Trusted Extensions Label Administration


Updated: July 2014
 
 

Trusted Extensions Features That Address Labeling and Access

Trusted Extensions software does not leave labeling decisions up to the discretion of computer users. All printer output from print servers that are configured with Trusted Extensions is automatically labeled according to the site's requirements.

Even though security was not yet fully understood at the company, the manager in charge of information protection knew that Trusted Extensions could implement the following features immediately:

  • Automatic labeling of print jobs

  • Printers with restricted access by label

  • Email with restricted access by label

In Trusted Extensions, each print job is automatically assigned a label. The label corresponds either to the level at which the user is working or to the user's level of responsibility.

For example, when an employee works at the level of INTERNAL_USE_ONLY, the work should be accessible only by people who have signed nondisclosure agreements with SecCompany. When this employee sends email to the printer, the print job is automatically assigned the label INTERNAL_USE_ONLY.

The following figure shows the user's working label, INTERNAL_USE_ONLY, printed at the top and bottom of a body page of the email.

Figure 6-1  Label Automatically Printed on Body Pages

image:Graphic shows a body page with the INTERNAL USE ONLY label printed at the top and bottom.

Banner and trailer pages can include handling instructions. Printed below the sensitivity label, handling instructions tell the reader how the printed material can be distributed. The following example shows the text on the banner page of a print job. The sensitivity level of the print job is NEED_TO_KNOW in the department of HUMAN_RESOURCES.

                           NEED_TO_KNOW HR

DISTRIBUTE_ONLY_TO HUMAN RESOURCES (NON-DISCLOSURE AGREEMENT REQUIRED)

The instructions state that the information is only for human resources personnel who need to know the information. Also, the human resources personnel must have signed a nondisclosure agreement.

To retrieve a labeled printout, users must have access to a printer that prints at the label of the print job. A printer can be configured to print jobs at every label. For security, printers are configured to print only jobs within a restricted label range.

For example, Figure 6-2 illustrates that the legal department's printer has been set up to print only jobs that have been assigned one of three labels:

  • NEED_TO_KNOW LEGAL – Can be viewed only by permanent employees of SecCompany with a need to know within the legal department

  • INTERNAL_USE_ONLY – Can be viewed only by permanent employees of SecCompany and customers who have signed nondisclosure agreements

  • PUBLIC – Can be viewed by anyone

This printer setup excludes jobs that are sent at any other label. For example, this printer would reject jobs at the labels NEED_TO_KNOW MARKETING and REGISTERED.

Figure 6-2  How a Printer With a Restricted Label Range Handles Print Jobs

image:Graphic shows a printer that accepts jobs at 3 labels and rejects jobs at 2 other labels.

Printers in locations that are accessible to all employees can be similarly restricted. For example, printers can be configured to print jobs only at the two labels that all employees can view, INTERNAL_USE_ONLY and PUBLIC.
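The range check described above can be modeled as a dominance test on classification and department. This is an added example, not Trusted Extensions code or configuration. It assumes the classifications are ordered PUBLIC, INTERNAL_USE_ONLY, NEED_TO_KNOW, REGISTERED from lowest to highest, that the department is a compartment, and a hypothetical printer named "lobby" for the all-employee case; it does not check which classification and department combinations the site permits.

```python
from dataclasses import dataclass

# Assumed ordering of SecCompany classifications (lowest to highest);
# the numeric values are illustrative, not taken from an encodings file.
LEVELS = {"PUBLIC": 1, "INTERNAL_USE_ONLY": 2, "NEED_TO_KNOW": 3, "REGISTERED": 4}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    @classmethod
    def parse(cls, text):
        """Parse 'NEED_TO_KNOW LEGAL' into a classification plus compartments."""
        level, *comps = text.split()
        if level not in LEVELS:
            raise ValueError(f"unknown classification: {level}")
        return cls(level, frozenset(comps))

    def dominates(self, other):
        """True if self is at least as high and holds every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Printer:
    name: str
    minimum: Label
    maximum: Label

    def accepts(self, job_label):
        """A job prints only if minimum <= job label <= maximum under dominance."""
        job = Label.parse(job_label)
        return job.dominates(self.minimum) and self.maximum.dominates(job)


# Constructed ranges matching the two printer setups described above.
legal = Printer("legal", Label.parse("PUBLIC"), Label.parse("NEED_TO_KNOW LEGAL"))
lobby = Printer("lobby", Label.parse("PUBLIC"), Label.parse("INTERNAL_USE_ONLY"))

if __name__ == "__main__":
    for text in ("PUBLIC", "INTERNAL_USE_ONLY", "NEED_TO_KNOW LEGAL",
                 "NEED_TO_KNOW MARKETING", "REGISTERED"):
        for printer in (legal, lobby):
            verdict = "print" if printer.accepts(text) else "reject"
            print(f"{printer.name:6} {text:24} {verdict}")
```

In this model, NEED_TO_KNOW MARKETING is rejected by the legal printer because of its department, and REGISTERED is rejected because its classification is above the printer's maximum.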

Similar to how the printer label range controls which jobs can be printed on a particular printer, a user's account label range limits which email the person can handle. The following figure shows email that is being labeled at the sensitivity label of the user's mail application. The email is sent to the mail application at that label.

Figure 6-3  User Receiving Email Within the Account Label Range

image:Graphic shows that email labeled "Need_to_know Sales" and "Registered" does not get delivered to the user.

At SecCompany, gateways to the Internet are configured to screen email so that emails at inappropriate labels cannot be sent outside of the company. Inappropriate labels are any labels except PUBLIC.