Go Cloud Print, Eliminate All Print Servers And Printer Drivers

Jul 30, 2024 | Cost Reduction, Eliminate print servers, Green IT, Know everything about Microsoft WPP Secure Print, Microsoft Universal Print

Cloud printing is a technology that allows companies to print documents on printers and MFPs connected to the internet, regardless of their physical location. Scan to Cloud does the same for digitizing documents to Cloud-based file repositories using multi-function printers. How that’s done, and what is under the hood of the Cloud SaaS, makes all the difference in terms of TCO and security.

How Cloud Print and Scan to Cloud work

Instead of sending print jobs directly to a specific printer, printing is performed through a virtual printer installed on the desktop or on the mobile device.
The print job then goes to a cloud-based service, which routes it to the designated printer when the print job owner authenticates at that printer. Scan to Cloud works the same way: documents are processed by the multi-function printer, converted into PDF or TIFF, and stored in the user's Cloud storage or in the corporate SharePoint.

The benefits for your company are very significant:

    • With the best Cloud print solutions, there is no more printer-related IT infrastructure on-premises, just the printers
    • IT departments can stop managing printing and printers, and use their bandwidth on other important projects
    • Printers can be moved to a VLAN so that the technician servicing those printers can’t access the IT infrastructure through the LAN socket
    • Mobile print is easy: you can generate print jobs from anywhere, as long as you have Internet access
    • Going digital becomes faster and easier: you can safely digitize all your paper documents on any of the company's MFPs
    • Your company can get a complete and dynamic dashboard of printing and print costs using big data reporting such as Power BI

Typical solutions for Cloud print and Scan to Cloud

There are several solutions for Cloud print and scan to Cloud:

  1. Microsoft Universal Print: Microsoft Universal Print lets you connect some printers (only those that are Universal Print compatible) to its Azure print service. It removes the need to deploy printer drivers on client PCs, saving millions for large companies. Its limitations are the mass deployment of printers, no native support for badge authentication or scan to SharePoint/OneDrive, a charge for each document beyond a free quota per user, and the lack of standard print management features such as print rules, access control management and advanced reporting. To fill that gap, it is possible to subscribe to third-party plugins for Microsoft Universal Print, such as Celiveo 365, that extend the feature list.
  2. Solution from Printer Manufacturers: Many printer manufacturers offer their own Cloud printing and scan to Cloud solutions. These services typically require you to install special software or apps on the printer and/or PC on the local network and register them with the manufacturer’s Cloud service. Those solutions only work with some printer models of the manufacturer and most of the time don’t support other printer brands. It is critical to verify that the printer manufacturer proposing the solution is ISO/IEC 27001:2022 certified, to ensure your documents and user information are safe.
  3. Third-Party Cloud Printing Services: There are also third-party cloud printing services that work with a variety of printers from different manufacturers. These services often provide additional features such as print job management, scan to OneDrive for Business and SharePoint Cloud, advanced security options, and integration with other Cloud services. As with printer vendor solutions, it is critical to verify that the SaaS publisher is ISO/IEC 27001:2022 certified, to ensure your documents and user information are safe. Note that many boast an “ISO/IEC 27001” certification without mentioning the version, and only the 2022 version covers cyber-security, Cloud SaaS and Personal Information Protection (PII/GDPR). ISO/IEC 27001:2013 is an obsolete security standard that does not cover Cloud, SaaS, cyber-security, PII and GDPR during certification audits.
  4. Cloud-Enabled Printers: Some newer printers come with built-in support for cloud printing, allowing you to print directly from Cloud storage services like Google Drive, Dropbox, and OneDrive without the need for additional software or services, but usage is often problematic because they require users to log in to the Cloud service each time. The print flow is also complex: having to store a document in the Cloud, then reach a printer, authenticate, navigate, select the document, and request its printing is time consuming.

Main architecture types for Cloud print and scan to Cloud

There are three main architectures used by Cloud Print Service Solutions:

  1. Server-based print management solution moved to a VM in the Cloud: these are old solutions, developed years ago for everything except the Cloud, that were moved into a virtual machine, itself moved to the Cloud for clients.
    Some call them “lipstick on a pig” solutions. Imagine what VM management will be like when there are thousands of clients and VMs, and when, each time the OS (Windows or Linux) requires an update and reboot, no user can print or release a print job. Even worse: some of those solutions claim high availability by doubling the infrastructure and call the solution “clustered”. Such awkward solutions include YSoft Cloud, which some say would use an OpenVPN VPN to funnel data from the Cloud to the local network. If this is true, the CISO should really be concerned, as that’s a backdoor through the corporate firewall with incoming data…
  2. Hybrid Cloud solution: those solutions are also refurbished solutions where part of the infrastructure has been moved to the Cloud in a rush. There is still plenty of on-premises software, as agents or servers, and the creativity of marketing departments is pushed to the limits to paint the result as a Cloud solution. Some solutions use proxies between the local network and the Cloud, meaning some PCs must be permanently on, and on the same network, to service the infrastructure. The overall cost and management burden is not exactly what companies want to suffer from when they implement a “Cloud First” strategy. An example of such an “actually not-so-Cloud” solution is Printix from Tungsten – Kofax. Another example is PaperCut Edge Mesh, where many PCs have to be live as they are used as mini-servers. And for all those setups that do not comply with Pure Cloud, the IT department needs to manage, deploy, secure, back up and maintain dozens or hundreds of PCs, depending on the number of networks, sites and printers.
  3. Pure Cloud architecture SaaS on native PaaS: Those solutions meet the “Cloud First” policy expectation, with no local infrastructure to manage except printers connected to the Internet. This architecture is similar to SIP IP phones that connect to a network plug and communicate directly with a SIP VoIP service in the Cloud (you would not want your phone calls to rely on PCs that have to be live on your network; the print service should also go direct to the Cloud).
    That clean architecture has a much lower TCO, is simpler and faster to deploy, and is less prone to problems. Those solutions also have a distinctive property: they don’t rely on any operating system, as they are built on PaaS from Cloud providers such as Azure, Google Service or AWS. No operating system means no vulnerability to patch, no reboot, no updates, no VM backup, and full elasticity to adapt bandwidth and CPU power as needed and at the best cost. Such solutions include Celiveo 365, built on Azure PaaS, fully elastic and integrated with the Microsoft 365 suite and Entra ID.

Security

Some Cloud print and scan to Cloud solutions request very high privileges, which should never be granted. That includes service accounts with read and/or write access to Cloud resources such as OneDrive for Business or SharePoint, and Global admin privileges.


Some solutions also use a VPN between the local networks and the Cloud solution, which could become a Trojan horse should the Cloud solution become compromised.

A clean solution only requires read access to the corporate SSO, such as Entra ID, to authenticate users, and read/write on print jobs, nothing else. For scan to Cloud, the access token generated by the login to a Cloud service such as OneDrive for Business or SharePoint should never leave the printer. Our investigation has shown some solutions do hijack Microsoft authentication tokens and move them to their Cloud service or, even worse, broadcast them to all printers. It means any privileged user from the Cloud service company, or a hacker, could get those tokens and silently read/write the employees' Cloud documents.

It is therefore critical to verify all the rights, communication channels and token usage, and to check the vendor's statements through cyber-security audits.
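
One way to check the granted rights against the baseline described above, as an added example that is not code from the original article or from any vendor. It assumes a hypothetical, pre-resolved export of one service principal: `consentType` and `scope` follow Microsoft Graph's oauth2PermissionGrant objects, while the `appPermissions` and `directoryRoles` keys and the choice of Graph permission names for the baseline are assumptions.

```python
from fnmatch import fnmatch

# Baseline taken from the text: read access to the directory for sign-in and
# read/write on print jobs. Mapping it to these Graph names is an assumption.
BASELINE = {"User.Read", "User.Read.All", "PrintJob.ReadWrite.All"}
# Access the text says a print service should never hold.
EXCESSIVE = ("Files.*", "Sites.*", "Directory.ReadWrite.*", "RoleManagement.*")
EXCESSIVE_ROLES = {"Global Administrator"}


def classify(permission, kind, tenant_wide):
    """Return a (severity, permission, kind) finding, or None if within baseline."""
    if permission in BASELINE:
        return None
    if any(fnmatch(permission, pat) for pat in EXCESSIVE):
        # App-only or admin-consented access works without any user at the printer.
        severity = "critical" if kind == "application" or tenant_wide else "review"
        return (severity, permission, kind)
    return ("review", permission, kind)


def audit(export):
    """Audit one service principal's grants (hypothetical, pre-resolved export)."""
    findings = []
    for grant in export.get("oauth2PermissionGrants", []):
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        for scope in grant.get("scope", "").split():
            findings.append(classify(scope, "delegated", tenant_wide))
    for name in export.get("appPermissions", []):
        findings.append(classify(name, "application", True))
    for role in export.get("directoryRoles", []):
        if role in EXCESSIVE_ROLES:
            findings.append(("critical", role, "directory-role"))
    return sorted(f for f in findings if f)


# Constructed sample export for a fictional print service, not real tenant data.
SAMPLE = {
    "oauth2PermissionGrants": [
        {"consentType": "AllPrincipals", "scope": "User.Read Sites.ReadWrite.All"},
        {"consentType": "Principal", "scope": "Files.ReadWrite offline_access"},
    ],
    "appPermissions": ["User.Read.All", "PrintJob.ReadWrite.All", "Files.ReadWrite.All"],
    "directoryRoles": ["Global Administrator"],
}

if __name__ == "__main__":
    for severity, name, kind in audit(SAMPLE):
        print(f"{severity:8} {kind:14} {name}")
```

Per-user delegated file scopes are reported as "review" rather than "critical" because they only exist while a user signs in for scan to Cloud; the audit question for those is where the resulting token is stored.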

Conclusion

Since clients want to eliminate print servers and print application servers and move to driverless and agentless printing, every print management software publisher now claims it has a Cloud print solution. But you want to do with printing what you must have done with IP phones a decade ago: just plug devices into the Internet and use them, with no local software or PC, and get the highest possible security.

It is therefore necessary to carefully analyze how solutions are built: whether they require any local software, whether they still need you to manage multiple drivers and print queues, whether they run in a VM in the Cloud instead of being built on PaaS, and whether the publisher can produce an ISO/IEC 27001:2022 certification status and permanent security audits.

Otherwise Cloud print and scan to Cloud can quickly become your worst nightmare.

Mary Woodcock