Q

How secure are document scanners and other 'scan to email' appliances?

Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices.

It seems that every new copier now has a scan-to-email feature that allows a document to be scanned, converted to a PDF and emailed directly from the copier itself. Since there is no provision for encryption or password protection, even though the attachment isn't in plain text, how secure is the scan-to-email feature and the resulting attachment?

Copiers and document scanners have always posed challenges for information security teams. Currently, professionals use data classification and acceptable usage policies to control these devices. Also, for compliance and audit purposes, log data often shows when a device is being used and who is using it.

As far as I am aware, we haven't reached the point yet where copiers have their own built-in mail servers. So when a document is copied or scanned on a device that has an "email to" feature, the document is attached to a new email message. The client email application then sends the message to the recipient via a mail server. The use of a mail server allows gateway antivirus software and application-layer firewalls to scan the outbound email and its attachment. Also, the mail server will provide the logging service, creating an audit trail of who sent what and when. Many vendors actually now include bundled software packages that give a wide choice of file-distribution options. Canon, for example, has a scanning application called CapturePerfect; its security features allow users to encrypt scanned documents and control viewing, printing and editing privileges of the PDF files that the tool creates.

If you are concerned about the lack of security in your scan-to-email devices, then I would look to upgrade to a product that offers the necessary security features. Keep in mind these features need to be backed up by an enforced data classification policy; that way, users will know which documents and information have to be protected and which can be copied and emailed in the standard way.

Many organizations feel that they do not need to classify data. A typical comment often heard is, "We're not the secret service." However, if you do not classify data and documents in any way, it is impossible to know what needs protection and what does not. Data classification provides employees with a means to evaluate and protect sensitive information. It also minimizes -- or hopefully eliminates -- the risk of data breaches. Scanning the monthly office newsletter obviously poses no risks or concerns regarding security, but scanning a yet-to-be-released press announcement can lead to early and inappropriate disclosure of sensitive corporate information.

For confidential information, a common faxing policy is to only permit sending between approved locations and with the recipient standing by. If such documents are now being scanned to email, then they should only be emailed internally and with a request for confirmation of receipt. For distribution outside of the organization, approved encryption should be used where possible, and, again, a receipt confirmation should be obtained.

For strictly confidential information, the sender should ensure that all copies have been received by direct contact. In this case, transmitted copies should be deleted from a mail system once secured locally. Copying to third parties should be made subject to a non-disclosure agreement.


This was first published in May 2007