Xerox® Workplace Cloud 5.6.1
Security Guide
© 2021 Xerox® Corporation. All rights reserved. Xerox®, AltaLink®, ConnectKey®, Global Print Driver®, and VersaLink® are trademarks of Xerox® Corporation in the United States and/or other countries. BR32181
Apache OpenOffice™ is a trademark of the Apache Software Foundation in the United States and/or other countries.
Apple® and Mac® are trademarks of Apple, Inc. registered in the United States and/or other countries.
Chrome™ is a trademark of Google Inc.
Firefox® is a registered trademark of Mozilla Corporation.
Intel® Core™ is a trademark of the Intel Corporation in the United States and/or other countries.
IOS® is a trademark or registered trademark of Cisco in the United States and other countries and is used under license.
Microsoft®, SQL Server®, Microsoft®.NET, Windows®, Windows Server®, Windows 8®, Office®, Excel® and Internet Explorer® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Xerox® PDF Reader Powered by Foxit Software Company (http://www.foxitsoftware.com).
This product includes software developed by Aspose (http://www.aspose.com). Other company trademarks are also acknowledged.
Document Version: 1.0 (March 2021). BR32181
Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory or judicial law or hereinafter granted including without limitation, material generated from the software programs which are displayed on the screen, such as icons, screen displays, looks, etc.
Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions.
Conventions in this Document
Throughout this document, you will find tags that will indicate when the content is unique to a specific solution of the platform. These tags will include:
[PMM]: Content applies only to Print Management and Mobility
[FM]: Content applies only to Fleet Management
These tags will typically be found on section titles; however, they may be found at other points in the documentation.
NOTE: Any section not showing a tag should be assumed to follow the tags of any higher-level sections. If there are no tags on the section or on the higher-level sections then the section applies to all solutions.
For example, if you are implementing just Fleet Management, you will want to read sections tagged [FM] and all untagged sections (but you can skip the [PMM] tagged sections).
Table of Contents
1. Introduction
  Purpose
  Target Audience
  Disclaimer
2. Product Description
  Overview
  Printing and Print Management
  Submission Methods
  Release Methods
  Combined Submission/Release Methods
  Printer Authentication Methods
  Xerox® @PrintByXerox
  Xerox® Workplace Cloud Printing and Print Management
  Xerox® Workplace Cloud (Agentless) [PMM]
  Description of System Components [PMM]
  Xerox® Workplace Cloud Fleet Management (with an Agent) [FM]
  Xerox® Workplace Cloud Fleet Management (Agentless) [FM]
  Description of System Components [FM]
3. System Architecture
  Xerox® Workplace Cloud
  Xerox® Workplace Cloud Volatile Memory
  Xerox® Workplace Cloud Non-Volatile Memory
  Workplace Cloud Agent
  Workplace Cloud Agent Volatile Memory
  Workplace Cloud Agent Non-Volatile Memory
  Desktop Print Client [PMM]
  Desktop Print Client Volatile Memory
  Desktop Print Client Non-Volatile Memory
  Xerox® Workplace App [PMM]
  Workplace App Volatile Memory
  Workplace App Non-Volatile Memory
  Open-Source Components
4. System Interaction
  System Components
  Xerox® Workplace App [PMM]
  Xerox® Workplace Cloud
  LDAP/ADS Server
  Azure AD
  OKTA
  Third Party Public Print Provider [PMM]
  Workplace Cloud Agent
  Server Based Print Queues
  Printer
  Xerox® @PrintByXerox App [PMM]
  Customer Email Server
  User Workstation (Workplace Cloud Client) [PMM]
  Microsoft Office 365 – Email Service
  Network Appliance [PMM]
  Xerox® Services Manager
  Content Delivery Network (CDN) [PMM]
  App in the Gallery [PMM]
  App Server [PMM]
  Xerox® Device Agent [FM]
  Xerox Auto Update Service [FM]
  System Component Interfaces
  Communication between the Workplace App and Workplace Cloud [PMM]
  Communication between the Workplace App and the Customer Email Server [PMM]
  Communication between the Customer Email Server and Workplace Cloud
  Communication between Workplace Cloud and the Workplace Cloud Agent
  Communication between the Workplace Cloud Agent and the Printer
  Communication between the Workplace Cloud Agent and a Third-Party Print Queue [PMM]
  Communication between the Workplace Cloud Client and Workplace Cloud [PMM]
  Communication between the Workplace Cloud Client and the Printer [PMM]
  Communication between the Workplace Cloud Client and the Azure IoT Hub [PMM]
  Communication between the Workplace Cloud Agent and the Customer ADS (LDAP) Server
  Communication between Workplace Cloud and Xerox® Services Manager
  Communication between LPR or Shared Windows Print (SMB) Clients and the Workplace Cloud Agent [PMM]
  Communication between the App from the Gallery, the App Server, and Workplace Cloud [PMM]
  Communication between Workplace Cloud and the Printer
  Communication between the Printer and the IoT Hub
  Communication between the Xerox® Device Agent and Workplace Cloud [FM]
  Communication between the Xerox® Device Agent and the Xerox Auto Update Service [FM]
5. Logical Access, Network Protocol Information
  Protocols and Ports
  Xerox® Workplace App Ports [PMM]
  Workplace Cloud Agent Ports
  Xerox® @PrintByXerox App Ports [PMM]
  Printer Ports
  Workplace Cloud Client Ports [PMM]
  Network Appliance Ports [PMM]
  Xerox® Device Agent Ports [FM]
  Firewall Rules
  Port Diagrams
  Print Management Port Diagram [PMM]
  Fleet Management Port Diagram [FM]
6. System Access
  User Accounts
  Web Portal
  Workplace Cloud Agent
  Xerox® Workplace App [PMM]
  Workplace Cloud Client for Windows and Mac [PMM]
  Printer
  Xerox® @PrintByXerox App [PMM]
  Content Delivery Network (CDN) [PMM]
7. Additional Security Items
  Xerox® Workplace Cloud Endpoint Table
  Cloud Endpoints
  Cloud Endpoint Descriptions
  Certificate Validation
  Connection Details
  Auto Release Using Network Appliance Workflow [PMM]
  Models
  Audit Log
  Azure Data Centers
  Usage Tracking and Reporting [PMM]
  Single Sign-On [PMM]
  User Import via CSV File
  Packet Inspection
  File Encryption using Keys [PMM]
  Content Security [PMM]
  Microsoft Azure Universal Print [PMM]
8. Additional Information and Resources
  Security @ Xerox®
  Responses to Known Vulnerabilities
  Additional Resources
1. Introduction
Xerox® Workplace Cloud (WC) is a workflow solution that connects a corporation's mobile workforce to new, productive ways of printer management, printing, and controlling user access to Xerox® Multifunction Printers (MFP). Customers can manage the configuration of their printers and ensure settings are consistent across their fleet of devices. Printing is easy and convenient from any mobile device without needing standard drivers and cables. This solution also supports Desktop Printing, allowing printing to a common queue with the ability to release jobs to any printer. This reduces waste from uncollected jobs and provides security for sensitive information, since jobs are only printed when the user is standing at the printer.
WC provides a Single Sign-On (SSO) infrastructure. Apps in the Xerox App Gallery which have been modified to support this new infrastructure may use WC as a storage vault for user login information (e.g., credentials or tokens). After logging into WC, a user may select an SSO enabled Gallery App, which queries WC to obtain the user’s login information for that app. If available (and valid – e.g., not expired), the app uses that information to log the user into the Gallery App without the need to provide additional login credentials.
Purpose
The purpose of the Security Guide is to disclose information for Xerox® Workplace Cloud with respect to application security. Application security, in this context, is defined as how data is stored and transmitted, how the product behaves in a networked environment, and how the product may be accessed, both locally and remotely. This document describes design, functions, and features of the Xerox® Workplace Cloud relative to Information Assurance (IA) and the protection of customer sensitive information. Please note that the customer is responsible for the security of their network and the Xerox® Workplace Cloud does not establish security for any network environment.
This document does not provide tutorial level information about security, connectivity or Xerox® Workplace Suite features and functions. This information is readily available elsewhere. We assume that the reader has a working knowledge of these types of topics.
Target Audience
The target audience for this document is Xerox field personnel and customers concerned with IT security. It is assumed that the reader is familiar with the solution; as such, some user actions are not described in detail.
Disclaimer
The content of this document is provided for information purposes only. Performance of the products referenced herein is exclusively subject to the applicable Xerox Corporation terms and conditions of sale and/or lease. Nothing stated in this document constitutes the establishment of any additional agreement or binding obligations between Xerox Corporation and any third party.
2. Product Description
Overview
Workplace Cloud supports two different cloud solutions:
1. Printing and Print Management – Includes mobile and desktop printing, printer authentication / access and reporting.
2. Fleet Management – Includes the ability to configure and manage settings on a set of devices.
Printing and Print Management
This workflow can be limited to just mobile printing, or it can be extended to include desktop printing, printer authentication (such as badge access) and advanced reporting.
The workflow of mobile printing is quite simple. A user using a mobile device such as a smart phone, tablet, or laptop sends a document to the Workplace Cloud. Depending on the submission method, the job is either printed without any further user action or the user manually releases the job to print.
For desktop printing, the user installs the Workplace Cloud Client. The client helps with printer installation and also manages communication with the Workplace Cloud solution. With this service in place, users can submit pull-print jobs as well as direct print jobs.
Workplace Cloud provides a Single Sign-On (SSO) infrastructure. The Apps in the Xerox App Gallery, which were modified to support this new infrastructure, can use Workplace Cloud as a storage vault for user login information. User login information can be user credentials or tokens. After logging into the Workplace Cloud, a user can select an SSO enabled Gallery App, which queries Workplace Cloud to obtain the login information of the user for that app. If the login information is available and valid, the app uses that information to log in the user into the Gallery App without the need to provide additional login credentials.
There are several methods for a user to submit or release a job to print. The submission method is technically decoupled from the release method. However, certain submission/release pairs make more sense than other pairs.
SUBMISSION METHODS
Workplace App
Desktop Print Client (upload)
RELEASE METHODS
Printing device UI (using EIP)
Workplace App
Auto Release using Authentication
Auto Release using Network Appliance
COMBINED SUBMISSION/RELEASE METHODS
Note: Job will print without any explicit user action after submission.
Workplace App
Web Portal (Web browser interface to Workplace Cloud)
Desktop Print Client (upload and print)
Desktop Print Client (direct print)
PRINTER AUTHENTICATION METHODS
Card Access (Proximity Cards, Magnetic Stripe Cards, NFC on Android)
Alternate Login (Cloud Authentication, LDAP or PIN) [Note: OKTA and Azure AD do not support this method]
Mobile Phone Unlock (using the Xerox® Workplace App for iOS or Android: NFC, QR Code, or Manual Code Entry)
The common link between all submission and release methods is the Xerox® Workplace Cloud. Documents are stored in the cloud until they are deleted or until an administrative timeout has passed.
With release 5.6, Xerox® Workplace Cloud added the ability to support an Agentless method of Printer Authentication. This feature makes use of the Azure IoT Hub capability to provide this functionality and is supported by Xerox AltaLink devices (a special firmware release is required).
XEROX® @PRINTBYXEROX
The Xerox® @PrintByXerox App, available through the Xerox App Gallery and included as an “In-Box” App on some devices, is designed to give customers an introduction to the Workplace Cloud system. Users are able to submit jobs using Email, by sending them to print@printbyxerox.com, and then release them using the Xerox® @PrintByXerox App. Below is a diagram outlining the different components used as part of this workflow.
Figure 2–1: @PrintByXerox
XEROX® WORKPLACE CLOUD PRINTING AND PRINT MANAGEMENT
Xerox® Workplace Cloud (with an Agent) [PMM]
The following diagram shows the system components used for the full Xerox® Workplace Cloud for Printing and Print Management solution using an Agent.
Figure 2–2: Xerox® Workplace Cloud with an Agent
XEROX® WORKPLACE CLOUD (AGENTLESS) [PMM]
The following diagram shows the system components used for the full Xerox® Workplace Cloud (Printing and Print Management) without an Agent.
Figure 2–3: Xerox® Workplace Cloud Agentless
DESCRIPTION OF SYSTEM COMPONENTS [PMM]
| Component | Description |
| --- | --- |
| User | A user of the Xerox® Workplace Cloud. |
| Xerox® Workplace App | Mobile application for iOS, Android, and Chrome that allows the user to find printers and upload / send print jobs to Workplace Cloud. |
| Xerox® Workplace Cloud | The Azure hosted cloud service that provides the Workplace Cloud functionality. |
| Customer ADS/LDAP Server | Used for user authentication. |
| Azure AD | [Optional] May be used for user authentication. Microsoft’s Azure AD may in turn forward authentication requests to the customer’s hosted AD system. |
| Azure IoT Hub | [Optional] Is used for the desktop client “Local Print Optimization” feature and for Agentless Authentication. |
| OKTA | [Optional] May be used for user authentication. |
| Third-Party Public Print Provider | Allows print jobs to be submitted to Third-Party Providers. |
| Workplace Cloud Agent | On-premise application that runs on customer provided hardware, which supports Printer Discovery, Print transmission, Convenience Authentication and Network Accounting. Also provides LPR and Windows printer listening ports for systems that do not support a desktop client (e.g. Linux). |
| Server Based Print Queues | Allows print jobs to be forwarded to other 3rd Party Solutions for added job tracking, accounting, and so on. |
| Printer | Any printing device (Xerox or Non-Xerox) that is enabled to support Workplace Cloud. |
| Customer Email Server | The Customer Email Server is used to get print jobs to the Workplace Cloud. |
| User Workstation | User’s system on which the Workplace Cloud Client can be installed, which allows print jobs to be submitted to Workplace Cloud Printers from a PC or Mac. Also supports the Home Worker Print Tracker feature which monitors a user’s print history, even when printing to printers not enabled in Workplace Cloud. |
| Microsoft Office 365 Email Service | Used to send email responses back to users of Workplace Cloud. |
| Network Appliance | External hardware device that supports card-based document release at Non-Xerox or Non-EIP Devices. |
| Xerox® Services Manager | External Xerox application used in managed service accounts. |
| Content Delivery Network (CDN) | Enables high-bandwidth print job streaming from Azure to local printers in the customer environment. |
| App from Gallery | An App found in the Xerox App Gallery that is modified to support SSO. |
| App Server | A backend system that handles the browser-based calls and processing needed by the App. Maintains knowledge and information about the SSO server. |
| Microsoft Azure Universal Print | Microsoft’s Universal Print infrastructure hosted in Azure. |
Fleet Management
The Fleet Management functionality allows the administrator to define configuration sets, push these to a printer and monitor the configuration of devices to ensure settings do not change. Different configurations can be defined for different sets of printers. Customers that use the Fleet Management feature can link their account to Xerox® Services Manager. This allows the same set of devices being monitored using Xerox® Device Agent(s) to also be managed using Workplace Cloud Fleet Management.
XEROX® WORKPLACE CLOUD FLEET MANAGEMENT (WITH AN AGENT) [FM]
The following diagram shows the system components used for the Xerox® Workplace Cloud Fleet Management only functionality using an Agent.
Figure 2–4: Xerox® Workplace Cloud Fleet Management – With an Agent
XEROX® WORKPLACE CLOUD FLEET MANAGEMENT (AGENTLESS) [FM]
The following diagram shows the system components used for the Xerox® Workplace Cloud Fleet Management only functionality without an Agent.
Figure 2–5: Xerox® Workplace Cloud Fleet Management – Agentless
DESCRIPTION OF SYSTEM COMPONENTS [FM]
| Component | Description |
| --- | --- |
| User | A user of the Xerox® Workplace Cloud. |
| Xerox® Workplace Cloud | The Azure hosted cloud service that provides the Workplace Cloud functionality. |
| Azure IoT Hub | Is used for Fleet Management requests sent to the Agent. |
| Workplace Cloud Agent | On-premise application that runs on customer provided hardware, which supports Printer Discovery, and Fleet Management. |
| Printer | Any printing device (Xerox or Non-Xerox) that is enabled to support Workplace Cloud. |
| Microsoft Office 365 Email Service | Used to send email responses back to users of Workplace Cloud. |
| Xerox® Services Manager | External Xerox application used in managed service accounts. |
| Xerox® Device Agent | External Xerox application for device monitoring that has been extended to support the installation of the WC Agent for managed print service environments using Xerox® Services Manager. |
| Xerox Auto Update Service | External Xerox application hosted by Xerox (internet accessible). Used to update the Device Agent. |
3. System Architecture
Xerox® Workplace Cloud
The Xerox® Workplace Cloud consists of a number of different services that run as an Azure role (Web Role or Worker Role). The type of role used depends upon the function of the service. If the service interfaces externally through some type of API or interface, it is typically a Web Role; if the service performs internal processing, it is typically a Worker Role. Each role runs on its own Azure VM instance, and the number of such instances will vary based on the system load. Each service is assigned a fixed size set of RAM and HDD for the given VM, which varies based on the service and its needs.
XEROX® WORKPLACE CLOUD VOLATILE MEMORY
| Type (SRAM, DRAM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear |
| --- | --- | --- | --- | --- | --- |
| Azure storage – System Memory | Varies Based on Service | N | Executable code, temporary storage for messages processing related data, variables, state information, and so on. | Y | Power Off or Exit of the Service |
XEROX® WORKPLACE CLOUD NON-VOLATILE MEMORY

| Type (Flash, EEPROM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| HDD | Varies Based on Service | N | Storage of binaries, libraries, graphic images, HTML pages, JavaScript pages, certs, configuration, logs, user documents, print drivers, installers, templates, job metadata | Y | Requires removal of Xerox roles |

Workplace Cloud Agent
WORKPLACE CLOUD AGENT VOLATILE MEMORY

| Type (SRAM, DRAM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| RAM | Customer Provided | N | Executable code, temporary storage for processing related data, variables, state information, and so on. | Y | Power Off or Exit of the Service |

WORKPLACE CLOUD AGENT NON-VOLATILE MEMORY

| Type (Flash, EEPROM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| HDD | Customer Provided | N | Storage of binaries, libraries, logs, printer information | N | Removal / Un-install of the Agent. Data may be manually deleted by users with access rights to the PC on which the Agent is running. Periodic removal of some data based on time. |

Desktop Print Client [PMM]
DESKTOP PRINT CLIENT VOLATILE MEMORY

| Type (SRAM, DRAM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| RAM | Customer Provided | N | Executable code, temporary storage for processing related data, variables, state information, and so on. | Y | Power Off or Exit of the Service |

DESKTOP PRINT CLIENT NON-VOLATILE MEMORY

| Type (Flash, EEPROM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| HDD | Customer Provided | N | Storage of binaries, libraries, logs, printer information | N | Removal / Un-install of the Agent. Data may be manually deleted by users with access rights to the PC on which the Agent is running. Periodic removal of some data based on time. |

Xerox® Workplace App [PMM]
WORKPLACE APP VOLATILE MEMORY

| Type (SRAM, DRAM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| RAM | Customer Provided | N | Executable code, temporary storage for processing related data, variables, state information, and so on. | Y | Power Off |

WORKPLACE APP NON-VOLATILE MEMORY

| Type (Flash, EEPROM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Contains Customer Data | Process to Clear: |
|---|---|---|---|---|---|
| ROM | Customer Provided | N | Storage of binaries, libraries, printer information, print job data | Y | Removal / Un-install of the App. |

Open-Source Components
Xerox® Workplace Cloud uses Open-Source software modules in its different components, such as the Cloud hosted Workplace Cloud, the Desktop Client, and so on. An up-to-date bill of materials for this solution is available upon request from Xerox.
4. System Interaction
System Components
XEROX® WORKPLACE APP [PMM]
The Xerox® Workplace App is the main user interface to the Xerox® Workplace Cloud.
The application requires users to authenticate with the Workplace Cloud before using the application. When authenticated, the user’s credentials and authentication token are stored in the application until they log out. For more information about authentication and communications-related security, refer to Communication between the Workplace App and Workplace Cloud.
The Xerox® Workplace App does not provide the capability to remotely wipe the mobile device.
It is ultimately the responsibility of the user to secure their mobile device. Users can enable device-level passwords and manage physical access to the device. If the mobile device is lost or stolen, the user can access the webpage to change their password, making the device unable to access the Workplace Cloud solution.
XEROX® WORKPLACE CLOUD
The Workplace Cloud runs in the Microsoft® Windows Azure Platform and utilizes the SQL Azure Database for storage. There are a number of considerations for security based on this architecture as follows:
Windows Azure Platform specific security information
SQL Azure Database specific security information
Workplace Cloud specific security
Workplace Cloud Printer Client Application specific security
Workplace Cloud Client
Workplace Cloud Web Portal
Workplace Cloud Email Service
Each consideration is covered below.
Windows Azure Platform Specific
The Windows Azure Platform operates in the Microsoft® Global Foundation Services (GFS) infrastructure, portions of which are ISO27001-certified.
Windows Azure Security Highlights:
Built-in Identity Management for administrator access
Dedicated hardware firewall
Stateful packet inspection technology employed
Application-layer firewalls
Hypervisor firewalls
Host-based firewalls
SSL termination / load balancing / application layer content switching
Each deployed hosted service is segmented in its own VLAN, preventing compromised node access