COVID-19: Address Printing and Shredding for Remote Workers

April 14, 2020 | Ask-An-Expert Writeups | Data Loss Prevention (DLP) | By Josh More, IANS Faculty

The Takeaway

With COVID-19 and the rush to remote work, many organizations are finding their remote work plans do not properly consider the technologies and techniques used in remote printing. While it is possible to print remotely from some systems, it is not possible to do so from others. Moreover, it can be difficult to prevent remote printing from certain systems. Organizations should consider these issues and their risk tolerances as they revamp their remote work strategies. They should also evaluate the use of virtual data rooms and zero trust designs for the future of remote work.


The Challenge

The security team for an organization in the transportation sector would like some guidance around secure printing and shredding capabilities for remote workers. Specifically, the team asks:

  • Are companies enabling users to use their home printers, and if so, how is that done? Do they allow split tunneling on the virtual private network (VPN) so employees can access their home printer while connected to the office?

  • How are companies handling the issue of shredding? Do they ask employees to store everything in a box and bring it in for shredding once everyone is back on-site, or should employees handle disposal themselves?

  • What are some other options in a remote scenario?

Paperless Processes? Not So Much

Prior to COVID-19, many organizations did not allow remote workers to use their home printers, but with a majority of people working remotely, it is becoming apparent that some workflows do not adapt to paperless processes as easily as people once believed. In the past, remote work has often either been:

  • Short-term, in which case printing issues could just wait a day or two.

  • Extended, but focused on a small number of people, in which case individuals in the office could take on the additional printing work.

Several strategies can address these issues, but which ones work best will depend on the type of work and the environment itself.

The Problem with VPNs

Before we get to printing issues, we first must understand the issue with VPNs. Traditional security advice for VPNs is to avoid split tunneling and to place the workers’ systems on the corporate network – directly or within a remote connection DMZ, depending on program maturity. However, this very design also prevents workers from accessing any resources they may have in their home, because split tunneling is required to split the traffic so the home network may be accessed. In fact, even when split tunneling is allowed, it’s primarily designed as a way to offload the VPN system by providing direct local access to the internet, not the home network.

Additionally, many legacy systems cannot handle remote/home printing. They are hard-coded with specific printing sources built directly into the system, with no printing allowed via the workstation. This design pattern means that even if a remote workstation were able to connect to the legacy system, it would not be able to print to any home network printers because those printers not only aren’t configured, but likely cannot be configured, since the legacy system doesn’t have access over the unidirectional VPN.

Security Workarounds

As is often the case when security controls interfere with operations, people do their best to circumvent them. Classically, in this situation, people tend to leverage native print drivers to “print” to a PDF or XPS file, which can be saved to their local system. They will then disconnect from the VPN, print to their local printer and reconnect to continue with their work. Workers with multiple systems may even use two different computers, one to work from and another to print from, using USB drives to copy the data between the systems.

These approaches, of course, present security risks. Uncontrolled printing can result in the proliferation of sensitive data in:

  • Printouts, which will require an additional new process around shredding of those documents (see the sidebar, “Work-from-Home Shredding Strategies”).

  • PDF files on the workers’ work system, home system, any number of USB drives and the local printer.

The potential for malware to migrate from the home system to the work system via USB or across the VPN also exists.

Additionally, the advent of cloud printing can allow workers to link their home printer to their Google account, then log into that account from both the home machine and the work machine and print from work using Google as an intermediary – which ends up sending sensitive data to Google as well.

Risk Acceptance

At present, most companies are simply loosening security controls, figuring that allowing workers to work outweighs the risks they face. This approach is untenable and will not last for long as an industry trend, but in the middle of a pandemic, it is the approach that works for many.

Once business as usual resumes, it will be possible to more objectively review risk levels, allowing some companies to simply accept these new looser controls and others to address the security issues through fundamental workflow reinvention.

Workflow Re-invention

There are many elements to such workflow re-invention, including:

  • Eliminating or simplifying the printing process. Companies should determine whether printing is even needed and adjust practices to eliminate the requirement. This approach may involve eliminating or changing legacy systems. Other approaches may involve identifying how people use paper and leveraging automation processes to streamline workflows to push any needed printing to a single point in a process – reducing the complexity of the printing process.

  • Eliminating the need for VPNs. This approach relies on both web services and zero trust designs, so that remote workers have a similar experience wherever they happen to work. This style of work is transformative and will require both new technologies and, for workforces that have difficulty adapting to new processes, potentially new personnel as well.

  • Virtual data rooms. Virtual data rooms have been used for years to share information with individuals who may not have the technical skill to keep it protected. By uploading documents to a data room service, groups like board members and mergers and acquisitions (M&A) teams can review documents, but the documents and any annotations stay within the data room. Currently, such data rooms exist as applications for most common operating systems, but as paper is phased out of business processes, it would be wise to standardize on a single paper replacement type. Apple’s iPad and Google’s Pixel Slate would be leading contenders, although the upcoming reMarkable 2 shows promise as a potential and more secure force of disruption. The use of virtual data rooms will almost certainly expand post-pandemic.

Remote Printing Strategies for Today

Recommendations for the future are useful, but most organizations need to know what to do right now. To get a handle on the remote printing issue:

  • Poll workers to find out who is printing, and who needs to print and cannot.

  • Work with business and system experts to remove a need for printing wherever possible.

  • Identify which document types should never be printed, and educate the workforce.

  • Only after the above is complete, consider relaxing printing rules to allow workers to perform essential jobs.

  • Create a document storage plan for future shredding and convey it to existing workers.

In particularly risk-averse organizations, consider reviewing print logs for critical systems and any remote-print technologies (Google, Citrix, VDI, etc.) to verify the accuracy of the polling data prior to following the plan above.
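One way to run that verification, as an added example that is not part of the original write-up: the Python below reconciles a print-log export against the worker poll and flags anyone whose answers and logged activity disagree, plus anyone using the print-to-PDF/XPS workaround described earlier. The CSV column names, user names, printer names and poll answers are constructed sample data and assumptions; map them to whatever your print server, Citrix or VDI logs actually export.

```python
import csv
import io

# Constructed sample export of print-log records; column names are assumptions.
PRINT_LOG_CSV = """user,printer,document,pages
alice,HQ-Floor2-Laser,Q1 manifest.xlsx,4
bob,Microsoft Print to PDF,driver_roster.docx,12
bob,Microsoft XPS Document Writer,driver_roster.docx,12
carol,HQ-Floor2-Laser,invoice_8841.pdf,2
dave,Home-Inkjet (redirected),route_plan.pdf,7
"""

# Constructed poll answers: did the worker say they print while remote?
POLL = {"alice": True, "bob": False, "carol": False, "dave": True, "erin": True}

# Virtual printers that produce files instead of paper (the PDF/XPS workaround).
FILE_PRINTERS = ("print to pdf", "xps document writer")


def reconcile(log_csv, poll):
    """Compare logged print activity with poll answers and return discrepancies."""
    pages_by_user = {}
    file_print_users = set()
    for row in csv.DictReader(io.StringIO(log_csv)):
        user = row["user"].strip().lower()
        pages_by_user[user] = pages_by_user.get(user, 0) + int(row["pages"])
        if any(name in row["printer"].lower() for name in FILE_PRINTERS):
            file_print_users.add(user)
    return {
        # Logged printing by people who told the poll they do not print.
        "printed_but_said_no": sorted(u for u in pages_by_user if poll.get(u) is False),
        # Said they print but nothing is logged: printing outside monitored
        # channels, or a need to print that the current setup blocks.
        "said_yes_but_no_log": sorted(u for u, a in poll.items() if a and u not in pages_by_user),
        # Users present in the logs who never answered the poll.
        "not_polled": sorted(u for u in pages_by_user if u not in poll),
        # Users who printed to a file, which can then leave the work system.
        "printed_to_file": sorted(file_print_users),
        "pages_by_user": pages_by_user,
    }


if __name__ == "__main__":
    for key, value in reconcile(PRINT_LOG_CSV, POLL).items():
        print(f"{key}: {value}")
```

Each list is a follow-up queue rather than a verdict: a "said yes but no log" worker may simply be printing on a system that is not logged, which is itself worth knowing before relaxing printing rules.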

Further Reading

Dealing with Vampires: Securing Legacy Systems that Can’t Be Upgraded, Jan. 9, 2019

10 Steps to Successful Data Loss Prevention (DLP), Aug. 13, 2018

Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.

