Scan Management security overview
YSoft Workflow scanning allows users to seamlessly transfer data from an MFP/scanner to a defined destination.
The scan process is divided into several parts.
Scanning Overview
Workflow Scanning (scan to home) Diagram
This workflow is typically used for Workflow scanning or Scan Tracking.
Card / PIN based authentication and scan to network folder
PKI (SmartCard based) or Login/Password based authentication and scan to network folder
Scan to own email
User information is typically replicated from an LDAP server using a secured (server-authenticated) LDAP/S connection. This step is, however, purely optional. See Identity management for additional details.
User swipes/inserts the card and/or enters the PIN code. The information is transferred to SafeQ using a TLS based secure protocol (with client-only authentication: the server verifies the identity of the terminal). The server looks up the internal SQL database to find the user record connected with the entered PIN code or card ID.
If Smart Card authentication or login/password authentication is used, the SafeQ server uses the Kerberos v5 protocol to get the Ticket Granting Ticket (TGT) from the Kerberos server.
Kerberos sends encrypted information back to the server.
Server uses the secured connection to decipher the data.
Server gets the deciphered data and looks up the internal database for the respective user record.
If the user is authorized to scan, the device panel is unlocked (either using a serial smart blocking cable from the terminal, or an internal mechanism in the case of an MFP panel integrated (embedded) terminal).
User scans the data. MFP transfers the data using configured protocol (differs per MFP capabilities).
The most common option is data transfer via the unsecured SMB or FTP protocol. (The target IP address and folder are pre-configured at the MFP during initial MFP configuration.)
Some devices allow data transfer using the secured WebDAV protocol with server authentication.
SafeQ gathers the accounting data using several mechanisms (see Print tracking methods). If the online accounting method is used, the SNMP protocol is used to gather the current page meter information from the printer.
In case of vendor-provided accounting, the accounting information is transferred to SafeQ from the printer using a SOAP or HTTPS POST message.
SafeQ server transfers the data using administrator-configured protocol.
In case of scanning to the owner's email, the data are transferred as an email attachment. The SafeQ server accesses the email server using the configured account with secured password authentication. The data are transferred in plain form.
In case of scanning to the network folder, the scan is delivered to the home folder specified in the user record (inside the SafeQ SQL database). Authentication to the network folder is based on the privileges of the system account that runs SafeQ. The system account MUST have write access to all network home folders.
(7.a) In case of PKI based or login/password authentication used with:
Terminal Professional, SafeQ uses the Kerberos Ticket Granting Ticket (TGT) service and impersonates the user to access the home folder. In such a case, no special privileges for the system account that runs SafeQ are needed. Configuration can be done by following the description at Smart Card support.
Terminal Embedded, the SafeQ service must have full access to write to the home folders of the users. The Kerberos Ticket Granting Ticket (TGT) cannot be used.
NOTE: When a user is a member of the Administrators group and this workflow is used, the job will be stored under the Administrators context, not the original user.
Session Authentication
Both the scan collection and scan delivery processes require an authenticated user session to be established before the operation starts. The user authenticates at the terminal and selects the scanning mode. The server receives the authentication request (i.e. card swipe, SmartCard certificate verification, user credentials) via a secured network connection and verifies it with the configured data source (i.e. Active Directory). If the verification is successful, SafeQ establishes a session including all user information (i.e. user email, login name, home folder, ...). This information is used as metadata for the data delivery process.
Data Collection
SafeQ can be configured to receive data from the source MFP in many ways. There is no special or additional security level for the data collection part. The most common methods are data reception via email (SMTP) or a hot folder (SMB or FTP). The data flow is as follows:
User scans the document at the MFP.
MFP stores the document to the configured destination (repository).
SafeQ server service monitors the configured repository for new data.
SafeQ server service collects the data, verifies if there is related user session available and transfers the data to Data Delivery process.
If the user session is not established, the data is dropped and deleted.
Data Delivery
SafeQ collects the data from the hot folder and delivers it to ONE defined destination. The delivery process is limited by several items:
The delivery is only executed if there is an authenticated user session associated with the collected document (i.e. the creator of the document is known).
For the scan to email workflow, the SafeQ server uses the configured SMTP server to deliver the email. The connection to the SMTP server can be authenticated using a service account defined in the SafeQ configuration file.
For scan to folder / home folder, the SafeQ server tries to access the destination folder using Windows file access or the SMB protocol.
By default, the service account used for running the SafeQ service at the server (or the SafeQ daemon in Linux environments) must have write access to the target directory; authentication to the target directory is managed at the operating system level. For the scan to home feature, this means the service account must have write access to ALL user home directories. Home directory information is associated with the authenticated user's record in the SafeQ Identity Database.
In case of configured Kerberos 5 authentication (and login by domain credentials or Smart Card), SafeQ uses the Kerberos TGT to access the network folder (using the SMB/CIFS protocol).
For the scan to script feature, the command line script is executed for every scanned (collected) file. SafeQ passes several parameters to the script: the authenticated user's name, the user's home directory, the path to the collected file, and source device information. The script is executed with the credentials of the service account used for running the SafeQ service at the server.
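Because a scan-to-script handler runs with the service account's credentials, the parameters SafeQ hands it should be treated as untrusted input before any file operation. The following handler is an added illustration, not YSoft code; it assumes four positional arguments in the order user name, home directory, collected file, source device, and assumes site-specific root directories (HOME_ROOT, SPOOL_ROOT) that are placeholders here.

```python
import os
import shutil
import sys

# Assumed, site-specific locations (placeholders, not taken from the SafeQ documentation)
HOME_ROOT = "/srv/scans/home"    # every user home directory must resolve under this root
SPOOL_ROOT = "/srv/scans/spool"  # hot folder the MFP writes collected files into


def is_within(path, root):
    """True if the resolved path lies inside root ('..' and symlinks collapsed)."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root


def plan_delivery(user, home_dir, collected_file, home_root=HOME_ROOT, spool_root=SPOOL_ROOT):
    """Return the destination path for the scan, or raise ValueError.

    The arguments arrive from SafeQ; since this script runs under the service
    account (which can write to ALL home directories), each one is checked.
    """
    if not user or user != os.path.basename(user) or user in (".", ".."):
        raise ValueError("refusing unusual user name %r" % user)
    if not is_within(home_dir, home_root):
        raise ValueError("home directory %r outside %r" % (home_dir, home_root))
    if not is_within(collected_file, spool_root):
        raise ValueError("collected file %r outside spool %r" % (collected_file, spool_root))
    # Keep only the file name; the name chosen in the hot folder is untrusted too.
    name = os.path.basename(collected_file)
    if not name or name.startswith("."):
        raise ValueError("refusing hidden or empty file name")
    return os.path.join(os.path.realpath(home_dir), name)


def deliver(user, home_dir, collected_file, device):
    """Move the collected file into the user's home; the device tag is only logged."""
    dest = plan_delivery(user, home_dir, collected_file)
    if os.path.islink(collected_file) or not os.path.isfile(collected_file):
        raise ValueError("collected path is not a regular file")
    shutil.move(collected_file, dest)  # OS API call, no shell interpolation of arguments
    print("delivered scan from %s for %s to %s" % (device, user, dest))
    return dest


if __name__ == "__main__":
    # Assumed argument order: user, home directory, collected file, source device.
    if len(sys.argv) != 5:
        sys.exit("usage: scan_to_script.py USER HOME_DIR COLLECTED_FILE DEVICE")
    try:
        deliver(*sys.argv[1:5])
    except (ValueError, OSError) as exc:
        sys.exit("delivery refused: %s" % exc)
```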