Cloud Print Security in Mobility Print

At PaperCut we take data security seriously to help your organization comply with regulations like General Data Protection Regulation (GDPR). PaperCut’s full GDPR compliance guide covers how other areas of PaperCut NG/MF can help you with GDPR compliance.

Mobility Print’s Cloud Print feature is no different.

How does Cloud Print work?

Cloud Print is built using well-established and trusted WebRTC, peer-to-peer communication technology. This is the same technology currently used in popular conferencing software and audio communication platforms.

WebRTC provides an encrypted connection from the user’s device to the Mobility Print server. This establishes trust between the client and the Mobility Print server, and an encrypted channel is created for all communication between the two.

No-one on the internet, including PaperCut, can access any user data, print job data, or metadata sent over this secure channel.

STUN and TURN

WebRTC prefers to connect the client to the Mobility Print server as directly as possible.

The first approach is for each party to find their own public IP address from a STUN (Session Traversal Utilities for NAT) server and share it with the other party using the secure connection to PaperCut Cloud Services.

If the direct connection method is not possible using that method, there is a fallback option utilizing an encrypted channel between the peers over a TURN (Traversal Using Relays around NAT) server. The TURN server is a relay that both the client and the Mobility Print server can reach, and this simply allows data from the peers to reach each other.

The first question many would ask is whether print jobs and metadata are safe when traversing the TURN server connection. The answer is yes, they are safe. The key reason is that TURN doesn’t process any data. Cloud Print using this method is still a peer-to-peer trust created between the client and the Mobility Print server, and all data is encrypted end to end between the client and the Mobility Print server. The TURN server doesn’t need to decode the application data layer to route the packets.

So any data sent via Cloud Print is not accessible by anyone other than the end user’s Mobility Print client and your Mobility Print server; not even PaperCut.

So how secure does that make Cloud Print?

Cloud Print is completely end-to-end encrypted. It uses the DTLS protocol to encrypt all data sent, and trust is established between the Mobility Print client and Mobility Print server, not any third party or intermediary server.

If packets go out of a country where regulations restrict the sending of personal information out of the country, it doesn’t matter—the data isn’t being stored or processed out of the country, it’s not being stored or processed anywhere.

It’s similar to opening a banking website from a browser. The trust is created between the website and the browser, and the TLS encryption avoids anyone on the internet accessing the data. Technically the TCP packets transmitted between the website and browser could traverse any number of countries without breaking any rules on data sovereignty. It is simply how the internet works.

The same is true of Cloud Print. While the UDP packets can traverse the internet, the data is totally encrypted, cannot be accessed, and is not processed anywhere but the Mobility Print Server.