Levi, Ray & Shoup, Inc.

Protect Print Data "In Motion" and "At Rest" | LRS Secure Printing

Print Architectures and Data Encryption

Data encryption is a critical part of ensuring the security of your document-based data. But where and when the data is encrypted depends on the overall structure of the print environment. When it comes to data security, there are two major print architectures supported by modern print/output management software:

  • Direct IP printing, in which documents (print jobs) are created and sent immediately to a network printer, without the involvement of a print server and a spool. This is beneficial in organizations where most printing comes from users on personal computing devices such as traditional and virtual desktops, laptops, notebooks, tablets and smartphones. Some of these users work in large office environments while others work in remote branch offices or from home, and it is crucial to protect data in transit from these various devices. Because of network topology and bandwidth considerations, it makes sense to deploy a Direct IP print solution for remote locations to minimize WAN traffic, improve printer throughput, and eliminate the need for a local print server.
  • Spool-based printing, which involves a print server that receives and stores print jobs on a spool before delivering them to the appropriate destination printers. This is primarily useful in large enterprises that not only need end-user printing but also have mission-critical business applications that employees, partners, and customers depend on every day (e.g., ERP, SCM, CRM, EMR, etc.). These applications run on a variety of server platforms and create documents that must be delivered to the required hardcopy and softcopy destinations in the correct format. It is vital to protect data in transit, and failure is simply not an option.

Each of these architectures offers a unique value proposition for a large enterprise environment and both present challenges for secure network storage of data. LRS software supports both of these approaches to help you establish a comprehensive print security environment.

Securing your print queues

Having a secure print queue is critical since printing plays a key role in many business processes. A server-based print architecture is needed to support important capabilities such as dynamic data transforms, retention of print files, rerouting of documents to an alternate printer, and providing IT staff with end-to-end visibility of the entire printing process. This requires a reliable, high-performance print spool, ideally running on a central server to minimize complexity. 

In the Direct IP print model, one might assume there can be no “data at rest” because there is no spool. Or is there? In the case of a Windows desktop, the print job is created locally and then immediately sent to the printer, assuming the printer is online and accessible over the network. If it is not, the print job is held on the desktop until it can successfully print or is cancelled (deleted) by the user. If pull printing is used in conjunction with Direct IP printing, then print jobs must be held on the local desktop until the user authenticates at a device and releases them for immediate printing. Held where? In a local desktop spool of sorts.

The net effect is that it is possible to have “data at rest” in the Direct IP printing model. However, since the user (and owner of local print jobs) presumably had authorized access to the content in question, the potential security exposure would mainly come from an unauthorized third party that was able to access the contents in the event of a lost/stolen computer (e.g., laptop). The risk of leaving data vulnerable to unauthorized use can be greatly minimized or eliminated by implementing full-disk encryption across employee desktops (e.g., BitLocker for Windows systems). 

Securing your Print Server

In the case of a print server with a spool, your business may deem it important to restrict or eliminate access to spool files while they reside on the print server. This includes print jobs awaiting delivery to a destination and also print jobs in held/retained status (e.g., error condition, pull printing scenario, etc.). Your IT organization can take several steps to minimize risk and eliminate security breaches in this area. 
Some examples of how to ensure data security are as follows:

  • Restrict spool file viewing privileges to a limited number of trusted IT administrators. This can be controlled by the print/output management software. For example, help desk personnel may have an operational requirement to see that user “XYZ” has spool files (print jobs) waiting to be delivered to printer “PRT001.” However, help desk personnel likely do not need to view the contents of the spool files in order to perform their job responsibilities.
  • Utilize any event logs generated by the print/output management software. These logs can contain useful information such as which authorized user viewed specific spool files. In the event of a security incident, this information can be useful to determine potential sources and eliminate security breaches. 
  • Leverage Encrypting File System (EFS) if you are running your print/output management software on a Windows server. With EFS, you can encrypt the folders used to store spool files (print jobs) while they reside on the server. It is possible to limit access to a single login user id, which the print software runs under. Since an IT administrator must set everything up, only that individual could see information in non-encrypted format. Similar file system encryption capabilities may also be supported on other OS platforms such as Linux. 
  • Utilize your print/output management software if it supports the encryption of spool files on the print server. You should be mindful that this functional capability may impact other features of your print/output management software. For example, it may affect the ability to accurately track and report printed pages; transform data from one format to another; or dynamically modify the contents (such as watermarks, timestamps, etc.). The print/output management software may be configured to support these functions by temporarily decrypting the spool files for a brief period of processing time. 
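
As an added illustration of the EFS and restricted-access points above (not LRS code), the following read-only PowerShell audit reports whether a spool folder is EFS-encrypted, whether any spool files in it are still plaintext, and which identities outside an expected set hold Allow entries on it. The folder path, the service account name and the list of expected identities are assumptions to replace with your own values.

```powershell
# Added example: read-only audit of a print spool folder.
# ASSUMPTIONS: $SpoolPath and $ServiceAccount are placeholders, not LRS defaults.
param(
    [string]$SpoolPath      = 'D:\PrintSpool',
    [string]$ServiceAccount = 'EXAMPLE\svc-print'
)

$encrypted = [System.IO.FileAttributes]::Encrypted

# Identities expected to hold Allow entries on the folder (adjust to policy).
$expected = @($ServiceAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# 1. The folder must carry the Encrypted attribute so that files created in it
#    afterwards are encrypted by EFS automatically.
$folder = Get-Item -LiteralPath $SpoolPath -Force
$folderEncrypted = $folder.Attributes.HasFlag($encrypted)

# 2. Spool files that predate the setting remain plaintext on disk.
$plainFiles = @(Get-ChildItem -LiteralPath $SpoolPath -File -Recurse -Force |
    Where-Object { -not $_.Attributes.HasFlag($encrypted) })

# 3. Allow entries for identities outside the expected set are wider than the
#    single-account access model and should be reviewed.
$acl = Get-Acl -LiteralPath $SpoolPath
$unexpected = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $expected -notcontains $_.IdentityReference.Value
})

# One summary object, suitable for Export-Csv or a scheduled compliance check.
[pscustomobject]@{
    SpoolPath        = $SpoolPath
    FolderEncrypted  = $folderEncrypted
    PlaintextFiles   = $plainFiles.Count
    UnexpectedAccess = ($unexpected | ForEach-Object {
        '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights
    }) -join '; '
    Compliant        = $folderEncrypted -and
                       $plainFiles.Count -eq 0 -and
                       $unexpected.Count -eq 0
}
```

EFS keys belong to the account that performs the encryption, so any remediation (for example `cipher /e /s:<folder>`) has to be run as the account the print software runs under.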

In short, there are multiple approaches to consider for secure network storage and protecting data at rest. Since many IT personnel are “trusted” to some degree, some organizations do not consider this a major security concern. However, the encryption and other security features of the LRS solution help you protect against even unlikely security breaches. 
