Canon
Security White Paper 2014 R3 Edition
MDS Cloud – Security White Paper (c) 2014 Canon U.S.A. Inc., All rights reserved.

Table of Contents

1. Introduction to the MDS Cloud Service
2. About Canon Business Imaging Online
3. MDS Cloud Service Overview
4. Information Handling and Network Communications
   Data Contents
      Data from the MDS CC Agent to the MDS Cloud
      Data from the MDS Cloud to the MDS CC Agent
      Data imported to MDS Cloud by a Web browser
      Data which can be exported from MDS Cloud from a web browser
      Data stored by the MDS CC Agent
      Data imported from the UGW to MDS Cloud
      Data import from Backend Systems to MDS Cloud
      Data retrieved by a Service Provider's Backend Systems from MDS Cloud
   Data Retention Period
      Data retention on MDS Cloud
      Data retention for the MDS CC Agent
   Network Protocols
      Communication between the MDS CC Agent and managed devices
      Communication between the MDS CC Agent and MDS Cloud
      Communication between the Web browser and the Web UI of the MDS CC Agent
      Communication between the MDS CC Agent and the Netaphor license server
   Network Traffic
      Data Captured from devices by the MDS CC Agent
      Data sent from the MDS CC Agent to MDS Cloud
      Data from MDS Cloud to MDS CC Agent
      Data between the MDS CC Agent and the Netaphor Licensing Server
5. MDS Cloud Service Security Elements
6. CBIO Infrastructure Architecture
7. CBIO Core Services Overview
8. CBIO Security Overview

1. Introduction to the MDS Cloud Service

MDS Cloud Service is a cloud-based device management offering hosted at "Canon Business Imaging Online" (CBIO).

The MDS Cloud Service collects and stores information from End-user devices such as multifunctional copiers and/or printers via the Internet. Service Providers (i.e., Canon U.S.A., Inc. [Canon USA] and Canon Authorized Retail Dealers) use the MDS Cloud Service to offer device management services to their End-users.

The MDS Cloud Service allows the Service Provider and End-users to:
- Display device status
- Manage device configuration
- Gather device usage statistics (print volume, copy volume) in order to propose improvements to the End-user environment

2. About Canon Business Imaging Online

Canon Business Imaging Online ("CBIO") is a PaaS cloud platform for Canon's business applications. CBIO provides End-users with access to Canon's latest technology on the cloud, including services that are integrated with MFD (multi-function devices), such as Canon imageRUNNER Advance devices, and printers.

CBIO provides many benefits to End-users:
- Affordable: Without having large up-front costs, End-users can use cloud-based services with a subscription model.
- Stable: Applications are installed on a powerful, secure, redundant hardware infrastructure.
- Quick Deployment: Since the applications are cloud based, End-users can start using the services right away.
- Compatible: Since the applications are Web-based, services can be accessed from anywhere. In addition, upgrades are handled in the cloud, so End-users don't have to worry about version control.

See Section 6, "CBIO Infrastructure Architecture," towards the end of this paper for additional details on Canon Business Imaging Online.

3. MDS Cloud Service Overview

The MDS Cloud Service collects and stores information from End-user devices such as multifunctional copiers and/or printers via the Internet.

[Figure: MDS Cloud Service Diagram]

The MDS Cloud Service is comprised of the following system elements:

3.1. MDS Collection & Configuration Agent (MDS CC Agent) – The MDS CC Agent is a PC application that is installed locally at the End-user site. It is responsible for collecting and aggregating device information at the End-user site before sending it to the MDS Cloud. The CC Agent will access MDS Cloud once a day to check for updates to itself and automatically update when available (1). When non-Canon devices are involved, the MDS CC Agent will automatically download and install an additional software module which Canon licenses from Netaphor Software, Inc. This Netaphor module will periodically access a Netaphor License Server in order to verify its license status. The Netaphor module will only provide the Netaphor server with the total quantity of devices managed; no other information is sent to the Netaphor server. SOAP/HTTPS are used as the communication protocols, and the data amount is approximately 4-6 kbytes per transmission.

(1) Automatic updates are optional. See section 4.4.3 "Data from MDS Cloud to MDS CC Agent."

The MDS CC Agent communicates with Netaphor's License Server using HTTPS.

3.2. MDS Cloud – The MDS Cloud stores and manages End-user device information that is captured via the MDS CC Agent.

3.3. Universal Gateway (UGW) – Universal Gateway (UGW) is a server that stores information collected by Canon's imageWARE Remote system. There are two integrations between MDS Cloud and the UGW. Both are optional. These integrations are for Service Providers who already use imageWARE Remote and would like to keep collecting data (on Canon devices only) through that system for service.

One integration is between MDS Cloud and the UGW. MDS Cloud can receive information (on Canon devices only), such as counter data, from the UGW and manage it for reporting. The information transferred is billing and paper size counters (see sec. 4.1.7, Data imported from the UGW to MDS Cloud), and they are transferred once a day.

The other integration is between the MDS CC Agent and the UGW. The CC Agent can pull diagnostic service information from Canon devices and transmit it to the UGW directly to be managed by that system. The polling interval is 10 minutes and data is only sent when an error, jam or alarm occurs on the device.

For additional information on imageWARE Remote and UGW, please refer to the imageWARE Remote security white paper.

3.4. Service Provider's Backend System – The Service Provider (Canon Sales Company or Authorized Canon Dealer) can link their backend business system to the MDS Cloud in order to retrieve or update End-user information.

3.5. Other systems – MDS Cloud is capable of integration with certain other fleet management data collection agents available to Service Providers. In the case that the Service Provider selects an approved non-Canon data collection agent, data from that agent can be stored on MDS Cloud for the purpose of reporting.

The MDS Cloud generates a unique database schema (table diagram) for each End-user and Service Provider.

The table diagram groups the boxes and sectors that divide the tables. Each unique table diagram stores data for each End-user. As a result, the data is isolated from other table diagrams, and can never be commingled.

Access to data on each table diagram is restricted. Access to a table diagram is allowed only if both the relationship between End-user and Service Provider is verified, and the End-user's tenants/roles are verified by Canon Business Imaging Online. If any of these are unverified, access to the table diagram is prohibited.

[Figure: MDS Cloud Database]

4. Information Handling and Network Communications

In the MDS Cloud Service, the MDS CC Agent is the main conduit for capturing device information at the End-user site and sending it to MDS Cloud. MDS Cloud can also receive data from system integration with the imageWARE Remote UGW server, Service Provider's back-end systems and other non-Canon fleet management systems. This section describes the data handled by the MDS CC Agent, as well as the network protocols used for communications and information on the network traffic generated by the MDS CC Agent.

4.1. Data Contents

MDS Cloud Service handles (sends, receives, stores) the following data:
- Setup Information: It includes login information to log in to the MDS CC Agent, and also the MDS CC Agent's setup information to connect with MDS Cloud.
- Management Information: It includes identification information, control information, and the debug logs for the MDS CC Agent.
- Device configuration: It includes configuration and identification information for each of the devices.
- Device management information: It includes data about the operational status of devices. This information is collected directly from the devices, or it is entered by the service provider.
- Job Information: Job Log information may include the properties of the print jobs, such as which application was used, whether the job was duplexed, page layout (2-up/4-up), and whether the print job was color or black and white.
- End-user management information: Information for identifying End-user tenant IDs.
- PC configuration information: Includes information about the configuration of the PC where the MDS CC Agent is installed.

4.1.1. Data from the MDS CC Agent to the MDS Cloud

| Data category | Data contents |
|---|---|
| MDS CC Agent Setup and Managing Information | MDS CC Agent ID (Client ID); Debug Log ID |
| End-user management Information | End-user tenant ID |
| Device Configuration | IP address / MAC address; Device ID (Serial No.); Product Name; Device Name; Location; Site; Option(s); Color/Mono; Firmware version |
| Device management Information | Job history (Job logs; Print Volume, Copy Volume): Print Job, Scan Job, Fax Job, Sent/Received Job. Counter information: Billing Counters. Device status monitoring information: Status of device, Toner level, Paper level |
| PC configuration information | HDD (where CC Agent is installed) Free Space; System HDD Free Space; Installed Memory; Processor; The latest date of Windows Update installation; OS information (the name and version number) |

4.1.2. Data from the MDS Cloud to the MDS CC Agent

| Data categories | Data contents |
|---|---|
| MDS CC Agent Setup and Managing Information | MDS CC Agent control information: the time when the MDS CC Agent accessed MDS Cloud; Client ID (Tenant ID); List of managed devices; Setup information for sending job history (identifies which portions of the job log will be sent and which will not); SNMP connection setting |
| Device settings information | Departmental ID settings; Web browser setting; Address book; User-mode settings |

4.1.3. Data from MDS CC Agent to the Netaphor License server

The MDS CC Agent only provides information to the Netaphor license server (1) that can be used to provide the correct number of managed third party devices. No other information about the devices or users, or their respective usages, is provided to the server. The information is provided once a day.

(1) The licensed software servers are located on premises of Netaphor.

4.1.4. Data imported to MDS Cloud through a Web browser

The following data can be imported into MDS Cloud using a CSV file (or original file, as applicable) via a web browser.

| Data category | Data contents |
|---|---|
| Device configuration Information | Device IP address / MAC address; Device ID (= serial No.); Product name; Device name; Location; Site; Option(s); Color/Mono; Firmware version |
| Device management Information | Job history (Job logs; Print Volume, Copy Volume): Print Job, Scan Job, Fax Job, Sent/Received Job. Counter Information: Billing counter, Paper size counter |
| Device settings Information | Basic registered setting (about network connection, security); Paper types; Sending |

Both Device Configuration and Device Management information are imported as CSV. Device Settings information is imported in Canon's original format.

4.1.5. Data exported from MDS Cloud from a web browser

The following data can be exported from MDS Cloud via a web browser.

| Data category | Data contents |
|---|---|
| Device configuration Information | Device IP address / MAC address; Device ID (= serial No.); Product name; Device name; Location; Site; Option(s); Color/Mono; Firmware version |
| Device management Information | Job history (Job logs; Print Volume, Copy Volume): Print Job, Scan Job, Fax Job, Sent/Received Job |
| Device settings Information | Basic registered setting (about network connection, security); Paper types; Sending; Box setting; Departmental ID management; Main menu; Web browser; Commonly-used setting; Address book; Advanced box; Custom menu; MEAP application setting; User setting; Workflow Composer setting |

4.1.6. Data stored by the MDS CC Agent

The following data is stored in the MDS Cloud CC Agent for management purposes.

| Data categories | Data contents |
|---|---|
| MDS CC Agent Setup and Management Information | Debug log ID of MDS CC Agent; Proxy setup Information; MDS CC Agent Administrator Information |
| End-user management Information | End-user tenant ID (ID for accessing End-user data in MDS Cloud) |
| Device management Information | Job history (Job logs; Print Volume, Copy Volume): Print Job, Scan Job, Fax Job, Sent/Received Job. Device status monitoring information: Status of device, Toner level, Paper level |
| UGW Connection Information | Connected URL |

4.1.7. Data imported from the UGW to MDS Cloud

The MDS Cloud may be configured to import the following data from the UGW:

| Data categories | Data contents |
|---|---|
| Device management information | Counter information: Billing counter, Paper size counter |

4.1.8. Data import from Backend Systems to MDS Cloud

The MDS Cloud can receive the following information from the Service Provider's backend system.

| Data categories | Data contents |
|---|---|
| Customer information | Includes data entered for each customer in the "Customer Information" tab |
| Device configuration information | IP address; MAC address; Serial number; Product name; Device name; Location; Optional information; Color/Mono |
| Device Management Information | Job history (job log, print volume, copy volume): Print job, Copy job, Scan job, Fax job, Sent/Received Job. Counter information: Billing counter. Incident information (inquiries, claims/calls from customers, maintenance records). Device status monitoring information: Status of device, Toner level |
| MDS CC Agent Setup and Managing Information | MDS CC Agent setup information; Device discovery setup information |
| MDS Cloud setting information | Includes MDS Cloud settings data available in the "Settings" tab for each customer |

4.1.9. Data retrieved by a Service Provider's Backend Systems from MDS Cloud

The following data is available to Service Provider backend systems by using a web service interface from MDS Cloud.

| Data categories | Data contents |
|---|---|
| Device configuration information | Device IP address / MAC address; Device ID (= serial No.); Product name; Device name; Location; Site; Option(s); Color/Mono |
| Device management Information | Job history (Job logs; Print Volume, Copy Volume): Print Job, Scan Job, Fax Job, Sent/Received Job. Counter Information: Billing counter |
| Customer Information | Includes data entered for each customer in the "Customer Information" tab |
| Device Management Information | Past summarized and aggregated data: Job logs. Device status monitoring information: Status of device, Toner level |

4.2. Data Retention Period

4.2.1. Data Retention on MDS Cloud

End-user data is stored on MDS Cloud in order to provide services such as reporting, automated billing, etc. When an End-user stops using the MDS service (contractual termination), the Service Provider may delete the registered End-user information. Once deleted, the data will be erased from the database within 24 hours using a batch process. As a result, all of the tenant information relating to the End-user is deleted, and the End-user's schema (table) will be wiped out from the MDS Cloud database.

While the contract is active, the data is kept for the specified retention period for contracted End-users. The retention period for contracted customers is listed in the following table.

| Data Category | Data Content | Timing of deletion |
|---|---|---|
| Device Management Information (1) | Collected by MDS Cloud CC Agent: Job history. Counter information: Billing counter (Service mode counter, All asset counter, Summary counter), Paper size counter. Device status monitoring information: Status histories | After 100 days the data is deleted. |
| Device Management Information (1) | Imported through the Web Portal: Incident information. Counter information: Billing counter, Paper size counter | After 3 months the data is deleted. |
| Summarized Data (2) | Data for reporting based on raw data | After 3 years the data is deleted. |
| Device settings information | Device Settings Information | MDS Cloud stores a maximum of 4 sets of configuration settings. |

(1) Data that is collected from the MDS Cloud CC Agent or imported through the Web Portal and System Integration is considered "Raw Data."
(2) "Summarized Data" means calculated data from "Raw Data" for reporting and display on the Dashboard, e.g. monthly usage per device/user, monthly uptime per device, etc.

4.2.2. Data Retention for the MDS CC Agent

Data is temporarily stored by the MDS CC Agent on the local PC it runs on until it forwards it to MDS Cloud. Data handled by the MDS CC Agent is deleted at each interval below:

| Data categories | Data contents |
|---|---|
| MDS CC Agent management information | It is automatically deleted when the MDS CC Agent is uninstalled. |
| Device Configuration | It is automatically deleted when management of the device is stopped. |
| Job history | It is automatically deleted when it is forwarded to MDS Cloud. |
| Counter information | It is automatically deleted when it is forwarded to MDS Cloud. |
| Device status monitoring information | Automatically deleted when it is forwarded to MDS Cloud. It is also automatically deleted when management of the device is stopped. |

4.2.3. Data Retention for backend system / external system data

Data can be imported into MDS Cloud from Dealer's backend system or another external system they may use to handle customer data.

| Data Category | Data Content | Timing of deletion |
|---|---|---|
| Device Management Information | Job histories. Counter information: Service mode counter, Summary counter. Device status monitoring information: Status histories. Incident information | This data is stored in MDS Cloud for 36 months (UTC basis). After 36 months, the data is deleted by a daily batch process. |

4.3. Network Protocols

Several ports and protocols are used in the operation of services that are supported by MDS Cloud. The following protocols and ports are used for communication between the MDS CC Agent and managed devices and between the MDS CC Agent and MDS Cloud:

4.3.1. Communication between the MDS CC Agent and managed devices

| Protocol | Port No. | Source | Purpose |
|---|---|---|---|
| SNMP | UDP/161 | Device | Acquisition of MIB (device monitoring and device configuration information) |
| SLP | UDP/427 | Device | Acquisition of device configuration |
| Canon Proprietary (1) | UDP/47545 | Device | Acquisition of job logs / counter information |
| Canon Proprietary (1) | TCP/47546 | Device | Acquisition of job logs / counter information |
| Canon Proprietary (1) | TCP/9007 | Device | Acquisition of job logs / counter information |
| Canon Proprietary (1) | UDP/50700 (IPv4) (2), UDP/50701 (IPv6) (2) | MDS CC Agent | Receiving event information from devices |
| SLP | UDP/11427 | MDS CC Agent | Receiving device status |
| HTTP | TCP/80 (*5) | Device / MDS CC Agent | Receiving and forwarding device information |
| HTTP | TCP/8000 | MDS CC Agent | Receiving and forwarding device settings |
| HTTP | TCP/18080 | MDS CC Agent | Receiving and forwarding device settings |
| HTTPS | TCP/443 | MDS CC Agent | Forwarding device configurations |
| HTTPS | TCP/8443 | MDS CC Agent | Receiving and forwarding device settings |
| HTTPS | TCP/18443 | MDS CC Agent | Receiving and forwarding device (EFI Device) settings |
| HTTPS | TCP/Vacant port between 44301-44399 | Device | Acquisition of device configuration |

(1) Canon proprietary protocols are used for acquiring job logs and event information data. They are used for Canon devices only.
(2) If the port is occupied, it is automatically allocated to another unused port.

4.3.2. Communication between the MDS CC Agent and MDS Cloud

| Protocols | Port No. | Server |
|---|---|---|
| HTTPS | TCP/443 (1) | MDS Cloud |

(1) The port is specified by proxy.

4.3.3. Communication between a Web browser and Web UI of the MDS CC Agent

| Protocols | Port No. | Server |
|---|---|---|
| HTTP | Vacant TCP port between 44300 and 44399 | MDS CC Agent |
| HTTPS | Vacant TCP port between 44300 and 44399 | MDS CC Agent |

4.3.4. Communication between the MDS CC Agent and the license server:

| Protocol | Port No. | Server |
|---|---|---|
| HTTPS | TCP/443 | Netaphor License server |
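
A check a network team could run against the port tables in 4.3.1 to 4.3.4, given here as an added example that is not part of the Canon white paper: it classifies flows seen at the MDS CC Agent host as documented, documented on a port the tables list for plain HTTP, or undocumented. The peer addresses, sample flows and function names are constructed for the example, and because the Source column does not settle direction, a documented port on either end of a flow counts as a match.

```python
"""Audit flows at the MDS CC Agent host against the ports listed in 4.3.1-4.3.4."""
import ipaddress

# (transport, ports, review_http) rows transcribed from the tables above.
# review_http is True where the table lists plain HTTP for the port.
BASELINE = {
    "device": [                                # 4.3.1, agent <-> managed devices
        ("udp", range(161, 162), False),       # SNMP
        ("udp", range(427, 428), False),       # SLP
        ("udp", range(47545, 47546), False),   # Canon proprietary
        ("tcp", range(47546, 47547), False),   # Canon proprietary
        ("tcp", range(9007, 9008), False),     # Canon proprietary
        ("udp", range(50700, 50702), False),   # events; moves if occupied (note 2)
        ("udp", range(11427, 11428), False),   # SLP
        ("tcp", range(80, 81), True),          # HTTP
        ("tcp", range(8000, 8001), True),      # HTTP
        ("tcp", range(18080, 18081), True),    # HTTP
        ("tcp", range(443, 444), False),       # HTTPS
        ("tcp", range(8443, 8444), False),     # HTTPS
        ("tcp", range(18443, 18444), False),   # HTTPS
        ("tcp", range(44301, 44400), False),   # HTTPS, vacant port 44301-44399
    ],
    "cloud": [("tcp", range(443, 444), False)],       # 4.3.2
    "browser": [("tcp", range(44300, 44400), True)],  # 4.3.3 lists HTTP and HTTPS
    "license": [("tcp", range(443, 444), False)],     # 4.3.4
}

# Constructed addressing for this example only; substitute the site's own.
PEERS = {
    "device": ipaddress.ip_network("10.20.0.0/24"),
    "browser": ipaddress.ip_network("10.20.1.0/24"),
    "cloud": ipaddress.ip_network("203.0.113.10/32"),
    "license": ipaddress.ip_network("198.51.100.7/32"),
}


def peer_class(ip):
    """Map a peer address to one of the four documented peer types, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in PEERS.items():
        if addr in net:
            return name
    return None


def lookup(rules, transport, port):
    """Return the row's review flag if (transport, port) is documented, else None."""
    for rule_transport, ports, review_http in rules:
        if rule_transport == transport and port in ports:
            return review_http
    return None


def classify(flow, cloud_port=443):
    """flow = (transport, agent_port, peer_ip, peer_port); returns a verdict string."""
    transport, agent_port, peer_ip, peer_port = flow
    cls = peer_class(peer_ip)
    if cls is None:
        return "undocumented-peer"
    rules = BASELINE[cls]
    if cls == "cloud" and cloud_port != 443:
        # 4.3.2 note: the port is specified by proxy.
        rules = [("tcp", range(cloud_port, cloud_port + 1), False)]
    ports = (agent_port, peer_port)
    hits = [lookup(rules, transport, p) for p in ports]
    if all(h is None for h in hits):
        return "undocumented-port"
    # A well-known port on either end must itself be documented, so a flow is
    # not accepted only because the other end falls in a documented range.
    if any(p < 1024 and h is None for p, h in zip(ports, hits)):
        return "undocumented-port"
    return "documented-review-http" if any(hits) else "documented"


# Constructed sample flows: (transport, agent_port, peer_ip, peer_port).
SAMPLE_FLOWS = [
    ("udp", 51123, "10.20.0.15", 161),    # SNMP poll of a device
    ("tcp", 51200, "10.20.0.15", 8000),   # device settings over HTTP
    ("tcp", 44350, "10.20.0.15", 23),     # telnet to a device
    ("tcp", 51300, "203.0.113.10", 443),  # agent to MDS Cloud
    ("tcp", 44300, "10.20.1.8", 50222),   # admin browser to agent Web UI
    ("tcp", 51400, "192.0.2.44", 443),    # peer not in any documented class
    ("tcp", 51301, "198.51.100.7", 443),  # license server
]


def audit(flows, cloud_port=443):
    """Return (flow, verdict) for every flow that is not plainly documented."""
    findings = []
    for flow in flows:
        verdict = classify(flow, cloud_port)
        if verdict != "documented":
            findings.append((flow, verdict))
    return findings


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

The UDP/50700 and UDP/50701 listeners can move to another unused port (note 2 of 4.3.1), so event traffic on a relocated port will show as undocumented until the baseline is adjusted for that host.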

4.4. Network Traffic

The MDS Cloud Service generates three types of data traffic within an End-user's network.
- Data captured from devices by the MDS CC Agent.
- Data transferred from the MDS CC Agent to MDS Cloud.
- Information received by MDS CC Agent from MDS Cloud.

* In addition to the three types of data traffic listed above, traffic between the MDS Cloud Service and the Service Provider's backend system is also possible if that integration is configured.

Each type of data traffic is described in detail below.

4.4.1. Data Captured from devices by the MDS CC Agent

If 100 jobs (74 print jobs, 6 scan jobs, 10 fax jobs, 10 send jobs) occur in a day, the total amount of data transferred from a Canon device to MDS CC Agent is estimated to be 1.9 MB. From a non-Canon device, the estimated amount is 1.6 MB. (The amount of data depends on device type, configuration and job content.)

The amount and frequency of each type of data is shown in the following table.

| Contents | Device | Data amounts | Capturing frequency |
|---|---|---|---|
| Job History | Canon device | Dependent on the number of jobs. Print job: Approx. 4 KB; Scan job: Approx. 3 KB; Fax job: Approx. 2 KB; Send job: Approx. 2 KB | MDS CC Agent periodically polls devices and pulls data at the following intervals: every 10 min. (for devices that cannot store more than 1,000 jobs); every 60 min. (for devices that can store more than 1,000 jobs); once a day (1) (even devices in sleep mode are woken and have data captured once a day) |
| Job History | Non-Canon device | Not captured | Not captured |
| Counter Information | Canon device | Approx. 19.1 KB | Every 12 hours (polling). (If a device has been asleep for 24 hours since its counter data was last captured, the device is woken and the counter data is captured.) |
| Counter Information | Non-Canon device | Approx. 1.7 KB | Every 12 hours (polling). |
| Status of device | Canon device | Approx. 0.8 KB | Every 5 min |
| Status of device | Non-Canon device | Approx. 0.6 KB | Every 5 min |
| Toner level | Canon device | Approx. 2.4 KB | Every 5 min |
| Toner level | Non-Canon device | | |
| Paper level | Canon device | Approx. 2.7 KB | Every 5 min |
| Paper level | Non-Canon device | | |
| Configuration | Canon device | Approx. 10 KB | Once a day (2) (When power is on (3)) |
| Configuration | Non-Canon device | | |
| Device settings Information | Canon device | Approx. 1 MB | Specified by service provider |
| Device settings Information | Non-Canon device | Not captured | |

(1) For all devices.
(2) For devices under sleep mode or other than power-off.
(3) For devices capable of sending the "power-on" event.

4.4.2. Data sent from the MDS CC Agent to MDS Cloud

The amount of data sent from the MDS CC Agent to MDS Cloud per day is estimated to be approximately 170.9 Kbytes (per Canon device) / approx. 25.5 Kbytes (per non-Canon device). This estimation is based on the assumption that each device generates 100 jobs a day, the status of each device changes twice a day, the toner level changes once a day, and data is forwarded from the CC Agent to MDS Cloud with 35% compression.

The data amounts (1) and forwarding frequencies from the MDS CC Agent are shown in the table below.

| Contents | Device | Data amounts | Forwarding frequency (2) (Timing) |
|---|---|---|---|
| Job history (3) | Canon device | Approx. 70 KB | Every 8 hours |
| Job history (3) | Non-Canon device | Not captured | Not captured |
| Counter information | Canon device | Approx. 3.KB | Every 12 hours |
| Counter information | Non-Canon device | Approx. 1.KB | |
| Status of device | Canon device | Approx. 1.KB | When a change is detected in the device status. |
| Status of device | Non-Canon device | Approx. 1.KB | |
| Toner level | Canon | Approx. 2.KB | When a change is detected in the toner level. |
| Toner level | Non-Canon device | | |
| Paper level | Canon device | Approx. 2.KB | When a change is detected in the paper level. |
| Paper level | Non-Canon device | | |
| Configuration | Canon | Approx. 5 KB | Once a day |
| Configuration | Non-Canon device | | |
| Device settings Information (3) | Canon | Approx. 1 MB | Specified by service provider |
| Device settings Information (3) | Non-Canon device | - | - |
| Event detection | Canon | Approx 0.1 KB | 480 times in a day |
| Event detection | Non-Canon device | - | - |
| Debug log ID (3) | Canon | Approx. 230 KB | Once a day |
| Debug log ID (3) | Non-Canon device | - | - |

(1) Data amounts are for individual devices.
(2) Sending is attempted every five minutes.
(3) Job history, Device setting and Debug log ID are not captured from non-Canon devices.

4.4.3. Data from MDS Cloud to MDS CC Agent

The MDS CC Agent receives approximately 2.5 kB of data per device / per day from MDS Cloud. The content, amount and the receiving frequencies are shown in the table below.

| Contents | Data amounts (*1) | Receiving frequency |
|---|---|---|
| List of managed devices | Approx. 0.40 kB (1) | Once a day |
| Device discovery settings | Approx. 0.63 kB | Every 8 hours |
| MDS CC Agent Management Information. | Approx. 0.25 kB | Once a day |
| Device setting | Approx. 1 MB | Specified by each of Service Providers |
| Event occurrence information | Approx. 1 kB | In case an event occurs such as: device addition, deletion and data-update (Serial No., IP address, host name, MAC address); update on client information; update on device search setting; settings about delivery/capturing schedule of device setting information; delivery/capturing device setting information |
| The most recent version number of the MDS CC Agent | A few kB | Once a day |

(1) The data amounts on the table are per device. The total data amount will vary depending on the number of devices listed.

4.4.4. Data between the MDS CC Agent and the Netaphor Licensing Server

The MDS CC Agent only provides the total device count to the Netaphor licensing Server to ensure the correct number of managed devices. No other information about the devices or users or their respective usages is provided to the server.

| Content | Data amount | Frequency |
|---|---|---|
| Numbers of managed devices and information about license validation | Approx. 4-6 kB | Once a day |
5. MDS Cloud Service Security Elements

5.1. MDS Cloud Service Portal Authentication

To gain access to the MDS Cloud Portal, a user must be properly authenticated. Additionally, users are assigned roles specified by End-User administrators that control the features that can be accessed. This ensures that users can only access data and features that are appropriate for the specific roles that they have been assigned. Users are also prevented from accessing data from other tenants or End-users on MDS Cloud.

5.2. MDSCC Agent Authentication

Mutual authentication is used for communication between the MDSCC Agent and the MDS Cloud. During the installation process, a unique key is provided to the agent. Subsequent connections must be authenticated using the unique agent key.

The MDSCC Agent can be managed from a user interface via a Web browser. The connection requires authentication and is protected using SSL/TLS.

5.3. Universal Gateway (UGW) Authentication

Integration with the Universal Gateway (UGW) requires authentication with the UGW service. To enable the secure establishment of communication with the UGW Service, the appropriate UGW credentials are configured on the MDS Cloud system, via a secure Web browser interface.

5.4. Data Transmission Security
A Web browser communicates with the Canon Business Imaging Online server over HTTPS (HTTP over SSL/TLS). Additionally, communication between the Web browser and the print device that takes place as part of the Direct Print case can also be secured via SSL/TLS (optional). The CBIO Server Certificate is signed by VeriSign and installed on the Canon Business Imaging Online server, enabling data encryption through an SSL connection. The Canon devices have the root VeriSign certificate pre-installed, and any modern Web browser used by the client PC should as well, so no additional configuration is needed for SSL communications to CBIO.
5.5. Validation of received data

MDS Cloud Service performs the following validation procedures for the received data:

- Source confirmation: If the data did not originate from a registered device, the data is not captured.
- Confirmation for received data contents: The received data is also checked for adequacy of the format. In addition, the contents are also checked as to whether sufficient information is included or not. This includes data from backend or external systems.
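The checks in 5.5 can be sketched as one gate that runs source confirmation first, then sufficiency, then format, in the order the section lists them. This is an added example, not code from Canon or the MDS Cloud Service; the field names follow the device attributes named in 4.4.3 (Serial No., IP address, host name, MAC address), while the registry structure, function name and sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed registry (assumption): tenant ID -> serial numbers of registered devices.
REGISTERED = {"tenant-abc": {"SN0001", "SN0002"}}

REQUIRED = ("serial_no", "ip_address", "host_name", "mac_address")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")


def validate_record(tenant_id, record):
    """Return (accepted, reason); checks run in order and stop at the first failure."""
    if not isinstance(record, dict):
        return False, "format: record is not an object"

    # 1. Source confirmation: data from an unregistered device is not captured,
    #    no matter how well-formed the rest of the record is.
    serial = record.get("serial_no")
    if not isinstance(serial, str) or serial not in REGISTERED.get(tenant_id, set()):
        return False, "source: device is not registered for this tenant"

    # 2. Sufficiency: every expected field must be present and non-empty.
    missing = [f for f in REQUIRED if record.get(f) in (None, "")]
    if missing:
        return False, "content: missing " + ", ".join(missing)

    # 3. Format: each field must parse as what it claims to be.
    if not all(isinstance(record[f], str) for f in REQUIRED):
        return False, "format: all fields must be strings"
    try:
        ipaddress.ip_address(record["ip_address"])
    except ValueError:
        return False, "format: ip_address"
    if not MAC_RE.fullmatch(record["mac_address"]):
        return False, "format: mac_address"
    host = record["host_name"]
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        return False, "format: host_name"
    return True, "accepted"


# Constructed sample record (documentation address ranges).
SAMPLE = {"serial_no": "SN0001", "ip_address": "192.0.2.10",
          "host_name": "printer-01.example.com", "mac_address": "00:00:5E:00:53:01"}
```

Running the source check before any parsing means a record from an unregistered serial number is rejected with the same reason whether or not its other fields are valid, which keeps the rejection path small and uniform.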
5.6. End-user Data Security

Security is provided for data that is stored on CBIO. For the MDS Cloud Service, only information related to the operation and management of devices is stored on CBIO. Nevertheless, the security of the data is important, so it is encrypted both in transit and in storage. All communications with CBIO are protected using the SSL/TLS protocol. This protection is provided both for communication from the client PC browser and the communication with CBIO-enabled printing devices. Strong encryption is provided for data in storage, via the AES 256 algorithm.

Segmentation is provided between End-users in the MDS Cloud system. A CBIO End-user or tenant is a corporation or group within corporations that use Canon Business Imaging Online. Only users that belong to a contracted group and have created a Canon Business Imaging Online account in that group can use Canon Business Imaging Online.

Canon Business Imaging Online implements an intermediary virtual partition layer between a tenant and user data that makes it appear to the tenant as though its data is the only data in the user data storage. Tenant settings use access control lists to determine who can access data and what they can do with it. User print data is encrypted with a unique encryption key for each tenant/End-user using the AES 256 encryption algorithm.

5.7. Access control for hierarchical schemes (End-user tenants) data

The MDS Cloud Service supports hierarchical schemes (End-user tenants) and supports features such as “Service Delegation” and “Service for Global/Regional accounts.” For example, ABC Company is registered as an upper level, while each of the branches such as A-D is registered as a lower level (See diagram below).
When a confirmation code is set up by the Service Provider that is initially linked with the upper level, the specific lower level End-user tenant can be linked with another Service Provider. Then, the lower level tenant’s data can be shared between two Service Providers. (*1) This means that all information, excluding reports that are made by the original Service Provider about the tenant, can be shared with another Service Provider.

(*1) All information that is listed in “Data from the MDSCC Agent to the MDS Cloud” (Sec. 4.1.1) is shared.

The other Service Provider cannot start the data-sharing without the End-user’s acceptance with a click from its own End-user portal. Service Providers who do not have the confirmation code cannot access any of the End-user’s data. (See diagram below)
[Diagram: Information sharing between different Service Providers. ABC Co. (ABC branch A, ABC branch B, ABC branch C) is initially linked with service provider a. ABC branch C, identified by its Tenant ID and a confirmation code, is linked (shared) with service provider z. Information about ABC branch C can be shared only between service provider a. and z.]
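The sharing rules of 5.7 amount to a three-condition access decision: the second Service Provider must present the confirmation code, the End-user must accept, and reports made by the original Service Provider stay excluded. The following is an added example, not Canon's implementation; the class, function and constant names are hypothetical, and the rule that a lower level inherits the Service Provider linked with its upper level is an assumption drawn from the diagram.

```python
import hmac
from dataclasses import dataclass, field

DEVICE_DATA = "device_data"                # data the agent sends to the cloud
ORIGINAL_SP_REPORT = "original_sp_report"  # report made by the original Service Provider


@dataclass
class Tenant:
    tenant_id: str
    parent: "Tenant" = None          # upper-level tenant, if any
    primary_sp: str = None           # Service Provider initially linked
    confirmation_code: str = None    # set up by the original Service Provider
    shares: dict = field(default_factory=dict)  # SP -> True once the End-user accepted

    def original_sp(self):
        """Assumption: a lower level inherits the SP linked with its upper level."""
        node = self
        while node is not None:
            if node.primary_sp:
                return node.primary_sp
            node = node.parent
        return None


def request_share(tenant, sp, code):
    """Another SP presents the confirmation code; the link stays pending until accepted."""
    expected = tenant.confirmation_code
    if not expected or not hmac.compare_digest(code.encode(), expected.encode()):
        return False
    tenant.shares.setdefault(sp, False)
    return True


def accept_share(tenant, sp):
    """The End-user accepts a pending link from its own portal."""
    if sp not in tenant.shares:
        return False
    tenant.shares[sp] = True
    return True


def can_access(sp, tenant, kind):
    if sp == tenant.original_sp():
        return True
    if tenant.shares.get(sp) is not True:   # no code presented, or not yet accepted
        return False
    return kind != ORIGINAL_SP_REPORT       # reports by the original SP are never shared
```

With ABC branch C as the tenant, `can_access("z", branch_c, DEVICE_DATA)` stays False after `request_share` alone and becomes True only after `accept_share`; because the link is recorded on branch C only, service provider z gains nothing on ABC Co. or the sibling branches.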
5.8. Availability

The Canon MDS Cloud is designed to provide 99% annual uptime, providing service 24 hours/day, 7 days/week. The system is designed with fail-over capability, so that in the event that a Web server, application server, or database server is down, the system will continue to operate normally and will be available when needed.

6. CBIO Infrastructure Architecture

CBIO offers enterprise-class security and reliability by leveraging services from a recognized third-party cloud infrastructure provider. The data centers that host CBIO are Tier III certified, and offer high levels of data protection, reliability of service, and security. Authorized user access to the MDS Cloud by End-users (designated contact) or Service Providers is performed via a secure MDS web portal.

Our data center implements the following measures to provide redundancy of End-user's data.
| Server | Configuration | System Disk | Additional Disks | NIC |
| --- | --- | --- | --- | --- |
| Web Server | Load balanced; VM failover on partial hardware failure | Quadruple backup on separate disks | Quadruple backup on separate disks | Duplex |
| AP Server | Load balanced; VM failover on partial hardware failure | Quadruple backup on separate disks | Quadruple backup on separate disks | Duplex |
| Database Server | Mirrored backed up | Quadruple backup on separate disks | Quadruple backup on separate disks | Duplex |
| DNS Server | Duplex (primary/secondary) | RAID of local disks in the server | - | Duplex |
| Monitoring Server | Cold standby | Quadruple backup on separate disks | - | Duplex |
| Backup Server | Single | Quadruple backup on separate disks | RAID disks | Duplex |
Disaster recovery (Recovery from natural disasters)

This service keeps daily backed-up data in another remote location. In case the data is damaged from a natural disaster, it could be restored from the remote backup.

Below are some of the key architectural design points for the CBIO Infrastructure.
6.1. Shared Infrastructure Responsibility Model

Infrastructure responsibilities are shared between Canon and the cloud infrastructure provider.

The cloud infrastructure provider is responsible for all aspects of the physical security of the data centers that host CBIO, as well as the virtualization layers related to shared infrastructure components, such as physical storage for data. Encryption (AES 128) is used by the cloud infrastructure provider to protect data partitions within physical storage areas.

Canon USA is responsible for the virtual servers, operating systems (including security updates) and applications that provide CBIO services. CBIO applications, such as the Authentication Services and Print Services, further enhance data security by encrypting End-user data utilizing AES 256 using unique keys for each End-user.
6.2. Physical and Environmental Security

The facilities used to deliver CBIO services are located in Japan, in cutting-edge earthquake resistant data centers. In the future, data centers will also be located in the U.S.

These facilities are protected by the following range of technologies:

- Strict restrictions imposed on sections, server rooms, and other locations.
- Centralized ID management for employees and visitors, including whereabouts tracking via RFID.
- Palm and Vein Authentication is associated with employee and visitor IDs and is used for access control.
- Tailgate detection to ensure that access to a secured area is granted to a single person for each valid security card presented.
- Association of surveillance video with event logs, and long term storage of security video and event logs.

6.3. Systems Security

The following practices and technologies are utilized on CBIO related host systems:

- Patch management for security updates
- Use of antivirus software for malware detection
- Use of host-based firewalls
- Log management
- Independent security assessments
6.4. Business Continuity and Data Management

CBIO employs numerous levels of redundancy for major components such as servers, storage, network devices and power supply equipment in order to eliminate single points of failure.

Backups of infrastructure components are handled by the service provider. Further, Canon USA performs backups of CBIO systems, applications and End-user data in order to achieve business continuity management.

6.5. Monitoring and Log Management

CBIO systems are configured to store event logs locally, as well as forward events to centralized log management servers. All systems synchronize time via NTP to ensure accurate timestamps of events, and enable event correlation between various security systems. For example, video surveillance logs can be matched with system access entries. Logs are saved for a period of 5 years.

6.6. Incident Management

Policies, processes and procedures are established to rapidly and accurately manage information security incidents. Further, Canon USA or its affiliate constantly monitors security related information for new developments and potential issues in order to maintain the highest levels of security.

6.7. Related Certifications

The following certifications have been attained by Canon USA or its affiliate and/or its Service Provider for CBIO related infrastructure: ISO 9001 / ISO 14001 / ISO 20000 / ISO 27001 / Privacy mark (JIS Q 15001).

6.8. Independent Security Assessments

Prior to launch, the CBIO Infrastructure and systems underwent extensive internal and external penetration testing by an independent security company. Independent security assessments are also performed on a periodic basis to ensure the highest security standards are maintained.
7. CBIO Core Services Overview

Canon Business Imaging Online (CBIO) provides a set of core services which MDS Cloud is built upon. This set of services includes Management Services (such as User and Tenant), an Authentication Service and a Log Service. Users can log in to CBIO via a Web browser and Canon multi-function devices.

7.1. Authentication and Authorization Services

Authentication and Authorization Services are used to enable access to CBIO based on a User ID and password and managed user roles. The unified authentication process deters malicious users from accessing CBIO services.

Authentication and Authorization Services are used by all CBIO services.

Authentication Service supports the SAML 2.0 protocol and can provide Single Sign On (SSO) with other provider’s cloud services to provide seamless connections.

7.2. Management and Log Services

Management and Log Services are used to manage CBIO ID information (subscriptions) as well as operation information. CBIO manages the following users and usage activities:

- Tenant information
- User ID/password information
- User roles
- All user activities (user operations) are tracked and managed by Log Services.
8. CBIO Security Overview

A high-level summary of security features for Canon Business Imaging Online is described in the chart below.

| Item | How Secured |
| --- | --- |
| Datacenter Certification | ISO 9001 / ISO 14001 / ISO 20000 / ISO 27001 |
| Network protocol | https (SSL 3.0) |
| Authentication | ID, password required to log in |
| Single sign on protocol | SAML 2.0 |
| Datacenter security | Data Separation, Access Control, Encryption of print data (AES 256) |
| Data Center facility security | Palm and vein authentication for entrance; 24 hour monitoring; Whereabouts tracking using RFID tags monitors all employees and visitors; Locked racks |
8.1. Single Sign On

In order to use the services of Canon Business Imaging Online (CBIO), users must be authenticated. Canon Business Imaging Online supports SAML 2.0 (Security Assertion Markup Language) and provides Single Sign-On functionality via the Web browser.

8.1.1. SAML

SAML is an XML standard established by the information standards association OASIS, and is used for exchanging authentication information between different sites safely and in such a way that it enables single sign-on.