Choose your language

Choose your login

Support

Security considerations

This page applies to:

Anytime someone mentions ‘cloud’, the word ‘security’ is not far behind it - and with good reason. No-one wants to become part of the next ‘leak’ mentioned in the press, and everyone is skeptical of things getting stored ‘up in the cloud’.

PaperCut has a long history with print security and application security, ensuring our current print management products are watertight against hackers, students, PEN testers, accidents, and everything in between.

We’ve carried this security experience and knowledge into our cloud offerings and augmented them, treating them as seriously as a double-espresso. Our ethos has been to build the cloud and on-prem components of the solution with a default starting point of ‘always verify’ - to satisfy the most skeptical of cloud-avoiders.

The print job path

Let’s get this out of the way right away. If you’re not using the Cloud Node in your Edge Mesh, then your print jobs never go up to the cloud. It’s that simple!

Printing from PaperCut Pocket and Hive without a Cloud Node, showing the path of metadata and job data

A simplified view of the PaperCut Pocket and Hive printing process when not using the Cloud Node. The blue lines indicate metadata or instructions, and the green lines indicate the actual print job path.

If you’re not using the Cloud Node, when you print a document, the job travels from the PaperCut Printer to one or more of the edge nodes on your local network. The edge nodes co-ordinate the job movements with the cloud, but importantly, they only ever transmit the metadata for the print job to the cloud - for example, the number of pages, who printed it, and the document name. The printed document itself is never uploaded to the cloud.

If you are using the Cloud Node in PaperCut Pocket or Hive - then the print job will always travel up to the cloud (outside of your local network). However, the document is encrypted from the start. PaperCut Pocket and Hive use secure HTTPS protocols with strong encryption (similar to what you use when you’re doing online banking) for all communications between the Edge Mesh and the cloud.

Printing from PaperCut Pocket and Hive with a Cloud Node, showing the path of metadata and job data

A simplified view of the PaperCut Pocket and Hive printing process if you are using the Cloud Node. The blue lines indicate metadata or instructions, and the green lines indicate the actual print job path. Note that in this path the actual print job is sent up to the cloud.

How do you know if you’re using the Cloud Node? Hop over to Manage -> Edge Mesh, and see if Include in Mesh is switched on for the Cloud Node. In short, the Cloud Node is just like one of your regular edge nodes, but instead of it being on one of your users machines on your network, it’s using PaperCut’s cloud infrastructure.

To learn details about how the edge node works, take a read through the Edge Mesh and edge nodes .

In short, whether you’re using the Cloud Node or not, you can rest easy that no-one can snoop on your documents (or any of your document’s metadata) traveling around your network or up to the cloud - it’s all encrypted. If you want extra extra peace of mind, disabling the Cloud Node will mean that your actual printed documents are never sent to the cloud, and will always remain on your local network devices.

Start with Always Verify

PaperCut has designed PaperCut Pocket and Hive with ‘Always Verify’ in mind. We don’t want to leave things to chance, so there isn’t a concept of ‘authenticate once’ - we check the validity of the user, and their client, and any edge nodes, every time they communicate.

Securing your data at rest

Print jobs waiting to be printed (sitting on an edge node for example) are securely encrypted. That means if someone steals an entire edge node (a bit like making off with the whole ATM by ripping it out of the wall), they still can’t get to the contents of the documents.

We use 3-part encryption, made up from the 3 keys needed to decrypt the document:

  • User key
  • Organization key
  • Random key

So for example if the edge node is no longer part of the organization, or if the user is no longer part of the organization, the edge node can no longer decrypt the document.

Securing your data in motion

You wouldn’t see a jeweler waltzing around Oxford Circus or the Diamond District with a suitcase full of gems - you are more likely to see armored trucks carrying their sparkling cargo safely to stores.

We’re equally paranoid about secure and reliable transport of your data, so we use HTTPS when transferring your print documents or your metadata around the network and between your local network and the cloud.

When it comes time to send the document to its least-secure phase of its life - the printed page* - we use the secure printing protocol, IPPS (assuming the printer in question supports IPPS).

* Did you know that PaperCut Pocket and Hive can even secure the printed page to a certain extent? Check out the Watermarking and Digital Signatures features for more information.

Eliminating impersonators

Phishing emails have become an art form - scammers are getting astonishingly crafty at trying to get you to believe that they’re your bank and they really really need your password right now.

In the same way that you eye them with suspicion, we’ve built in digital signatures (a printer fingerprint of sorts) to thwart printer impersonation. If someone pretends they’re a printer on the network and pretends that it’s definitely safe to send them your document to print, PaperCut Pocket or Hive will be on to it and block the job.

Sadly, with encryption getting stronger, security protocols getting more robust, and system designs getting more fortress-like every day, the weakest link in security can often land up being the humans. Here’s where PaperCut Pocket and Hive can strengthen that link:

  • Users - the good news is that by using PaperCut Pocket or Hive, you’re already thinking about print security, and you already have a head start. Features like Secure Print Release can help stop sensitive documents from being printed on unattended MFPs. Watermarking and Digital Signature usage can also encourage responsible document ownership, and help people track down leaked documents.
  • Administrators - we’ve made it easy (and hopefully fun!) for IT departments to configure PaperCut Pocket and Hive securely - even giving the organization a ‘Security Score’ so that SysAdmins can see how they’re doing. While SysAdmins have access to see the document names, print times, and printer names of documents being printed, and might have access to see a print job thumbnail of the first page of the job - they will not be able to see the actual content of the print job or make changes to the print job. They also cannot redirect a job to print out at their chosen location. A print job is secure, encrypted, and only available to be released by the user who printed the job.
  • PaperCut Support - at PaperCut we have always treated security as a top priority, whether it’s 2FA login protection for all our staff, or ensuring strict access controls around our source code. When it comes to our cloud products, the same applies - only the staff who need to access the support tools to support our products actually have the extended access - and when that access is needed, it’s logged so that we can audit who’s done what and when.

Data that’s uploaded to the cloud

Job metadata (like page counts, color information, owner information, page size information etc) and edge node / Client instructions (edge nodes reporting they are online or the PaperCut Printer client asking which edge nodes to use etc.).

To be more precise, here’s a full list of data uploaded to the cloud:

  • document name
  • owner (email address)
  • date/time of print
  • page size
  • file size
  • file format
  • number of pages (total and number of color vs grayscale)
  • number of copies
  • color mode (black and white vs color)
  • duplex mode (duplex vs one-sided)
  • thumbnail of the first page (unless you have Print Job Thumbnails set to Disabled)
  • host name (of originating client)
  • IP address (of originating client)
  • operating system (of originating client)

In addition to the above, if you’re using the Cloud Node, full document contents get uploaded to the cloud and are stored for 7 days from the day it is submitted by a user.

If you have the Cloud Node disabled (under Manage > Edge Mesh) then your actual print documents (print document data) is never uploaded to the cloud. Your print job will always remain on your local network. The only information that gets uploaded to the cloud is job metadata (like page count, page size info, job owner information, and optionally a thumbnail image of the first page of the document). The only other information that travels between your network and the cloud is process instructions (edge nodes reporting that they’re online or the cloud instructing an edge node to print a job etc).

If you have the Cloud Node enabled (under Manage > Edge Mesh), not only will job metadata and process instructions travel to the cloud, but the actual print document data (the contents of the print job) will be uploaded to the cloud too. If you have extremely strict data laws, or if you’re at all worried - keep the Cloud Node disabled (it’s disabled by default).

Security frequently asked questions (FAQs)

Where are PaperCut Pocket and PaperCut Hive hosted?

Sadly the Cloud isn’t magical - ultimately it lives in the form of wires and chips in a data center somewhere. In the case of PaperCut Pocket and Hive, the cloud instances are all over the world enabling geographical regions options so that your organization can select which geographical region your PaperCut Pocket or Hive instance is hosted on. PaperCut Pocket and Hive can be hosted in the following regions:

  • Australia (AU)
  • United States (US)
  • European Union (EU)
  • United Kingdom (UK)

 

​​​​​

Comments