Xerox
®
Security Guide and Information Assurance Disclosure
for Connect for DocuSign Application
Xerox
®
Security Guide
Connect for DocuSign App
Additional
information, if
needed, on
one or more
lines
Month 00,
0000
<Part
Number>
© 2019 Xerox Corporation. All rights reserved. Xerox®, ConnectKey® and Xerox Extensible
Interface Platform® are trademarks of Xerox Corporation in the United States and/or other
countries. BR26472
Other company trademarks are also acknowledged.
Document Version: 1.0 (April 2019).
Xerox
®
Security Guide for Connect for DocuSign Application i
Preface
Purpose
The purpose of the Security Guide is to disclose information for Xerox
®
apps with respect to device
security. Device security, in this context, is defined as how data is stored and transmitted, how the
product behaves in a networked environment, and how the product may be accessed, both locally
and remotely. This document describes design, functions, and features of the Xerox
®
apps relative
to Information Assurance (IA) and the protection of customer sensitive information. Please note
that the customer is responsible for the security of their network and the Xerox
®
apps do not
establish security for any network environment.
This document does not provide tutorial level information about security, connectivity or Xerox
®
app
features and functions. This information is readily available elsewhere. We assume that the reader
has a working knowledge of these types of topics.
Target Audience
The target audience for this document is Xerox field personnel and customers concerned with IT
security. It is assumed that the reader is familiar with the apps; as such, some user actions are not
described in detail.
Disclaimer
The content of this document is provided for information purposes only. Performance of the
products referenced herein is exclusively subject to the applicable Xerox
®
Corporation terms and
conditions of sale and/or lease. Nothing stated in this document constitutes the establishment of
any additional agreement or binding obligations between Xerox
®
Corporation and any third party.
Xerox
®
Security Guide for Connect for DocuSign Application ii
Contents
1. General Security Protection ............................................................................................................. 1
User Data Protection within the products............................................................................................ 1
Document and File Security ............................................................................................................ 1
Hosting Microsoft Azure ............................................................................................................... 1
Cloud Storage Microsoft Azure .................................................................................................... 1
Xerox
®
Workplace Suite/Cloud and Single Sign-On Services ........................................................ 2
User Data in transit ............................................................................................................................. 2
Secure Network Communications ................................................................................................... 2
Xerox
®
Workplace Suite/Cloud and Single Sign-On Services ........................................................ 2
2. Xerox
®
Connect for DocuSign App Xerox
®
ConnectKey App ................................................... 3
Description .......................................................................................................................................... 3
Overview ......................................................................................................................................... 3
App Hosting ..................................................................................................................................... 3
Components .................................................................................................................................... 4
Architecture and Workflows ............................................................................................................ 4
User Data Protection ........................................................................................................................... 8
Application data stored in the Xerox cloud ...................................................................................... 8
Local Environment .......................................................................................................................... 9
3. Additional Information Resources ............................................................................................... 10
Security @ Xerox .............................................................................................................................. 10
Responses to Known Vulnerabilities ................................................................................................. 10
Additional Resources ........................................................................................................................ 10
Xerox
®
Security Guide for Connect for DocuSign Application 1
1. General Security Protection
User Data Protection within the products
Document and File Security
File content is protected during transmission by standard secure network protocols at the channel
level. Since document source content may contain Personally Identifiable Information (PII) or other
sensitive content, it is the responsibility of the user to handle the digital information in accordance
with information protection best practices.
Hosting Microsoft Azure
The cloud services are hosted on the Microsoft Azure Network. The Microsoft Azure Cloud
Computing Platform operates in the Microsoft
®
Global Foundation Services (GFS) infrastructure,
portions of which are ISO27001-certified. Microsoft has also adopted the new international cloud
privacy standard, ISO 27018. Azure safeguards customer data in the cloud and provides support
for companies that are bound by extensive regulations regarding the use, transmission, and
storage of customer data.
The Apps hosted in the cloud are scalable so that multiple instances may be spun up/down as
needed to handle user demand. The service is hosted both in the US and Europe. Users will be
routed to the closest server geographically based on server load and network speed.
Cloud Storage Microsoft Azure
All Azure Storage and Azure SQL data is secured when at rest using AES-256 encryption.
For a full description, please follow these links:
Azure SQL
https://azure.microsoft.com/en-us/updates/newly-created-azure-sql-databases-encrypted-by-
default/
Azure Storage
https://azure.microsoft.com/en-us/blog/announcing-default-encryption-for-azure-blobs-files-table-
and-queue-storage/
Xerox
®
Security Guide for Connect for DocuSign Application 2
Xerox
®
Workplace Suite/Cloud and Single Sign-On Services
The Xerox
®
ConnectKey App Single Sign-On feature integrates with the Xerox
®
Workplace
Suite/Cloud authentication solution to store user access information for SSO-compatible Xerox
Gallery Apps. After the user enters their storage service credentials the first time, the XWS/C
solution acts a storage vault where the login information is securely stored.
All content to be stored in the vault is encrypted with AES 256 by the SSO Manager server before
being given to the SSO vault that resides on the XWS/C solution. This ensures that the SSO vault
can never view or use the contents being stored in the vault. Only the SSO Manager infrastructure
knows how to decrypt the content stored in the vault and only the App knows how to use it.
The SSO Manager service manages the encryption key exchange required for secure
communications and encrypts/decrypts the content saved in the vault.
For a full description, please review the Xerox
®
Workplace Suite/Cloud Information Assurance
Disclosure: https://security.business.xerox.com/en-us/products/xerox-workplace-suite/
User Data in transit
Secure Network Communications
The web pages and app services that constitute the Xerox
®
solution are deployed to Microsoft
Azure App Services. All web pages are accessed via HTTPS from a web browser. All
communications are over HTTPS. Data is transmitted securely and is protected by TLS security for
both upload and download. The default TLS version used is 1.2.
The Xerox
®
app requires the user to provide proper/valid credentials in order to gain access to the
application’s features. Authenticated users are allowed to access the features and data using
HTTPS.
At launch, the apps must get an authentication/session token through the solution’s authentication
process. The access token acquired is used for that session of the app.
When using the ConnectKey App installed on a Xerox device, if the customer environment includes
an Authentication solution (e.g., Xerox
®
Workplace Suite/Cloud) with Single Sign-On functionality
enabled, the user can agree to have their user credentials securely stored and automatically
applied during subsequent app launches.
All communication is done via HTTPS and the data is transmitted securely and is protected by TLS
security. The default TLS version used is 1.2. Xerox App Gallery supplies a link to a Certificate
Authority root certificate for validation with the cloud web service. It is the responsibility of the
customer to install the certificate on their devices and to enable server certificate validation on
the devices.
For more information related to Azure network security, please follow the link:
https://docs.microsoft.com/en-us/azure/security/azure-network-security
Xerox
®
Workplace Suite/Cloud and Single Sign-On Services
The Xerox
®
Workplace Suite/Cloud server accepts credential storage requests from the App via the
SSO Manager service (the ConnectKey App retrieves a vault key from the SSO Manager and uses
it to retrieve login credentials from the XWS/C service). All communication is via HTTPS and the
data is transmitted securely and is protected by TLS security. The default TLS version used is 1.2.
Xerox
®
Security Guide for Connect for DocuSign Application 3
2. Xerox
®
Connect for DocuSign App
Xerox
®
ConnectKey App
Description
Overview
ConnectKey App
The ConnectKey App is a simple document signing solution for your Xerox
®
device that integrates
with DocuSign eSignature workflows. The app assists the user with:
1. Browsing DocuSign envelopes and printing documents.
2. Scanning a hard copy document into their DocuSign account.
3. Selecting recipients and signature placement locations for scanned documents.
Table 1. ConnectKey App user benefits
Application
What can I do?
ConnectKey App
App Hosting
The ConnectKey App depends heavily on cloud hosted components. A brief description of each
can be found below.
ConnectKey App
The ConnectKey App consists of two key components, the device weblet and the cloud-hosted web
service. The device weblet is a ConnectKey/EIP web app that enables the following behavior on a
Xerox device:
1. Presents the user with an application UI that executes functionality in the cloud.
2. Interfaces with the EIP API, which delegates work, such as document scanning and printing.
The weblet communicates with the cloud-hosted web service, which executes the business logic of
the app.
DocuSign eSignature Web Service
The solution depends on the DocuSign eSignature REST API to retrieve the user’s folders,
templates, and documents and to download and/or upload digital documents. All requests are
made over HTTPS.
Xerox
®
Security Guide for Connect for DocuSign Application 4
Single Sign-On via Xerox
®
Workplace Suite/Cloud and SSO Manager
In order to improve user experience, by removing the need to log in to the ConnectKey App each
time Xerox offers an optional Single Sign-On (SSO) capability. Users can log into the printer and
are then able to launch the app without the need to provide additional credentials.
Xerox Extensible Interface Platform
®
Web Services
During standard usage of the ConnectKey App, calls to the device web services are used to initiate
and monitor scan functions and to pull relevant details related to device properties and capabilities.
Components
MFD with Xerox
®
Audio Documents App ConnectKey App
This is an EIP capable device that can scan and execute ConnectKey Apps installed from the
Xerox
®
App Gallery. In this case, the device has the Xerox
®
Connect for DocuSign App installed.
Xerox
®
Connect for DocuSign App Web Services
The Web Service is a service hosted on the Microsoft Azure Cloud System. The service is
responsible for hosting the web pages which are displayed on the UI of the printer and provide the
services support for the Xerox
®
apps. The web service interacts with the DocuSign services using
the DocuSign eSignature APIs and Microsoft services using the Azure APIs.
DocuSign eSignature Web Service
The DocuSign cloud hosted service provides a web API that is used for the eSignature workflow
processes, which support the creation and downloading of digital documents for electronic signing.
Architecture and Workflows
Architecture Diagram
Xerox
®
Security Guide for Connect for DocuSign Application 5
Workflows
Print Select and print document(s) from DocuSign envelope
Step 1:
Launch the App on the Xerox device.
Step 2:
Login with DocuSign account credentials to view the Main
page.
Step 3:
Select the Print workflow.
Step 4:
Browse to target folder, select envelope, select document(s) to
print.
Step 5:
Optionally change the print settings.
Step 6:
Print the document(s) using the Print button.
Xerox
®
Security Guide for Connect for DocuSign Application 6
Scan to Envelope Scan hard copy document into DocuSign envelope
Step 1:
Launch the App on the Xerox device.
Step 2:
Login with DocuSign account credentials to view the Main
page.
Step 3:
Select the Scan workflow.
Step 4:
Enter envelope and document name. Optionally select the
Preview feature.
Step 5:
Optionally specify Recipients (name and email).
Step 6:
Optionally change the scan settings.
Step 7:
Scan the document(s) using the Scan button.
Step 8:
If Preview was selected, view the scanned image.
Step 9:
Optionally specify Signing Field locations.
Step 10:
If Preview is satisfactory, Save to Envelope in DocuSign
account or Send to Recipients (if specified).
Xerox
®
Security Guide for Connect for DocuSign Application 7
Scan with Template Scan hard copy document into DocuSign envelope applying pre-defined
Template which specifies Recipients and/or Signing Fields.
Step 1:
Launch the App on the Xerox device.
Step 2:
Login with DocuSign account credentials to view the Main
page.
Step 3:
Select the Scan with Template workflow.
Step 4:
Enter envelope and document name. Optionally select the
Preview feature.
Step 5:
Browse to target Template folder, select Template.
Step 6:
Optionally change the scan settings.
Step 7:
Scan the document(s) using the Scan button.
Step 8:
If Preview was selected, view the scanned image.
Step 9:
If Preview is satisfactory, Save to Envelope in DocuSign
account or Send to Recipients (if specified).
Xerox
®
Security Guide for Connect for DocuSign Application 8
User Data Protection
Application data stored in the Xerox cloud
User data related to the categories below are stored in cloud persistent storage until a delete
event occurs.
Login to DocuSign account
Create a scanned image file from a paper document and upload to DocuSign account
Download digital document file(s) from DocuSign account
The following activities will trigger a delete event, for digital document files that meet the associated
criteria.
A delete occurs when the system detects intermediate processing files exist after a job
has completed.
The balance of data stored in the cloud, that is unrelated to user Personally Identifiable Information,
may be stored indefinitely for event reporting purposes.
Xerox
®
Security Guide for Connect for DocuSign Application 9
Local Environment
Application data transmitted
Application data related to the categories below are transmitted to/from the Xerox device.
Account data
Session data
Job data
Application data stored on the Xerox device
The following app data is stored on the device, in persistent storage, until the App is uninstalled
from the device.
Device data
Configuration data
HTTP Cookies
The ConnectKey App does not store any cookies on the device.
Xerox
®
Security Guide for Connect for DocuSign Application 10
3. Additional Information Resources
Security @ Xerox
Xerox maintains an evergreen public web page that contains the latest security information
pertaining to its products. Please see http://www.xerox.com/security.
Responses to Known Vulnerabilities
Xerox has created a document which details the Xerox Vulnerability Management and Disclosure
Policy used in discovery and remediation of vulnerabilities in Xerox software and hardware. It can
be downloaded from this page: http://www.xerox.com/information-security/information-security-
articles-whitepapers/enus.html.
Additional Resources
Table 4. Below are additional resources.
Security Resource
URL
Frequently Asked Security
Questions
https://www.xerox.com/en-us/information-security/frequently-
asked-questions
Bulletins, Advisories, and
Security Updates
http://www.xerox.com/security
Security News Archive
https://security.business.xerox.com/en-us/news/