Xerox Standardizes on Mocana Security Solutions

By partnering with Mocana, Xerox advanced multifunction printer products are protected from existing threats as well as unforeseen zero-day exploits.

Today’s multifunction printer (MFP) is not the simple backroom office copier of the past. Instead, MFPs combine the functionality of printers, copiers, scanners, fax machines, and network storage for complete digital workflow management. Connectivity extends seamlessly to wired and wireless company networks as well as to the global Internet. Wearables, cell phones, tablets, and other IoT devices deliver access to office printers anytime, anywhere.

Third-party applications can be installed to provide a significant enhancement in capability and features. Indeed, these office productivity machines are as powerful as high-end computer workstations and network servers, featuring advanced microprocessor control, HD/SSD storage, integration with email services, and connectivity to external networks, the cloud, web servers, and storage.

The access range of these technologically sophisticated machines can extend well beyond the protective cocoon of network firewalls, and they process and store highly sensitive, proprietary information. That’s why MFPs are at increased risk as high-value data exfiltration attack vectors for cybercriminals, ransomware extortionists, and nation-state actors bent on disrupting business, military, and government operations.

Xerox Corporation, a leading global manufacturer and industry pioneer in the development of multifunction printers and technologies, has long recognized that the office printer ecosystem must be protected against myriad cyber threats, including external infiltration attacks as well as unintentional or criminal insider compromises.

As a result, the company deploys a variety of data and network protection features in its products, including Mocana’s IoT security platform, featuring an embedded software solution optimized for use in industrial control systems and ectly into the printer’s firmware, effectively welding in a seamless protective barrier comparable to the high levels of protection achieved when embedding security in device microprocessors.

Protecting technologically sophisticated printers

As Xerox continues to innovate its multifunction printers with new features, it also strives to protect them from cyberattacks. Companies with customers in financial services, legal, and government have raised concerns about global cyber risks of business operations disruption, data theft, and ransomware extortion.

And for good reason. The security risks to office printers have grown with the expansion of capabilities enabled by the internet and the widescale use of connected IoT devices. In addition, the threat to multifunction office printers may have been underestimated with the primary focus on attacks on desktops and laptops, handheld devices, computer networks, operational technology, and critical infrastructure.

Challenges
- Minimize integration and implementation obstacles for the OpenSSL replacement.
- Maximize business opportunities via a fast track for updating products to the most current security standard requirements.

Goals
- Replace OpenSSL internet communications security with a solution that can support the Xerox ecosystem of third-party application developers.
- Stay current with new regulatory compliance standards to assure maximum protection for the company’s customer base.

Forbes magazine has estimated that more than 1 million networked office printers may be at risk of cyberattack. To prove the vulnerability of today’s sophisticated printers, “white hat” security experts at CyberNews scoured the internet for accessible devices using standard printer ports and protocols.

Of the 800,000 printers found with network printing features enabled that were accessible over the internet, the security team successfully hijacked 28,000 unsecured printers worldwide. As a call to action to the printer owners, the team directed each machine to print a five-step guide on how to secure their printers.

Mocana solutions vital to privacy & data security

Mocana’s NanoSec IPsec and IKEv1/v2 solution with integrated certificate management is vital to protecting Xerox’s application ecosystem since third-party developers can create add-on applications designed to enhance the hardware and software capabilities of its multifunction printer products. For example, customers can install applications designed to automate specifically targeted workflows for sectors such as healthcare, retail, legal and financial services, as well as printer enhancements for government organizations, the military, and educational institutions.

As Xerox evolved its multifunction printer ecosystem to incorporate the benefits of third-party applications, the company initially relied on the OpenSSL Software Foundation’s application software library for secure network communications. OpenSSL supported different types of workflows required by customers installing third-party applications. At the same time, Xerox used Mocana’s IoT security platform to secure printer IPsec VPN communications.

Concerns increased about the open-source implementation for Secure Sockets Layer (SSL) and Transport Layer Security (TLS). At the time, the OpenSSL Software Foundation’s RSA key generation was not FIPS compliant. FIPS validation was not advancing to FIPS 186-4, a new security requirement for business and government. Xerox also had to engage a third-party company to certify its open source software offerings to meet the demand for compliance with this standard.

Several years ago, the company also recognized that TLS v1.3 would become the new encryption standard required by the government. Support for a new version of OpenSSL supporting TLS v1.3 was unclear, and the company couldn’t wait.

Mocana Security Solutions
- Mocana OpenSSL connector
- Mocana NanoSec, a comprehensive IPsec and IKEv1/v2 solution with integrated certificate management and extended authentication
- Mocana NanoSSL, a comprehensive, standards-based SSL developers’ suite, with support for TLS v1.3 and certificate management supporting secure printer communications
- Support for the NIST FIPS 140-3 compliance standard
- Compliance with FIPS 186-4 RSA key generation requirements
- Mocana NanoTAP supports TPM 2.0, integrating key protection and attestation
- Support for quantum safe cryptographic ciphers

What is FIPS and why is it important for the protection of connected devices and data?

The Federal Information Processing Standards (FIPS) was established by the U.S. to safeguard government data as well as millions of devices and systems. The mandatory standards are designed to provide rules and guidelines for encryption algorithms, methods for generating encryption keys, and ways computers and remote devices communicate with each other via secure methods.

FIPS standards are developed and published by the National Institute of Standards and Technology, or NIST. Though the government-certified standards were developed for nonmilitary federal applications, financial institutions, companies and other private sector organizations seeking business with government departments and agencies have opted to implement FIPS standards for their products and services.

The current FIPS 140-2 standard, which expires in 2026, is being superseded by FIPS 140-3 encryption protocols. The new standard expands on existing cryptographic specifications to include a wider range of potential computing environments and applications as well as U.S. adoption of an existing international security standard: ISO/IEC 19790.

Replacing OpenSSL

According to Marc Rocas, principal engineering manager at Xerox, the company was at a crossroads. It needed to replace its open source TLS stack to compete for government contracts or any commercial business that required the latest cryptographic certification. “We initiated conversations with Mocana on how we could use the company’s security expertise in more places, initially addressing the dependency on OpenSSL,” he said. “We realized we couldn’t tell the open-source community to port all their applications to Mocana’s NanoSSL encrypted communications software over OpenSSL. We asked if Mocana could ‘impersonate’ OpenSSL so that all third-party applications dependent on OpenSSL would be none the wiser, and we’d thus have a viable solution to this problem. Mocana developed a personality layer, if you will, that could masquerade as OpenSSL.”

Mocana’s solution enabled an OpenSSL replacement with a security update roadmap to ensure compliance with the latest regulatory requirements and the security of documents transmitted to and from its printers, and protection for secure data storage. In addition, Mocana’s OpenSSL connector enabled Xerox to maintain and grow its library of OpenSSL-based third-party developer applications while delivering the most current standards for device protection and secure network communications.

“A key advantage of Mocana’s security product offerings is support for industry standards and regulatory compliance,” noted Jon Mills, chief revenue officer at Mocana. “For example, Mocana already supports NIST’s FIPS 140-2, the computer security standard for cryptographic modules, and 186-4. In addition, the Mocana product line is now FIPS 140-3 compliant (official NIST certification is projected for December 2021), which is a current security requirement by the U.S. government and many device vendors. Plus, with the advanced protection features of Mocana’s security software, Xerox multifunction printers are among the highest-speed devices in the industry to receive Common Criteria Certification.”

Xerox also added TPM 2.0 hardware-based security chips to their products. Mocana’s solution provides pre-integrated APIs to fully utilize TPM to secure and protect the private keys (a root of trust) in the hardware security chip, locally attesting and validating the boot sequence, software versions, and other protections for data in transit and at rest.

Achieving Triple C

“FIPS compliance is the critical ingredient to achieve ‘Triple C’ or Common Criteria Certification, the international standard for computer security,” Rocas said. “For Xerox to sell its products to government and defense organizations or security-conscious customers, Triple C is your ticket to the ballgame. If you don’t have it, you’re absent from the list of companies considered for a request for proposal or bid query from a purchasing manager. Mocana has always ensured that Xerox is a leader by staying ahead of the curve on meeting or exceeding compliance requirements for our line of midrange multifunction printers, which are most commonly used in Fortune 500 companies, government offices, and multinational corporations.”

Mocana FIPS-certified algorithms are used for all data communications. They are bi-directionally encrypted using Mocana NanoSSL, a fast, low memory footprint SSL/TLS solution providing best-in-class device security services that authenticates endpoints and encrypts channels to provide session privacy and security on the internet.

The Mocana solution secures communications between printers and applications such as Microsoft Word or PowerPoint and the Microsoft Outlook email client. Secure communications also protect Xerox printers when connected to independent external cloud storage server services, such as Google Drive, Microsoft OneDrive, and Dropbox.

“When the Microsoft Outlook server fetches email or engages with a printer, those network communications also have to be protected,” Rocas said. “Xerox delivers multiple layers of protection, including at the lowest level of the operating system through Mocana’s NanoSec IPsec solution. Communications that occur above at the application layer are protected and encrypted by Mocana NanoSSL.”

Preparing for future, zero-day threats

Data theft or business disruption resulting from unauthorized internal access or external criminal cyberattack is not the only security risk facing multifunction printers. Since these devices are often integrated with company networks, they can potentially be used as a hopscotch attack vector for corporate or nation-state espionage, execution of arbitrary malicious code, denial-of-service attacks, or as a conduit to other computers, servers, systems, and devices. A compromised printer also could serve as a backdoor for disrupting operational technology that runs manufacturing, HVAC equipment, facility power plants, and smart building management systems.

“Typically, a hopscotch attack would be the result of a bug in some aspect of the software unrelated to the crypto and would be outside of the Mocana protection layers,” Rocas noted. “It’s something we are always monitoring in terms of the high level of protection we have built into the operating code to prevent printers from being used as intermediary devices to reach other targets in a corporate network. By partnering with Mocana, Xerox is assured that its advanced printer products will be protected from existing threats as well as unforeseen zero-day exploits that cause many to lose sleep.”

Results
- Replaced OpenSSL with Mocana’s NanoSSL using the Mocana OpenSSL connector with a simple recompile and replace eliminating product risks, and not requiring rewriting of third-party applications
- Integrate FIPS 140-3 compliant cryptographic module, a requirement for doing business with the U.S. government
- Path to add complete TPM 2.0 support and integration

