Secure Printing with uniFLOW [video]

Let's get started since you're all here. My name is Jeff King. I'm the chief technology officer for Loffler. I've been with the organization about 14 years. I've been in print over 25 years so I've worked in print technologies for a long time.

I'm John Turner, the Director of our Management Print Services Division and I also do our community involvement program and more recently our Customer Success Program. I've been in the industry for 36 plus years, so I started when I was 10. 

So do your companies have a customer success program initiative? Recently, a week ago we just hired a company to survey on our behalf for a Net Promoter Score. Did anybody get an email and fill out a survey? Because we got a bunch from some Laser Systems acquisitions. Thanks for having us today.

-[Jeff] First of all, quick show of hands how many people have a secured print infrastructure today? We're here to talk about the newest secure print ecosystem. Of course this thing worked up until the time that I started the presentation. So kind of a fun little slide, which is can you find the potential security risks below? I know it's a kind of small slide that's up there but I will just kind of tap through this thing, or maybe not. Let's see if I can actually, get this thing to work otherwise I'll make John sit on the floor and go "click, click click". Let's see if it'll hold it together now. So you have documents left on the printer.

[John] He is our chief technology officer. He makes a lot of decisions on what we do in the infrastructure.

And the device access stuff is left open. It's kind of hard to see, but it's true, right? Unauthorized printing of sensitive documents. Visiting staff with mobile devices. Customer files over here sitting out in the open on printers. Those are some of the potential security risks that we have inside of organizations every day. You walk around your own facility you might find these security risks. So how can you address these security risks? This is what we're going to talk about today. Education about and access to your multifunctional devices. Using card authentication on your devices for data security. and securing hard drives. So many of those devices have overwrite technology on them to meet government standards. Audit log, you know nobody likes to play Big Brother right, but we'll talk a little bit about that as we go through the presentation.

Authentication for secure guest printing; printing for mobile devices

Who's got a mobile device on them today? Information management, government information management solutions for documents involves either archiving them or putting them into a secure location so they can't be found.

MPS: Reduce personal printers or include in management. John just left so I can talk about a minute. John and I have a love-hate relationship; he's a director of print management services, selling HPs on contract and managing those HPs. My job is to right-size your organization and secure the organization which includes removing HP printers and consolidating those down. John loves to hate me because my job is to take his printers out and to secure your infrastructure and to help right size your organization from a cost savings perspective. 

[John] It's kind of odd for us as a company that makes money on clicks. But we actually measured a year ago and  our revenue went down by a million dollars on clicks. Customers aren't printing as much anymore so it's a true proven fact. You're probably talking about this 20-30% reduction, and we see it as a company as well.

[Jeff] Here is our strategy. You'd think that part of our business is the click business, driving print, wanting you to print more, but the reality is that what we're trying to do is help you secure your devices and reduce your costs 20-25% through Follow-Me-Print technology, which is that number John just spoke about.

It's really reduced costs, consolidation of vendors and right-sizing devices and processes to increase your productivity where we actually see costs and management on the client end reduce. Of course accelerating business processes improves your workflows on multifunctional devices as well. They can be on-ramps into sub-document workflow pieces which we'll talk a little bit about later.

[John] We've talked a little bit about single function or desktop printers, but what Jeff was just talking about is our goal to look at your total print infrastructure. This includes all your multifunctional devices – it's going to be your desktop and multifunction HP devices. It can be a fax machine, or a scan machine, so we look at all those assets together as a whole in your print eco-structure. I'm going to talk today from a security standpoint as it relates to your single function device.

Here's some new security data from interviewing CIOs across the enterprises; only 3% of organizations are really completely confident about their print infrastructure. Today internal threats are more worrisome than external threats, so a CIO is not that concerned about their printer because they think they're behind the firewall; they think that they can't touch these things but then you start getting phishing emails. I got two of them I didn't bring them to show you, but there they were really, really well done.

One was from Jim Loffler. Well you know I'm going to respond or I'm gonna click on something from Jim, right? Until I saw that his email was wrong and I got another one from ADP. They will say click here for your latest payroll statement. Well, we don't use ADP, but what if we did? You're going to go click on those things and it's going to send some malware into your [system]. It's going to send something into your infrastructure that can attach to single function printers and they take that as a turning point to move on into your network.

There are real threats out there and most of the threats today are coming from internal employees. Have you been getting any phishing emails that everyone's been dealing with? It's really a threat out there. Traditionally data losses are going to be things left on your multifunctional devices. You still have paper piling up on your copiers that you've got to sort through when you go to the printer. You're looking through everybody else's print jobs or you set them aside. We had one client that's in the financial industry, an industry that needs to be very compliant. They used to have a table next to their multifunctional device that they set things on. Oh my gosh, really? They're both threats. Those threats are real, especially if you're in an industry that needs to be very compliant.

From an IT standpoint you're taking measures to secure your PCs and laptops; you wouldn't think twice about not securing those things, would you? But at the same time what about that little printer? Well the printer is no different than your PC or laptop is it? It's got a scanner on it, it can scan to email, they can print, you can copy they have a hard drive. It's just a big risk, as big of a risk sitting on your network as your multifunctional devices or your PCs and laptops, so being able to to come up with a way to secure these is very important. 

This will show you how to hack an HP 4250. I mean it's just that easy. Hackers today, that's what they're doing. They're out there having fun. I was at an HP conference, and remember the guy that watched the attack that brought down Ebates website, and it was like a multi-billion dollar a day? Remember that one? He was 13 years old so he now works for HP and he's doing compliance with companies to say let me come hack you and I'll show you you're not secure. In our presentation, he hacked a printer while we were sitting there. So it's real. It's out there and it's very easy for people to do it.

Have you seen that HP video with the wolf? Anybody see that with Christian Slater, and you know at the end of it they say,"Why am i doing it? Because I can!" So you don't have to have too many reasons to hack somebody. You know the horse and buggies out in New York that take you for a ride? That small business person got hacked. That guy's company got hacked. What would be the rationale of hacking a horse and buggy company? What were they after? It was an animal activist company. So people have different reasons for doing it and one of them is it's just a matter of time before they do it.

HP has specifically started securing each device with t systems so you can't access the BIOS with the Sure Start. So it will boot up if there's been any changes to that, it will shut down automatically and reboot. Same thing with the firmware. It's always looking for a golden copy of it. If it sees that anything's been changed, it will reboot and install that golden copy of the firmware. These are all standard out of the box things from HP. They're really bringing a lot of their security things to the hardware as well as related software. If somebody is trying to hack files it will sense, it will see it coming. On the HP connection inspector it's looking for weird-looking data transmissions coming in and out and it will shut itself down. It's very secure and on all of the new Enterprise series HP devices that have been made in the last two years.

They also have a software called "Security Manager" that they're using, and what that does is look at 250 different printing policies that are available for you to test. When you apply that it will search your entire HP fleet and if there's something going wrong, it will actually remediate it. If it can remediate it, it will send a little back to you to tell you. So it's monitoring all of your print policies that you set forth and when you enter a new device in there it will assign all of those print policies to them automatically. So very good and powerful software that was implemented by a bank system so we have some references for you on that as well. One last thing that we'll talk about that's a tool is firmware. A lot of the new patches, when it comes to the single function and multifunctional HPs, have to do with security. They have a tool that we can install and it just doesn't test, it will look at your entire fleet and tell you what your firmware is like on your different models. It categorizes it into a red, yellow or green area for security bulletins.

It helps keep you up-to-date on your firmware as well because there's more end support. A very cool tool to quickly look at your fleet in terms of its security patching, is firmware issues. This is a free assessment that we can provide for you. It requires an install of one piece of software for us to assess. You just need to show me serial number and the firmware and then we could run that for you.

Switching gears a little bit, you know the HP thing part is not that exciting right? Most IT folks would like to get rid of printers or not manage printers or not talk about printers. It's kind of always the bane of IT's existence to deal with it.

One of the products that we represent is uniFLOW, cloud-based Secure-Follow-Me-Printing. How many people like to move their stuff to the cloud? Yeah, a lot of IT people. That's the number one question we get, which is when can you move this stuff off premise and put it in the cloud? So we're going to talk a little bit about that. PaperCut and YSOFT safeq are the product lines that we currently represent when we start talking about output management.

Let's talk about some of these features such as authentication. How many people use HID readers to get into your buildings today? A lot of us do. We use those HID card authentication technologies to tap into the multifunctional devices. Right, we don't need to talk to your security system. We don't need to integrate with any of that. What we do is we read the magnetic information that's on this card with their HID card readers and we input that into your user profile so you can walk up to any device in your infrastructure and tap your badge and gain access to that device. We'll talk about what that looks like.

Print confidential documents securely

How many people have implemented a Follow-Me-Print strategy? We'll talk a little bit about what that means and what's it looks like architecturally to send print jobs from anywhere. I asked the question at the very beginning about how many people use mobile phones – we all raise our hands. The next thing is we'd all like to be able to print from those mobile phones seamlessly, as much as we possibly can.

We'd even like to actually authenticate from those phones using near field communications and Bluetooth technology. How many people have an iPhone? You just upgraded the latest and greatest iOS 11 right, and now every single time you access an application that says you want to log in using Bluetooth in those type of technologies. Pretty soon we'll be able to use HID card reader technology on multifunctional devices. It should be able to align with your phone, so you put your phone up by the reader to recognize who you are and authenticate you. We carry those things wherever we go. It's like having an extra fingerprint.

Track scan and copy costs

We worked with a company a long time ago, I won't say their name, but I walked by a multifunctional device that was printing. I looked at it and here was someone printing out the contents of CRM. Client information. That individual was getting ready to leave that organization and so that was their way of taking collateral because they were printing that information up. There'd be no way to know if you didn't have something in place to understand where that data breach occurred. 

And why did they do it? Or better yet how many people see their color prints increase around the holidays? Because people are printing out their Christmas letters. They're printing out their Christmas cards and all the other stuff that consumes color. Again knowledge is power in that case, so you call up your sales rep and say, hey you know what our color is kind of out of whack this month. It's our ability to be able to give you some statistical information back that says "here's what your print environment looks like" or as John and I talked about, right-sizing your organization, do I need that printer that's sitting over here in the corner because I have a multifunctional device just a little bit down the way. Do I really need that?

Your users will argue they will right? Do you really know what's happening on that HP? No, because you don't have a managed environment because we're not tracking the print. So you really can't go to that individual and say I see that you print 200 images a month on this HP. This is the kind of printing information you need – do you still need to print or could we just be looking at that electronically? Or why can't you send that to the multifunctional? Because it's confidential?

Using these multifunctional devices as on-ramps into workflows provides better workflow productivity. Processes such as scanning for your accounts payable process, read barcodes, extract database barcodes all of those things are possible with these technology platforms.

So let's talk a little bit about what this means. I'm using uniFLOW as a base example; PaperCut  and YSOFT work in a similar fashion, but I'm just using uniFLOW as the baseline for today's discussion. In the uniFLOW world we've got this thing called the MOM server. Modular Output Management is what it stands for. I always say MOMS control everything right? This MOM server controls the print infrastructure. It's where a single database sits or attaches to your single server. It's where we're doing everything associated with this architecture and so it's a single pane of glass from an IT infrastructure to log into that web-base technology platform, set it up and push it out to all your devices.

One of our target uniFLOW installations which was SpartanNash, everyone knows who they are, because they have a facility here. SpartanNash is one of our largest uniFLOW implementations. We've got print servers all over the US for them and we're managing that seamlessly from Grand Rapids, MI through their main uniFLOW server. That's where we collect all their data. Our second largest implementation, actually it's probably the largest implementation, we just took over from a company in England. The uniFLOW print server sits in the British Isles right off the coast of France. We have print servers all over the world servicing Canon multifunctional devices with uniFLOW, but it's all seamlessly managed and monitored from the British Isles.

That's how extensible the platform can be. We can break it down into something very simple and small, one or two device implementations, all the way up to thousands of devices across the world. So here you have your print server, although today most people want to get rid of their print servers, but that's another story.

In this particular case PC attached to a series of multifunctional devices and/or printers so I as a user today would send my job not to a specific device but to this mobile print queue. From my workstation I go Follow-Me-Print to pick the Follow-Me-Print driver. My job goes to this little print queue and waits. What it is waiting for me to do, is to walk up to a multifunctional device and authenticate and have my job to come to that device. I'll talk a little bit about that here in just a moment in terms of what it looks like. What allows our knowledge workers to do, the people inside of our organization, is to approach any device in the infrastructure, tap their badge, and their job follows them to that device. So I'm no longer tied to the device. I'm tied into the global print queue; from there I go anywhere. I could go halfway across the world and retrieve my job. Seeing a print queue that's sitting in the US, global strategy users love it because they don't like doing the sprint to print.

You're no longer printing your job and rushing to the printer, because it's confidential information, to grab my document off of the printer, in hopes that I didn't grab half of John's job with it. Because that happens – people go up to the printer, shuffle through,  you know take their stuff out that they need and messily stick the rest of it back in the print tray and walk away. If you're lucky right, maybe they shove it on the counter, but who knows?

So what implementing this kind of technology strategy does is a couple things:
A: Secure Prints
B: Stop the sprint to print
C. Reduce abandoned print

How many people today can walk through their office with a box and pick up print jobs off of the printers? Right, think about it. Do it sometime. Take a box and walk through the organization at the end of the day and pick up all the paper that's sitting on your printers. Try it for a week. This is where that 20-25% cost savings comes into play because of abandoned print we don't pick up. We digitally expire this print queue and historically our typical numbers are three days. We allow someone to print a document on Friday afternoon and you can still walk in Monday, tap their badge for jobs waiting for them in the secure print queue.

We have a strategy for single function devices, it's called a little release station that we could put on your single function. If I walked into a life insurance company in Minneapolis you'll find every single one of their devices secure. Including their HPs. I would say we would see a reduction on their HP print cycle. Majority of their uses could migrate onto the multifunctional devices because they like the quality of it better. 

[John] They went from 256 devices to our recommendation of 100, of which six were multifunctional, and 42 were HPs and they were scared so they bought ten more printers and they never used those ten printers. Not only that, of the 40 remaining we're  recommending that they remove about 15 to 20 because there's no volume on them. People are just walking by them because they're printing to the multifunctional devices.

What do I get rid of when I go the Cloud?

I get rid of the MOM server and the print server. The mobile print queue still exists, it just exists elsewhere so I get freedom to get rid of some of this architecture, get rid of some of this infrastructure. We can do a hybrid where we still have some things on your premise and we push some things up into the Cloud. Maybe you've got smaller locations that are out there that have lower bandwidth, or you still want to create a secure print strategy for them. That's the kind of situation where you might have a lot of devices, so we'll still have some infrastructure on site, but then we'll push some of it into our Cloud infrastructure. On the Canon side we can actually use the multifunctional device host's secure print queue in an environment, so people have to go to the Canon.

On this particular Canon we are holding a print queue for them. Even if there are two Canons in that office they can walk over to another and tap their badge. It just references the other Canon device to pull the job across. There are some really cool things that we could do on the cloud-based side now that allows us to begin to reduce infrastructure internally which is what every IT per son I speak with wants to do. They want to get rid of their server management piece, so we can still track it, still scan and still do all that stuff without the need from a cloud perspective, so it's up in AWS. Actually I take that back it's an insured platform. It's extremely resilient and the other really cool part is that updating uniFLOW and updating the application side is that it's all done the cloud level. So from an IT perspective we don't have to say, "hey, we need to shut you down overnight so we can upgrade you or over the weekend". It's all done in the cloud. Let's just talk a little about how this looks and how it functions. If you've never seen this you know here we have the authentication side; we've got the device logged out and we can use pin codes. But if you're not a school or if you're not, you know, if you don't want to manage another set of credentials for users (most of our corporate environments we don't use pin codes), we already talked about each of these HID card authentications. Secondary form of authentication would be your AD credentials, your AD username or password.

On the uniFLOW side you'll notice here, if you've never seen what this looks like before, when we authenticate the device, we immediately take your users to this secure queue screen. Why do we do that? Because users don't want too many clicks; I didn't have to click three or four times to get to what they need. They don't like to do it because it takes too long, right? If you don't implement this, work is going to take longer, and workers will spend more time at the print device.

Let's see how I use the technology. I'm getting ready for a meeting. I want to proof my document to make sure that it looks good, that my thoughts are good, that everything is printing well before I print 10 more sets for the meeting. I try not to print but I still have to, you know, depending on what the meeting looks like, right? So I walk in; I select my job. I hit print and uniFLOW releases the job to the printer and it prints my job. I can now proof it. I can now go to my printed jobs queue and I can change my job options. I look at the device on the fly, maybe I forgot to staple it. Maybe I didn't want a duplex. Maybe now I need 10 more instead of just one so now I can change my job options at the device and go back to my workstation and resend the job. It's about efficiency, right?

In a lot of accounts we did not put this on their hands because they've just learned how to use it, right? It's making them more productive by being able to do that. This is especially important when we start talking about mobile print strategy because I can email a document into the server from my cell phone. I can send the PDF document to mobileprint@loffler.com. We bring that document in and process that document in my secure print queue. So when I walk into the office, tap my badge, that document's waiting in my secure print queue for me from my mobile device. I can go into my job options and see I need five more for that meeting and print, and away we go. Never had to touch my computer.

How many people scan email today? How many people scanned an email that comes from the device and not from your user account? Majority of the organizations that haven't secured their multifunctional devices today, it's coming from the device name. Right, who sees that?

Is that a security breach? Would you ever allow somebody from their workstation to send anonymous email? We don't, do we? Yet we allow our multifunctional devices to do it. Technically, I can walk into any of your organizations, walk up, write a threatening note and email it to the President of the United States. Or to the president of your company? Or you can threaten another employee and nobody would ever know who did it? It's anonymous. No footprint. That's a security breach, right? Right along with phishing. That's a huge security breach.

Did anybody get the Netflix email yesterday saying their user account was expired? Interestingly enough I got one both from Netflix and from Amazon yesterday; same day. Saying that my user account, my credit card on my account was expired you know, so luckily my wife was smart enough to send them to me. I said just look at the email address, you'll see it's phishing. Don't do anything.

Authenticated Scanning

Tapping your badge is the equivalency of single sign-on to a multifunctional device. I have credentials on the devices and on my computer right so now everything I do is registered to me, to my user account, and so my scanned email comes from my user account. I have full access to Outlook.

Better yet, let's scan to OneDrive. How many people have home directories? Directories out of the network where you can store personal documents? Most are going to think about the P Drive, U Drive, H Drives, home drives right? At Loffler our users are not allowed to scan to email. When they authenticated, we mapped the user's home directory. We put a full thread of the user's home directory, called scans, and they can scan documents, then drop it into their scans folder. If they want to email it they can go back to their workstation and email it from their user account.

Now it's not because we couldn't have one-use authenticated email, but once in email always in email. If they email to themselves, they take it out of email and put it in workstation, and they never delete the email. Why? Because it's my hard copy. Just in case I lose that file. So now from an IT perspective with office 365 you know we all have the gig storage; we all have a massive storage and it's all being backed under
the cloud. But there's an inherent risk in having certain information sitting there in email, in amounts that we really don't want in our email accounts because it could be a security breach. So why not drive up the security of the network? We can do that with workflow automation using authentication. So it can be scanned to a user's home directory, could be scanned to OneDrive, could be Sharepoint. It could be that HR needs a very specific workflow scan button to show up so they can scan employee reviews or different employee information.

So when HR taps in we can display the HR buttons on the screen. When somebody from accounting taps in, they see that AP workflow automation button show up and their home directory button show up. They don't care what HR does, so why display the button, right? Those are some cool things that we do with workflow automation as it relates to the multifunctional devices. I can fully search text, I can make a fully searchable PDF, I can read a barcode, I can separate by barcode. I can give a document based upon data that's a barcode. There's a lot of things that we do with workflow automation on the backend when we start talking about this type of technology platform. This little Scan 400 down here, we use this in a lot of shipping/receiving areas and it runs the exact same scan interface that our multifunctional devices do, up to including talking to the same uniFLOW server.

In the cities Twin Cities area, Dakota County, if you wanted to come to Dakota County, you would see these sitting there in our service center with buttons on them that says birth certificate, death certificate, tax statement. Behind the scenes are all specific work laws that we designed for Dakota County so users can walk in, stick their document in and hit the birth certificate button, scan it through and walk out the door. They never have to see anybody. Nobody's making a copy of their marriage certificate. It's all about efficiency from the user perspective. No shipping and receiving; it could be it's a packing list for traveling. Those can all be workflow things that can be set up for users that are in the warehouse working that we just create one touch buttons for them and it hits a workflow automation on the back end. Super cool things that we do. We get excited about this. This is the cool part.

So, again printing a copy in color. Knowledge is power. I've already said that you know it's just understanding what your environment looks like and understanding what your employees are doing. If you want to know who your top 10 color users are in the company we can kick a report out automatically. So, again now knowledge is power when it comes to just printing a copy and the accounting side.

Does anybody here bill back to specific user groups? Is anybody here a project management type, or architectural engineering, those type of things? You know those are all places that you can use the accounting piece of this to account for prints back to specific projects

[John] We have these tools to be able to tell you what your printer did for black and white and color. we tracked these three particular HP colored devices because they were printing like 5,000 color prints per month when they had a colored MFD right over there. We know exactly who did it. They can go right back to the person and have a conversation with them about just reprinting from here to there. Just another tool to help you find out where all the prints come from.

To wrap this thing up: Secure your printers,  looking at those you know, ensuring that they're secure, that necessary ports are closed. Has anybody gotten stuff where they walked in in the morning and there's been print on their printers and it says you've been hacked?

We've had a few cases of that in the Twin Cities. Markets, universities and stuff. There was a specific project by a group of students in University. What they did is they hacked a bunch of people's printers and they just said 'you've been hacked'. It was kind of a joke you know nobody that got it of course thought it was funny. But their point was that the printers are open, right?

You should really close that security gap so that's one of them. Two is the ability to right-size your organization. Look at your printers look at the placement of those printers I always jokingly say, "stick the screwdriver into the printer so it dies and never comes back," type of strategy because sometimes you just can't take them out because you get whiplash from that, especially in IT.

IT is always the big bad guy that comes to take away our stuff or makes it difficult for us to get our jobs done right. Secure those devices by looking at your workflows, looking at your scanning. That's what we're here for; that's what my team is about.