
Scan to Cloud Workflows Security White Paper

Version 1.0

RICOH USA INC


Copyright © 2018 Ricoh USA INC

It is the reader's responsibility when discussing the information contained in this document to maintain a level of confidentiality that is in the best interest of Ricoh USA INC and its member companies.

NO PART OF THIS DOCUMENT MAY BE REPRODUCED IN ANY FASHION AND/OR DISTRIBUTED WITHOUT THE PRIOR PERMISSION OF RICOH USA INC

All product names, partner’s brands and their products, domain names or product illustrations, including desktop images used in this document are trademarks, registered trademarks or the property of their respective holders and should be noted as such.

Any trademark or registered trademark found in this support manual is used in an informational or editorial fashion only and for the benefit of such companies. No such use, or the use of any trade name, or web site is intended to convey endorsement or other affiliation with Ricoh products.


Table of Contents

1 Preface
2 Introduction
3 Functional Description
   Concept of SI-Cloud
   User Site
   System Tools
   WF (workflow) Application (print / distribution)
   WF Application Development Tool
   SI-Cloud Core
4 System Configuration
   Overall Structure
   Use Case
   Data Flow
      General Users
      Tenant Administrator
      Regional Administrator
      Regional Developers
   Port and Protocol Information
      Communication from customer environment to SI-Cloud
      Communication from SI-Cloud to External Cloud Services
   Multi-tenant support
5 Security Measures for the General System
   Monitoring operation, fault and performance
   Regular collection of vulnerability information and patching
   Vulnerability diagnosis
   Logging
      System overall
      WF application (Web Browser NX)
      WF application (server application)
6 Data Security Measures
   Data access control
      User authentication
      Access control between roles and tenants
      Device use
      Storage service connection
      WF application
   Data management
      Device (multifunction printer)
      Distribution data
      Storage service connection
   Data deletion
      Print data
      Scan data
      Termination of service or tenant
   Antivirus
   Backup
7 Network Security Measures
   Access control
      Network access control
      Server (OS) access control
   Encryption of communication path
   Receiving email
      SI job print
   Email transmission
      Common
8 Data Center Security Measures
9 Trademark


1 Preface

This guide provides the security-related details of Cloud Workflows, which is developed on the Smart Integration Cloud platform. Hereafter in this document, Smart Integration Cloud is referred to as SI-Cloud.

About This Guide

This guide is divided into the following primary sections:

1. Preface: this section.

2. Introduction: lays the foundation for understanding the security-related information.

3. Functional Description: describes the concept of SI-Cloud.

4. System Configuration: describes the overall SI-Cloud system configuration.

5. Security Measures for the General System: security measures for the SI-Cloud platform.

6. Data Security Measures: security measures for the data managed in SI-Cloud.

7. Network Security Measures: network security measures.

8. Data Center Security Measures: a link to the data center security measures.

9. Trademark: trademarks used in this document.


2 Introduction

Scope

This document covers the security functions of the SI-Cloud[1] application used by SI-Cloud's center server and the device (multifunction printer).

Regarding the implementation of information security measures for cloud services, the following guidelines have been published. With reference to JIS Q 27001 (ISMS) and JIS Q 27002 (code of practice), ① and ② below are information security measures to be implemented by cloud providers.

① Information security countermeasure guideline for ASP / SaaS[2]

② Information security management guidelines for using cloud services[3]

③ Reference guide for disclosing information by cloud providers[4]

The Ricoh Group treats information security management as an indispensable element of providing products and services that customers can use with confidence[5]. As a result of this effort, many of the organizational and operational measures in the above guidelines are already covered. Those are out of the scope of this document, which focuses on physical and technical measures.

[1] The scope of this document is the SI-Cloud center server version.
[2] Ministry of Internal Affairs and Communications, 2008/1/30, http://www.soumu.go.jp/main_sosiki/joho_tsusin/policyreports/chousa/asp_saas/
[3] Ministry of Economy, Trade and Industry, http://www.meti.go.jp/press/2013/03/20140314004/20140314004-2.pdf
[4] IPA, 2011/4/25, http://www.ipa.go.jp/security/cloud/tebiki_guide.html
[5] Ricoh Group Information Security (updated at appropriate times), http://jp.ricoh.com/security/management/


3 Functional Description

Concept of SI-Cloud

SI-Cloud forms the foundation of print / scan workflow applications (hereinafter WF application(s)) working principally with Ricoh's multifunction devices. Each WF application and tool is provided using a common framework called SI-Cloud Core.

SI-Cloud provides customers with the convenience of identity (ID) management and customization, and provides service usage through a secure environment. In addition, Ricoh provides WF application development capabilities to each region, which enables quick development tailored to local needs.

Figure 1 Overall schematic diagram of services provided by SI-Cloud based on cloud service infrastructure


User Site

The SI-Cloud user site provides functionality to display / set application lists, user management, personal settings and screen customization.

System Tools

The system tools of SI-Cloud provide functionality to register (issue) tenant IDs and to create packages (products).

WF (workflow) Application (print / distribution)

SI-Cloud provides WF applications for printing and distribution (scan) that can be used on multifunction devices. In the case of printing, SI-Cloud is able to provide a printing application that, from a multifunction device, can select and print files from an external cloud storage service (see 6.3). In the case of distribution, SI-Cloud is able to provide a distribution application that can store documents scanned on multifunction printers to cloud storage services (see 6.3) and additionally distribute them via email.

WF Application Development Tool

In the WF application development tool of SI-Cloud, regional developers can develop WF applications such as those described above by configuring workflows.

SI-Cloud Core

SI-Cloud Core provides authentication services (ID management, authentication and verification functions), image conversion services and workflow services to the user site, the system tools, the WF applications and the WF application development tool.


4 System Configuration

Overall Structure

The SI-Cloud system consists of the customer environment, the PC in the regional environment, the multifunction device and SI-Cloud on the Internet. SI-Cloud consists of the application server (user site, system tools, WF application development tool, WF applications) and the SI-Cloud Core server (ID management, authentication and conversion server).

Web Browser NX, which is standard on the multifunction devices, is required in order to use the application(s) from the multifunction device.

Figure 2 SI-Cloud System Configuration Diagram


Use Case

⚫ General users
➢ Configure user settings, authentication settings and verification settings using the user site from a PC browser.
➢ Select the document to be printed on the operation panel of the multifunction device, and print the document.
➢ Select the destination and scan settings of the document on the operation panel of the multifunction device, and scan the paper document. The document scanned by the device is transmitted to SI-Cloud, converted into the specified format, and transmitted to the cloud storage service or via email.

⚫ Tenant administrator
➢ Register the multifunction device from the operation panel of the device.
➢ Manage users and tenant information, configure WF application settings and customize the SI-Cloud home screen using the user site from a PC browser.

⚫ Region administrator
➢ Access the system tool from a PC browser, open tenants and create user accounts.
➢ Access the system tools from a PC browser and build packages.
➢ Access the system tool from a PC browser and assign a package to a tenant.

⚫ Region developers
➢ Access the WF application development tool from a PC browser and develop WF applications.


Data Flow

In the previous section, some typical use cases were explained. This section shows the data flows between each component. "Authentication information" is the information, such as a user ID and a password, required for authenticating to the connected systems.

General Users

Figure 3 shows the flow of data between each component when using SI-Cloud. In this figure, "selecting print files and printing at the multifunction device", "scanning documents and distribution at the multifunction device" and "user setting" are described as typical use cases.

Figure 3 Data Flow between Components


Tenant Administrator

Figure 4 shows the flow of data when a tenant administrator uses SI-Cloud. In this figure, "device registration", "user management", "tenant information management", "WF application configuration" and "SI-Cloud home screen customization" are described as typical use cases.

Figure 4 Data Flow Between Components (Tenant Administrator)


Regional Administrator

Figure 5 shows the flow of data when the regional administrator uses SI-Cloud. In this figure, "tenant registration" and "package (product) registration" are described as typical use cases.

Figure 5 Data flow between Components (Regional administrator)


Regional Developers

Figure 6 shows the flow of data when the regional developers use SI-Cloud. In this figure, "development (registration) of a WF application" is described as a typical use case.

Figure 6 Data Flow between Components (Regional developers)


Port and Protocol Information

Communication from customer environment to SI-Cloud

Table 1 Communication from customer environment to SI-Cloud

Destination hosts (all rows): www.na.smart-integration.ricoh.com, api.na.smart-integration.ricoh.com, www.eu.smart-integration.ricoh.com, api.eu.smart-integration.ricoh.com

Function | Destination host | Port | Protocol
Connecting to SI-Cloud (PC) (including administration / development) | all hosts above | 443/TCP | HTTPS
Connection when installing on device | all hosts above | 443/TCP | HTTPS
Download print document | all hosts above | 443/TCP | HTTPS
Upload document | all hosts above | 443/TCP | HTTPS


Communication from SI-Cloud to External Cloud Services

The connection to an external cloud service follows the specification of the external service. The connection is established via HTTPS (443/TCP). If the external service does not support HTTPS, communication falls back to HTTP (80/TCP); in that case the path to that service is not encrypted. In addition, NTP (123/UDP), DNS (53/TCP, 53/UDP) and SMTP (25/TCP) communications are used.
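The port and protocol information above is what a customer's firewall administrator, or whoever reviews SI-Cloud's own egress rules, needs to verify in practice. The following added example (not Ricoh code) audits constructed firewall log lines against Table 1 (customer environment to SI-Cloud: the four named hosts on 443/TCP only) and against the ports listed for SI-Cloud to external services. The key=value log format, the sample lines and the decision to report the documented 80/TCP fallback as a separate cleartext category are this example's own assumptions.

```python
"""Egress allow-list audit for the flows in Table 1 and the external-service
paragraph. Added example, not Ricoh code; log format and samples are constructed.
"""
import re

SI_CLOUD_HOSTS = {
    "www.na.smart-integration.ricoh.com",
    "api.na.smart-integration.ricoh.com",
    "www.eu.smart-integration.ricoh.com",
    "api.eu.smart-integration.ricoh.com",
}
# Customer environment -> SI-Cloud: every documented function uses 443/TCP (HTTPS).
CUSTOMER_RULES = {(host, 443, "tcp") for host in SI_CLOUD_HOSTS}

# SI-Cloud -> external services: HTTPS, HTTP fallback, NTP, DNS, SMTP.
EXTERNAL_PORTS = {(443, "tcp"), (80, "tcp"), (123, "udp"), (53, "tcp"), (53, "udp"), (25, "tcp")}
# 80/TCP is documented only as a fallback for storage services without HTTPS,
# so it is reported separately as a cleartext path rather than silently allowed.
CLEARTEXT_PORTS = {(80, "tcp")}

# Constructed log format: "<time> src=<ip> dst=<host|ip> dport=<n> proto=<tcp|udp>"
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")


def classify(line: str, direction: str) -> str:
    """Classify one log line as allowed, cleartext, unexpected or unparsed."""
    m = LOG_RE.search(line)
    if m is None:
        return "unparsed"
    dst, dport, proto = m["dst"].lower(), int(m["dport"]), m["proto"].lower()
    if direction == "customer":          # multifunction device / PC -> SI-Cloud
        return "allowed" if (dst, dport, proto) in CUSTOMER_RULES else "unexpected"
    if direction == "si-cloud":          # SI-Cloud -> external cloud services
        if (dport, proto) in CLEARTEXT_PORTS:
            return "cleartext"
        return "allowed" if (dport, proto) in EXTERNAL_PORTS else "unexpected"
    raise ValueError(f"unknown direction: {direction}")


def audit(lines, direction: str) -> dict:
    """Group log lines by classification so the unexpected ones can be reviewed."""
    report = {"allowed": [], "cleartext": [], "unexpected": [], "unparsed": []}
    for line in lines:
        report[classify(line, direction)].append(line)
    return report


CUSTOMER_LOG = [  # constructed sample: a device in the customer network
    "2024-03-01T09:00:01Z src=10.10.0.21 dst=api.na.smart-integration.ricoh.com dport=443 proto=tcp",
    "2024-03-01T09:00:02Z src=10.10.0.21 dst=www.na.smart-integration.ricoh.com dport=443 proto=tcp",
    "2024-03-01T09:00:03Z src=10.10.0.21 dst=www.na.smart-integration.ricoh.com dport=80 proto=tcp",
    "2024-03-01T09:00:04Z src=10.10.0.21 dst=203.0.113.7 dport=443 proto=tcp",
]
SI_CLOUD_LOG = [  # constructed sample: SI-Cloud egress towards external services
    "2024-03-01T09:01:01Z src=172.16.5.10 dst=api.box.com dport=443 proto=tcp",
    "2024-03-01T09:01:02Z src=172.16.5.10 dst=legacy-dms.example.net dport=80 proto=tcp",
    "2024-03-01T09:01:03Z src=172.16.5.10 dst=time.example.net dport=123 proto=udp",
    "2024-03-01T09:01:04Z src=172.16.5.10 dst=198.51.100.9 dport=22 proto=tcp",
]

if __name__ == "__main__":
    for name, lines, direction in (("customer", CUSTOMER_LOG, "customer"),
                                   ("si-cloud", SI_CLOUD_LOG, "si-cloud")):
        report = audit(lines, direction)
        print(name, {k: len(v) for k, v in report.items()})
        for line in report["unexpected"] + report["cleartext"]:
            print("  review:", line)
```

On the customer side the check is host-based because Table 1 names the destinations; on the SI-Cloud side it can only be port-based, since the external storage services are chosen by the tenant. A plain-HTTP connection from a device to an SI-Cloud host, or any connection to an unlisted destination, is therefore reported for review rather than allowed.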

Multi-tenant support

SI-Cloud provides services to multiple companies and organizations. The entities to which services are provided, such as companies and organizations, are called tenants[6], and with multi-tenancy support the information of multiple tenants is managed on the same hardware. The system logically separates data between tenants and ensures the independence of tenants[7]. Data access is described in section 5.1 Data access control.

There are two types of tenants, namely customer tenants and region tenants. Customer tenants are for end users to use applications on SI-Cloud and cannot access the information of other tenants. Region tenants are for developing WF applications, creating packages and setting up customer tenants. Region tenants are able to access the tenant information and license information of their customer tenants, as well as issue new licenses for their customers.

[6] A tenant may be contracted by multiple companies, which is why the term "tenant" is used instead of "company".
[7] Such a system configuration is called a "multi-tenant architecture".


5 Security Measures for the General System

Monitoring operation, fault and performance

The operation status and performance of the network, servers (OS, middleware), database and applications are monitored 24 hours a day, 365 days a year, and prompt action is taken in the event of a fault. In addition, capacity management[8] is conducted in order to ensure adequate availability.

Regular collection of vulnerability information and patching

Vulnerability information is collected and acted on according to the process defined at Ricoh. Security patches for the OS, middleware and OSS are first judged by their importance and influence on the system, then tested in the development environment, and finally applied in the production environment.

Vuls is used to detect vulnerabilities automatically in the packages running on all servers. The vulnerability information for each running package is checked against JVNDB, and the degree of impact on the service and the response for each package are investigated and managed.

Vulnerability diagnosis

IBM AppScan is used as the web application vulnerability assessment tool every three months, to check that no harmful vulnerability remains. Typical examples of items inspected with AppScan are as follows.

Table 2. Inspection classification and corresponding items of AppScan

Category | Inspection items
Authentication | Brute force attack; Inappropriate authentication
Authorization | Indexing; Session guessing; Session fixation; Inappropriate session expiration; Inappropriate permission
Application | Privacy test; Quality test
Client-side attack | Cross-Site Scripting; Content spoofing
Command execution | LDAP injection; OS command injection; SQL injection; SSI injection; XPath injection; Buffer overflow; Format string attack
Information disclosure | Directory indexing; Path traversal; Information leak; Predictable resource location
Logical attack | Denial of Service; Abuse of functionality

[8] Adequate storage is allocated for tenants, users, devices, licenses and the expected number of jobs, and usage is monitored in real time.

Furthermore, the Information Security department uses QualysGuard from Qualys Inc. as a vulnerability assessment tool every three months and confirms that no known vulnerability is left. Typical examples of items inspected with QualysGuard are shown in Table 3.

Table 3 Inspection classification and corresponding item examples of QualysGuard

Category | Inspection items
General remote services | SSL server information; SSL session caching information; Consistency of the SSL certificate common name; Acceptance of insecure SSL / TLS protocol versions; Whether the SSL / TLS server supports TLS_FALLBACK_SCSV; Support for the TLS secure renegotiation extension; Block size of TLS ciphers
Web server | Web server version; SSL web server version; SSL certificate information; Directory listing of web pages; HTTP request pipelining supported by the web server; HTTP protocol version of the web server; Internal IP address disclosure; Internal network name disclosure; Form-based authentication with autocomplete attributes
TCP/IP | List of public TCP services (port scan); Randomness of TCP initial sequence numbers; Randomness of the IP header ID value; Estimated uptime based on the TCP timestamp option; Whether an ICMP timestamp request is answered
Common Gateway Interface (CGI) | Default web page displayed; Security headers included in HTTP responses
Mail services | SMTP banner; SMTP service detection
Firewall | Existence of a firewall
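Several of the Table 3 items are simple enough to reproduce between scheduled scans, which is useful because a quarterly scan leaves a long window after a deployment. The following added example (not Ricoh, AppScan or Qualys code) evaluates a constructed HTTP response for missing security headers, a version-bearing Server banner, internal IP disclosure, a directory listing and a password field without an autocomplete attribute, and classifies accepted TLS versions against a floor. The expected-header list, the TLS floor and the sample response are this example's own assumptions, not Ricoh's policy.

```python
"""Offline versions of a few Table 3 checks. Added example, not Ricoh code;
the policy (expected headers, TLS floor) and the sample response are assumed.
"""
import re

EXPECTED_HEADERS = (                               # assumed policy, not from the paper
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)
MIN_TLS = "TLSv1.2"                                # assumed policy floor
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

RFC1918 = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
VERSION_BANNER = re.compile(r"/\d+(?:\.\d+)+")     # "Apache/2.4.29", "nginx/1.18.0"
PASSWORD_INPUT = re.compile(r'''<input\b[^>]*\btype\s*=\s*["']?password["']?[^>]*>''', re.I)


def scan_response(headers: dict, body: str) -> list:
    """Return sorted finding identifiers for one captured HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = set()
    for name in EXPECTED_HEADERS:                  # "HTTP response includes security header"
        if name not in h:
            findings.add(f"missing-header:{name}")
    if VERSION_BANNER.search(h.get("server", "")):  # "Web server version"
        findings.add("server-version-disclosed")
    for ip in RFC1918.findall(body):               # "internal IP address disclosed"
        findings.add(f"internal-ip-disclosed:{ip}")
    if "index of /" in body.lower():               # "Directory list of web page"
        findings.add("directory-listing")
    for tag in PASSWORD_INPUT.findall(body):       # "form-based authentication has autocomplete"
        if "autocomplete" not in tag.lower():
            findings.add("password-field-autocomplete")
    return sorted(findings)


def weak_tls_versions(accepted) -> list:
    """Versions below MIN_TLS that a server accepted during a handshake probe."""
    floor = TLS_ORDER.index(MIN_TLS)
    return [v for v in TLS_ORDER[:floor] if v in set(accepted)]


SAMPLE_HEADERS = {  # constructed response from a poorly configured web server
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
}
SAMPLE_BODY = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>
<!-- build note: upstream 10.20.30.40 -->
</body></html>"""

HARDENED_HEADERS = {  # constructed response after remediation
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
HARDENED_BODY = '<form action="/login" method="post"><input type="password" name="pw" autocomplete="off"></form>'

if __name__ == "__main__":
    print("before:", scan_response(SAMPLE_HEADERS, SAMPLE_BODY))
    print("after: ", scan_response(HARDENED_HEADERS, HARDENED_BODY))
    print("weak TLS:", weak_tls_versions(["TLSv1", "TLSv1.2", "TLSv1.3"]))
```

The response checks run on a saved response (for example one captured with curl -i), so they need no network access; the TLS function expects the list of versions a separate handshake probe found the server willing to negotiate, which is the part a live scanner such as QualysGuard performs.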

Logging

System overall

The application logs of the servers are centrally collected for collective analysis of unauthorized access and system failures. Ricoh regularly backs up each server, including system logs. Time synchronization of all servers is performed with NTP. Log content is output only after being judged against Ricoh internal rules, and password information is never written to any log.

WF application (Web Browser NX)

WF application settings and the results of print / scan jobs are sent to the server. The WF application stores error logs in the log information of Web Browser NX on the multifunction printer in the case of events such as initialization and printing / scanning errors.


WF application (server application)

The server holds the application logs and all executed job logs (print, scan, folder acquisition from the storage service, etc.). These logs include the job execution date and time, tenant ID, user ID, application name, status, communication result with the external services, execution result of the intermediate processing and the document name. The print / scan settings are included for the printing / distribution applications. The folder ID and the email address are also included for troubleshooting.

Log information is protected from unauthorized access inside and outside of Ricoh by properly restricting access to the server (see section 6.1.1.4).
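The two logging rules above, record every listed job field but never a password, are easy to state and easy to break once job settings carry a connector's credentials or a storage reply carries an OAuth token. The following added example (not Ricoh code) builds a job log record with the fields the section lists, redacts secret-keyed values at any nesting depth before the record is serialized, and provides a check that can be run over collected log lines to catch a credential that slipped through. The job dictionary, the list of secret keys and the log format are this example's assumptions.

```python
"""Job-log record builder and credential-leak check for the logging rules
above. Added example, not Ricoh code; job layout and secret-key list are assumed.
"""
import json
import re
from datetime import datetime, timezone

# Keys whose values must never reach a log, however deeply nested (assumed list).
SECRET_KEYS = {"password", "passwd", "pin", "access_token", "refresh_token",
               "client_secret", "authorization"}

# Matches a credential that survived into a serialized log line, e.g. "password": "x".
LEAK_RE = re.compile(
    r'''(?i)\b(password|passwd|pin|access_token|refresh_token|client_secret)\b'''
    r'''["']?\s*[:=]\s*["']?(?!\[REDACTED\])[^\s"',}]+'''
)


def redact(value):
    """Return a copy of value with every secret-keyed entry replaced; input is not mutated."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def job_log_record(job: dict, external_result: dict, intermediate_result: str) -> dict:
    """Build one job log entry with the fields the white paper lists, then redact it."""
    record = {
        "executed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tenant_id": job["tenant_id"],
        "user_id": job["user_id"],
        "application": job["application"],
        "status": job["status"],
        "external_service_result": external_result,   # communication result with the external service
        "intermediate_result": intermediate_result,   # e.g. format conversion outcome
        "document_name": job["document_name"],
        "settings": job["settings"],                  # print / scan settings
        "folder_id": job.get("folder_id"),            # troubleshooting fields
        "email": job.get("email"),
    }
    return redact(record)


def has_secret_leak(line: str) -> bool:
    """True when a serialized log line still carries a credential value."""
    return LEAK_RE.search(line) is not None


# Constructed sample: a scan job whose connector settings carry the external
# service password, and a storage-service reply carrying an OAuth access token.
SAMPLE_JOB = {
    "tenant_id": "cust-100",
    "user_id": "alice",
    "application": "scan-to-storage",
    "status": "completed",
    "document_name": "invoice-2024-03.pdf",
    "settings": {"color": "mono", "resolution_dpi": 300,
                 "connector": {"host": "dms.example.net", "user": "alice",
                               "password": "S3cret!"}},
    "folder_id": "folder-42",
    "email": "alice@example.com",
}
SAMPLE_EXTERNAL_RESULT = {"service": "box", "http_status": 200,
                          "access_token": "tok-abc123"}

if __name__ == "__main__":
    record = job_log_record(SAMPLE_JOB, SAMPLE_EXTERNAL_RESULT, "converted to PDF")
    line = json.dumps(record)
    print(line)
    print("raw job would leak:", has_secret_leak(json.dumps(SAMPLE_JOB)))
    print("record leaks:", has_secret_leak(line))
```

Redaction keyed on field names is the cheap first line; the regex check is the second, for the case where a secret arrives under an unexpected key or inside a free-text error message, and it is the kind of rule worth running in the central log collection the section describes.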


6 Data Security Measures

Data access control

Data managed in SI-Cloud (shown in Table 4) is separated per user and per tenant. In order to access any of this data, an authentication ticket issued by user authentication is required. Because the service controls the accessible data by the authentication ticket, it is not possible to see the print document of another user or the user information of another tenant.

The data is stored in the data layer of Fig. 7 or in Amazon S3. The data cannot be accessed directly from the Internet and cannot be accessed without going through the endpoint in SI-Cloud.
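The access model described in "Multi-tenant support" and in the paragraph above combines two things: an authentication ticket that names the caller's tenant, user and role, and an endpoint-side check that compares it with the owner of each piece of data. The following added example (not Ricoh code) models both: an HMAC-signed ticket, and a deny-by-default authorization rule under which documents are visible only to their owner, user information only within the tenant, and tenant and license information to the tenant's administrator and to the region tenant that set it up. The ticket format, the signing key, the role names and the region/customer mapping are this example's assumptions.

```python
"""Authentication ticket and tenant-scoped access check. Added example, not
Ricoh code; ticket format, key, roles and tenant mapping are assumed.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional

SERVER_KEY = b"example-ticket-key-not-for-production"   # assumed SI-Cloud Core secret


class Role(str, Enum):
    GENERAL_USER = "general_user"
    TENANT_ADMIN = "tenant_admin"
    REGION_ADMIN = "region_admin"      # user of a region tenant


@dataclass(frozen=True)
class Ticket:
    tenant_id: str
    user_id: str
    role: Role


@dataclass(frozen=True)
class Resource:
    kind: str                          # print_document, scan_image, user_info, tenant_info, license
    tenant_id: str
    owner_user_id: Optional[str] = None


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def issue_ticket(ticket: Ticket, key: bytes = SERVER_KEY) -> str:
    """Ticket = base64(claims) '.' base64(HMAC-SHA256(claims)), issued after login."""
    claims = json.dumps({"t": ticket.tenant_id, "u": ticket.user_id, "r": ticket.role.value},
                        separators=(",", ":")).encode()
    body = _b64(claims)
    return (body + b"." + _b64(hmac.new(key, body, hashlib.sha256).digest())).decode()


def verify_ticket(token: str, key: bytes = SERVER_KEY) -> Optional[Ticket]:
    """Return the Ticket if the signature is valid, otherwise None."""
    try:
        body, tag = token.encode().split(b".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    return Ticket(claims["t"], claims["u"], Role(claims["r"]))


def authorize(ticket: Ticket, res: Resource, region_of: dict) -> bool:
    """Deny by default; allow only the relationships the white paper describes."""
    same_tenant = ticket.tenant_id == res.tenant_id
    if res.kind in ("print_document", "scan_image"):
        return same_tenant and ticket.user_id == res.owner_user_id   # owner only
    if res.kind == "user_info":
        return same_tenant and (ticket.user_id == res.owner_user_id
                                or ticket.role == Role.TENANT_ADMIN)
    if res.kind in ("tenant_info", "license"):
        if same_tenant:
            return ticket.role in (Role.TENANT_ADMIN, Role.REGION_ADMIN)
        # a region tenant may read tenant and license data of the customer tenants it set up
        return ticket.role == Role.REGION_ADMIN and region_of.get(res.tenant_id) == ticket.tenant_id
    return False


# Constructed mapping: which region tenant set up which customer tenant.
REGION_OF = {"cust-100": "region-na", "cust-200": "region-na", "cust-300": "region-eu"}


def can_access(token: str, res: Resource, region_of: dict = REGION_OF) -> bool:
    """Endpoint-side check: a valid ticket is required before any data is returned."""
    ticket = verify_ticket(token)
    return ticket is not None and authorize(ticket, res, region_of)


if __name__ == "__main__":
    alice = issue_ticket(Ticket("cust-100", "alice", Role.GENERAL_USER))
    bob = issue_ticket(Ticket("cust-100", "bob", Role.GENERAL_USER))
    na_ops = issue_ticket(Ticket("region-na", "ops", Role.REGION_ADMIN))
    doc = Resource("print_document", "cust-100", owner_user_id="alice")
    print("alice reads own document:", can_access(alice, doc))                                  # True
    print("bob reads alice's document:", can_access(bob, doc))                                   # False
    print("region-na reads cust-100 license:", can_access(na_ops, Resource("license", "cust-100")))  # True
    print("region-na reads cust-300 license:", can_access(na_ops, Resource("license", "cust-300")))  # False
```

Two design points carry the security property. The tenant and user IDs come from the signed ticket, never from the request, so a caller cannot name another tenant's data; and the region tenant's privilege is scoped by the mapping of customer tenants it set up, so a region tenant cannot read licenses of tenants belonging to another region, and it never gets at user documents at all.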

Table 4. The data list managed in SI-Cloud

| Data type | How to get data | Storage location | Who can see data |
|---|---|---|---|
| Name | Input by user (own); input by administrator | Data layer of Fig.7 | Development |
| Mail address | Input by user (own); input by administrator | Data layer of Fig.7; log on S3 | Development |
| Password | Input by user (own) | Data layer of Fig.7 | No one can see |
| PIN code | Automatically issued by system; input by user (own) | Data layer of Fig.7 | Development |
| Browser type, version, OS | Automatically acquired when user used | Log on S3 | Development support |
| IP address | Automatically acquired when user used | Log on S3 | Development |
| Date of use | Automatically acquired when user used | Log on S3 | Development support |
| Serial of multifunction device | Input by administrator; input by CE | Data layer of Fig.7 | Development |
| Scan image | Automatically acquired when user used | S3 | Development*1 |
| Print file | Automatically acquired when user used | S3 | Development |
| Scan settings | Automatically acquired when user used | Data layer of Fig.7; log on S3 | Development support |
| Print settings | Automatically acquired when user used | Data layer of Fig.7; log on S3 | Development support |
| OAuth token of the external service (ex. Box, Google, DropBox, Office365) | Input by user (own) | Data layer of Fig.7 | Development |
| Account name and password of external service (Docuware) | Input by user (own) | Data layer of Fig.7 | Development*2 |
| License information | Input by administrator; input by CE | Data layer of Fig.7 | Development |

*1 It is possible not to leave data on the server, depending on the setting of the workflow application.

*2 Although it is encrypted, it is technically decodable because the encryption key is managed on another server.


Fig.7 Infrastructure of SI-Cloud


User authentication

Login

In order to access SI-Cloud, it is necessary to log in (user authentication) using a tenant ID, user name and password, or an email address and password. Subsequent operations cannot be executed without successful authentication.

A tenant ID is a 10-digit numeric string issued by the system tool and assigned to each customer tenant upon application for the SI-Cloud service. A user name is a character string of 1 to 128 characters.

A password can be any ASCII string of up to 128 characters (minimum 6 characters), which gives sufficient resistance to brute-force and dictionary attacks. In addition, registered account information such as the tenant ID, user name and mail address does not leak, so the system also resists reverse brute-force attacks. A user can change their password from the user site. Only the hash value of the password is saved on the SI-Cloud center server, so Ricoh cannot obtain the customer's password and the password string does not leak from the center server. Proper access restrictions are also applied to the password hash values and user information to prevent illegal access from inside and outside Ricoh (see section 6.1). If a user enters a wrong password five times in a row during login, their account is locked. The user then needs to ask their administrator to re-activate the account in the user management setting, reset their password, or wait for the automatic unlock by the system after 24 hours.

Single sign-on using an account of an external service is also supported.
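The login rules above (6 to 128 ASCII characters, only a salted hash stored on the server, lockout after five consecutive failures, automatic unlock after 24 hours or re-activation by an administrator) can be modelled as follows. This is an added example, not SI-Cloud's code; the class, method names and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
"""Password storage and account lockout, modelled on the login rules described
in the white paper. Added example; names and the PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MIN_LEN, MAX_LEN = 6, 128
MAX_FAILURES = 5
LOCK_SECONDS = 24 * 60 * 60
PBKDF2_ROUNDS = 200_000


def password_acceptable(pw: str) -> bool:
    """Arbitrary ASCII string of 6 to 128 characters."""
    return MIN_LEN <= len(pw) <= MAX_LEN and pw.isascii()


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, password: str):
        if not password_acceptable(password):
            raise ValueError("password must be 6-128 ASCII characters")
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_at: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if now - self.locked_at >= LOCK_SECONDS:
            self.locked_at, self.failures = None, 0   # automatic unlock after 24 hours
            return False
        return True

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Returns "ok", "denied" or "locked". A correct password is refused while locked."""
        now = time.time() if now is None else now
        if self.is_locked(now):
            return "locked"
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):   # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_at = now
            return "locked"
        return "denied"

    def admin_unlock(self) -> None:
        """Re-activation from the administrator's user management setting."""
        self.locked_at, self.failures = None, 0
```

The failure counter is reset on every successful login, so a lockout only results from five consecutive wrong attempts, and the counter is cleared together with the lock on automatic or administrative unlock.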

Login on a multifunction device

In addition to the methods described in Login, it is possible to log in with a PIN code or with an account registered in the address book of the multifunction device. A PIN code is a numeric string of 4 to 16 digits issued at the time of user registration. These login methods can be used only from registered multifunction devices and not from other client devices such as PCs.

To use SI-Cloud on a multifunction device, the device must be registered in the SI-Cloud center server by logging in with an administrator account the first time an application is started. The registered device checks the tenant of the logging-in user upon authentication, so users of other tenants cannot use it. When configured by the administrator, some functions that do not involve personal information can be used without login, using information common to the tenant.


Single sign-on

SI-Cloud supports single sign-on with external services. Single sign-on can be activated by a user when registering a user, or by configuring External Service Connections from My Page of the User site.

When configuring External Service Connections for the first time, authentication is required so that SI-Cloud can acquire the basic profile information of the external service account. Once this is done, single sign-on with the external service account becomes possible.

Single sign-on is processed safely according to the standard protocol OpenID Connect. Moreover, SI-Cloud associates the external service account with the SI-Cloud account, so impersonation by other accounts is impossible.

OpenID Connect uses the information authorized by the customer on the external service as the login information for SI-Cloud, so the password of the external service is not sent to SI-Cloud.
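The checks a relying party performs on an OpenID Connect ID Token, and the binding of the external account to exactly one local account, look like this in outline. This is an added example, not SI-Cloud's implementation: it assumes the token's signature has already been verified by a JWT library, and the link table, issuer URL, client ID and claim values are constructed sample data.

```python
"""OpenID Connect ID Token claim validation and account linking. Added example;
issuer, client_id, the LINKS table and all claim values are constructed."""
import time
from typing import Dict, Optional, Tuple

Claims = Dict[str, object]


class SsoError(Exception):
    pass


def validate_id_token_claims(claims: Claims, issuer: str, client_id: str,
                             expected_nonce: str, now: Optional[float] = None,
                             skew: int = 60) -> Tuple[str, str]:
    """Checks iss, aud/azp, exp, iat and nonce as OpenID Connect Core 1.0
    section 3.1.3.7 requires of a relying party; returns (iss, sub)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise SsoError("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise SsoError("token was not issued for this relying party")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise SsoError("azp does not name this relying party")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp + skew < now:
        raise SsoError("token expired")
    if not isinstance(iat, (int, float)) or iat - skew > now:
        raise SsoError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise SsoError("nonce mismatch (possible replay)")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise SsoError("missing subject")
    return str(claims["iss"]), sub


# Constructed sample link table: an external account is bound to one SI-Cloud
# account by the stable (issuer, sub) pair, never by a mutable e-mail claim.
LINKS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("https://idp.example.com", "ext-1001"): ("0000000001", "alice"),
}


def resolve_sso_login(claims: Claims, issuer: str, client_id: str, nonce: str,
                      links: Dict[Tuple[str, str], Tuple[str, str]] = LINKS,
                      now: Optional[float] = None) -> Tuple[str, str]:
    """Returns (tenant_id, user_id) for a valid token whose subject is linked."""
    key = validate_id_token_claims(claims, issuer, client_id, nonce, now)
    if key not in links:
        raise SsoError("external account is not linked to any SI-Cloud user")
    return links[key]
```

Linking on (iss, sub) rather than on the e-mail claim is what prevents one external account from standing in for another: a different subject at the same issuer, even with a matching e-mail address, resolves to no SI-Cloud user.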

Access control between roles and tenants

Users of SI-Cloud are always associated with only one tenant, and there is no privileged user who can access multiple tenants.

There are two types of roles used in customer tenants: the administrator role and the user role. One or more administrator roles are set per tenant. The administrator role can add, change or delete users in its tenant, and can configure applications.

There are five types of roles used in region tenants: administrator role, user role, developer role, product designer role and setup user role.

The developer role can develop WF applications using the WF application development tool. The product designer role can create packages of the WF applications developed by the developer as products. The setup user role can set up customer tenants and assign package licenses to customer tenants.
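The data access control of section 6 (an authentication ticket bound to one user and one tenant) and the role model just described combine into a single authorization check. The following is an added example written for this page, not SI-Cloud's API; the ticket and resource classes, the resource kinds and the action names are assumptions.

```python
"""Tenant- and role-scoped authorization check. Added example; Ticket, Resource,
the resource kinds and the actions are assumed names, not SI-Cloud's own."""
from dataclasses import dataclass

CUSTOMER_ROLES = {"administrator", "user"}
REGION_ROLES = {"administrator", "user", "developer", "product designer", "setup user"}


@dataclass(frozen=True)
class Ticket:
    """Authentication ticket issued after login: exactly one user, one tenant, one role."""
    user_id: str
    tenant_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str        # "print_document", "user_record" or "app_config"
    owner_id: str    # user the record belongs to ("" for tenant-wide data)
    tenant_id: str


def role_valid_for(tenant_kind: str, role: str) -> bool:
    """Customer tenants know two roles, region tenants five."""
    return role in (CUSTOMER_ROLES if tenant_kind == "customer" else REGION_ROLES)


def can_access(ticket: Ticket, resource: Resource, action: str) -> bool:
    # 1. Tenant isolation comes first and is never overridden by role:
    #    there is no user who can reach a second tenant's data.
    if ticket.tenant_id != resource.tenant_id:
        return False
    # 2. Print documents are visible only to the user who owns them.
    if resource.kind == "print_document":
        return action == "read" and resource.owner_id == ticket.user_id
    # 3. User records: anyone may read their own; add/change/delete is administrator-only.
    if resource.kind == "user_record":
        if action == "read":
            return ticket.role == "administrator" or resource.owner_id == ticket.user_id
        return ticket.role == "administrator"
    # 4. Application configuration: tenant members read, administrators configure.
    if resource.kind == "app_config":
        return action == "read" or ticket.role == "administrator"
    return False   # unknown resource kinds are denied by default
```

The ordering matters: the tenant comparison is evaluated before any role logic, so an administrator ticket from another tenant is refused on the first line regardless of what it asks for.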

Device use

When registering devices and/or using WF applications, it is verified that they are Ricoh multifunction devices. Therefore, it is not possible to register devices or use WF applications on the devices of other companies or on other terminals.


Storage service connection

Storage services manage user IDs differently from SI-Cloud, so linking user IDs is necessary. A user can configure the service connections from My Page of the user site. The service connection setting is managed in association with the user and cannot be seen by other users. There is no interface to extract the authentication information required for the connection; the system uses it internally for the service connection.

WF application

Application usage

- The WF application can only be accessed by users of the tenant in which the application is installed.

Workflow usage

- Parameters of each workflow that can be customized by each tenant are checked for access privileges per tenant, and the information of another tenant cannot be seen.

- When using an external cloud service in a workflow, credentials such as the OAuth⁹ token are not managed in the workflow but by the authentication service, in the same way as the applications that come with Ricoh multifunction printers as a standard feature, and credentials are not given to unauthorized users.

- Detailed information (such as output files) of the workflow result can be accessed only by the user who executed the workflow.

- The result of a workflow's intermediate processing is deleted when the workflow is completed unless there is a special designation. The final process result is automatically deleted when the holding period specified at the time of execution of the workflow has passed (holding period up to 72 hours).
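The last two points above (results readable only by the executing user, intermediate results dropped on completion unless designated, final results purged once the holding period of at most 72 hours elapses) can be enforced by a small retention routine like the one below. It is an added example and not the WF application's own code; the class and field names are assumptions.

```python
"""Workflow result retention and access. Added example; WorkflowRun and its
field names are assumptions, not the WF application's own data model."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MAX_HOLDING = timedelta(hours=72)   # upper bound stated in the white paper


@dataclass
class WorkflowRun:
    run_id: str
    executed_by: str
    requested_holding: timedelta
    intermediate_files: List[str] = field(default_factory=list)
    output_files: List[str] = field(default_factory=list)
    keep_intermediate: bool = False         # the "special designation"
    expires_at: Optional[datetime] = None   # fixed when the run completes


def complete_run(run: WorkflowRun, finished_at: datetime) -> datetime:
    """Drops intermediate files (unless designated) and fixes the expiry of the
    final result, clamping the requested holding period into [0, 72 h]."""
    if not run.keep_intermediate:
        run.intermediate_files.clear()
    holding = max(timedelta(0), min(run.requested_holding, MAX_HOLDING))
    run.expires_at = finished_at + holding
    return run.expires_at


def fetch_outputs(run: WorkflowRun, user_id: str, now: datetime) -> List[str]:
    """Only the user who executed the workflow may read its outputs, and only
    while the holding period has not passed."""
    if user_id != run.executed_by:
        raise PermissionError("result belongs to another user")
    if run.expires_at is None or now >= run.expires_at:
        return []
    return list(run.output_files)


def purge_expired(runs: List[WorkflowRun], now: datetime) -> List[str]:
    """Deletes final results whose holding period has passed; returns their ids."""
    purged = []
    for run in runs:
        if run.expires_at is not None and now >= run.expires_at and run.output_files:
            run.output_files.clear()
            purged.append(run.run_id)
    return purged
```

Clamping the requested period at completion time, rather than trusting the value the caller supplied, is what keeps a request for 96 hours from extending retention beyond the documented 72-hour limit.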

Edit workflow

- Editable workflows are restricted to those developed by the tenant; workflows developed by other tenants cannot be accessed.

Data management

Device (multifunction printer)

When registering a device in the SI-Cloud center server, the tenant ID and the administrator's user name and password issued at the time of contract need to be entered. The tenant ID is stored in the device. The administrator's user name and password are not stored in the device.

9 The OAuth 2.0 Authorization Framework, http://tools.ietf.org/rfc/rfc6749.txt


Distribution data

Documents scanned at the multifunction device are temporarily stored in the SI-Cloud center server. Documents are stored inside the AWS firewall, and access to the storage is restricted to the inside of the SI-Cloud system or Ricoh's company LAN, so there is no way for users to access scanned documents externally. Hence no data leaks.

The database where the information on temporary files is saved is not encrypted; however, unauthorized access from inside and outside Ricoh is prevented by appropriate access restrictions on data access (see section 6.1).

Storage service connection

Due to the specifications of the APIs provided by storage services, there are cases where the SI-Cloud system logs in to the external storage service with the ID and password of the external service, which are encrypted and stored in the SI-Cloud center server. Storing scanned documents in external storage services this way is called the proxy authentication method. When the password of the storage service is changed, the password stored in SI-Cloud must be changed as well.

When the storage service provides OAuth 2.0 authorization, this is used for the service connection instead of the proxy authentication method. Since only a token, without the password, is stored in the SI-Cloud center server, the security risk is low. Even if the password of the storage service is changed, it is not necessary to update the password stored in SI-Cloud.

Data deletion

Print data

Document data acquired for printing are deleted from the center server after printing. The same applies to files generated in the process of format conversion.

Scan data

The data of a document scanned at the multifunction device is deleted from the SI-Cloud center server after the data is transmitted to the storage service. The same applies to intermediate files generated in the OCR process.


Termination of service or tenant

When only a service of a tenant is terminated, no data is deleted.

When a tenant is terminated, the following information is deleted from the center server:

・ Tenant information

・ User information associated with the tenant

・ Device information associated with the tenant

The following information is not deleted even when a tenant is terminated¹⁰:

・ Application setting information

・ Job log information

・ License information

・ Logs such as related system logs, etc.

Antivirus

Regular collection of vulnerability information and patching as described in 4.2 shall be implemented. In addition, anti-virus software (TrendMicro Server Protect 5) is installed on all Windows servers, and files processed on SI-Cloud are virus-checked using the latest pattern in order to prevent infection. Infected documents are not used.

Backup

In preparation for device malfunction, operation errors, etc., the setting information and log information on the server are backed up periodically, and the restoration procedure is confirmed. Print data temporarily stored on the server, data of documents scanned on the device, and document data after conversion are deleted after a certain period of time (refer to 5.3 Data Delete).

10 Tenant information is deleted during the tenant contract or after cancellation according to an explicit deletion request from the customer. Log information remains, but log information does not include confidential information such as personal information.


7 Network Security Measures

Access control

Network access control

Confidential information such as documents uploaded by customers and passwords is not placed on servers that can be accessed directly from the Internet. As described in Section 5.1, files are stored in Amazon S3 and other data in Amazon RDS, and they are kept in places accessible only by SI-Cloud's AWS account. When the Web server is accessed from the Internet, packets are filtered by the AWS Application Load Balancer, so it is not possible to log in directly to the server. Unauthorized access from the outside is also prevented by setting the port numbers that allow communication on the AWS security group (virtual firewall).

Maintenance is carried out by connecting to the SI-Cloud center server from the Ricoh internal LAN via the internet line. By setting the IP addresses and port numbers that allow communication on the AWS security group (virtual firewall), the SI-Cloud center server can be accessed by encrypted communication from Ricoh's company LAN via specific protocols. Maintenance cannot be carried out by connecting from the Internet. In addition, the connection to the center server uses an SSH private key, not a password, and by limiting the connection from inside Ricoh to the parties who created the key pair, leakage of customer information during maintenance work and attacks are prevented.
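The posture described above (HTTPS open to the Internet through the load balancer, SSH reachable only from the maintenance network, nothing else exposed) is easy to state and easy to drift from, so a periodic review of the security group's ingress rules is a useful control. The following is an added example, not Ricoh's tooling: it takes rules in the shape of the `IpPermissions` list returned by EC2 `DescribeSecurityGroups`, and the maintenance source range is a constructed placeholder standing in for Ricoh's internal LAN egress addresses.

```python
"""Security-group ingress review. Added example; the rules and the maintenance
source range are constructed, and the intended posture is the one the
white paper describes (443/tcp public, SSH from maintenance sources only)."""
import ipaddress
from typing import Dict, List

# Constructed placeholder for the maintenance sources allowed to reach SSH.
MAINTENANCE_SOURCES = ["203.0.113.0/24"]
SSH_PORT = 22


def _covered_by(net, allowed: List[str]) -> bool:
    """True when every address in net lies inside one of the allowed ranges."""
    for cidr in allowed:
        a = ipaddress.ip_network(cidr, strict=False)
        if a.version == net.version and net.subnet_of(a):
            return True
    return False


def audit_ingress(permissions: List[Dict],
                  maintenance_sources: List[str] = MAINTENANCE_SOURCES) -> List[str]:
    """Returns one finding per rule that contradicts the intended posture."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol", "-1")           # "-1" means all protocols
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                 [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            anywhere = net.prefixlen == 0
            if proto == "-1" or (hi - lo) > 1000:
                findings.append(f"{cidr}: overly broad rule ({proto} {lo}-{hi}), review")
                continue
            if proto == "tcp" and lo <= SSH_PORT <= hi and not _covered_by(net, maintenance_sources):
                findings.append(f"{cidr}: SSH reachable from outside the maintenance sources")
            elif anywhere and not (proto == "tcp" and (lo, hi) == (443, 443)):
                findings.append(f"{cidr}: Internet-wide access to {proto} {lo}-{hi}")
    return findings
```

A finding is a prompt for review, not a verdict: an all-protocols rule from a private range may be an intentional intra-VPC rule, but it should be recognised as such and documented rather than silently accepted.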

Server (OS) access control

The accounts registered on the server are limited to a minimum number of people. The accounts are updated when an authorized person changes, and an inventory is performed every six months to prevent illegal access by unauthorized persons. In addition, password policies are set so that account passwords are not easily guessed.

For the data stored on the server, appropriate access ranges are allocated according to the types of data, and access authority is set for each account and server in AWS IAM, so that data outside the scope necessary for business cannot be accessed. There is a data access procedure, and access is performed after obtaining approval according to the procedure. The server administrators receive security education in advance and are regularly informed about the procedure.


Encryption of communication path

Communications between the SI-Cloud center server and the PC (browser), the iOS application for SI-Cloud, the Android application for SI-Cloud and the multifunction device are encrypted with HTTPS, except for the email service. The server certificate of the SI-Cloud center server uses a 2048-bit RSA public key with a SHA-2 thumbprint algorithm and is issued by a third-party certificate authority. The protocols and versions supported for HTTPS are the following:

⚫ TLS 1.0, TLS 1.1, TLS 1.2

The encryption protocol is selected according to browser compatibility.
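The list above includes TLS 1.0 and TLS 1.1, both of which have since been deprecated by RFC 8996 (2021), so a server configuration written today would set TLS 1.2 as the floor. The following is an added example of such a server-side context in Python's standard `ssl` module; it is not SI-Cloud's configuration, and the certificate and key paths are placeholders supplied by the caller.

```python
"""Server-side TLS context with TLS 1.2 as the minimum version. Added example;
certificate paths are placeholders, not SI-Cloud's files."""
import ssl
from typing import Optional


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # handshakes for TLS 1.0 / 1.1 are refused
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression (CRIME) off
    if certfile:
        # e.g. the RSA-2048 certificate with a SHA-2 signature described above
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allows_version(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True when the context's floor would let the given protocol version negotiate."""
    return int(ctx.minimum_version) <= int(version)
```

Restricting the server to TLS 1.2 is what removes the downgrade path; the cipher suite selection is then negotiated within that version rather than falling back to a legacy protocol for an old browser.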

Receiving email

SI job print

Emails received by the system use SendGrid as the relay server, and virus checks are run using the latest definition file. A spam filter is also applied, and the print document is not uploaded when the email is detected as spam. The communication between the device from which emails are sent and SendGrid uses the SMTP protocol, and the communication path and contents are not encrypted. The communication between SendGrid and SI-Cloud uses HTTPS, so the email information (including attachments) is received securely.

Email receipt when sending print document by email

When sending a print document by email, encrypted email is not supported. The email is also sent to SI-Cloud via the SendGrid server. Therefore, before sending print documents by email, customers need to make decisions according to their security policy¹¹.

Email transmission

Common

All emails from the system use SMTP and are not encrypted. SPF (Sender Policy Framework) is applied to prevent spoofing of sent mail, and DKIM (DomainKeys Identified Mail) is applied as a domain authentication technology. All DNS records used for SPF and DKIM are managed by AWS Route 53, which has high security.

11 SendGrid Security Policy http://www.kke.co.jp/security_policy/
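To make the SPF part of the "Common" paragraph concrete, the following added example evaluates a sending IP address against SPF TXT records the way a receiving mail server does (RFC 7208). It is not Ricoh's configuration: the zone data is constructed, only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented (`a`, `mx`, `ptr`, `exists` and the `redirect` modifier are reported as unsupported), and DKIM, which requires a signature check, is not covered.

```python
"""Minimal SPF (RFC 7208) evaluator over constructed TXT records. Added example;
the zone, domain names and addresses are sample data."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample TXT records, in the form Route 53 would serve them.
SAMPLE_ZONE: Dict[str, str] = {
    "sicloud.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 include/a/mx/... is permerror
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, zone: Dict[str, str] = SAMPLE_ZONE,
              _lookups: Optional[List[int]] = None) -> str:
    """Returns pass, fail, softfail, neutral, none or permerror for sender_ip
    claiming to send mail on behalf of domain."""
    lookups = _lookups if _lookups is not None else [0]   # shared counter across includes
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(arg, sender_ip, zone, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"   # fail/softfail/neutral from an include simply do not match
        else:
            return "permerror"        # mechanism or modifier not supported by this evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                  # nothing matched and no "all" term present
```

The shared lookup counter is deliberate: without it, a chain of `include` terms (or a record that includes itself) would make the receiver perform unbounded DNS work, which is why RFC 7208 caps the count at ten and treats an overrun as a permanent error.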


Notice emails for provisional user registration, email address change, and password change

When the administrator registers a user provisionally or changes an email address, an email is sent to the email address of the registered user. The user who received the email needs to input their email address and password to complete the user registration or the change.

Notification emails for tenant registration and user registration

When a tenant or a user registration is completed, an email is sent to the registered user's email address. A password and a PIN are included in the notification email for user registration.

Notification email for PIN code reissue

Upon a request for the reissue of a PIN code, an email containing the PIN code issued by the system is sent.

Delivery of scan documents by email

Even when the destination of the email is inside the company, it is sent via the SI-Cloud center server. When emails are sent with scanned documents attached, the system may receive sending-error emails for errors such as a missing recipient email address; however, the system does not save the error emails.

Sending error email when distributing scanned document

When delivering a scanned document to external storage or sending it via email, an email notifying the error is sent to the designated destination when a delivery failure is detected, whether via the error notification email from the external storage, the email capacity limit being exceeded, or a timeout.


8 Data Center Security Measures

The SI-Cloud server group is configured on AWS. Data center security measures conform to those of AWS.¹²

12 AWS Security process overview: https://d0.awsstatic.com/International/ja_JP/Whitepapers/AWS%20Security%20Whitepaper.pdf


9 Trademark

・ Google®, Google Apps™, Android™ are the trademarks or the registered trademarks of Google Inc. in the United States and other countries.

・ iOS® is the trademark or the registered trademark of Cisco in the USA and other countries.

・ Amazon Web Services, the "Powered by Amazon Web Services" logo, and other AWS trademarks used in such materials are trademarks of Amazon.com, Inc. or its affiliates in the United States and other countries.