Xerox Security Guide

Xerox® Connect App for DocuShare® Go

1. Introduction

Purpose

The purpose of the Security Guide is to disclose information for Xerox® Apps with respect to device security. Device security, in this context, is defined as how data is stored and transmitted, how the product behaves in a networked environment, and how the product may be accessed, both locally and remotely. This document describes design, functions, and features of the Xerox® Apps relative to Information Assurance (IA) and the protection of customer sensitive information. Please note that the customer is responsible for the security of their network and the Xerox® Apps do not establish security for any network environment.

This document does not provide tutorial level information about security, connectivity or Xerox® App features and functions. This information is readily available elsewhere. We assume that the reader has a working knowledge of these types of topics.

Target Audience

The target audience for this document is Xerox field personnel and customers concerned with IT security. It is assumed that the reader is familiar with the apps; as such, some user actions are not described in detail.

Disclaimer

The content of this document is provided for information purposes only. Performance of the products referenced herein is exclusively subject to the applicable Xerox® Corporation terms and conditions of sale and/or lease. Nothing stated in this document constitutes the establishment of any additional agreement or binding obligations between Xerox® Corporation and any third party.

2. Product Description

Overview

The Xerox® Connect App for DocuShare® Go consists of two primary workflows. The two workflows are:

Print files from a DocuShare® Go account
Scan files to a DocuShare® Go account

The app and two workflows facilitate a combination of the following steps:

Single Sign-On
Authentication
App Hosting
Repository Navigation
Scanning
Printing
Document Format Conversion
Emailing
SNMP & Device Webservice Calls

Xerox® App User Benefits

Application	What can I do?
Xerox® Connect App for DocuShare® Go	Login to my DocuShare® Go account Select Print or Scan workflow Navigate to a folder in my DocuShare® Go account Scan a hard copy document to a folder in my DocuShare® Go account with standard scan settings along with option to email the scanned document Select one or more files in my DocuShare® Go account and Print hard copies with standard print settings

App Hosting

The Xerox® Connect App for DocuShare® Go depends heavily on cloud hosted components. A brief description of each can be found below.

The Xerox® App consists of two key components, the device weblet and the cloud-hosted web service. The device weblet is a Xerox® App/EIP web app that enables the following behavior on a Xerox® Device:

Presents the user with an application UI that executes functionality in the cloud.
Interfaces with the EIP API, which delegates work, such as document scanning and printing.

The weblet communicates with the cloud-hosted web service, which executes the business logic of the app.

DocuShare® Go Storage Service

In order for the app to communicate and interact with the correct storage location, the user needs to establish a connection with their DocuShare® Go repository. This connection process utilizes the authentication dialog provided by the storage service, which requests the username and password for the storage service account. An OAuth login token is returned to the device from the storage service. This token is used for further interactions. The account credentials are not stored by the device. Once authenticated, the DocuShare API is utilized to access the DocuShare® Go repository.

Single Sign-On via Xerox® Workplace Suite/Cloud and SSO Manager

In order to improve user experience, by removing the need to log in to the Xerox® App each time Xerox offers an optional Single Sign-On (SSO) capability. Users can log into the printer and are then able to launch the app without the need to provide additional credentials.

Xerox Extensible Interface Platform®

During standard usage of the Xerox® App, calls to the device web services are used to initiate and monitor scan functions and to pull relevant details related to device properties and capabilities.

Components

MFD with Xerox® Connect App for DocuShare® Go – ConnectKey App: An EIP capable device that can print, scan and execute ConnectKey Apps installed from the Xerox® App Gallery.
Xerox® Connect App for DocuShare® Go – Web UI: A service hosted on the Microsoft Azure Cloud System, responsible for hosting the web pages displayed on the printer's UI.
Xerox® Connect App for DocuShare® Go – Service Interface: A service hosted on the Microsoft Azure Cloud System, providing business logic and interfacing with the Xerox Cloud Repository Middleware.
Xerox Cloud Repository Middleware: A service hosted on the Microsoft Azure Cloud System, interfacing with the DocuShare REST APIs to access the DocuShare® Go repository.
Xerox Document Conversion Engine: A service hosted on the Microsoft Azure Cloud System, converting various document formats to a format printable by Xerox® Devices.
Xerox App Gallery: A web application hosted on the Microsoft Azure Cloud System, accessed to ensure application entitlement, requiring a valid 'Trial' or 'Purchased' license.
ABBYY Cloud OCR API: A 3rd Party, cloud hosted service used to convert scanned documents into Microsoft® Office formats (Word, Excel, PowerPoint).
SendGrid API: A 3rd Party, cloud hosted service used to email scanned documents as attachments.

3. Architecture and Workflows

Data Flow Diagram

The data flow diagram illustrates the interaction between clients, device services, web tier, service tier, and partner tier. Clients interact with the Xerox® Connect App via the device. Device services use EIP Device Web Services and Internal Device Functions. The Web Tier hosts the Xerox® Connect App UI. The Service Tier includes the Xerox® Connect App Service Interface. The Partner Tier comprises components like App Gallery, SSO Manager, XWS/XWC, Xerox Microservice Functions, ABBYY Cloud OCR API, SendGrid API, Document Conversion Engine, Xerox Cloud Repository Middleware, DocuShare OAuth2 API, and Xerox DocuShare REST API, all interacting with the Xerox DocuShare Repository.

Workflows

App Printing Workflow

Step 1: User Launches the App on the Xerox® Device.
Step 2: User authenticates to the DocuShare® Go repository. (If first login, user can agree to save credentials to XWS/C storage for future use. On subsequent logins, credentials are automatically retrieved and applied.)
Step 3: User navigates the folder structure to locate the file to be printed.
Step 4: User optionally selects to Preview the document to be printed.
Step 5: User selects a file and modifies the print options (e.g., single sided, etc.).
Step 6: User selects the Print button to print their file at the device.

App Scanning Workflow

Step 1: User Launches the App on the Xerox® Device.
Step 2: User authenticates to the DocuShare® Go repository. (If first login, user can agree to save credentials to XWS/C storage for future use. On subsequent logins, credentials are automatically retrieved and applied.)
Step 3: User navigates to and selects the destination folder for the scanned document.
Step 4: User modifies the scanning options (e.g., single sided, resolution, output format, preview, email, etc.).
Step 5: User selects the Scan button to scan the document to the selected folder.
Step 6: If the Preview option was selected in Step 4, the user views the scanned document before deciding to allow the document to be saved to the selected destination folder.
Step 7: If the Email option was selected in Step 4, the scanned document is emailed to the specified recipients.
Step 7: The document is saved to the selected destination folder.

4. User Data Protection

Application Data Stored in the Xerox Cloud

User data related to the categories below are stored in cloud persistent storage until a delete event occurs:

Login to DocuShare® Go account
Scanned image preview
Print preview image

The following activities will trigger a delete event for digital document files that meet the associated criteria:

A delete occurs when the system detects intermediate processing files exist after a job has completed.

The balance of data stored in the cloud, that is unrelated to user Personally Identifiable Information, may be stored indefinitely for event reporting purposes.

Application Data Stored in the ABBYY Cloud OCR Service

User documents that have been requested to be converted to a Microsoft® Office format are stored in cloud persistent storage until a delete event occurs. The following activities will trigger a delete event for the original digital document files and the converted document file:

A delete occurs when the system detects that the document conversion job has completed and the converted document has been downloaded.

Local Environment

Application Data Transmitted

Application data related to the categories below are transmitted to/from the Xerox® Device:

Account data
Session data
Job data

Application Data Stored on the Xerox® Device

The following app data is stored on the device, in persistent storage, until the App is uninstalled from the device:

Device's SNMP V2 public community string

HTTP Cookies

The Xerox® Connect App for DocuShare® Go does not store any cookies on the device.

5. General Security Protection

User Data Protection within the Products

Document and File Security

File content is protected during transmission by standard secure network protocols at the channel level. Since document source content may contain Personally Identifiable Information (PII) or other sensitive content, it is the responsibility of the user to handle the digital information in accordance with information protection best practices.

Hosting - Microsoft Azure

The cloud services are hosted on the Microsoft Azure Network. The Microsoft Azure Cloud Computing Platform operates in the Microsoft® Global Foundation Services (GFS) infrastructure, portions of which are ISO27001-certified. Microsoft has also adopted the new international cloud privacy standard, ISO 27018. Azure safeguards customer data in the cloud and provides support for companies that are bound by extensive regulations regarding the use, transmission, and storage of customer data.

The Apps hosted in the cloud are scalable so that multiple instances may be spun up/down as needed to handle user demand. The service is hosted both in the US and Europe. Users will be routed to the closest server geographically based on server load and network speed.

Cloud Storage – Microsoft Azure

All Azure Storage data is secured when at rest using AES-256 encryption.

For a full description, please follow these links:

Azure Storage

Xerox® Workplace Suite/Cloud and Single Sign-On Services

The Xerox® ConnectKey App Single Sign-On feature integrates with the Xerox® Workplace Suite/Cloud authentication solution to store user access information for SSO-compatible Xerox Gallery Apps. After the user enters their storage service credentials the first time, the XWS/C solution acts a storage vault where the login information is securely stored.

All content to be stored in the vault is encrypted with AES 256 by the SSO Manager server before being given to the SSO vault that resides on the XWS/C solution. This ensures that the SSO vault can never view or use the contents being stored in the vault. Only the SSO Manager infrastructure knows how to decrypt the content stored in the vault and only the App knows how to use it.

The SSO Manager service manages the encryption key exchange required for secure communications and encrypts/decrypts the content saved in the vault.

For a full description, please review the Xerox® Workplace Suite/Cloud Information Assurance Disclosure: https://security.business.xerox.com/en-us/products/xerox-workplace-suite/

User Data in Transit

Secure Network Communications

The web pages and app services that constitute the Xerox® Solutions are deployed to Microsoft Azure App Services. All web pages are accessed via HTTPS from a web browser. All communications are over HTTPS. Data is transmitted securely and is protected by TLS security for both upload and download. The default TLS version used is 1.2.

The Xerox® App requires the user to provide proper/valid credentials in order to gain access to the application's features. Authenticated users are allowed to access the features and data using HTTPS.

At launch, the apps must get an authentication/session token through the solution's authentication process. The access token acquired is used for that session of the app.

When using the Xerox® Connect App for DocuShare® Go installed on a Xerox® Device, if the customer environment includes an Authentication solution (e.g., Xerox® Workplace Suite/Cloud) with Single Sign-On functionality enabled, the user can agree to have their user credentials securely stored and automatically applied during subsequent app launches.

All communication is done via HTTPS and the data is transmitted securely and is protected by TLS security. The default TLS version used is 1.2. Xerox App Gallery supplies a link to a Certificate Authority root certificate for validation with the cloud web service. It is the responsibility of the customer to install the certificate on their devices and to enable server certificate validation on the devices.

For more information related to Azure network security, please follow the link: https://docs.microsoft.com/en-us/azure/security/azure-network-security

Xerox Workplace Suite/Cloud and Single Sign-On Services

The Xerox® Workplace Suite/Cloud server accepts credential storage requests from the App via the SSO Manager service (the Xerox® App retrieves a vault key from the SSO Manager and uses it to retrieve login credentials from the XWS/C service). All communication is via HTTPS and the data is transmitted securely and is protected by TLS security. The default TLS version used is 1.2.

6. Additional Information & Resources

Security @ Xerox

Xerox maintains an evergreen public web page that contains the latest security information pertaining to its products. Please see https://www.xerox.com/security.

Responses to Known Vulnerabilities

Xerox has created a document which details the Xerox Vulnerability Management and Disclosure Policy used in discovery and remediation of vulnerabilities in Xerox software and hardware. It can be downloaded from this page: https://www.xerox.com/information-security/information-security-articles-whitepapers/enus.html.

Additional Resources

Security Resource	URL
Frequently Asked Security Questions	https://www.xerox.com/en-us/information-security/frequently-asked-questions
Bulletins, Advisories, and Security Updates	https://www.xerox.com/security
Security News Archive	https://security.business.xerox.com/en-us/news/

Google Docs
Google Drive
Download [pdf]

File Info : application/pdf, 14 Pages, 283.33KB

Xerox-Connect-App-for-DocuShare-Go-Security-Guide Microsoft Word 2019

	Xerox Translate and Print App Security Guide This document provides a comprehensive overview of the security features and considerations for the Xerox Translate and Print App, including data protection, hosting environments, and operational workflows.
	Xerox FreeFlow Core Security Guide: Best Practices for Secure Workflow Management This guide provides essential security information for Xerox FreeFlow Core and FreeFlow Core Cloud, detailing how data is stored, transmitted, and accessed in networked environments. Learn about security features, network connections, user roles, and best practices for protecting sensitive information.
	Xerox® Workplace Cloud 5.6.1 Security Guide This document provides comprehensive security information for Xerox® Workplace Cloud version 5.6.1, detailing its architecture, system interactions, network protocols, and access controls to ensure the security and protection of customer sensitive information.
	Xerox FreeFlow Print Server: Advanced Workflow Solutions for Print Production Discover the Xerox FreeFlow Print Server, a powerful workflow solution that streamlines print production, enhances quality, and automates processes. This brochure details its key modules like Web Services, Makeready, Process Manager, Output Manager, Print Manager, and Variable Information Suite, highlighting features such as ConfidentColor Technology, advanced security, and high performance for businesses.
	Xerox Product Security: Data Protection, Image Overwrite, Encryption, and Disk Removal Guide Comprehensive guide from Xerox detailing product security features such as image overwrite, disk encryption, and disk removal procedures for various Xerox devices to protect sensitive data.
	Xerox Quick-Start Guide to Print Security: Maximize Your Environment, Minimize Threats Learn how to enhance print security and mitigate risks with Xerox's Quick-Start Guide. Discover essential strategies for protecting sensitive documents and your network from common threats.
	Xerox AltaLink C8030/C8035/C8045/C8055/C8070 Color Multifunction Printer - Getting Started This document provides an overview of the Xerox AltaLink C8030/C8035/C8045/C8055/C8070 color multifunction printer, covering its control panel, device applications, billing and usage information, printer overview, paper handling, copying, scanning and emailing, faxing, printing from USB flash drives, and printing stored jobs.
	Xerox Smart Start User Guide A user guide for Xerox Smart Start software, detailing its features, installation process, and troubleshooting for Xerox printers.