Version 1.0
1 | Page RICOH USA INC
Scan to Cloud Workflows Security White Paper
Copyright © 2018 Ricoh USA INC
It is the reader's responsibility, when discussing the information contained in this document, to maintain a level of confidentiality that is in the best interest of Ricoh USA INC and its member companies.
NO PART OF THIS DOCUMENT MAY BE REPRODUCED IN ANY FASHION AND/OR DISTRIBUTED WITHOUT THE PRIOR PERMISSION OF RICOH USA INC
All product names, partners' brands and their products, domain names or product illustrations, including desktop images used in this document, are trademarks, registered trademarks or the property of their respective holders and should be noted as such.
Any trademark or registered trademark found in this support manual is used in an informational or editorial fashion only and for the benefit of such companies. No such use, or the use of any trade name, or web site is intended to convey endorsement or other affiliation with Ricoh products.
Table of Contents
Table of Contents ........ 3
1 Preface ........ 5
2 Introduction ........ 6
3 Functional Description ........ 7
  Concept of SI-Cloud ........ 7
  User Site ........ 8
  System Tools ........ 8
  WF (workflow) Application (print / distribution) ........ 8
  WF Application Development Tool ........ 8
  SI-Cloud Core ........ 8
4 System Configuration ........ 9
  Overall Structure ........ 9
  Use Case ........ 10
  Data Flow ........ 11
    General Users ........ 11
    Tenant Administrator ........ 12
    Regional Administrator ........ 13
    Regional Developers ........ 14
  Port and Protocol Information ........ 15
    Communication from customer environment to SI-Cloud ........ 15
    Communication from SI-Cloud to External Cloud Services ........ 16
  Multi-tenant support ........ 16
5 Security Measures for the General System ........ 17
  Monitoring operation, fault and performance ........ 17
  Regular collection of vulnerability information and patching ........ 17
  Vulnerability diagnosis ........ 17
  Logging ........ 19
    System overall ........ 19
    WF application (Web Browser NX) ........ 19
    WF application (server application) ........ 20
6 Data Security Measures ........ 21
  Data access control ........ 21
  User authentication ........ 24
  Access control between roles and tenants ........ 25
  Device use ........ 25
  Storage service connection ........ 26
  WF application ........ 26
  Data management ........ 26
    Device (multifunction printer) ........ 26
    Distribution data ........ 27
    Storage service connection ........ 27
  Data deletion ........ 27
    Print data ........ 27
    Scan data ........ 27
    Termination of service or tenant ........ 28
  Antivirus ........ 28
  Backup ........ 28
7 Network Security Measures ........ 29
  Access control ........ 29
    Network access control ........ 29
    Server (OS) access control ........ 29
  Encryption of communication path ........ 30
    Receiving email ........ 30
    SI job print ........ 30
    Email transmission ........ 30
    Common ........ 30
8 Data Center Security Measures ........ 32
9 Trademark ........ 33
1 Preface
This guide provides the details of the security-related information of Cloud
Workflows, which is developed on the Smart Integration Cloud Platform. Hereafter
in this document, Smart Integration Cloud is referred to as SI-Cloud.
About This Guide
This guide is divided into the following primary sections:
1. Preface: this section.
2. Introduction: lays the foundation for understanding the security-related information.
3. Functional Description: describes the concept of SI-Cloud.
4. System Configuration: describes the overall SI-Cloud system configuration.
5. System General Security Measures: security measures for the SI-Cloud platform.
6. Data Security Measures: security measures for the data managed in SI-Cloud.
7. Network Security Measures: network security measures.
8. Data Center Security Measures: a link to the data center security measures.
9. Trademark: trademarks used in this document.
2 Introduction
Scope
This document covers the security functions of the SI-Cloud [1] application
used by SI-Cloud's center server and the device (multifunction printer).
Regarding the implementation of information security measures for cloud
services, the following guidelines have been published. With reference to
JIS Q 27001 (ISMS) and JIS Q 27002 (code of practice), ① and ② below are
information security measures to be implemented by cloud providers.
① Information security countermeasure guideline in ASP · SaaS [2]
② Information security management guidelines for using cloud services [3]
③ Reference guide for disclosing information by cloud providers [4]
The Ricoh Group is engaged in information security management as an
indispensable element for providing products and services that customers
can use with confidence [5]. As a result of this effort, many of the
organizational and operational measures of the above guidelines are
covered. These are out of the scope of this document, which focuses on
physical and technical measures.
[1] The scope of this document is the SI-Cloud center server version.
[2] Ministry of Internal Affairs and Communications, 2008/1/30, http://www.soumu.go.jp/main_sosiki/joho_tsusin/policyreports/chousa/asp_saas/
[3] Ministry of Economy, Trade and Industry, http://www.meti.go.jp/press/2013/03/20140314004/20140314004-2.pdf
[4] IPA, 2011/4/25, http://www.ipa.go.jp/security/cloud/tebiki_guide.html
[5] Ricoh Group Information Security (updated at appropriate timings), http://jp.ricoh.com/security/management/
3 Functional Description
Concept of SI-Cloud
SI-Cloud forms the foundation of print / scan workflow applications (hereinafter
WF application(s)) that work principally with Ricoh's multifunction devices.
Each WF application and tool is provided using a common framework called
SI-Cloud Core.
SI-Cloud provides customers with the convenience of identity (ID) management
and customization, and provides service usage through a secure environment.
In addition, Ricoh provides WF application development capabilities to each
region, which enables quick development tailored to local needs.
Figure 1 Overall schematic diagram of services provided by SI-Cloud based on cloud service infrastructure
User Site
The SI-Cloud user site provides functionality to display / set application
lists, user management, personal settings and screen customization.
System Tools
The system tools of SI-Cloud provide functionality to register (issue) tenant
IDs and to create packages (products).
WF (workflow) Application (print / distribution)
SI-Cloud provides WF applications for printing and for distribution (scan) that
can be used on multifunction devices. For printing, SI-Cloud can provide a print
application that selects and prints files from an external cloud storage service
(see 6.3) at the multifunction device. For distribution, SI-Cloud can provide a
distribution application that stores documents scanned on a multifunction
printer to cloud storage services (see 6.3) and additionally distributes them
via email.
WF Application Development Tool
In the WF application development tool of SI-Cloud, regional developers
can develop WF applications such as those described above by
configuring workflows.
SI-Cloud Core
SI-Cloud Core provides authentication services (ID management,
authentication, and verification functions), image conversion services and
workflow services to the user site, the system tool, the WF applications and
the WF application development tool.
4 System Configuration
Overall Structure
The SI-Cloud system consists of the customer environment, the PCs in the
regional environment, the multifunction device and SI-Cloud on the Internet.
SI-Cloud consists of the application servers (user site, system tool, WF
application development tool, WF applications) and the SI-Cloud Core servers
(ID management, authentication and conversion servers).
Web Browser NX, which is standard on the multifunction devices, is required in
order to use the application(s) from the multifunction device.
Figure 2 SI-Cloud System Configuration Diagram
Use Case
⚫ General users
➢ Configure user settings, authentication settings, and verification
setting using the user site from a PC browser.
➢ Select the document to be printed on the operation panel of the
multifunction device, and print the document.
➢ Select the destination and scan setting of the document on the
operation panel of the multifunction device, and scan the paper
document. The document scanned by the device is transmitted to
the SI-Cloud, converted into the specified format, and transmitted to
the cloud storage service, or transmitted via email.
⚫ Tenant administrator
➢ Register the multifunction device from the operation panel of the
device.
➢ Manage users and tenant information, configure WF application
settings and customize SI-Cloud home screen using the user site from
a PC browser.
⚫ Region administrator
➢ Access the system tool from a PC browser, open tenants and create
user accounts.
➢ Access the system tools from a PC browser and build packages.
➢ Access the system tool from a PC browser and assign a package to a
tenant.
⚫ Region developers
➢ Access the WF application development tool from a PC browser and
develop WF applications.
Data Flow
The previous section explained some typical use cases. This section shows the
data flows between each component. "Authentication information" is information
such as a user ID and password that is required for authenticating to the
connected systems.
General Users
Figure 3 shows the flow of data between each component when using SI-Cloud.
In this figure, "selecting print files and printing at the multifunction device",
"scanning documents and distribution at the multifunction device" and
"user setting" are described as typical use cases.
Figure 3 Data Flow between Components
Tenant Administrator
Figure 4 shows the flow of data when a tenant administrator uses SI-Cloud.
In this figure, "device registration", "user management", "tenant information
management", "WF application configuration" and "SI-Cloud home screen
customization" are described as typical use cases.
Figure 4 Data Flow Between Components (Tenant Administrator)
Regional Administrator
Figure 5 shows the flow of data when the regional administrator uses SI-Cloud. In
this figure, "tenant registration" and "package (product) registration" are described
as typical use cases.
Figure 5 Data flow between Components (Regional administrator)
Regional Developers
Figure 6 shows the flow of data when the regional developers use SI-Cloud. In
this figure, "development (registration) of WF application" is described as a typical
use case.
Figure 6 Data Flow between Components (Regional developers)
Port and Protocol Information
Communication from customer environment to SI-Cloud
Table 1 Communication from customer environment to SI-Cloud

Function | Destination host | Port | Protocol
--- | --- | --- | ---
Connecting to SI-Cloud (PC) (including administration / development) | www.na.smart-integration.ricoh.com, api.na.smart-integration.ricoh.com, www.eu.smart-integration.ricoh.com, api.eu.smart-integration.ricoh.com | 443/TCP | HTTPS
Connection when installing on device | www.na.smart-integration.ricoh.com, api.na.smart-integration.ricoh.com, www.eu.smart-integration.ricoh.com, api.eu.smart-integration.ricoh.com | 443/TCP | HTTPS
Download print document | www.na.smart-integration.ricoh.com, api.na.smart-integration.ricoh.com, www.eu.smart-integration.ricoh.com, api.eu.smart-integration.ricoh.com | 443/TCP | HTTPS
Upload document | www.na.smart-integration.ricoh.com, api.na.smart-integration.ricoh.com, www.eu.smart-integration.ricoh.com, api.eu.smart-integration.ricoh.com | 443/TCP | HTTPS
Communication from SI-Cloud to External Cloud Services
The connection with an external cloud service follows the specification of the
external service. Connection is established via HTTPS (443 / TCP). If the external
service does not support HTTPS, communication is performed using HTTP (80 / TCP).
In addition, NTP (123 / UDP), DNS (53 / TCP, 53 / UDP) and SMTP (25 / TCP)
communications are used.
Multi-tenant support
SI-Cloud provides services to multiple companies and organizations. The entities
to which services are provided, such as companies and organizations, are called
tenants [6], and with multi-tenant support the information of multiple tenants is
managed on the same hardware. The system logically separates data between
tenants and ensures their independence [7]. Data access is described in section
5.1 Data access control.
There are two types of tenants: customer tenants and region tenants. Customer
tenants are for end users to use applications on SI-Cloud and cannot access the
information of other tenants.
Region tenants are for developing WF applications, creating packages and setting
up customer tenants. Region tenants can access the tenant information and license
information of their customer tenants and can issue new licenses for their
customers.
[6] A tenant may be contracted by multiple companies, which is why the term
"tenant" is used instead of "company".
[7] Such a system configuration is called a "multi-tenant architecture".
5 Security Measures for the General System
Monitoring operation, fault and performance
The operation status and performance of the network, servers (OS, middleware),
database and applications are monitored 24 hours a day, 365 days a year, and
prompt action is taken in the event of a fault. In addition, capacity
management [8] is conducted in order to ensure adequate availability.
Regular collection of vulnerability information and patching
Vulnerability information is collected and acted upon according to the process
defined at Ricoh. Security patches for the OS, middleware and OSS are first
assessed by their importance and their impact on the system, then tested in the
development environment, and finally applied to the production environment.
Vuls is used to automatically detect vulnerabilities in the packages running on
all servers. The vulnerability information for each running package is checked
against JVNDB, and the degree of impact on the service and the response for
each package are investigated and managed.
Vulnerability diagnosis
IBM's AppScan is used as the web application vulnerability assessment tool every
three months, and it is confirmed that no harmful vulnerability remains. Typical
examples of the items inspected with AppScan are as follows.
Table 2. Inspection classification and corresponding items of AppScan

Authentication
・ Brute force attack
・ Inappropriate authentication
Authorization
・ Indexing
・ Session guessing
・ Session fixation
・ Inappropriate session expiry
・ Inappropriate permission
Application
・ Privacy test
・ Quality test
Client-side attack
・ Cross-Site Scripting
・ Content spoofing
Command execution
・ LDAP injection
・ OS command injection
・ SQL injection
・ SSL injection
・ XPath injection
・ Buffer overflow
・ Format string attack
Information disclosure
・ Directory indexing
・ Path traversal
・ Information leak
・ Location of inferable resources
Logical attack
・ Denial of Service
・ Function overuse

[8] Allocate adequate storage for tenants, users, devices, licenses and the
expected amount of jobs, and monitor usage in real time.
Furthermore, the Information Security department uses QualysGuard from Qualys
Inc. as a web application vulnerability assessment tool every three months and
confirms that no known vulnerability is left.
Typical examples of the items inspected with QualysGuard are shown in Table 3.
Table 3 Inspection classification and corresponding item examples of QualysGuard

General remote services
・ Search SSL server information
・ Information on SSL session caching
・ Consistency of SSL certificate common name
・ Allows incorrect SSL / TLS protocol version
・ SSL / TLS server uses TLS_FALLBACK_SCSV
・ Information on TLS secure renegotiation extension support
・ Block size in TLS cipher
Web server
・ Web server version
・ SSL web server version
・ Information on SSL certificate
・ Directory list of web page
・ HTTP request pipelining supported by web server
・ HTTP protocol version of web server
・ Vulnerabilities of internal IP address disclosed
・ Vulnerabilities of internal network name disclosed
・ Form-based authentication has autocomplete attributes
TCP/IP
・ List of public TCP services (port scan)
・ Randomness of TCP initial sequence number
・ Randomness of ID value of IP header
・ Estimated uptime based on TCP Timestamp option
・ Whether an ICMP Timestamp request can be made
Common Gateway Interface
・ Display default web page
・ HTTP response includes security header
Mail services
・ Banner of SMTP
・ Detect SMTP service
Firewall
・ Existence of firewall
Logging
System overall
The application logs of the servers are centrally collected for combined
analysis of unauthorized access and system failures. Ricoh regularly backs up
each server, including its system logs. Time synchronization of all servers is
performed with NTP. Log contents are reviewed against Ricoh internal rules
before being output, and password information is never written to any log.
WF application (Web Browser NX)
WF application settings and the results of print / scan jobs are sent to the server.
In the case of events such as initialization errors and printing/scanning errors,
the WF application stores error logs in the log information of Web Browser NX on
the multifunction printer.
WF application (server application)
The server holds the application logs and the logs of all executed jobs (print,
scan, folder acquisition from the storage service, etc.). These logs include the
job execution date and time, tenant ID, user ID, application name, status, the
result of communication with the external services, the result of intermediate
processing and the document name. For the printing / distribution applications,
the print / scan settings are also included. The folder ID and the email address
are also included for troubleshooting.
Log information is protected from unauthorized access inside and outside Ricoh
by properly restricting access to the server (see section 6.1.1.4).
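The job log record just described, together with the rule from "System overall" that password information never reaches a log, as an added Python example. This is illustrative code written for this page, not Ricoh's logging implementation: the JSON field names, the key pattern that marks a value as secret, the `contains_secret` pre-emit check and the sample job with its secrets are all constructed here.

```python
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# Keys whose values must never be written (assumed pattern; extend per deployment).
SECRET_KEY_PATTERN = re.compile(r"password|passwd|secret|token|credential", re.IGNORECASE)
REDACTED = "[REDACTED]"


def scrub(value: Any, secret_values: Iterable[str] = ()) -> Any:
    """Return a copy of `value` with (a) values under secret-looking keys
    replaced and (b) any known secret string removed from other strings,
    recursing through dicts and lists."""
    secrets: List[str] = [s for s in secret_values if s]
    if isinstance(value, dict):
        return {k: (REDACTED if SECRET_KEY_PATTERN.search(str(k)) else scrub(v, secrets))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, secrets) for v in value]
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, REDACTED)
        return value
    return value


def build_job_log(*, tenant_id: str, user_id: str, application: str, status: str,
                  external_result: str, intermediate_result: str, document_name: str,
                  settings: Optional[Dict[str, Any]] = None, folder_id: Optional[str] = None,
                  email: Optional[str] = None, secret_values: Iterable[str] = (),
                  now: Optional[datetime] = None) -> str:
    """One JSON log line carrying the fields the page lists for server job logs."""
    now = now or datetime.now(timezone.utc)
    record = {
        "executed_at": now.isoformat(),
        "tenant_id": tenant_id,
        "user_id": user_id,
        "application": application,
        "status": status,
        "external_service_result": external_result,
        "intermediate_processing_result": intermediate_result,
        "document_name": document_name,
        "settings": settings or {},
        "folder_id": folder_id,       # kept for troubleshooting
        "email_address": email,       # kept for troubleshooting
    }
    return json.dumps(scrub(record, secret_values), sort_keys=True)


def parse_log(line: str) -> Dict[str, Any]:
    """Read one emitted line back (used by the checks below)."""
    return json.loads(line)


def contains_secret(line: str, secret_values: Iterable[str]) -> bool:
    """Last check before emitting: is any known secret still present?"""
    return any(s and s in line for s in secret_values)


# Constructed sample: a scan job whose settings and external-service reply
# would both leak a secret if logged unchanged.
SAMPLE_SECRETS = ("hunter2", "tok_abc123")
SAMPLE_LINE = build_job_log(
    tenant_id="0123456789", user_id="alice", application="Scan to Cloud",
    status="error", external_result="HTTP 401 from storage (Bearer tok_abc123 rejected)",
    intermediate_result="PDF conversion ok", document_name="invoice.pdf",
    settings={"resolution": "300dpi", "pdf_password": "hunter2"},
    folder_id="folder-42", email="alice@example.com", secret_values=SAMPLE_SECRETS,
    now=datetime(2018, 6, 1, 9, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
```

Key-based redaction catches fields that are secrets by design; value-based redaction catches a secret that an external service echoes back inside a free-text error message, which is where leaks most often happen in practice.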
6 Data Security Measures
Data access control
Data managed in SI-Cloud (shown in Table 4) is separated per user and per
tenant. Accessing any of this data requires an authentication ticket issued by
user authentication. Because the service controls the accessible data by the
authentication ticket, it is impossible to see the print documents of another
user or the user information of another tenant.
The data is stored in the Data layer of Fig.7 or in Amazon S3. It cannot be
accessed directly from the Internet and cannot be accessed without going through
the endpoint in SI-Cloud.
Table 4. The data list managed in SI-Cloud

Data type | How to get data | Storage location | Who can see data
--- | --- | --- | ---
Name | Input by user; input by administrator | Data layer of Fig.7 | Development
Mail address | Input by user; input by administrator | Data layer of Fig.7; log on S3 | Development
Password | Input by user | Data layer of Fig.7 | No one can see
PIN code | Automatically issued by the system; input by user | Data layer of Fig.7 | Development
Browser type, version, OS | Automatically acquired when used | Log on S3 | Development support
IP address | Automatically acquired when used | Log on S3 | Development
Date of use | Automatically acquired when used | Log on S3 | Development support
Serial of multifunction device | Input by administrator; input by CE | Data layer of Fig.7 | Development
Scan image | Automatically acquired when used | S3 | Development *1
Print file | Automatically acquired when used | S3 | Development
Scan settings | Automatically acquired when used | Data layer of Fig.7; log on S3 | Development support
Print settings | Automatically acquired when used | Data layer of Fig.7; log on S3 | Development support
OAuth token of the external service (e.g. Box, Google, DropBox, Office365) | Input by user | Data layer of Fig.7 | Development
Account name and password of external service (DocuWare) | Input by user | Data layer of Fig.7 | Development *2
License information | Input by administrator; input by CE | Data layer of Fig.7 | Development

*1 Depending on the setting of the workflow application, it is possible not to
leave the data on the server.
*2 Although it is encrypted, it is technically decryptable because the encryption
keys are managed on another server.
Fig.7 Infrastructure of SI-Cloud
User authentication
Login
In order to access SI-Cloud, it is necessary to log in (user authentication)
using a tenant ID, user name and password, or an email address and password.
Subsequent operations cannot be executed without successful authentication.
A tenant ID is a 10-digit numeric string issued by the system tool and assigned
to each customer tenant upon application for the SI-Cloud service. A user name
is a character string of 1 to 128 characters.
A password can be an arbitrary ASCII string of up to 128 characters (minimum 6
characters), which gives sufficient resistance to brute-force and dictionary
attacks. In addition, registered account information such as the tenant ID,
user name and mail address does not leak, so the system also resists reverse
brute-force attacks. A user can change their password from the user site. Only
the hash value of the password is saved on the SI-Cloud center server, so Ricoh
cannot obtain the customer's password and the password string cannot leak from
the center server. Proper access restrictions are also implemented for the
password hash values and user information to prevent unauthorized access from
inside and outside Ricoh (see section 6.1). If a user enters a wrong password
five times in a row during login, their account is locked. To regain access,
the user must ask their administrator to re-activate the account in the user
management settings, reset their password, or wait for the automatic unlock by
the system after 24 hours.
SI-Cloud also supports single sign-on using an account of an external service.
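The credential rules and lockout behaviour just described (10-digit tenant ID, 1 to 128 character user name, 6 to 128 ASCII character password, hash-only storage, lock after five consecutive failures, recovery by administrator re-activation, password reset or 24-hour automatic unlock), as an added runnable model. This is example code written for this page, not Ricoh's implementation: the PBKDF2 hash, the salt handling, the `reactivate` and `reset_password` method names and the in-memory `Account` class are assumptions, since the document states the behaviour but not how it is built.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MAX_FAILURES = 5                          # the fifth wrong password locks the account
AUTO_UNLOCK_AFTER = timedelta(hours=24)


def valid_tenant_id(tenant_id: str) -> bool:
    """Tenant ID: a 10-digit numeric string issued by the system tool."""
    return len(tenant_id) == 10 and tenant_id.isdigit()


def valid_user_name(name: str) -> bool:
    """User name: 1 to 128 characters."""
    return 1 <= len(name) <= 128


def valid_password(password: str) -> bool:
    """Password: arbitrary ASCII, 6 to 128 characters."""
    return 6 <= len(password) <= 128 and password.isascii()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). PBKDF2-HMAC-SHA256 is an assumed choice: the page
    says only that a hash, never the password string, is kept on the server."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Account:
    """One SI-Cloud user account with lockout state (in-memory, for illustration)."""

    def __init__(self, tenant_id: str, user_name: str, password: str) -> None:
        if not (valid_tenant_id(tenant_id) and valid_user_name(user_name)
                and valid_password(password)):
            raise ValueError("credential does not satisfy the format rules")
        self.tenant_id = tenant_id
        self.user_name = user_name
        self.salt, self.pw_hash = hash_password(password)   # hash only, no plaintext
        self.failures = 0
        self.locked_at: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        if now - self.locked_at >= AUTO_UNLOCK_AFTER:
            self.reactivate()              # automatic unlock after 24 hours
            return False
        return True

    def reactivate(self) -> None:
        """Administrator re-activation from user management (assumed method name)."""
        self.failures = 0
        self.locked_at = None

    def reset_password(self, new_password: str) -> None:
        """A password reset also clears the lock (assumed, matching the recovery path)."""
        if not valid_password(new_password):
            raise ValueError("password must be 6 to 128 ASCII characters")
        self.salt, self.pw_hash = hash_password(new_password)
        self.reactivate()

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'locked' or 'bad_password'."""
        if self.is_locked(now):
            return "locked"
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.pw_hash):
            self.failures = 0              # a success resets the consecutive count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_at = now
            return "locked"
        return "bad_password"


def demo_lockout() -> List[str]:
    """Constructed scenario: one success, five consecutive failures, the correct
    password while still locked, then the same password after the 24-hour unlock."""
    now = datetime(2018, 1, 1, tzinfo=timezone.utc)
    acct = Account("0123456789", "alice", "correct horse battery")
    results = [acct.login("correct horse battery", now)]
    results += [acct.login("wrong guess", now) for _ in range(5)]
    results.append(acct.login("correct horse battery", now + timedelta(hours=1)))
    results.append(acct.login("correct horse battery", now + AUTO_UNLOCK_AFTER))
    return results


if __name__ == "__main__":
    print(demo_lockout())
```

Note that a locked account answers "locked" even to the correct password, and that the lock is keyed on consecutive failures, so one success in between restarts the count.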
Login on a multifunction device
In addition to the methods described in Login, it is possible to log in with a
PIN code or with an account registered in the address book of the multifunction
device. A PIN code is a numeric string of 4 to 16 digits issued at the time of
user registration. These login methods can be used only from registered
multifunction devices and cannot be used from other client devices such as PCs.
In order to use SI-Cloud on a multifunction device, the first time an application
is started it is necessary to log in with an administrator account to register
the device in the SI-Cloud center server. The registered device checks the tenant
of the logging-in user upon user authentication, so users of other tenants cannot
use it. When configured by the administrator, some functions that do not involve
personal information can be used without login, using information common to the
tenant.
Single sign-on
SI-Cloud supports single sign-on with external services. Single sign-on can be
activated by a user when registering a user or by configuring External Service
Connections from My Page of the user site.
When configuring External Service Connections for the first time, authentication
is required so that SI-Cloud can acquire the basic profile information of the
external service account. Once it is authenticated, single sign-on using the
account of the external service becomes possible.
Single sign-on is processed securely according to the standard protocol OpenID
Connect. Moreover, SI-Cloud associates the account of the external service with
the account of SI-Cloud, so a user cannot be impersonated via other accounts.
OpenID Connect uses the information authorized by the customer at the external
service as the login information for SI-Cloud, so the password of the external
service is not sent to SI-Cloud.
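The two properties stated above, that only an ID token and never the external password reaches the service, and that one external account is bound to one SI-Cloud account so no other account can be impersonated, as an added example with a toy identity provider. This is illustrative code written for this page, not Ricoh's or any provider's implementation: the HS256 shared-secret signature (a real provider publishes keys and the relying party verifies RS256 signatures against them), the in-memory `AccountLinks` table and the `link` / `sso_login` method names are assumptions; the issuer, audience and subject values are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(secret: bytes, *, iss: str, sub: str, aud: str,
                   nonce: str, now: int, ttl: int = 300) -> str:
    """Provider side (toy): after checking the user's password *at the provider*
    it signs an ID token. The password is not part of the token, which is why
    the relying party never sees it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": iss, "sub": sub, "aud": aud, "nonce": nonce,
               "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, secret: bytes, *, expected_iss: str, expected_aud: str,
                    expected_nonce: str, now: int) -> Optional[Dict]:
    """Relying-party side: accept the token only if signature, issuer, audience,
    nonce (replay protection) and expiry all check out; otherwise return None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        signature = _unb64url(s)
    except ValueError:                  # malformed token or bad base64 / JSON
        return None
    if header.get("alg") != "HS256":    # never let the token choose the algorithm
        return None
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    if claims.get("nonce") != expected_nonce or claims.get("exp", 0) <= now:
        return None
    return claims


class AccountLinks:
    """Binding of (issuer, subject) to one SI-Cloud user (in-memory, assumed)."""

    def __init__(self) -> None:
        self._links: Dict[Tuple[str, str], str] = {}

    def link(self, sicloud_user: str, claims: Dict) -> None:
        """Called from My Page while `sicloud_user` is already authenticated to
        SI-Cloud, so the external account can only be bound to that user."""
        key = (claims["iss"], claims["sub"])
        if self._links.get(key, sicloud_user) != sicloud_user:
            raise PermissionError("external account is already linked to another user")
        self._links[key] = sicloud_user

    def sso_login(self, claims: Dict) -> Optional[str]:
        """SSO resolves verified claims to the linked user, never to an account
        named by the caller, so another account cannot be impersonated."""
        return self._links.get((claims["iss"], claims["sub"]))
```

The lookup key is the pair (issuer, subject), not an e-mail address or display name: the subject is the only claim OpenID Connect guarantees to be stable and unique per issuer, and keying on a mutable attribute is the classic way such account links become impersonatable.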
Access control between roles and tenants
Users of SI-Cloud are always associated with exactly one tenant, and there is no privileged user who can access multiple tenants.
There are two types of roles used in customer tenants: the administrator role and the user role. One or more administrator roles are set per tenant. The administrator role can add, change, or delete users in its tenant, and can configure applications.
There are five types of roles used in region tenants: administrator role, user role, developer role, product designer role, and setup user role.
The developer role can develop WF applications using the WF application development tool. The product designer role can package the WF applications developed by developers as products. The setup user role can set up customer tenants and assign package licenses to them.
Device use
When registering devices and/or using WF applications, it is verified that the devices are Ricoh multifunction devices. Therefore, devices of other manufacturers and other terminals can neither be registered nor use WF applications.
Storage service connection
Storage services manage user IDs differently from SI-Cloud, so user IDs must be linked. A user can configure service connections from My Page on the user site. The service connection setting is managed in association with the user and cannot be seen by other users. There is no interface to extract the authentication information required for the connection; the system uses it internally for the service connection only.
WF application
Application usage
- The WF application can only be accessed by users of the tenant in which the application is installed.
Workflow usage
- The parameters of each workflow that can be customized by each tenant are checked for access privileges per tenant, and the information of another tenant cannot be seen.
- When an external cloud service is used in a workflow, credentials such as OAuth9 tokens are not managed in the workflow itself but by the authentication service, in the same way as for the applications that come with Ricoh multifunction printers as a standard feature, and credentials are not given to unauthorized users.
- Detailed information about a workflow result (such as output files) can be accessed only by the user who executed the workflow.
- The results of a workflow's intermediate processing are deleted when the workflow is completed unless there is a special designation. The final processing result is automatically deleted when the holding period specified at the time the workflow was executed has passed (holding period up to 72 hours).
Edit workflow
- Editable workflows are restricted to those developed by the tenant; workflows developed by other tenants cannot be accessed.
Data management
Device (multifunction printer)
When registering a device in the SI-Cloud center server, the tenant ID and the administrator's user name and password issued at the time of contract need to be entered. The tenant ID is stored in the device. The administrator's user name and password are not stored in the device.
9 The OAuth 2.0 Authorization Framework, http://tools.ietf.org/rfc/rfc6749.txt
Distribution data
Documents scanned at the multifunction device are temporarily stored in the SI-Cloud center server. Documents are stored inside the AWS firewall, and access to the storage is restricted to the inside of the SI-Cloud system and to Ricoh's company LAN, so there is no way for users to access scanned documents externally. Hence there is no data leakage by that path.
The database in which the information about temporary files is saved is not encrypted; however, unauthorized access from inside and outside Ricoh is prevented by appropriate access restrictions on data access (see section 6.1).
Storage service connection
Due to the specifications of the APIs provided by some storage services, there are cases in which the SI-Cloud system logs in to the external storage service with the ID and password of the external service, which are encrypted and stored in the SI-Cloud center server. Storing scanned documents in an external storage service in this way is called the proxy authentication method. When the password of the storage service is changed, the password stored in SI-Cloud must be changed as well.
When the storage service provides OAuth 2.0 authorization, that is used for the service connection instead of the proxy authentication method. Since only a token, which contains no password information, is stored in the SI-Cloud center server, the security risk is low. Even if the password of the storage service is changed, it is not necessary to update anything stored in SI-Cloud.
Data deletion
Print data
Document data acquired for printing is deleted from the center server after printing. The same applies to files generated during format conversion.
Scan data
The data of a document scanned at the multifunction device is deleted from the SI-Cloud center server after the data has been transmitted to the storage service. The same applies to intermediate files generated during OCR processing.
Termination of service or tenant
When only a service of a tenant is terminated, no data is deleted.
When a tenant is terminated, the following information is deleted from the center server:
・ Tenant information
・ User information associated with the tenant
・ Device information associated with the tenant
The following information is not deleted even when a tenant is terminated10:
・ Application setting information
・ Job log information
・ License information
・ Related system logs and similar logs
Antivirus
Regular collection of vulnerability information and patching, as described in 4.2, shall be implemented. In addition, anti-virus software (TrendMicro Server Protect 5) is installed on all Windows servers, and files processed on SI-Cloud are virus checked using the latest pattern file in order to prevent infection. Infected documents are not used.
Backup
In preparation for device malfunction, operation errors and the like, the setting information and log information on the server are backed up periodically, and the restoration procedure is verified. Print data temporarily stored on the server, data of documents scanned on devices, and document data after conversion are deleted after a certain period of time (refer to 5.3 Data Delete).
10 Tenant information is deleted during the tenant contract or after cancellation according to an explicit deletion request from the customer. Log information remains, but it does not include confidential information such as personal information.
7 Network Security Measures
Access control
Network access control
Confidential information such as documents uploaded by customers and passwords is not placed on servers that can be accessed directly from the Internet. As described in Section 5.1, files are stored in Amazon S3 and other data in Amazon RDS, in locations accessible only by SI-Cloud's AWS account. When the Web server is accessed from the Internet, packets are filtered by the AWS Application Load Balancer, so it is not possible to log in directly to the server. Unauthorized access from outside is also prevented by configuring the port numbers that allow communication in the AWS security group (virtual firewall).
Maintenance is carried out by connecting to the SI-Cloud center server from the Ricoh internal LAN over the Internet. By configuring the IP addresses and port numbers that allow communication in the AWS security group (virtual firewall), the SI-Cloud center server can be accessed over encrypted communication from Ricoh's company LAN using specific protocols only. Maintenance cannot be carried out by connecting from elsewhere on the Internet. In addition, connections to the center server use SSH private-key authentication rather than passwords, and by limiting connections from inside Ricoh to the parties who created the key pair, leakage of customer information during maintenance work and attacks on the maintenance path are prevented.
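An added configuration check for the security-group control described above, not part of SI-Cloud's own tooling: it walks ingress rules in the shape returned by `aws ec2 describe-security-groups` and reports any rule that exposes the maintenance port to sources outside the permitted maintenance range. The sample groups and the 203.0.113.0/24 maintenance CIDR are constructed (documentation addresses), not Ricoh's actual ranges.

```python
import ipaddress

# Constructed values: a documentation-range CIDR stands in for the maintenance LAN.
MAINTENANCE_CIDRS = ["203.0.113.0/24"]     # assumed source range for maintenance access
MANAGEMENT_PORTS = {22}                    # SSH, the maintenance protocol named in the text

# Samples in the shape of `aws ec2 describe-security-groups` output (constructed).
SG_WEAK = {"GroupId": "sg-weak", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
SG_HARDENED = {"GroupId": "sg-hardened", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

def rule_covers_ports(perm: dict, ports) -> bool:
    """True if the ingress rule reaches any of the given TCP ports ("-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ports)

def audit_ingress(sg: dict, allowed_cidrs=MAINTENANCE_CIDRS, ports=MANAGEMENT_PORTS):
    """List management-port ingress sources that fall outside the allowed CIDRs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_ports(perm, ports):
            continue                       # e.g. HTTPS for the public web front end: fine
        # IPv4 sources only here; IPv6 rules would appear under "Ipv6Ranges".
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                findings.append(f"{sg['GroupId']}: management port open to {src}")
    return findings
```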
Server (OS) access control
The accounts registered on the server are limited to a minimum number of people. The accounts are updated when an authorized person changes, and an inventory of accounts is performed every six months to prevent illegal access by unauthorized persons. In addition, password policies are set so that account passwords cannot be easily guessed.
For the data stored on the server, appropriate access ranges are allocated according to the type of data, and access authority is set for each account and server in AWS IAM, so that data outside the scope necessary for business cannot be accessed. There is a data access procedure, and access is performed only after approval has been obtained according to that procedure. The server administrators receive security education in advance and are regularly informed about the procedure.
Encryption of communication path
Communications between the SI-Cloud center server and PCs (browsers), the iOS application for SI-Cloud, the Android application for SI-Cloud and multifunction devices are encrypted with HTTPS, except for the email service. The server certificate of the SI-Cloud center server uses a 2048-bit RSA public key and a SHA-2 thumbprint algorithm, and is issued by a third-party certificate authority. The protocols and versions supported for HTTPS are the following:
⚫ TLS 1.0, TLS 1.1, TLS 1.2
The encryption protocol used is negotiated according to browser compatibility.
Receiving email
SI job print
Emails received by the system use SendGrid as the relay server, which runs virus checks using the latest definition file. A spam filter is also applied, and the print document is not uploaded when the email is detected as spam. The communication between the device from which emails are sent and SendGrid is performed using the SMTP protocol, and neither the communication path nor the contents are encrypted. The communication between SendGrid and SI-Cloud uses HTTPS, so the email information (including attachments) is received securely.
Email receipt when sending print document by email
When sending a print document by email, encrypted email is not supported. The email is also sent to SI-Cloud via the SendGrid server. Therefore, before sending print documents by email, customers need to decide according to their own security policy11.
Email transmission
Common
All emails from the system use SMTP and are not encrypted. SPF (Sender Policy Framework) is applied to prevent spoofing of sent mail, and DKIM (DomainKeys Identified Mail) is applied as a domain authentication technology. All DNS records used for SPF and DKIM are managed in AWS Route 53, which provides a high level of security.
11 SendGrid Security Policy http://www.kke.co.jp/security_policy/
Notice emails for provisional user registration, email address change, and
password change
When the administrator registers a user provisionally or changes an email address, an email is sent to the email address of the registered user. The user who receives the email needs to enter their email address and password to complete the user registration or the change.
Notification emails for tenant registration and user registration
When a tenant or user registration is completed, an email is sent to the registered user's email address. A password and a PIN are included in the notification email for user registration.
Notification email for PIN code reissue
Upon a request to reissue a PIN code, an email containing the PIN code issued by the system is sent.
Delivery of scan documents by email
Even when the destination of the email is inside the company, it is sent via the SI-Cloud center server. When emails are sent with scanned documents attached, the system may receive delivery error emails, for example when the recipient email address does not exist; however, the system does not save these error emails.
Sending error email when distributing scanned document
When a scanned document is delivered to external storage or sent by email, an email notifying the error is sent to the designated destination if a delivery failure is detected, whether by an error notification email from the external storage, by the email exceeding the size limit, or by a timeout.
8 Data Center Security Measures
The SI-Cloud server group is configured on AWS. Data center security measures conform to those of AWS.12
12 AWS Security process overview:
https://d0.awsstatic.com/International/ja_JP/Whitepapers/AWS%20Security%20Whitepaper.pdf
9 Trademark
・ Google®, Google Apps™ and Android™ are trademarks or registered trademarks of Google Inc. in the United States and other countries.
・ iOS® is a trademark or registered trademark of Cisco in the USA and other countries.
・ Amazon Web Services, the "Powered by Amazon Web Services" logo, and other AWS trademarks used in such materials are trademarks of Amazon.com, Inc. or its affiliates in the United States and other countries.