When businesses first began to formulate policies to integrate mobile devices into corporate IT, printing was, as a rule, completely neglected – either forgotten about altogether, or treated as a mere “nice to have” rather than an essential function.
Users eventually began to give up, and searches for “mobile printing” started trailing off in 2007. That changed dramatically with the invention of the iPad in 2010, which heralded new possibilities for working with mobile devices. No longer satisfied with simply consuming content on a small screen, users expected more. Many began clamoring for printing as part of a complete productivity solution, and when AirPrint was announced in the fall of 2010, Steve Jobs received a standing ovation from a packed auditorium. The “missing print feature” was finally here, or so it seemed.
The optimism was short-lived, as AirPrint turned out to be incomplete. It required a direct Wi-Fi connection between the printer and mobile device, supported only a subset of apps and file types, couldn’t integrate with enterprise print management systems and, of course, worked only with devices running Apple’s iOS.
Meanwhile, multiple vendors continued to develop various kinds of mobile printing solutions, including:
- Email – email the document to a printer on the corporate network or a public print network for printing.
- Wi-Fi – transmit data wirelessly from a mobile device to a printer that is connected to a subnet of the corporate network or a public print network.
- Cloud – public, hybrid, or on-premise clouds (with widely varying security capabilities).
Within these options, different vendors have tried both peer-to-peer and cloud printing solutions. In a peer-to-peer scenario, data is transferred from the mobile device to a PC, or to a print server located on the network. Cloud printing options can render the print job in either a public or private cloud. Cost, complex set-up procedures, access problems and limited rendering fidelity have often been cited as problems in peer-to-peer mobile print solutions, while security concerns and a lack of IT control are usually cited as the problem with cloud solutions for mobile device printing.
The terms “mobile printing” and “cloud printing” are sometimes used interchangeably when the subject of printing from tablets and smart phones is discussed. IDC Vice President Holly Muscolino considers cloud printing a subset of mobile printing: while all cloud printing is mobile printing, not all mobile printing involves a cloud implementation.
Nevertheless, the industry appears to be converging toward a cloud-based approach, with vendors and buyers alike generally recognizing that a cloud approach is the only way to provide the full range of flexibility users require – which means that security has attained critical status when evaluating mobile print providers.
Is On-Device Encryption Necessary? Yes!
Once a decision is reached to use the Cloud, the first question on the evaluator’s mind should be: “How secure is my document as it moves to the printer?” Within the overall category of cloud-based mobile print solutions, there are widely varying methods of document transport, and many different levels of security.
On-device encryption should be considered the Holy Grail of mobile print security for the simple reason that it’s the only way to protect sensitive company information both at rest (being stored on the mobile device) and in transit to another device (such as a printer).
Data that isn’t encrypted on the mobile device where it is stored is subject to man-in-the-middle attacks when it is “in transit” between the mobile device and the printer. And while nearly every vendor uses some form of encryption, many use only “transport layer” encryption, rather than performing full encryption on the mobile device.
Defining On-Device Encryption
The term on-device encryption means that the document is encrypted by the mobile device before it is transmitted to the printer. In a cloud printing system employing on-device encryption, each printer will have an associated keypair allowing asymmetric-key encryption. In simple terms, this means that each printer will have a private key that is kept secret, and a public key that can be advertised. The keys are linked such that when an encryption algorithm is applied to a data stream and the public key, the data stream can only be decrypted by an entity in possession of the private key.
Before a document is sent to a printer, an app using on-device encryption will obtain the public key associated with that printer, and use it to encrypt the document before transmission.
Consider the following scenario:
1) A vendor sells a cloud printing app that lacks on-device encryption but touts the app’s use of HTTPS as a security measure, possibly using terms such as bank-level encryption or the like. The vendor relies on the HTTPS protocol to protect the document on its transit to the vendor’s cloud, and from there to the client’s infrastructure (this is known as “transport layer” encryption).
2) A user prints a sensitive document using the app. The app dutifully sends the document to the vendor’s cloud via HTTPS.
3) Even though the app behaved appropriately, there is a surprise: unbeknownst to the vendor or the user, a man-in-the-middle attack has compromised the app’s connection to the vendor’s cloud – or, worse yet, the vendor’s cloud itself has been compromised. In either case, the attacker is able to retrieve the document – and because the document is not encrypted, the attacker has full access to its contents.
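The flow described under “Defining On-Device Encryption”, set against the scenario above, as an added example that is not Breezy’s or any vendor’s code. It assumes Node.js, a hybrid scheme (AES-256-GCM for the document, RSA-OAEP to wrap the per-job key) and a key fingerprint pinned out of band; all function names and the sample document are constructed for illustration.

```javascript
// Added example: constructed names and data, not any vendor's implementation.
const crypto = require("node:crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Printer: generate the keypair once; only the public key is advertised.
function newPrinterKeypair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// SHA-256 over the DER-encoded public key, used to pin the printer's identity.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Device: encrypt before the document leaves the device.
// Assumption: pinnedFingerprint reached the device out of band (e.g. at enrolment).
function encryptForPrinter(publicKey, pinnedFingerprint, document) {
  if (fingerprint(publicKey) !== pinnedFingerprint) {
    throw new Error("printer public key does not match pinned fingerprint");
  }
  const key = crypto.randomBytes(32); // fresh AES-256 key per job
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(document), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Printer: unwrap the AES key with the private key, then decrypt and authenticate.
function decryptAtPrinter(privateKey, job) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, job.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, job.iv);
  decipher.setAuthTag(job.tag);
  return Buffer.concat([decipher.update(job.ciphertext), decipher.final()]);
}

// Everything a relay (vendor cloud or interceptor) can observe for one job.
function relayView(job) {
  return Buffer.concat([job.wrappedKey, job.iv, job.ciphertext, job.tag]);
}

// Constructed sample job.
const printer = newPrinterKeypair();
const doc = Buffer.from("CONFIDENTIAL: Q3 payroll summary (constructed sample)");
const job = encryptForPrinter(printer.publicKey, fingerprint(printer.publicKey), doc);
console.log("relay sees plaintext:", relayView(job).includes(doc));
console.log("printer output matches:", decryptAtPrinter(printer.privateKey, job).equals(doc));
```

The fingerprint check matters because a public key fetched over the same compromised channel could be substituted; without it, the device would encrypt to a key the interceptor controls.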
On-device encryption is the only solution that protects company data in this kind of attack, which is why Breezy built it into all Breezy secure mobile printing products. For more information on secure mobile printing, watch this video from Breezy, or download The Definitive Guide to Mobile Printing, a free ebook from Breezy.