Most of the talk about document and hardware security — at least in the imaging industry — tends to center around the multifunction printer. With so much focus on document security, hardware vulnerability and hacking, the MFP has become just as much of a target (or a suspect, depending on your perspective) as the computer.
MFPs, of course, are nearly ubiquitous in the office, and the main reason for that is the “MF” part of the name — that multifunction device means it’s not just a printer, but it can do other things like copy, occasionally fax and, of course, scan. And MFPs have earned their place in some cases. For the occasional walk-up job, it’s certainly convenient to be able to use the nearest workgroup input device and know that your document will be fed into the email system or whatever document repository it needs to go to.
However, this is not an article about the use case for standalone scanners. I could write — and have written — volumes on that. What is important to think about at this point is what happens to those documents once they are scanned into the MFP?
Hackable hard drives
An interesting resource on data security can be found directly from the federal government, in the FTC’s “Digital Copier Data Security: A Guide for Businesses.” It reminds users that today’s digital copiers (or MFPs) are computers — smart machines that require hard drives to manage their workloads. “The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed,” cautions the document, which goes on to ensure users are aware of their organization’s information security policies before acquiring the hardware, that they understand how it functions while they are using it, and that they know of the security functions available.
Most MFPs available today offer numerous built-in security features. Encryption will encode or scramble the data on the hard drive, preventing it from being read by anyone or anything other than the intended recipient or software — hopefully. Overwriting will do what the name suggests — write over the disk space occupied by the document, removing traces so the file can’t be reconstructed as easily. Many devices also offer password locks on hard drives. Some have built-in security tools just like one would find on a computer hard drive. All of these resources combine to protect a hard drive from hacking or even out-and-out physical theft. The FTC even recommends a contract that ensures your company retains ownership of the hard drive at the end of life, or at least that the provider will overwrite the hard drive.
All of these measures are advisable and should be heeded for anyone using an MFP. But here’s a thought — what if your scanning device didn’t have a hard drive?
All about memory
Most document scanners, unlike their multifunction cousins, do not use a hard drive. At all. So all the warnings and precautions regarding the security of the hard drive just don’t apply.
Scanners, to use the most simplistic explanation, capture images by feeding paper across a camera (typically a CCD or CMOS cell), then send those images somewhere. A document scanner that does not have a hard drive utilizes random access memory, or RAM, to do that. If you don’t spend your days around computers or it’s been a long time since you took Computers 101, here’s a refresher on the different types of memory.
A typical computing device uses three types of memory. The hard drive is the primary storage device — consider it long-term memory. On a computer, it’s where you’ll keep all the things that would require storage, like the operating system and apps, as well as saved documents. Read-only memory, or ROM, is non-volatile memory, meaning that even if the power supply is shut down or removed, it will retain data. It typically stores hardwired data, like firmware. And finally, there is RAM. RAM is what stores information being used by the CPU in real time — it’s designed for quick access to in-use programs, which is why it’s such a critical factor when evaluating computer power. On the computer I’m using now, for example, I have 16GB of RAM, which allows me to have open this document, a dozen internet browser windows, Photoshop, Twitter, a calendar and Outlook — all running without any noticeable lag. I have another computer with just 4GB of RAM that would become sluggish with even half of those programs running, because it simply can’t manage that many active processes.
OK, Computers 101 class dismissed. What does the RAM have to do with the scanner? Well, if the hard-drive is long-term memory, RAM is short-term memory designed to be read, written on and erased over and over. RAM is volatile memory, meaning that as soon as the power supply is turned off, the data stored — the most recent document scanned, for example — is erased. RAM is fast and efficient, but it is not permanent — which makes it ideal for scanning documents.
If I haven’t mentioned it often enough, let me reiterate — in general, scanners do not have a hard drive. All scanned image information is stored in that temporary, volatile memory that is overwritten after each scan. Even if someone hacked into a networked scanner, there would be nothing to retrieve — the document or image is gone. You can’t take a discarded, end-of-life scanner and retrieve data that has been scanned, because it’s not there. It is literally wiped as clean as a slate — the old-fashioned kind that you washed off with an eraser — leaving no residual trace behind.
Security is only as good as your policies and your enforcement of those policies. After all, the whole point of scanning a document is to create a file that goes somewhere — usually to a PC. And then we come right back around to necessary security policies, how well you’re policing them, and ultimately, whether your employees are adhering to them.
The good news is once we’re talking about computers and networks, we’re typically talking about more robust security and more heavily-enforced policies. You’ll find any number of articles about the critical nature of securing networks and educating employees, so we won’t rehash that issue here — except to say that you absolutely must ensure that you are securing your network and educating your employees about the importance of security. Because let’s face it, if an employee has a document with sensitive information in their hand to feed into a scanner, the highest potential security risk is not the scanner.
Other security considerations
If the biggest security risk when it comes to a document scanner is users, should authentication protocols be a requirement? Once again, the lack of a hard drive renders that point a bit moot. There’s very little a user could get from the scanner, and since it’s an input-only device, the issue of orphaned print jobs common to MFPs doesn’t exist. Assuming the document’s destination is properly secured, there is little damage that can be done at the scanner itself — although I suppose you could always install a security camera (I know of a manufacturer of those, too) over the scanner.
When we talk about networked scanners we again begin getting into the larger picture of network security issues, and any organization using an internal network (which is most organizations of any size these days) should have security protocols in place. Ethernet is preferred in true high-security locations; Wi-Fi enabled devices can utilize LDAP network authentication to restrict user access.
The bottom line in scanner security
If foolproof security solutions existed, we wouldn’t be talking about hackers or cyberattacks or security risks. The truth is nothing is 100 percent secure, but some devices are more secure than others. When we talk about a technology in which one of the primary risks is the hard drive, can there be a simpler solution than using a form of that technology that eliminates that risk entirely? If you’re not sure about your scanner, read the manual — it will say something like “no scanned data is stored on the unit.”
Nothing in life is guaranteed — except for the fact that a document scanner without a hard drive cannot have its hard drive hacked. I’ll take that one to the bank.