You can’t move at the moment without someone mentioning “Zero Trust” networks. According to Microsoft, 96% of security decision makers state that Zero Trust is critical to their organization’s success, with 76% already adopting Zero Trust security measures [1].
Why? Well, one reason is that the news has been highlighting the rising number of Ransomware attacks, a recent high-profile example being the attack against Colonial Pipeline [2], where hackers managed to gain a foothold in the network then moved laterally throughout the company systems at will. Microsoft and others show how adopting Zero Trust principles can protect against this kind of attack [3], and the US Government is now demanding that all its agencies move to a Zero Trust architecture.
Therein lies the problem - Zero Trust isn’t a fixed model. Every company can and will implement the ideas of Zero Trust in a way that suits their organization at the time. This may mean that the customer will start with one network and security architecture then slowly transition to their final implementation model over time.
Despite what many software providers will have you believe, just saying “we support Zero Trust” isn’t nearly enough. Supporting Zero Trust isn’t a “one size, fits all” solution. It needs to be able to adapt to the security architecture implemented by the customer whilst they progress along their journey towards a Zero Trust network. It certainly won’t happen overnight; it will be a managed process over many months or years.
uniFLOW Online follows the Zero Trust principles defined by Microsoft:
How these principles are implemented by each customer will be different. One method of implementing a cloud-based print management system may work fine in the lab, but not in the real world. The worst-case scenario is for the network security team to have to compromise on their Zero Trust vision because the users can’t print.
uniFLOW Online, however, provides many different implementation options which allow the customer to decide which one works for their network regardless of where they are on the Zero Trust journey.
So, let's look at how uniFLOW Online’s Zero Trust architecture works:
Firstly, let's look at the parts which are consistent regardless of how it will be implemented. uniFLOW Online is built with a “security first” focus so all communication is authenticated before any functions can be carried out. Users log in, using their existing company credentials such as Microsoft 365, Google Workspace, OKTA and many more, in line with any multi-factor authentication policies defined by the IT department. This is part of the “Verify Explicitly” Zero Trust principle.
Once the user has been authenticated, they can only perform actions which they are entitled to do as part of their job. Most users will only be allowed to print, scan and copy on the devices to which they have been granted access. A fleet manager will be given privileged access to be able to manage the printers themselves but maybe not personal details, as this function is reserved for other network admins. In a school, college or university environment, some staff may also be allowed to handle cash and oversee users’ budgets. Other people can be granted a mix of rights, depending on what their job requires. This is part of the “Use Least Privileged Access” principle.
Now the security foundations are laid, we can look at the networks themselves.
For some customers, it may be that users' computers and printers are on the same network and can all talk to each other. This will not prevent lateral movement from one device to another so may not follow the “assume breach” principle. On the other hand, it might be because the company hasn’t moved to a more secure level of network isolation yet or simply that it is a really small office with only a few network points. Whatever the reason, uniFLOW Online can work with this customer network type by storing the jobs on the user’s PC and releasing them directly to the printer when required.
For a more secure implementation, there might be a firewall or virtual network restrictions between the PCs and the printers. uniFLOW Online can work with this network implementation by storing the jobs on the Canon imageRUNNER hard disk itself so the job is sent directly from MFD to MFD should the user choose to release it on a different device. This also gets around the problem of the print job not being available if the user’s PC is turned off when they want to release their job.
The final, most secure, and increasingly common approach is to have every network point isolated from each other regardless of the type of device. In this network configuration, each device can only “talk” to the Internet, i.e. there is no lateral movement of any form on the local network. This “micro segmentation” of the network is the best form of the “assume breach” Zero Trust principle. Naturally, uniFLOW Online can work seamlessly in this customer environment as well; all secure print jobs are stored in the cloud and the Canon devices then pull the jobs down directly once the user has identified and selected which jobs they want to release. The only thing the Canon device needs is a power supply and a network cable. No other infrastructure or services of any kind are required.
So, no matter where you are on the Zero Trust journey and no matter where you or your security department have decided you will end up, uniFLOW Online will work “Any way you want it”.
My father always said to me “If something is worth doing, it’s worth doing properly”. I am lucky in that NT-ware shares this attitude when it comes to the functionality in uniFLOW Online. It is very easy to only do the minimum necessary to ensure a “tick in the box” on a marketing sheet while the functionality itself remains far from perfect. uniFLOW Online does it properly each time.
There are many examples to support this claim. Users being able to submit secure print jobs via email, scanning users being able to navigate through the directory structure of their document management system rather than just dumping the file in the root folder, and support for micro-segmented Zero Trust networks are just a few amongst many, many others. That said, I want to focus here on one particularly important piece of functionality for the education market: Budget and Quota control.
With a server-based print management system, it is quite easy to ensure students have enough money to print and copy to complete the job they want to do. The MFD can talk to the server and make any changes necessary while blocking users who do not have sufficient funds available. This can be done using an external terminal or software embedded on the copier itself.
However, this is actually really difficult in a 100% cloud-based print management system where, by definition, there are no servers to perform this functionality. Controlling the print jobs is easy; before allowing the secure print job to be released, the cloud system can check whether the user has the necessary funds to complete the job. Straightforward enough, as long as you can ensure that the final printed product is the same as the analysis made by the software (which, by the way, uniFLOW Online can).
In reality, confirming whether or not users have enough funds before copying is a completely different story.
One way could be to check a student’s level of funds before they logon to the device. Provided the student has some funds, then why not let them have full access to the device so they can copy what they want, for however long they want and it will be accounted for later? Unfortunately, this would put the student into debt, possibly hundreds of euros in debt. As far as we at NT-ware were concerned, this was simply not good enough; it would be nothing more than just a box ticking exercise to purport that we had functionality that we really didn’t provide.
Another option was to disable the normal copier interface and use a “scan to printer” workflow instead. The student would “scan” the copy job which is then analysed by the cloud service and, if the student has the funds, it is sent back to be printed. Once again this was not a satisfactory option. Copier manufacturers have spent thousands and thousands of hours in refining the copier interface, making sure that the experience is as good as possible, but advanced copier functionality – even simple finishing options – was still not available. Hence we didn’t go down this path either.
In order to fix this problem we worked directly with Canon Inc to make changes to the copier firmware itself.
With uniFLOW Online and Canon imageRUNNER ADVANCE DX devices, students can use the full normal copier functionality of the device. When they make a copy, the imageRUNNER ADVANCE analyses the job – how many pages are colour, how many black/white, which page sizes etc – and sends that information directly to uniFLOW Online. uniFLOW Online then checks if the user has sufficient funds and, if so, sends a message back to the imageRUNNER ADVANCE to complete the copy job.
Super quick, super accurate and super correct.
uniFLOW Online 2020.3 introduced this budget and quota functionality last year. At the end of June 2021, we extended it further by adding the ability for users to add funds to their account using PayPal or any credit card. These “student paid funds” are also held separately from any “free funds”, which the educational establishment may provide to students each term or semester, making any refunds super easy.
Not just a box-ticking exercise.
If something is worth doing, it’s worth doing properly.
Nobody ever has to ask uniFLOW Online “Why Don’t You Do Right”.
uniFLOW Online is a SaaS product featuring a multi-tenancy software architecture. uniFLOW Online differentiates between management tenants, operated by Canon sales organisations or a Canon Partner, and isolated customer tenants which provide secure print and scan capabilities. Management tenants centrally manage all customer tenants; the latter are easy to add and there can be any number below a management tenant. Each one is separated and isolated from both its associates and parent tenants.
Management tenants assign and manage customer tenant subscriptions. Upon creation of a customer tenant by Canon or a Canon partner, uniFLOW Online runs in trial mode free of charge. It allows for an unrestricted number of users and devices and can later be converted to a regular subscription without any interruption in service. There is no logistical requirement to deliver subscriptions, i.e. no emails/letters. The management tenant can provide subscriptions immediately upon receiving the customer's purchase order.
The concept of management tenants and customer tenants facilitates the highest level of customer service and support while respecting privacy regulations. If permitted by the customer, an operator of a management tenant can access a customer tenant, via a temporary service account, or a user account with the Partner Admin role selected. If required, an expiration date can be set to give temporary access to the tenant in order to provide the customer support during the initial tenant setup. A user with the Partner Admin role has similar access rights as the administrator excluding any user-related information to guarantee user privacy and security aspects are respected.
A tree view, showing all child and sub-child tenants, gives Canon or their partners a direct overview of all existing child tenants. If a temporary service account has been created, the service account user can also gain direct access to the sub-tenant via the tenant tree view. This enables provision of seamless support.
Slowly but surely, companies are moving every locally hosted server to the cloud. File servers? Gone. Email servers? Gone. Far more efficient, secure, and cheaper.
Printing is normally the last piece of local server infrastructure which is moved to the cloud. Of course, the reasons for moving this infrastructure are the same: more efficient, secure and cheaper. Quocirca highlight that it costs, on average, £1,900 to provision a server with annual running costs of a further £1,500. The more local servers and local infrastructure, the higher the costs and therefore the higher the savings with a cloud based print management system. It’s no wonder why 76% of companies have either implemented a cloud printing solution or are planning on doing so. Move printing to the cloud and remove all those servers, right?
This is where the problem comes in.
Printers themselves are typically not very clever. They were designed to work on a local network and not via the internet so something has to communicate to the cloud for them. This means that while print servers may have been removed, they must be replaced by other local software or infrastructure instead. Servers with another name. A key thing to look for here is a “PC which you don’t turn off”, a “box” or “hub”. These are effectively servers whichever way you want to try and disguise it.
Unless you use uniFLOW Online and Canon imageRUNNER ADVANCE devices!
Unlike other printers, Canon devices ARE clever. Together with uniFLOW Online, they CAN communicate directly to the Internet.
No mesh. No edge. No servers. No boxes. No client software installed on PCs anywhere.
The firmware of the Canon imageRUNNER ADVANCE devices has been extended to support uniFLOW Online without any help from any other software. True cloud. True savings.
Without installing ANY software, clients or any other euphemism for “infrastructure” anywhere on their network, customers can benefit from the following functionality:
All of this (and more…) is available without installing any software on any clients, apart from the normal Canon printer driver, naturally.
We do have some OPTIONAL client software with uniFLOW Online to extend the functionality and the supported network types if the above isn’t enough. This includes:
The combination of uniFLOW Online and Canon imageRUNNER ADVANCE devices really does mean that we can do it “All by Myself”
· Figures from Quocirca report “Cloud Print Services, 2021”
When considering storing user data in the cloud, the location of the data center is everything. Cloud hosting companies have spent billions of dollars creating multiple data centers in different regions across the world to not only provide a faster connection but, more importantly, to ensure the data remains within the same region as the company and its users. Microsoft Azure have invested in over 160 physical data centers with Google and AWS each providing hundreds more. They wouldn’t do this without VERY good reason.
The questions of data residency and data sovereignty are critical in the decision-making process when companies select which provider to use when moving their previously locally hosted infrastructure, such as their user directory, email and file servers, to the cloud.
Companies and users want to make sure they know in which legal region their personal data is stored. Legal requirements based on the company’s location, such as GDPR, must also be considered. Often, having a local data center just feels right; human nature does not like the idea that personal and company information is pinging its way around the world for anyone to look at and for it to be regulated by an unfamiliar legal jurisdiction.
uniFLOW Online is written for the Microsoft Azure platform. We have also deployed it in multiple Azure data centers around the world which allows companies to select the right one for their business and legal requirements. Although this raises our own costs, as we have to deploy and maintain the service multiple times, it is the right thing to do.
Currently, uniFLOW Online is available in the following Microsoft Azure data centers:
Australia: Australia Southeast (Victoria)
USA: East US (Virginia)
Japan: Japan East (Tokyo, Saitama)
Asia: Southeast Asia (Singapore)
UK: UK South (London)
Europe: West Europe (Netherlands)
China: China North (Beijing)
The multiple Microsoft Azure data centers used by uniFLOW Online allow customer data to respect data sovereignty by remaining within the local region. It is not sent to different legal jurisdictions i.e. European customers' data will always be stored in Europe while customers in Australia know their data will never leave Australia.
With uniFLOW Online, your company and user data never have to say “Don’t send me away…”
The most fundamental part of a print management system is being able to count and measure what is being printed, when and by whom. Without this, everything else is irrelevant. As the old saying goes, “you can’t manage what you can’t measure”.
But you have to be able to count EVERY page going through a printer ACCURATELY. Simply guessing or trying your best to come by the right number isn’t good enough. Accounting data has to be 100% i.e. every page counts.
Back in the days when print servers were used, this was easier to accomplish. Most network printers have a security setting which allows the administrator to print only those jobs which come from a specific IP or MAC address – the print server itself where the print management software is installed. A similar result can be achieved by having printers on a separate VLAN with the print server being the only bridge between printers and PCs.
These methods didn’t overcome the problem of a user sending a 100 page job then cancelling it after just 5 pages, but at least they stopped anyone bypassing the print management system by printing directly.
However, with a cloud-based print management system, where the WHOLE POINT is to remove local servers and infrastructure, we are back to square one. How can we direct the printer to only accept jobs that are being accounted for but ignore those which are not, especially when they may come from the same PC?
With uniFLOW Online and Canon devices, this isn’t a problem at all.
Thanks to collaboration between NT-ware and Canon Inc, uniFLOW Online and Canon devices work as one. Canon devices will accept and print all jobs as normal. It does not matter if the jobs are sent from a Windows PC, Mac, ChromeOS, AirPrint, Mopria or one of a multitude of other printing systems which the devices support.
Once the job has been printed, the device itself communicates with uniFLOW Online to let it know what activity it has just carried out and for whom. If that user sent a 100 page job only to cancel it after 5 pages, the Canon device tells uniFLOW Online that only 5 pages were printed. In other words, 100% accuracy. The device also sends all information as to HOW the job was printed including double sided, stapling and even down to which paper tray was used to supply the paper.
No software is needed on any computer or device anywhere. As long as a user can print to a Canon device, uniFLOW Online can account for it.
Furthermore, it also tracks all copying, faxing and scanning activity on the device, i.e. 100% of all jobs all of the time. As well as being able to view all of this data in uniFLOW Online, it can be displayed via other data visualisation tools such as Microsoft Excel, PowerBI, Qlik and pretty much anything else.
The icing on the cake: all of this accounting functionality is provided 100% free as part of the uniFLOW Online Express package with every Canon device.
To extend accounting and cost control, a subscription to uniFLOW Online can be purchased which will provide more complex functionalities such as cost center selection, print and copy quotas, budgets for schools and other educational environments plus much more. That is a story for another day.
Remember, uniFLOW Online means you can “Count on me”.
Print Management systems have always been developed to make printing easier and more accessible to users, regardless of their location. In 2011, we introduced our server-based product uniFLOW 5.1 to enable users to submit their print jobs by email.
Fast forward 10 years and email job submission is still an essential function of any print management system. The reasons why printing via email is popular are clear:
So, when looking at your SaaS cloud-based print management system, wouldn’t you assume that printing via email would be a standard offering? It is a popular feature for on-premises installations, so isn’t the end user demand for the functionality the same?
The ability for users to send their file to print via email has been part of uniFLOW Online since we launched 5 years ago. Users can just email any file - Word, PowerPoint, Excel, PDF etc - and we handle the rest. All the user has to do is walk to the printer of their choice, authenticate and release the emailed print job securely. They can also select any finishing options such as printing double sided, staple or hole-punch before it is printed.
This feature is not only useful for company users; it is essential to allow guest users to be able to print as well.
With uniFLOW Online, any guests to your company can also print securely; there is no need for ANY registration forms, clients to install and neither does the company administrator need to be involved. All that guests need to do is to email the job they want to print to uniFLOW Online and, by return, they will receive a one-time code to use to release the job on a printer. The administrator can already have stipulated that all jobs from guests are always printed in black and white and double-sided, if required.
This is the reason why email printing is so important – it is SO simple.
And it’s not just simple for the users. For administrators, there is nothing to install and nothing to configure. Email printing is a standard part of uniFLOW Online which is activated by default.
A few years ago, every piece of software suddenly "supported" the Cloud. In reality, the only change was that normal on-premises, server-based software was running on infrastructure hosted in the cloud with a few VPN connections to ensure it worked. Technically, this is true but is it really what is implied by a cloud-based system? Or is it just stretching the truth to claim support so they can jump on the bandwagon?
We are seeing the same thing happening now with the "Zero Trust" security model. Lots of marketing materials declare that "Zero Trust" is supported but don't define what "Zero Trust" actually means. The product in question may only offer support for one small section of a Zero Trust model yet imply support for everything.
Both Microsoft and Google have done their best to define their own interpretations of a Zero Trust security model. Both have documented changes made to their own internal networks and procedures to establish a path for customers who wish to join them on this journey.
Microsoft defines a Zero Trust security model as using the following guiding principles*:
This sounds logical and is something that most companies are, or should be, actively pursuing. Of course, it doesn't happen overnight; it is a journey involving all aspects of the company network, processes, and systems.
Then we have "printing" …
Printing may not be the most exciting part of the product portfolio in the IT department’s remit but, if the printing and scanning infrastructure is not included as part of the Zero Trust implementation, things can rapidly fall apart.
For example, in the traditional office, PCs and printers are typically all on the same network or split into different VLANs with a print server bridging the gap i.e. all nice and simple.
Small/home office network – No Zero Trust network segmentation
Separate VLANs – Partial Zero Trust network segmentation but requires Servers
However, in a Zero Trust model, as part of the "assume breach" principle, the "blast radius" of a potential breach is reduced by isolating each network point as much as possible from all other network points. This can also mean that internet access is only available from the internal network i.e., no other communication routes allowed. Should one PC become infected or compromised, it cannot spread because it cannot "talk" to anyone else.
Full Zero Trust network micro-segmentation. Only Internet access available
That's great but how can the user print if his/her PC cannot "talk" to the printer?
By continuing to use the old, existing print methods, the Zero Trust model must be downgraded, or exceptions made to the network, to incorporate printing by allowing PCs to talk to each other and all devices to talk to the printers. This is the opposite of what the original Zero Trust plan was designed for. Outdated printer requirements and print management software mean the entire Zero Trust process falls apart and security is lowered.
Unless... you use uniFLOW Online and Canon imageRUNNER ADVANCE DX devices!
Users can print from anywhere using any device and their (encrypted) print jobs are stored in the local Microsoft Azure data center. When users are ready to collect print jobs, they walk to a printer, identify themselves with their ID card, select the jobs they want to release and hit "print". The Canon imageRUNNER ADVANCE DX then collects the jobs directly from uniFLOW Online and prints them. The only thing the printer needs is a power supply and internet connection. No need for local infrastructure, clients, servers, boxes, VPNs or hubs. Secure printing fully compliant with the Zero Trust model.
You won't be surprised that segmented networks are not the only part of the Zero Trust security model supported by uniFLOW Online. Referring to the aforementioned guiding principles from Microsoft:
So, by selecting uniFLOW Online and Canon imageRUNNER ADVANCE DX devices as your print and scan management platform, you can transition your network to a full Zero Trust security model without compromise.
Never trust a stranger and, with Zero Trust, never trust anyone without checking first!
It's only when you stop and look back that you can see how far you have come.
This is where we are now with uniFLOW Online which was launched 5 years ago, back in 2016. Looking back, our first version of uniFLOW Online was already a great product. On day one, we launched a fully cloud-based SaaS solution hosted on multiple regional Microsoft Azure™ data centers while keeping print jobs locally within the customer network. Printing via email, user authentication through Microsoft 365 and accounting for all print, copy, fax and scan jobs were all part of that first release.
Since then, thanks to our policy of releasing new versions every 4 months, we have transformed the first product into something completely unrecognizable.
2017 saw the introduction of guest email printing support, secure printing for non-Canon printers and our first scanning integration to Google Drive™ and email. More scanning destinations arrived in 2018 including Box, Dropbox, OneDrive®, SharePoint® Online together with the ability to convert scanned documents into editable formats such as Word. “Focus on the Enterprise” was the theme for 2019. Customers who have secured their network infrastructure with a Zero-Trust/Micro-segmentation model - where network devices can only "talk" to the internet and not each other - were supported when we added the ability for Canon imageRUNNER ADVANCE devices to pull jobs directly from uniFLOW Online, removing the need for any local client software. Print jobs could also be stored on Canon device hard drives and pulled from device to device if the customer wanted to keep print jobs on the internal network rather than travel over the cloud.
Providing customers with multiple options as to how they would like to configure their printing environment, rather than forcing a "one size, fits all" approach, has always been a key development principle. This was further enhanced in 2020 by allowing users to print directly to uniFLOW Online (on Windows, Mac, Chrome, iOS and Android devices) from any location. At the same time, collaboration with Microsoft added support for Universal Print to enable users to submit jobs and securely release them without any need to install client software. Specific printing functionality required for different vertical markets, such as the ability to select cost centers or stop users printing and copying when they have run out of budget or quota, allowed uniFLOW Online to expand further. Scanning evolved further to include automatic meta-data entry by learning the document structure and applying barcode recognition and zonal OCR which removed the need for manual data entry.
As said before, it's only when you stop and look back that you can see how far you’ve come.
uniFLOW Online is now hosted in 7 different regional data centers (Europe, USA, Singapore, China, Japan, Australia, UK) and has been security checked by the US Government for use on their internal networks. It provides enterprise ready print and scan management functionality without needing any local infrastructure. It integrates with your existing identity providers including Microsoft 365, Google Workspace, Okta, PingFederate and others.
This is us just getting started...
We are proud to reach the fifth anniversary of uniFLOW Online, one of the world’s first 100% cloud-based print and scan management platforms. Since launching in 2016, the service has been enriched with a multitude of features to provide today a comprehensive solution for the evolving needs of our customers. Continuous development has made it the preferred cloud print and scan management solution for thousands of customers worldwide with already more than 35.000 devices connected.
“We are proud to be able to recognize that uniFLOW Online’s feature set has multiplied but, even more importantly, it is seen as a key element by our customers and the entire industry to help drive digital transformation. uniFLOW Online shows our dedication and passion as an innovative leader in print and scan management, listening with care to our customers’ requirements and demands.”
Karsten Huster, CEO and founder of NT-ware
uniFLOW Online has evolved into an unmatched, sophisticated print and scan management solution. In the beginning it focused on user authentication, secure and mobile printing and accounting for small and medium sized businesses. Today, this versatile and feature-rich platform, hosted on regional Microsoft Azure datacenters, has grown to include a wide range of scanning applications, easy driver deployment and support for various job submission pathways so it can cater to the needs of even the large, worldwide operating enterprise customers.
“Over the past 5 years, we have seen many of our customers’ business requirements evolving. In a fast-changing business and societal environment, they all need to find ways to increase the productivity of their employees, allow mobility and remote working, whilst securely accessing information and processing documents. Canon Digital Transformation Services is supporting customers in this constant “need to adapt” journey, helping them to find solutions to their evolving requirements. uniFLOW Online is a key pillar in a comprehensive range of print & scan products, various software and services that Canon provides as part of its Digital Transformation Services offer. It enables customers to realise the opportunities the “New Way of Working” represents, while providing also solutions to the challenges that it generates.”
Marc Bory, European Sales Director, Canon Europe
Cloud technology is offering previously unthinkable possibilities. Regular releases, several times a year, ensure technology enhancements are immediately available to customers worldwide. Key technology and feature developments have set unmatched markers in the industry:
Various organizations recognize uniFLOW Online’s abundant features such as secure printing, cost tracking, mobile printing and advanced scanning which help organizations and their employees work efficiently. Its usability, flexible and straightforward design, robust security features and enhanced cloud functionality are seen as unmatched in the public cloud print and scan management arena.
NT-ware’s innovative spirit, paired with an agile development approach, ensures uniFLOW Online is the best-in-class public cloud print and scan management solution. We are looking forward to driving future innovation in the years ahead.