Scanned documents sent as email, faxes received and redistributed electronically, and print data sent to a printer can all, when not encrypted, be intercepted, listened to and sent off to other networks for remote analysis of crypto jobs, or analyzed by a spy within the organization.
There is a definite vulnerability in almost any organization, and sometimes a bad guy will exploit it for malice, for excitement or for money.
A good way to protect your organization is to deploy encrypting switches that exchange security certificates, so that listening to any data going between the switches will yield nothing to a would-be intruder.
If data is stored unencrypted on the disk of the print server, there is the potential of malware being exposed. Normally print data cannot contain malware, and if it did, it most likely would have no consequences.
However, a bad side effect of a print server with anti-virus software installed is that it will automatically scan newly generated files, quarantine them and keep a log. Malware embedded in a print job will then not be printed as the virus checker removes or quarantines it depending on the rules set up for the virus checker.
The better way of managing this particular threat is to encrypt the data written to disk. This eliminates the risk of print data being stolen from the print queue, and it allows files with images that may legitimately contain the signature of malware to be printed, as they should be. Comprehensive output management systems do that, so the encrypted malware will not pose a threat, nor will sending it encrypted to a printer. No threat, no log – no IT or security management overhead, the kind of solution I prefer.
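One way to check that a spool directory really holds no readable print data is sketched below. This is an added example, not code from the author or from any output management product. The function names, the sample job contents and the 7.5 bits-per-byte entropy threshold are assumptions made for illustration.

```python
import math
import os
from collections import Counter

# Well-known leading bytes of common print streams.
PRINT_MAGIC = {
    b"%!PS": "PostScript",
    b"%PDF-": "PDF",
    b"\x1b%-12345X": "PJL/PCL (UEL header)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_spool(data: bytes, min_entropy: float = 7.5) -> str:
    """Return 'plaintext:<format>', 'low-entropy' or 'looks-encrypted'."""
    for magic, name in PRINT_MAGIC.items():
        if data.startswith(magic):
            return f"plaintext:{name}"
    # min_entropy is an assumed threshold, meaningful for samples of a few KiB or more.
    if shannon_entropy(data[:65536]) < min_entropy:
        return "low-entropy"
    return "looks-encrypted"

def audit(spool_files: dict) -> dict:
    """Map each spool file name to its classification."""
    return {name: classify_spool(blob) for name, blob in spool_files.items()}

# Constructed sample spool contents (not real print jobs).
SAMPLES = {
    "job-001.ps": b"%!PS-Adobe-3.0\n%%Title: payroll.doc\nshowpage\n" * 40,
    "job-002.prn": b"\x1b%-12345X@PJL JOB NAME=\"invoice\"\r\n" + b"\x1bE" * 500,
    "job-003.txt": b"Quarterly results, internal only.\n" * 200,
    # Random bytes stand in for ciphertext written by an encrypting spooler.
    "job-004.enc": os.urandom(8192),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

High entropy only shows that a file is not a readable print stream; compressed data scores high too, so a "looks-encrypted" verdict still needs confirming against the spooler's configuration.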
If data is really valuable in whatever respect, you may want to install encryption from the workstation to the switch. This removes the need for a special print-encrypting client at the workstation, because it protects all your data to and from the PC or laptop.
If you can’t afford the expense of an encrypting network card or module and you are mainly concerned about the print data, a print-stream encrypting client can be the answer. There are established secure printing system vendors that have provided end-to-end encryption for a number of years, including encryption following FIPS 140-1, 2 and 3 recommendations. Generally a print server, like any other server, should be located in a physically secure perimeter of your infrastructure, secured by firewalls and other methods to harden it against attack from outside or from the user network.
Making your network and your printing a lot more secure may not be as bad as you thought. There is software from reputable vendors that can make any print server platform a Secure Document Server that receives encrypted print jobs from a workstation client, encrypts its disk storage, and encrypts from the server to the printer once the user has authenticated their identity on the printer.
There are many fearmongers out there, and to the ones that talk about a device being able to get out of crypto-sync I’d like to say: “I wrote the code for the first public key encryption schemes used on the early ATM machines, re-wrote RSA and Novell compatible public key encryption from published principles and for a number of processors.