MyQ X and NIS2
Directive (EU) 2022/2555, better known as NIS2, is a significant stride towards establishing a common level of cybersecurity across the European Union. The directive, which came into force on January 16, 2023, aims to bolster the resilience of essential services and digital service providers against cyber threats by introducing consistent cybersecurity standards and practices.
The printing industry, alongside many others, falls under the scope of the NIS2 Directive. Therefore, entities in the printing industry must understand the implications of the NIS2 Directive and take the necessary steps to meet the security standards. By October 17, 2024, Member States are required to adopt and publish the measures essential for complying with the NIS2 Directive.
This article will explore the details of the NIS2 Directive and its implications for MyQ X distributors and customers.
If you are a MyQ X end customer, discuss the NIS2 Directive requirements and recommendations with your MyQ X provider/distributor. MyQ Partners are trained to deliver top-tier support and will assist you in implementing the necessary measures.
Main Areas of the NIS2 Directive
Risk Management and Cybersecurity
Adopt a risk management approach to cybersecurity. This includes identifying and assessing risks to network and information systems, implementing measures to mitigate these risks, and regularly reviewing these measures.
Ensure that your server and associated software are up-to-date with the latest security patches to mitigate vulnerabilities. Additionally, implement and regularly test backup and disaster recovery plans to ensure the availability and integrity of data. MyQ provides patch releases to its products regularly. It is highly recommended to stay informed, follow these releases, and design your update strategy and procedure ahead of time. MyQ generates a Software Bill of Materials (SBOM) for each release, which can be obtained through your MyQ provider/distributor, enabling organizations to analyze the components used in the software for security vulnerabilities.
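One way to analyze an SBOM for outdated components, shown as an added example that is not MyQ's own tooling. It assumes the SBOM is delivered as CycloneDX JSON (the page does not state the format); the component names, versions, and advisory entries are constructed placeholders.

```python
import json

# Constructed sample SBOM in CycloneDX JSON form (assumed format; component
# names and versions are invented for illustration, not from a MyQ release).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-tls-lib", "version": "3.0.7"},
        {"type": "library", "name": "example-xml-parser", "version": "2.9.14"},
        {"type": "library", "name": "example-db-engine", "version": "4.0.2"},
    ],
})

# Constructed advisory feed: component name -> [(first fixed version, placeholder id)].
ADVISORIES = {
    "example-tls-lib": [("3.0.8", "ADVISORY-PLACEHOLDER-1")],
    "example-xml-parser": [("2.9.9", "ADVISORY-PLACEHOLDER-2")],
}

def version_key(version):
    """Turn '2.9.14' into (2, 9, 14) so that 2.9.14 sorts above 2.9.9."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def load_components(sbom_text):
    """Return (name, version) pairs, rejecting documents that are not CycloneDX."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c.get("version", "")) for c in bom.get("components", [])]

def find_outdated(sbom_text, advisories):
    """List components whose version is missing or below the first fixed version."""
    findings = []
    for name, version in load_components(sbom_text):
        for fixed_in, advisory_id in advisories.get(name, []):
            if not version or version_key(version) < version_key(fixed_in):
                findings.append((name, version, fixed_in, advisory_id))
    return findings

if __name__ == "__main__":
    for name, version, fixed_in, advisory_id in find_outdated(SAMPLE_SBOM, ADVISORIES):
        print(f"{name} {version}: update to >= {fixed_in} ({advisory_id})")
```

Versions are compared numerically per segment; a plain string comparison would wrongly report 2.9.14 as older than 2.9.9.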
Network segmentation is an essential tool for implementing a Zero Trust policy in practice. It gives organizations ways to control their networks with more granular security policies. It ensures that even if an attacker compromises one part of the network, they cannot easily move laterally to other areas. However, organizations with segmented environments face challenges in making print readily available.
With MyQ X, print queues can be propagated in segmented networks with Mobile Print Agents, and documents hosted in the cloud can be downloaded and released immediately from the device’s screen with Easy Print. Support for Microsoft Universal Print or Application Proxy in the Mobile Client can significantly help organizations with the enablement of print services across their environment while making sure access to such resources is protected.
SSL certificates for secure connections help meet NIS2’s requirement for secure data transmission across networks. MyQ X, out-of-the-box, comes with secure communication enabled with the built-in Certificate Authority. Organizations utilizing Enterprise PKI can achieve an even greater level of communication security by providing custom certificates directly.
Whenever possible, enforce TLS for communication with other systems. Secure the connection to the Active Directory or other user directories with LDAPS. Ensure that email transmission goes over SMTPS and review all settings on the MyQ X’s Network page and the Easy Config’s Security tab (e.g., that the Web Server allows only secure connections).
MyQ also provides the ability to encrypt databases, scans, and print jobs. Data encryption is vital for ensuring the confidentiality and integrity of sensitive information, which is a key aspect of NIS2 compliance.
For device communication, it is essential to implement communication protocols that provide the highest level of security. Using SNMPv3 instead of v1 or v2(c) to monitor and manage device status and functionality on a network is strongly recommended.
Business Continuity and Crisis Management
Organizations must ensure that their operations can continue in the event of a significant disruption.
Implement redundant servers or failover systems to ensure that printing services remain available during an incident. MyQ X allows for the implementation of failover measures using several methods.
MyQ supports Windows Server Failover Clustering for high availability, ensuring that services are automatically transferred to a backup node in the event of a failure.
If the connection to the MyQ server is lost, the Fallback Printing feature allows users to continue printing via a backup device. MyQ Desktop Client sends print jobs directly to a backup device when server connectivity is down. This guarantees that printing operations can continue uninterrupted during server outages, which is crucial for maintaining business continuity. Similarly, the Device Spooling feature supported on selected vendors can be combined with Offline Login for offline operation, and further increases the uptime of printing services.
Regular database backups and the ability to restore MyQ data comply with NIS2’s requirement for ensuring data availability and resilience in the face of cyberattacks or system failures. Database and log backups can be scheduled with MyQ X and performed automatically, including the backups of the Central Server’s SQL database.
Least-privilege Access Model
Users should be granted only the minimum level of access or permissions needed to perform required operations.
NIS2 encourages segregation of duties to prevent unauthorized access to critical systems.
By assigning specific rights for access to system and user management, job management, reporting, or logs, it is possible to grant certain users high-privilege access to particular areas of the MyQ environment, while limiting the access rights of others. Similarly, rights can be assigned per site server, so administrators of a local site server do not gain high-privilege access in other locations and branches of the organization where that is not desired.
When the administrator utilizes group-based management of users (security groups), they can decrease the number of steps needed to configure access rights while still benefiting from user provisioning and de-provisioning. Read more below in the User Provisioning and Deprovisioning section.
Granular access permissions should be enforced across the entire organizational infrastructure, including all components within the MyQ X ecosystem. Access should be restricted exclusively to administrators and authorized personnel, ensuring that only those with appropriate privileges can manage and interact with these systems. This involves physical devices, physical servers and their OS (Windows Server), SQL Servers, storage, and more.
Incident Response and Auditing
Establish incident-handling procedures and practice them regularly. In case of suspicious activity, restrict or terminate user access to prevent further damage. Proper implementation of these measures can mitigate the impact of unexpected events.
MyQ’s logging and auditing capabilities (MyQ Logs and MyQ Audit Log) can be extremely useful for incident response and tracking. These logs help detect, investigate, and respond to suspicious activities, which is a mandatory aspect of NIS2.
Logs should be monitored regularly, and notifications enabled for incidents that the organization deems critical. To achieve this, the Log Notifier utility built into MyQ X can be configured to monitor events in the MyQ environment and notify responsible personnel so they can take immediate action. Scheduled Tasks (such as User Synchronization, Printer Discovery, and more) can also send warnings to predetermined contacts when they run. Administrators can also configure MyQ X to send automated alerts when print jobs fail or critical errors occur.
Log management can be centralized by exporting and processing logs through the Windows Event Log and can be further processed by SIEM systems when required. Make sure that the periods for keeping history, log, and audit log are sufficient for your needs. This is configured in Settings – System Management.
Establishing strong SLAs is essential for managed services like MyQ, especially under NIS2 regulations. To guarantee swift incident response times, organizations should consider opting for Premium Support offerings.
Secure Authentication
Secure authentication ensures only authorized users access systems. Two-factor authentication (2FA) enhances this by requiring two types of credentials, increasing security significantly.
Password and PIN requirements, two-factor authentication on the Embedded terminals, or the use of Sign in with Microsoft on the Web interfaces or Embedded terminals (with the MyQ X Mobile Client) provide alternatives for securing access to the MyQ X environment.
The MyQ X Mobile Client can be configured to require biometric verification, further enhancing the security of the MyQ X user account by requiring an additional factor during authentication to devices.
Implementing user account lockout mechanisms after several failed login attempts enhances security and reduces the risk of brute-force attacks.
User Provisioning and Deprovisioning
Provisioning and deprovisioning guarantee that users are promptly denied access to the MyQ environment upon their removal from the source user directory.
MyQ supports automatic scheduled user synchronization with external systems such as LDAP, Microsoft Entra ID (formerly Azure AD), Google Workspace, and CSV files. This ensures that newly added users are automatically imported into the MyQ X environment without manual input. By regularly syncing user data, MyQ X helps maintain an updated list of users with correct access rights, reducing the risk of unauthorized access.
Group-based management and the use of security groups in the source user directory can assist in assigning and removing access automatically to parts of the MyQ X environment for newly provisioned or removed users.
MyQ X provides an automatic registration feature, allowing users to self-register by sending print jobs, swiping an ID card, or creating an account through the web interface. This feature is particularly useful for environments with frequent external users, like guest employees. Users of the system can be provided with a temporary PIN that expires after the set period, ensuring that access is automatically revoked once the user no longer requires access.
MyQ supports the anonymization of user data to comply with privacy regulations. This process irreversibly removes all personal identifiers, making user accounts both unusable and untraceable, while still allowing for system reporting and auditing without compromising privacy.
Awareness and Training
NIS2 emphasizes the need for staff awareness and training on cybersecurity practices.
It is recommended that you provide training sessions for IT personnel and administrators on the secure management of the MyQ X environment, with an emphasis on NIS2 compliance. The best choice is to consult your provider/distributor on the management of the MyQ X ecosystem. MyQ Partners are trained to provide the highest quality of support.
Additionally, awareness programs should be developed to help end-users identify threats and instruct them on the use of the MyQ X ecosystem, as well as the steps to take in the event of security and other incidents.
Security Whitepaper and Secure Deployment
To learn more about achieving the best security standards with MyQ X, continue to the rest of this guide that covers MyQ X Security.
Updated 16/9/2024