Xerox
Security Guide
Xerox
®
Connect App for Google Drive™
Additional information, if needed,
on one or more lines
Month 00, 0000
<Part Number>
© 2021 Xerox Corporation. All rights reserved. Xerox
®
is a trademark of Xerox Corporation in the
United States and/or other countries. BR32731
Other company trademarks are also acknowledged.
Document Version: 1.0 (February 2021).
Xerox Security Guide for Xerox® Connect App for Google Drive™ i
Contents
1. Introduction ................................................................................................................................... 1-1
Purpose ........................................................................................................................................... 1-1
Target Audience .............................................................................................................................. 1-1
Disclaimer ....................................................................................................................................... 1-1
2. Product Description ...................................................................................................................... 2-2
Overview ......................................................................................................................................... 2-2
App Hosting ................................................................................................................................. 2-2
Components ................................................................................................................................ 2-3
Architecture and Workflows ............................................................................................................ 2-5
Data flow Diagram ....................................................................................................................... 2-5
User Data Protection ....................................................................................................................... 2-8
Application data stored in the Xerox cloud .................................................................................. 2-8
Application data stored in the ABBYY Cloud OCR service ......................................................... 2-8
Local Environment ...................................................................................................................... 2-8
3. General Security Protection ......................................................................................................... 3-9
User Data Protection within the products........................................................................................ 3-9
Document and File Security ........................................................................................................ 3-9
Hosting - Microsoft Azure ............................................................................................................ 3-9
Cloud Storage – Microsoft Azure ................................................................................................ 3-9
Xerox
®
Workplace Suite/Cloud and Single Sign-On Services .................................................... 3-9
User Data in transit ....................................................................................................................... 3-10
Secure Network Communications ............................................................................................. 3-10
Xerox Workplace Suite/Cloud and Single Sign-On Services .................................................... 3-10
4. Additional Information & Resources ......................................................................................... 4-11
Security @ Xerox .......................................................................................................................... 4-11
Responses to Known Vulnerabilities ............................................................................................. 4-11
Additional Resources .................................................................................................................... 4-11
Xerox Security Guide for Xerox® Connect App for Google Drive™ 1-1
1. Introduction
Purpose
The purpose of the Security Guide is to disclose information for Xerox
®
Apps with respect to device
security. Device security, in this context, is defined as how data is stored and transmitted, how the
product behaves in a networked environment, and how the product may be accessed, both locally
and remotely. This document describes design, functions, and features of the Xerox
®
Apps relative
to Information Assurance (IA) and the protection of customer sensitive information. Please note
that the customer is responsible for the security of their network and the Xerox
®
Apps do not
establish security for any network environment.
This document does not provide tutorial level information about security, connectivity or Xerox
®
App features and functions. This information is readily available elsewhere. We assume that the
reader has a working knowledge of these types of topics.
Target Audience
The target audience for this document is Xerox field personnel and customers concerned with IT
security. It is assumed that the reader is familiar with the apps; as such, some user actions are not
described in detail.
Disclaimer
The content of this document is provided for information purposes only. Performance of the
products referenced herein is exclusively subject to the applicable Xerox
®
Corporation terms and
conditions of sale and/or lease. Nothing stated in this document constitutes the establishment of
any additional agreement or binding obligations between Xerox
®
Corporation and any third party.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-2
2. Product Description
Overview
The Xerox
®
Connect App for Google Drive™ consists of two primary workflows. The two workflows
are:
• Print files from a Google Drive account
• Scan files to a Google Drive account
The app and two workflows facilitate a combination of the following steps:
• Single Sign-On
• Authentication
• App Hosting
• Repository Navigation
• Scanning
• Printing
• Document Format Conversion
• Emailing
• SNMP & Device Webservice Calls
Application
What can I do?
Xerox
®
Connect App for
Google Drive
• Login to my Google account
• Select Print or Scan workflow
• Navigate to a folder in my Google Drive account
• Scan a hard copy document to a folder in my Google Drive
account with standard scan settings along with option to
email the scanned document
• Select one or more files in my Google Drive account and
Print hard copies with standard print settings
Table 1 Xerox
®
App user benefits
APP HOSTING
The Xerox
®
Connect App for Google Drive depends heavily on cloud hosted components. A brief
description of each can be found below.
The Xerox
®
Connect App for Google Drive
The Xerox
®
App consists of two key components, the device weblet and the cloud-hosted web
service. The device weblet is a Xerox
®
App/EIP web app that enables the following behavior on a
Xerox
®
Device:
• Presents the user with an application UI that executes functionality in the cloud.
• Interfaces with the EIP API, which delegates work, such as document scanning and printing.
The weblet communicates with the cloud-hosted web service, which executes the business logic of
the app.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-3
GoogleDrive Storage Service
In order for the app to communicate and interact with the correct storage location, the user needs
to establish a connection with their Google Drive repository. This connection process utilizes the
authentication dialog provided by the storage service, which requests the username and password
for the storage service account. An OAuth login token is returned to the device from the storage
service. This token is used for further interactions. The account credentials are not stored by the
device. Once authenticated, the Google Drive API is utilized to access the Google Drive
repository.
Single Sign-On via Xerox
®
Workplace Suite/Cloud and SSO Manager
In order to improve user experience, by removing the need to log in to the Xerox
®
App each time
Xerox offers an optional Single Sign-On (SSO) capability. Users can log into the printer and are
then able to launch the app without the need to provide additional credentials.
Xerox Extensible Interface Platform
®
During standard usage of the Xerox
®
App, calls to the device web services are used to initiate and
monitor scan functions and to pull relevant details related to device properties and capabilities.
COMPONENTS
MFD with Xerox
®
Connect App for Google Drive – ConnectKey App
This is an EIP capable device that can print, scan and execute ConnectKey Apps installed from the
Xerox
®
App Gallery. In this case, the device has the Xerox
®
Connect App for Google Drive
installed.
Xerox
®
Connect App for Google Drive – Web UI
The Web UI component is a service hosted on the Microsoft Azure Cloud System. The Web UI
component is responsible for hosting the web pages, which display on the UI of the printer.
Xerox
®
Connect App for Google Drive – Service Interface
The Service Interface component is a service hosted on the Microsoft Azure Cloud System. The
Service Interface provides the business logic service and interfaces with the Xerox Cloud
Repository Middleware.
Xerox Cloud Repository Middleware
The Cloud Repository Middleware component is a service hosted on the Microsoft Azure Cloud
System. The Cloud Repository Middleware interfaces with the Google Drive REST APIs to access
the Google Drive repository.
Xerox Document Conversion Engine
The Document Conversion Engine component is a service hosted on the Microsoft Azure Cloud
System. The Document Conversion Engine converts a variety of document formats to a format that
is printable by Xerox
®
Devices.
Xerox App Gallery
The App Gallery component is a web application, with services, hosted on the Microsoft Azure
Cloud System. The App Gallery is accessed to ensure the Application is entitled to run. The
application can only be run when a “Trial” license has not expired OR a “Purchased” license has
not expired.
ABBYY Cloud OCR API
The ABBYY Cloud OCR API is a, 3
rd
Party, cloud hosted service. The Cloud OCR API is used to
convert a scanned document into one of the following Microsoft
®
Office document formats: Word
(DOCX), Excel (XLSX), PowerPoint (PPTX).
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-4
SendGrid API
The SendGrid API is a, 3
rd
Party, cloud hosted service. The SendGrid API is used to email scanned
documents as attachments.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-5
Architecture and Workflows
DATA FLOW DIAGRAM
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-6
Workflows
App Printing Workflow
Step 1:
User Launches the App on the Xerox
®
Device.
Step 2:
User authenticates to the Google Drive repository. (If first
login, user can agree to save credentials to XWS/C storage
for future use. On subsequent logins, credentials are
automatically retrieved and applied.)
Step 3:
User navigates the folder structure to locate the file to be
printed.
Step 4:
User optionally selects to Preview the document to be
printed.
Step 5:
User selects a file and modifies the print options (ie; single
sided, etc…).
Step 6:
User selects the Print button to print their file at the device.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-7
App Scanning Workflow
Step 1:
User Launches the App on the Xerox
®
Device.
Step 2:
User authenticates to the Google Drive repository. (If first
login, user can agree to save credentials to XWS/C storage
for future use. On subsequent logins, credentials are
automatically retrieved and applied.)
Step 3:
User navigates to and selects the destination folder for the
scanned document.
Step 4:
User modifies the scanning options (ie; single sided,
resolution, output format, preview, email, etc…).
Step 5:
User selects the Scan button to scan the document to the
selected folder.
Step 6:
If the Preview option was selected in Step 4, the user views
the scanned document before deciding to allow the document
to be saved to the selected destination folder.
Step 7:
If the Email option was selected in Step 4, the scanned
document is emailed to the specified recipients.
Step 7:
The document is saved to the selected destination folder.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 2-8
User Data Protection
APPLICATION DATA STORED IN THE XEROX CLOUD
User data related to the categories below are stored in cloud persistent storage until a delete
event occurs.
• Login to Google Drive account
• Scanned image preview
• Print preview image
The following activities will trigger a delete event, for digital document files that meet the
associated criteria.
• A delete occurs when the system detects intermediate processing files exist after a job
has completed.
The balance of data stored in the cloud, that is unrelated to user Personally Identifiable Information,
may be stored indefinitely for event reporting purposes.
APPLICATION DATA STORED IN THE ABBYY CLOUD OCR SERVICE
User documents that have been requested to be converted to a Microsoft
®
Office format are stored
in cloud persistent storage until a delete event occurs.
The following activities will trigger a delete event, for the original digital document files and the
converted document file.
• A delete occurs when the system detects that the document conversion job has completed and
the converted document has been downloaded.
LOCAL ENVIRONMENT
Application data transmitted
Application data related to the categories below are transmitted to/from the Xerox
®
Device.
• Account data
• Session data
• Job data
Application data stored on the Xerox
®
Device
The following app data is stored on the device, in persistent storage, until the App is uninstalled
from the device.
• Device’s SNMP V2 public community string
HTTP Cookies
The Xerox
®
Connect App for Google Drive does not store any cookies on the device.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 3-9
3. General Security Protection
User Data Protection within the products
DOCUMENT AND FILE SECURITY
File content is protected during transmission by standard secure network protocols at the channel
level. Since document source content may contain Personally Identifiable Information (PII) or other
sensitive content, it is the responsibility of the user to handle the digital information in accordance
with information protection best practices.
HOSTING - MICROSOFT AZURE
The cloud services are hosted on the Microsoft Azure Network. The Microsoft Azure Cloud
Computing Platform operates in the Microsoft
®
Global Foundation Services (GFS) infrastructure,
portions of which are ISO27001-certified. Microsoft has also adopted the new international cloud
privacy standard, ISO 27018. Azure safeguards customer data in the cloud and provides support
for companies that are bound by extensive regulations regarding the use, transmission, and
storage of customer data.
The Apps hosted in the cloud are scalable so that multiple instances may be spun up/down as
needed to handle user demand. The service is hosted both in the US and Europe. Users will be
routed to the closest server geographically based on server load and network speed.
CLOUD STORAGE – MICROSOFT AZURE
All Azure Storage data is secured when at rest using AES-256 encryption.
For a full description, please follow these links:
Azure Storage
https://azure.microsoft.com/en-us/blog/announcing-default-encryption-for-azure-blobs-files-table-
and-queue-storage/
XEROX
®
WORKPLACE SUITE/CLO UD AND SINGLE SIGN-ON SERVICES
The Xerox
®
ConnectKey App Single Sign-On feature integrates with the Xerox
®
Workplace
Suite/Cloud authentication solution to store user access information for SSO-compatible Xerox
Gallery Apps. After the user enters their storage service credentials the first time, the XWS/C
solution acts a storage vault where the login information is securely stored.
All content to be stored in the vault is encrypted with AES 256 by the SSO Manager server before
being given to the SSO vault that resides on the XWS/C solution. This ensures that the SSO vault
can never view or use the contents being stored in the vault. Only the SSO Manager infrastructure
knows how to decrypt the content stored in the vault and only the App knows how to use it.
The SSO Manager service manages the encryption key exchange required for secure
communications and encrypts/decrypts the content saved in the vault.
For a full description, please review the Xerox
®
Workplace Suite/Cloud Information Assurance
Disclosure: https://security.business.xerox.com/en-us/products/xerox-workplace-suite/
Xerox Security Guide for Xerox® Connect App for Google Drive™ 3-10
User Data in transit
SECURE NETWORK COMMUNICATIONS
The web pages and app services that constitute the Xerox
®
Solutions are deployed to Microsoft
Azure App Services. All web pages are accessed via HTTPS from a web browser. All
communications are over HTTPS. Data is transmitted securely and is protected by TLS security for
both upload and download. The default TLS version used is 1.2.
The Xerox
®
App requires the user to provide proper/valid credentials in order to gain access to the
application’s features. Authenticated users are allowed to access the features and data using
HTTPS.
At launch, the apps must get an authentication/session token through the solution’s authentication
process. The access token acquired is used for that session of the app.
When using the Xerox
®
Connect App for Google Drive installed on a Xerox
®
Device, if the
customer environment includes an Authentication solution (e.g., Xerox
®
Workplace Suite/Cloud)
with Single Sign-On functionality enabled, the user can agree to have their user credentials
securely stored and automatically applied during subsequent app launches.
All communication is done via HTTPS and the data is transmitted securely and is protected by TLS
security. The default TLS version used is 1.2. Xerox App Gallery supplies a link to a Certificate
Authority root certificate for validation with the cloud web service. It is the responsibility of the
customer to install the certificate on their devices and to enable server certificate validation on the
devices.
For more information related to Azure network security, please follow the link:
https://docs.microsoft.com/en-us/azure/security/azure-network-security
XEROX WORKPLACE SUITE/CLOUD AND SINGLE SIGN-ON SERVICES
The Xerox
®
Workplace Suite/Cloud server accepts credential storage requests from the App via the
SSO Manager service (the Xerox
®
App retrieves a vault key from the SSO Manager and uses it to
retrieve login credentials from the XWS/C service). All communication is via HTTPS and the data is
transmitted securely and is protected by TLS security. The default TLS version used is 1.2.
Xerox Security Guide for Xerox® Connect App for Google Drive™ 4-11
4. Additional Information & Resources
Security @ Xerox
Xerox maintains an evergreen public web page that contains the latest security information
pertaining to its products. Please see https://www.xerox.com/security.
Responses to Known Vulnerabilities
Xerox has created a document which details the Xerox Vulnerability Management and Disclosure
Policy used in discovery and remediation of vulnerabilities in Xerox software and hardware. It can
be downloaded from this page: https://www.xerox.com/information-security/information-security-
articles-whitepapers/enus.html.
Additional Resources
Security Resource
URL
Frequently Asked Security
Questions
https://www.xerox.com/en-us/information-security/frequently-
asked-questions
Bulletins, Advisories, and
Security Updates
https://www.xerox.com/security
Security News Archive
https://security.business.xerox.com/en-us/news/
Table 2 Additional Resources
