a PIN Code or Personal ID, any character after a certain position in the destination’s dial number will be concealed both in the display and Communications Report.

    Closed Network
    With Closed Networks, the ID codes of the communicating machines are checked. If they are not identical, the communication is terminated, thus preventing possibly confidential documents from being transmitted intentionally or accidentally to the wrong location(s), i.e., outside the network. (Note: Closed Network requires all fax systems be systems with closed network capability.)

    Confidential Transmission/Reception
    This feature enables the user to transmit/receive to a mailbox that is passcode-protected. Messages are only printed after the recipient enters the proper passcode, providing an enhanced level of security when communicating between machines.

    Memory Lock
    When Memory Lock is enabled, documents from all senders (or specific senders) are retained in memory. When the Memory Lock ID is entered from the control panel, the documents print, another form of security that prevents documents from sitting on a receive tray for passers-by to read.

    Networked Commercial Fax
    ITU-T Sub-address Routing
    Using a Sub-address, appended to a fax number, makes it possible to route a fax directly to the recipient’s PC, via their e-mail address. When received to a PC, confidentiality is maintained, i.e., only the recipient can view the message.

    IP-fax
    Facsimile Systems, with NIC FAX Unit installed, support secure T.38 real-time IP-fax over a corporate Intranet, not only bypassing costly phone lines, but also operating securely behind the firewall.