With COVID-19 and the rush to remote work, many organizations are finding their remote work plans do not properly consider the technologies and techniques used in remote printing. While it is possible to print remotely from some systems, it is not possible to do so from others. Moreover, it can be difficult to prevent remote printing from certain systems. Organizations should consider these issues and their risk tolerances as they revamp their remote work strategies. They should also evaluate the use of virtual data rooms and zero trust designs for the future of remote work.
The security team for an organization in the transportation sector would like some guidance around secure printing and shredding capabilities for remote workers. Specifically, the team asks:
- Are companies enabling users to use their home printers, and if so, how is that done? Do they allow split tunneling on the virtual private network (VPN) so employees can access their home printer while connected to the office?
- How are companies handling the issue of shredding? Do they ask employees to store everything in a box and bring it in for shredding once everyone is back on-site, or should employees handle disposal themselves?
- What are some other options in a remote scenario?
Paperless Processes? Not So Much
Prior to COVID-19, many organizations did not allow remote workers to use their home printers, but with a majority of people working remotely, it is becoming apparent that some workflows do not adapt to paperless processes as easily as people once believed. In the past, remote work has often either been:
- Short-term, in which case printing issues could just wait a day or two.
- Extended, but focused on a small number of people, in which case individuals in the office could take on the additional printing work.
Several strategies can address these issues, but which ones work best will depend on the type of work and the environment itself.
The Problem with VPNs
Before we get to printing issues, we first must understand the issue with VPNs. Traditional security advice for VPNs is to avoid split tunneling and to place the workers’ systems on the corporate network – directly or within a remote connection DMZ, depending on program maturity. However, this very design also prevents workers from accessing any resources they may have in their home, because split tunneling is required to split the traffic so the home network may be accessed. In fact, even when split tunneling is allowed, it’s primarily designed as a way to offload the VPN system by providing direct local access to the internet, not the home network.
Additionally, many legacy systems cannot handle remote/home printing. They are hard-coded with specific printing sources built directly into the system, with no printing allowed via the workstation. This design pattern means that even if a remote workstation were able to connect to the legacy system, it would not be able to print to any home network printers because those printers not only aren’t configured, but likely cannot be configured, since the legacy system doesn’t have access over the unidirectional VPN.
As is often the case when security controls interfere with operations, people do their best to circumvent them. Classically, in this situation, people tend to leverage native print-drivers to “print” to a PDF or XPS file, which can be saved to their local system. They will then disconnect from the VPN and print to their local printer, and then reconnect to continue with their work. Workers with multiple systems may even use two different computers, one to work from and another to print from, using USB drives to copy the data between the systems.
These approaches, of course, present security risks. Uncontrolled printing can result in the proliferation of sensitive data in:
- Printouts, which will require an additional new process around shredding of those documents (see the sidebar, “Work-from-Home Shredding Strategies”).
- PDF files on the workers’ work system, home system, any number of USB drives and the local printer.
The potential for malware to migrate from the home system to the work system via USB or across the VPN also exists.
Additionally, the advent of cloud printing can allow workers to link their home printer to their Google account, then log into that account from both the home machine and the work machine and print from work using Google as an intermediary – which ends up sending sensitive data to Google as well.
At present, most companies are simply loosening security controls, figuring that allowing workers to work outweighs the risks they face. This approach is untenable and will not last for long as an industry trend, but in the middle of a pandemic, it is the approach that works for many.
Once business as usual resumes, it will be possible to more objectively review risk levels, allowing some companies to simply accept these new looser controls and others to address the security issues through fundamental workflow reinvention.
There are many elements to such workflow reinvention, including:
- Eliminating or simplifying the printing process. Companies should determine whether printing is even needed and adjust practices to eliminate the requirement. This approach may involve eliminating or changing legacy systems. Other approaches may involve identifying how people use paper and leveraging automation processes to streamline workflows to push any needed printing to a single point in a process – reducing the complexity of the printing process.
- Eliminating the need for VPNs. This approach relies on both web services and zero trust designs, so that remote workers have a similar experience wherever they happen to work. This style of work is transformative and will require both new technologies and, for workforces that have difficulty adapting to new processes, potentially new personnel as well.
- Virtual data rooms. Virtual data rooms have been used for years to share information with individuals who may not have the technical skill to keep it protected. By uploading documents to a data room service, groups like board members and mergers and acquisitions (M&A) teams can review documents, but the documents and any annotations stay within the data room. Currently, such data rooms exist as applications for most common operating systems, but as paper is phased out of business processes, it would be wise to standardize on a single paper replacement type. Apple’s iPad and Google’s Pixel Slate would be leading contenders, although the upcoming reMarkable 2 shows promise as a potential and more secure force of disruption. The use of virtual data rooms will almost certainly expand post-pandemic.
Remote Printing Strategies for Today
Recommendations for the future are useful, but most organizations need to know what to do right now. To get a handle on the remote printing issue:
- Poll workers to find out who is printing, and who needs to print and cannot.
- Work with business and system experts to remove a need for printing wherever possible.
- Identify which document types should never be printed, and educate the workforce.
- Only after the above is complete, consider relaxing printing rules to allow workers to perform essential jobs.
- Create a document storage plan for future shredding and convey it to existing workers.
In particularly risk-averse organizations, consider reviewing print logs for critical systems and any remote-print technologies (Google, Citrix, VDI, etc.) to verify the accuracy of the polling data prior to following the plan above.
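One way to carry out the log review described above, shown as an added example that is not part of the original article: it reconciles a print-job export with the poll answers and flags jobs sent to file-writing virtual printers (the print-to-PDF/XPS workaround). The CSV columns, user names, documents and the physical printer name are constructed for illustration; the two virtual printer names are the Windows built-in drivers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: print events exported to CSV (for example from a print
# server's job log). The column names are assumptions made for this example.
PRINT_LOG = """\
timestamp,user,printer,document,pages
2020-04-02T09:14:00,asmith,Microsoft Print to PDF,manifest_0412.xlsx,3
2020-04-02T09:40:00,asmith,HQ-Floor2-Laser,manifest_0412.xlsx,3
2020-04-03T11:02:00,bjones,Microsoft XPS Document Writer,driver_roster.docx,12
2020-04-03T13:30:00,cwu,HQ-Floor2-Laser,timesheet.pdf,1
2020-04-06T08:05:00,dlee,Microsoft Print to PDF,rate_sheet.pdf,2
"""

# Constructed poll answers: does the worker say they print while remote?
POLL = {"asmith": True, "bjones": False, "cwu": True, "dlee": False, "evans": True}

# Virtual printers that write a file instead of paper. Extend this tuple with
# whatever virtual drivers are deployed in the environment.
FILE_PRINTERS = ("print to pdf", "xps document writer")


def reconcile(log_text, poll):
    """Compare print-log activity with poll answers, per user."""
    jobs = defaultdict(lambda: {"paper": 0, "file": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"].strip().lower()
        printer = row["printer"].lower()
        kind = "file" if any(p in printer for p in FILE_PRINTERS) else "paper"
        jobs[user][kind] += 1

    report = {"unreported": [], "file_output": [], "no_logged_jobs": [], "not_polled": []}
    for user, counts in sorted(jobs.items()):
        if user not in poll:
            report["not_polled"].append(user)
        elif not poll[user]:
            report["unreported"].append(user)    # logs show printing, poll said no
        if counts["file"]:
            report["file_output"].append(user)   # data may now sit in local files
    # Said they print but no job is logged: blocked, or printing out of band.
    report["no_logged_jobs"] = sorted(u for u, says in poll.items() if says and u not in jobs)
    return report


if __name__ == "__main__":
    for finding, users in reconcile(PRINT_LOG, POLL).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Users in `file_output` and `no_logged_jobs` are the ones to follow up with first, since their documents may be leaving the controlled printing path.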
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.