Key Strategies for Data Security

In this SolimarSecret video, we discuss data security, highlighting four key strategies to protect sensitive data:

1. Redaction:
To protect sensitive data, the best approach is to remove it whenever possible. Solimar’s software offers a redaction feature that permanently removes sensitive information from documents, optionally replacing it with characters like ‘x’ or ‘0’. The more sensitive data is removed, the lower the risk of unauthorized access.

2. Data Obfuscation:
When sharing data with vendors is necessary for testing or troubleshooting, Solimar’s software can intelligently replace sensitive data with random characters. Users control which words to skip, and numbers are replaced with random equivalents, ensuring data formatting remains intact while sensitive information is concealed.

3. Pantographs:
A pantograph is a hidden security feature embedded in the background of a document. When you print the original under controlled conditions, it looks completely normal to the naked eye, but when someone copies or scans that document, a hidden message like “void”, “not official”, or any warning you choose shows clearly in the reproduction. Each of these features addresses vulnerabilities from different angles, and together they create a three-layer defense that catches counterfeiters at multiple checkpoints. In the examples shown in the video, the background of the original print appears clean, and when it is copied, the hidden message of “not official” or “void” becomes visible. This provides a clear deterrent against unauthorized reproduction.

4. Data Retention Control:
Solimar products offer configurable options for retaining job-related data. It is essential to be intentional about data retention, ensuring that sensitive data lingers only briefly. Setting dynamic deletion dates for data and documents significantly reduces the risk of data breaches.

5. Encryption & Decryption:
Solimar employs encryption and decryption to protect data at rest and in transit. Data at rest, such as files stored on servers or printers, can be encrypted using PDF encryption, making it extremely difficult for unauthorized users to access the data. Solimar keeps pace with evolving encryption standards to stay ahead of potential threats. Solimar utilizes encryption methods for data in transit, like COM Packet Privacy, IPSec, and HTTPS with SSL Certificates. Even the transfer of output to printers is considered, with support for encrypted print streams when needed.
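The obfuscation approach in item 2 (skip chosen words, replace everything else with random content of the same type) can be sketched as follows. This is an added example, not Solimar's code or algorithm; the skip list, the function names and the sample record are assumptions constructed for illustration.

```python
import re
import secrets
import string

# Hypothetical skip list: labels and headings that stay readable.
SKIP_WORDS = frozenset({"name", "account", "balance", "statement"})
_TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")

def _like(ch):
    """Random character of the same class (digit, upper, lower) as ch."""
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    return ch  # punctuation, whitespace and uncased scripts pass through

def obfuscate(text, skip_words=SKIP_WORDS):
    """Replace every word and number not on the skip list, keeping layout."""
    out = []
    for tok in _TOKEN.findall(text):
        if tok.lower() in skip_words:
            out.append(tok)  # label kept so the layout still reads
            continue
        new = "".join(_like(c) for c in tok)
        # Re-draw so an ASCII word or number never survives by chance.
        while new == tok and tok.isascii() and tok.isalnum():
            new = "".join(_like(c) for c in tok)
        out.append(new)
    return "".join(out)

def shape(text):
    """Collapse text to its format: 9 = digit, A = upper, a = lower."""
    return "".join("9" if c.isdigit() else "A" if c.isupper()
                   else "a" if c.islower() else c for c in text)

# Constructed sample record, not real data.
SAMPLE = "Name: Jane Doe\nAccount: 4532-9981-0042\nBalance: $1,204.55"

if __name__ == "__main__":
    masked = obfuscate(SAMPLE)
    print(masked)
    print("format preserved:", shape(masked) == shape(SAMPLE))
```

Comparing `shape()` of the input and output is a quick check before a file leaves the building; field lengths and layout are still visible to the recipient, so anything that is sensitive by length or position needs redaction instead.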

We emphasize the importance of being proactive in managing data security and suggest considering the legal retention periods for financial records so that outdated documents can be deleted, reducing risk safely.

Furthermore, we would like to highlight that Solimar’s InfoSec White Paper provides a comprehensive resource for understanding these strategies and other aspects of data security. This paper is accessible through SUO (Solimar University Online) and can be obtained from Solimar’s support or sales representatives.

In conclusion, Solimar Systems offers a multifaceted approach to data security, including redaction, obfuscation, data retention control, and encryption. It enables organizations to protect their sensitive data effectively and reduce the risk of unauthorized access or data breaches.

Hello. Welcome to the session on data security. Solimar’s Chemistry platform processes many millions of highly confidential documents every day as part of the infrastructure of some of the most locked down, secure environments available. Our support for data security isn’t really a product, but more of a combination of features and processes that can help to protect sensitive data and prevent data loss through unauthorized access.

You really don’t want to deal with the breach of information and the costs associated with remediation and legal expenses, in addition to the reputation consequences that can occur. This session will overview concepts about how our solutions can help you to keep your data safe related to removing sensitive information, how long documents are kept, and encrypting the data at various stages in the workflow, along with controlling the back-end processes.

The first category for security is removing information from the data that you don’t want exposed, which has three parts.

The first part is hiding data by placing opaque objects on top of the content. But this is really only recommended when the output is printed and not for electronic delivery, since the data is still there; it just won’t show up on the printed output. If electronic output is needed with this method, you could convert the output into a raster image so the hidden information doesn’t show up, but then the output isn’t searchable and the file size is larger. So, we have a better solution than this with redaction.

With redaction, the content can be completely removed, so it’s the ideal way to protect sensitive information, since if it’s not there, it can’t be accessed. You might not be able to remove all the personal information if it needs to be accessed, but where possible, this is an excellent approach. Redaction doesn’t just mask the data in the documents, it removes it from the documents permanently and can optionally replace it with other information such as zeros. The more sensitive information you can remove, the less exposure there is at risk.

The third part of removing content is with our ability to obfuscate the output by smartly replacing it with random characters. You can specify words you want to skip, such as headings and labels, so the document layout still makes sense. The content is replaced with the same object types, such as numbers being replaced with random numbers to ensure that the tables and other data maintain the basic format. This method makes it possible to see text and formatting, but can completely remove sensitive information while maintaining the structure of the document. This feature is especially useful in working with software and hardware vendors when you need to provide output for testing or troubleshooting purposes, but you can’t because it contains sensitive data.

A related topic to protecting data is methods to protect information after it’s been printed as a physical document. This includes strategies such as micro text printing, where text is printed that’s too small to read, but it’s clear when viewed with magnification, and becomes blurred when copied. You add layers of personalized or corporate-specific watermarks into the output that’s visible or semi-visible, so your brand stays protected and your documents stay authentic. Using masking techniques and overlays of patterns and security tints can make unauthorized replication or alteration exponentially harder.

We can add barcodes and QR codes to the output, which can extend security beyond what the eye can see by tying each document to a secure database, giving you complete traceability and authentication for every piece you produce. A pantograph is a hidden security feature embedded in the background of a document. When you print the original under controlled conditions, it looks completely normal to the naked eye, but when someone copies or scans that document, a hidden message like “void”, “not official”, or any warning you choose shows clearly in the reproduction. Each of these features addresses vulnerabilities from different angles, and together they create a three-layer defense that catches counterfeiters at multiple checkpoints. Here are a couple examples of the pantograph: on the original print, the background appears clean, and when copied, the hidden message of “not official” or “void” becomes visible. This provides a clear deterrent against unauthorized reproduction.

Pantographs exploit how scanners and copiers process background screens, halftones and fine patterns. By designing patterns with specific frequencies and contrast, your legitimate prints maintain clean backgrounds, while unauthorized reproduction reveals the embedded warning. These are commonly used with documents that matter the most, such as checks and financial documents, diplomas and education, tickets and passes for event organizers, and government agencies with outputs such as licenses and permits. Implementing pantographs doesn’t require specialized inks or exotic substrates, so it’s a low-cost, highly effective deterrent for protecting the original output. With our Rubika solution, you can make modifications to your composed print streams to easily introduce these strategies to help build a complete security ecosystem.

The next category for security is managing how long documents remain accessible in the workflow components. The solutions in our Chemistry platform have configurable options for retaining the job-related data, so you can help to ensure that the data isn’t hanging around unless it’s absolutely needed. As a best practice, we encourage you to be intentional about data retention and remove files with sensitive data as quickly as you can, since data that you don’t have is data that can’t be breached. You may need to retain files for several years for compliance and others just until the shift ends for reprints. In either case, as soon as the retention period is met, the files should be purged. For example, a major part of records management is determining retention periods, such as with financial and documents that may have a legal retention period. In our solutions, there are flexible options for controlling the retention period, which helps to mitigate risk and recover storage space.

If you can’t remove data, another great way to protect it is with encrypting the data when it’s stored at rest or being transferred, which brings us to our third and fourth topics. Encryption of data at rest is where you encrypt files that are stored on your production servers, printers, database, and basically everywhere in your environment where the files are being stored. Our Chemistry platform supports several methods to encrypt data at rest, such as when creating PDF files. You can use PDF encryption, which requires users to key in a password to control what users can do with the PDF content. For example, there are controls for printing, modifying, and copying content, and even an additional owner or user password. Once encrypted, PDF files are almost impossible to break and the encryption method supported by PDF continues to advance.

Our SOLsearcher Enterprise archive system can be secured using many encryption options for the data at rest, including encryption for the index information stored in the database, as well as various disk encryption options for the documents themselves, such as Encrypted File System or EFS, BitLocker and Transparent Data Encryption or TDE.

Next is the encryption of data when it’s being transferred between machines and devices, so that they can be protected from applications that would sniff those packets of data with malintent. Encrypting data in flight entails encrypting the data before transmission, authenticating the endpoint, and decrypting and verifying the data upon arrival. For example, our SOLsearcher archive system achieves this using COM packet privacy, IPSEC, and HTTPS with SSL certificates when presenting files to users. The topic of encryption related to data transmission, typically not considered, is the transfer of output to the printers. Many times, these systems live inside very controlled network security environments, but many times they don’t. Or you may want an added layer of security for printers that can support encrypted IPP. We can spool encrypted print streams directly to the printer, providing in-flight encryption all the way to the printer.

One of the most important considerations with archive systems, dashboards, and portals is controlling access to the content in the first place. Key features related to this are supporting data security by creating users and groups, each with specific access rights for the archives and the production job categories. The goal is to provide a zero-trust environment when it comes to controlling access to content based on individual users and specified groups, along with implementing the document security settings down to the final report and index field levels. For example, SSE has this covered with many features that help to enable a zero-trust environment with a centralized document repository that allows information to remain here, yet accessible only for the intended recipients, which is key to help support a variety of industry compliance regulations. The solution will also capture detailed user access, document utilization, and system event information that can be analyzed in support of a variety of compliance initiatives.

Our highly flexible security mechanisms support authenticating users through existing network methods, or you can create internal social structure only identities. For example, the frontline defense for restricting access to data can be controlled with requiring a login to the application archive system or the portal. This is especially useful for hosting files on SSE, or exposing the SOLitrack dashboard to your internal or external customers. For convenience and standardization, these solutions support authenticating against external identity providers using OpenID Connect. So, once configured, users can log in with their Google account for a single sign-on.

Controlling user access into the back-end systems, and what users can configure or change in the systems, is an additional layer of security to implement. Throughout our solutions you can define the security rules for your users and groups to control who has access to the configuration settings and what they can do with them, as well as print jobs and what actions can be taken with them. The multi-level security enables administrators to set rules that limit access and actions for the objects in the configuration, and to determine what interfaces are available to each user. For example, an administrator could prevent a group from accessing a job queue, prohibit a user from making configuration changes, and allow others to fully control some queues, but only monitoring processing activity for others and deny access to others. Your printer operators could be limited to only see the information related to their areas of production, and users that just want to see the summary report data can be limited to reports they are interested in, with no access to the back-end system configuration settings at all. The information contained here and much more is available in our white paper on security and zero-trust environments.

This paper is available on our Solimar University Online platform, where you can request a copy from our team. Thank you very much for your time. If you have any questions, we’re easy to reach and look forward to hearing from you.

Mary Ann Rowan - Solimar Press Contact
