Tuesday, October 19, 2021

Universal Print support for Zero Trust networks

Supporting Microsoft's vision for modern, secure cloud services, Universal Print simplifies deployment of a print solution in Zero Trust networks.

What is Zero Trust?

Zero Trust is the modern security model that solves some of the complexity of today’s cloud-centered IT environment, enabling organizations to embrace a mobile and hybrid workforce while protecting people, devices, applications, and data wherever they are located.

At the core, a Zero Trust network applies this modern security model and assumes that no device or connection is trusted by default. Instead, each connection needs to be verified, regardless of whether the connection is coming from the Internet or an internal network.  Everything can ultimately be breached, and the goal is to minimize and contain the breach.

To learn more about Zero Trust networks, visit the Zero Trust Guidance Center.  

Why is Zero Trust important?

Historically, the internal network of an organization has been treated as a fortress and connecting to network devices such as printers did not require much security. Today, many, if not most, network devices such as think smart thermostats, TVs, security cameras, and many others, can be managed remotely or connect to the Internet for many reasons. Printers are no different.

Organizations can keep their internal networks safe by following Zero Trust guidelines. Implementing the Zero Trust networking model requires each connection to be validated by an authorization and permission scope. When hackers breach a device, they cannot use it to elevate their access rights or use the device as a jumping point to access other resources. This contains the breach to only what the breached device was originally granted access. With the right services in place, such as Microsoft Defender for Endpoint, a breach can easily be detected and mitigated by removing the device’s access rights and preventing impersonation of the device.

How does Zero Trust networking apply to Universal Print?

Universal Print is a cloud service that is integrated with Azure AD. Communication between client and the printer flows through the Universal Print cloud service. This architecture enables network isolation of printers, including the Universal Print connector software, from the rest of the organization’s resources.

Jimmy_Wu_0-1634679216748.png

As shown in the diagram above, Universal Print supports and enables Zero Trust networking as follows:

  1. Each connection to Universal Print cloud service requires authentication that has been validated by Azure AD. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service.
  2. Every connection established by the client, the printer, or another cloud services, to the Universal Print cloud service uses TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data.
  3. Each acting client app must register with Azure AD and specify the set of permission scopes it requires. Microsoft’s own acting client apps, for example the Universal Print connector, are registered with the Azure AD service and customers consent to the required permission scopes as part of onboarding the app.
  4. Each authentication with Azure AD from an acting client app cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions when the app is breached.

Universal Print ready printers

Universal Print ready printers offers an easy solution when deploying a Zero Trust network.  Universal Print ready printers include new printer models and existing printer models running updated firmware. Each printer is assigned an identity by Azure AD when it is registered with Universal Print. The printer uses this assigned identity to authenticate to establish a TLS 1.2 connection to Universal Print. Printer manufacturer registers their acting client app with Azure AD with a required set of permission scopes and thereby ensuring that even if a physical printer is breached, the connections to Universal Print cannot elevate access rights beyond what was in the app registration.

Visit https://aka.ms/upintegrations to find a list of Universal print ready printers. Some printers have upgradeable software and can be upgraded to support Universal Print natively

Printers using the Universal Print connector software

Printers that do not have firmware with direct support for Universal Print can be supported using the Universal Print connector software to communicate with Universal Print. Like Universal Print ready printers, these printers are each assigned an identity by Azure AD. The connection between the Universal Print connector and Universal Print cloud service is protected by TLS 1.2 and uses the printer assigned identity for authentication. The permission scope is based on the Universal Print connector’s app registration.

In terms of Zero Truest networking, the key steps in the deployment are:

  1. Install the Universal Print connector software on a host machine connected to the same network used by the physical printers. This network should be different from the network used by client devices.
  2. Update proxy server settings as appropriate to ensure the connector software can connect to Universal Print cloud service over HTTPS with TLS 1.2.
  3. Configure a SSL certificate on the physical printer and configure the connection between the host PC and the printer to be over SSL.
  4. Prevent user access to the host PC running the Universal Print connector.

Note: Universal Print connector requires appropriate printer drivers to be installed on the host PC. Make sure the printer drivers used are from a trusted source, such as directly from the printer manufacturer or use Windows Update to install drivers.

To learn more about installing the Universal Print connector, see our Universal Print service documentation. Before installing the connector, make sure that you update the firmware for the printers and MFP devices you are using. The list of supported devices that are Universal Print ready is constantly growing.

Learn more

Universal Print can greatly simplify the print infrastructure of your Zero Trust network deployment and is especially easy when using Universal Print ready printers.

For more information about the Zero Trust security model and how Windows 11 improves security, visit the Zero Trust Guidance Center and download the Windows 11 Security Book.

 

Posted at https://sl.advdat.com/3vwngKj