Print Security

ezeep Blue applies industry-standard security measures to its infrastructure and software, and provides document confidentiality features for administrators and users. Our service is GDPR compliant.

Cloud-Managed Printing with ezeep Blue is secure. Files sent to our server are sent over an encrypted connection. Files are deleted from our server as soon as a printout is successful. Nobody in ezeep’s office can access or see files printed via ezeep Blue’s cloud. All files are sent over https, which means the communication is encrypted from an end user’s computer or mobile device to the server, and from the server to the client.

Security features in detail

Basic security measures

Penetration Testing: ezeep conducts penetration tests annually and on customer request.

Server Location: Microsoft Azure – North Europe region (Ireland)

Data Center Certifications from Microsoft:

Organizational Measures

No internal team has access to login credentials that allow unrestricted access. Instead, the relevant access data is securely stored in a special authentication repository, so that it can be retrieved and used in a controlled manner when needed.

Encryption during Data Transfer

Encryption Standards: All ezeep Blue components support TLS 1.3 and are backward compatible with TLS 1.2 (minimum standard 1.2).

A solution that employs TLS 1.3 encryption provides enhanced security through stronger cryptographic algorithms and perfect forward secrecy, which reduces the risk of eavesdropping and data interception, thus bolstering the confidentiality and integrity of data communication. Additionally, the reduced handshake latency minimizes vulnerability to potential attacks during the connection establishment phase, which further improves the overall security posture.

Protection against Man-in-the-Middle (MITM) Attacks

The use of public certificates helps to fend off Man-in-the-Middle attacks by enabling secure communication through the cryptographic verification of a trusted third party, making it very difficult for malicious actors to intercept and manipulate the data exchanged between two parties undetected.

Use of Cloudflare

Connections to the cloud are secured with Cloudflare, which acts as a Layer 7 proxy. Incoming traffic is decrypted, analyzed, and then re-encrypted. Only then is it forwarded to the ezeep Blue servers.

Encryption in the cloud

  • Data encryption during transmission, secured by TLS 1.3, as described above.

Two-Factor Authentication (2FA) for printer access via the ezeep Blue service

Two-factor authentication requires two different methods of identity verification before access is granted. Typically, it combines something the user knows (e.g., a password) with something the user has (e.g., a code from a smartphone app or a hardware token), or with something inherent to the user (e.g., a fingerprint). This dual layer of authentication makes it significantly more difficult for unauthorized individuals to gain access to the printer, thereby reducing the risk of unauthorized document access or data breaches.

Integration with Directory Services (Azure AD, Google): ezeep supports login via Azure AD and Google. Users can therefore sign in with either their Microsoft or their Google credentials and do not have to remember additional login information.


Avoid Direct Access to Printer Hardware

Manufacturers typically enable common communication protocols and interfaces such as Wi-Fi, Ethernet, and sometimes Bluetooth, SNMP, Bonjour, etc., by default on printers. It is advisable to disable any protocols, like Bluetooth, that are not essential for your specific use case because each enabled protocol represents a potential entry point for hacks and malware. With the cloud printing solution ezeep Blue, printers are only accessible through the ezeep Hub or the ezeep Connector.

Replace Print Servers with ezeep Hub

In terms of maintenance and security, central and local print servers typically pose a challenge for the IT department. In addition to regular security updates of the operating system, printer drivers must also be kept up to date and checked for compatibility with each other. Moreover, local print servers must be accessible over VPN in order to print from the cloud or a central on-site infrastructure. Often, these VPNs are maintained solely for the purpose of printing.

In this way, the ezeep Hub increases security in printing:

  • The ezeep Hub only requires outgoing connections to the ezeep Cloud (HTTPS/Secure Websocket)
  • Unused ports and protocols are disabled
  • Placement in a VLAN with the printers is possible
  • Support for zero-trust concepts in printer connectivity
  • No local printer drivers: The rendering of print jobs takes place in the ezeep Cloud, thus eliminating maintenance and setup efforts, and malware cannot be introduced through manipulated printer drivers.

Avoiding Incoming Connections

As mentioned above, incoming connections, i.e., direct access to printers from the Internet, pose risks. Our printing solution eliminates this risk, as printers are only accessible via the ezeep Hub or the ezeep Connector.

ezeep Solutions for Security

ezeep solutions use only outbound, secure connections, including for remote hub management. Outbound connections minimize the exposure of internal resources to external threats, reduce the potential attack surface, and make it more difficult for malicious actors to infiltrate the network. IT administrators can also manage and monitor outbound connections more effectively, ensuring that only authorized traffic leaves the network, thus achieving better control over data flow and security policies.

Handling the storage of print jobs on the printers’ hard drives

The temporary storage of print jobs is typically due to the manufacturer’s firmware. It must be ensured that built-in hard drives are physically secured or encrypted, so that the data cannot be read if the hard drives are removed. Most manufacturers have solutions for this that usually only need to be activated.


Reduction of Protocols for Printer Communication

By default, all protocols are active, as already explained.

ezeep solutions for secure printer communication include:

With ezeep, communication to the printer is via TCP/IP RAW Port 9100. Additionally, up to four USB printers can be connected directly to the ezeep Hub. This makes it possible to network-enable pure USB printers. Separating the printers and the hub into VLANs isolates the printers from the rest of the network. The only access point is then the hub.
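An added example (not ezeep code) that audits connection-initiation records against the segmentation described above: printers reachable only from the hub on TCP 9100, and the hub making only outbound HTTPS connections. The addresses, the record format, and the strict reading that flags any other hub or printer traffic are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing for illustration; none of these values come from ezeep.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
HUB = ipaddress.ip_address("10.20.0.2")              # assumed hub address
PRINTER_NET = ipaddress.ip_network("10.20.0.128/25") # assumed printer range
RAW_PRINT_PORT = 9100  # hub -> printer, as stated on the page
HTTPS_PORT = 443       # hub -> cloud (HTTPS / secure WebSocket)

def check_flow(src, dst, dport):
    """Return None if a new connection fits the policy, else a reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in PRINTER_NET:
        if s != HUB:
            return "printer reached by a host other than the hub"
        if dport != RAW_PRINT_PORT:
            return "hub used a printer port other than 9100"
        return None
    if s in PRINTER_NET and d != HUB:
        return "printer connected outside its VLAN"
    if d == HUB and s not in PRINTER_NET:
        return "incoming connection to the hub"
    if s == HUB and (d in INTERNAL or dport != HTTPS_PORT):
        return "hub traffic other than outbound HTTPS to the cloud"
    return None  # compliant, or does not involve hub or printers

def audit(flows):
    """Return (flow, reason) for every record that violates the policy."""
    findings = []
    for flow in flows:
        reason = check_flow(*flow)
        if reason:
            findings.append((flow, reason))
    return findings

# Constructed sample records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.2", "203.0.113.10", 443),    # hub to cloud: expected
    ("10.20.0.2", "10.20.0.130", 9100),    # hub to printer: expected
    ("10.1.5.23", "10.20.0.130", 9100),    # workstation straight to printer
    ("10.20.0.2", "10.20.0.131", 161),     # SNMP from hub to printer
    ("198.51.100.7", "10.20.0.2", 443),    # inbound connection to hub
    ("10.20.0.130", "203.0.113.50", 80),   # printer calling out
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Feed it connection-initiation records from firewall or flow logs; in a real deployment the hub may also need DNS or NTP, which this strict policy would flag until those destinations are allowed explicitly.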

Addressing the PrintNightmare Issue

Background and Issues:

https://blog.thinprint.com/printnightmare-how-to-protect-your-it-environment/

and

https://www.ezeep.com/cve-2021-34527-windows-print-spooler-vulnerability-how-to-ensure-secure-printing-with-ezeep/

How ezeep solves the problem:

With the ezeep PrintApp, the virtual printer driver ThinPrint Output Gateway is installed. When assigning printers, this driver is used by default. Thus, no extended rights for the users or interventions by administrators are necessary. The risk of installing malware through manipulated printer drivers or exploiting security vulnerabilities in the same is thereby minimized or excluded.

Secure Printing Function

Identification of Users

Secure-Pull-Printing is an integral part of ezeep Blue and is activated by the administrator through policy. As a result, users receive a print object (AnyPrinter) that stores print jobs until authentication at the printer. This print option uses the same user login that is used for ezeep Blue in general. The printer is selected by scanning a QR code in the app. The administrator can download the QR code from the ezeep portal.

Authentication Methods

Authentication for Secure-Pull-Printing can be done through a smartphone app (iOS/Android). Logging into the app is the same as logging into ezeep. Alternatively, authentication with common RFID/chip cards is possible. Users can register a card themselves. Upon the first use of the card, the user receives a registration page at the printer that contains a unique token for the card. After logging in, this token is entered into the user’s account in the ezeep portal. This uniquely associates the card with the user’s account.

Advantages

  • Relax with peace of mind: We apply strict security rules and best practices for the entire software development and distribution process and place the utmost importance on internal network security.
  • ezeep Blue offers additional document security through its Pull-Printing feature with user authentication.