
Your data, protected and under control.

Wherever they travel.

SealPath Webinar – Access to protected documents without agents


Why SealPath? We focus on…

• User Experience: Native Tools, Easy-To-Use
• Enterprise: Ready for integration in the large enterprise
• Interoperability: Integration with other data security, cloud and corporate tools (DLPs, SIEMs, Data Classification, O365, G-Suite, etc.)

www.sealpath.com
© SealPath Technologies – Confidential Proprietary - 2019
Approach with the new features

User Experience, Enterprise, Interoperability:
• Integration with DLPs Classification
• Kerberos Integration, ADFS
• Automatic Protection of Email
• AutoCAD, SolidEdge
• Automatic Protection of Folders and Repositories

SealPath Secure Browser and Native Opening on Office Mobile and Mac

• Opening without installing agents or software
• Users can open protected documents in Office for iOS, Android or Mac without Viewers
• Multi-platform through web client
• Edition is available also apart from Viewing
• Users can work directly in SharePoint, Office 365, Box, without downloading documents

SealPath Secure Browser
Need and Solution
NEED AND PROBLEM
• When you receive a protected document that is not an Office document, you must install SealPath Lite to open it. If you do not have Microsoft Office (e.g. you use LibreOffice) or you are on a Linux platform, you cannot open it.
• When working from SharePoint or Office 365, protected documents cannot be decrypted for viewing in the Office online viewer. They must be downloaded and opened locally in order to render correctly.
• Something similar happens when working from G-Suite or Box: you need to download the documents to open them.
• Companies that work with Office 365 E1 only have the web environment to work with Office.

SOLUTION
• The user can drag the Office or PDF document to the browser on the SealPath web portal and open it without having to install software.
• Opening with SealPath will be possible from SharePoint On-Premise or Office 365. The file will be redirected to the renderer (on-premise or in the cloud) that displays the protected document.
• The protected document can be not only displayed but also edited, if the user has editing permissions.
• Plugins have been created for Office 365, SharePoint On-Premise, Box and G-Suite that give the user the option “Open with SealPath Secure Browser” for the protected document without having to download it.
• Office 365 E1 users have "SealPath Secure Browser" to work without downloading the file.

How it works: SealPath Portal

1. A protected document is received and the option "Open the protected document now" is selected in the SealPath portal.
2. The first time, validation is requested from the user. It can be remembered.
3. A drag and drop of the protected document is made to the browser.
4. Once validated, the document will be opened with the permissions that we have assigned.

How it works: Office 365, SharePoint, Box, G-Suite.

1. We have protected documents in Office 365, SharePoint, Box or G-Suite.
2. Select the option to open with “SealPath Secure Browser” in the context menu.
3. The first time, validation is requested from the user. It can be remembered.
4. Once validated, the document will be opened with the permissions that we have assigned. If it is modified (and you have Edit permissions) the document will be kept updated in your location. You can limit copy & paste, print, etc.

Demo Secure Browser
Technical Details
FOR SEALPATH ENTERPRISE SAAS:
• When working with SealPath SaaS, it is not necessary to install any module at the server level.
• It is, however, necessary to install plugins (server-side, not client-side) in Office 365, SharePoint, G-Suite or Box.
• As protected documents travel to the cloud, it is possible to have a local architecture where the rendering servers are on the client.

FOR SEALPATH ENTERPRISE ON-PREMISE:
• It is necessary to install 2 new servers:
  • Secure Browser Server: Receives the documents, checks permissions and passes them to the rendering server to show them to the user. It requires SealPath for File Servers.
  • Rendering Server: Based on Office Online Server, it shows the user the documents. It has additional layers to control user permissions on documents. In the near future, this server will be able to work together with that of Mobile without requiring an additional one.

NOTE: In both cases, documents travel protected to the cloud. Once they have been displayed, they are deleted. The erase time is configurable (in hours).

Technical Details
ARCHITECTURE AND COMMUNICATION FLOW: RENDER DOCUMENT ON THE BROWSER

Components: SECURE BROWSER SERVER (A), RENDERING SERVER (B), PROTECTION SERVER (C)

1. The user drags the file to the browser to view it.
2. The file to be opened is sent.
3. The identity of the user is checked.
4. Get the permissions. Internally requires SealPath File Server.
5. The document is sent to render with the permissions.
6. The file is shown.

(A) (B) You can install On-Premise or use SaaS.
(B) (C) SealPath Client Protection Server or SaaS.
Technical details
ARCHITECTURE AND COMMUNICATION FLOW: OFFICE 365, SHAREPOINT ONLINE, BOX AND G-SUITE

Components: OFFICE 365, SHAREPOINT, G-SUITE, BOX; SECURE BROWSER SERVER (A); RENDERING SERVER (B); PROTECTION SERVER (C); REDIRECTION SERVICE (D)

1. The user chooses to open the document with SealPath Secure Browser from the context menu of O365, etc.
2. The document arrives at the SealPath redirector service that tells you which server you should use to view (cloud or on-premise). This step is not necessary with SharePoint On-Premise.
3. The file to be opened is sent.
4. The identity of the user is checked.
5. Get the permissions. Internally requires SealPath File Server.
6. The document is sent to render with the permissions.
7. It shows the file.
8. It's updated in Office 365, etc., if there have been changes.

(A) (B) You can install On-Premise or use SaaS.
(B) (C) SealPath client protection server or SaaS.
(C) (D) It is a SealPath SaaS service. You do not have to install anything on the client.
Technical details
PLUGINS NEEDED:

The following plugins are necessary for the user to see the option “Open with SealPath Secure Browser” in the browser when in SharePoint, Office 365, G-Suite, or Box. All plugins must be installed and managed by the administrator.

SharePoint On-Premise or Online:
• The administrator can install a plugin.
• It avoids having to use the redirector service since the plugin tells the document where to go.
Office 365, OneDrive:
• There is a SealPath Secure Browser plugin in the Office 365 application store.
G-Suite:
• There is a SealPath Secure Browser plugin in the Google Drive app store.
Box:
• There is a SealPath Secure Browser plugin in the Box app store.

Technical details
BROWSER COMPATIBILITY
OFFICE 365 AND ONE DRIVE FROM APPSTORE
Browser ANDROID IOS MOBILE MAC OS WINDOWS
Google Chrome    
Internet Explorer    
Safari   
Microsoft Edge    
Firefox    
SHAREPOINT ONLINE
Browser ANDROID IOS MOBILE MAC OS WINDOWS
Google Chrome    
Internet Explorer    
Safari    
Microsoft Edge    
Firefox    
SHAREPOINT ON PREMISE
Browser ANDROID IOS MOBILE MAC OS WINDOWS
Google Chrome    
Internet Explorer    
Safari    
Microsoft Edge    
Firefox    
Technical details
BROWSER COMPATIBILITY
BOX
Browser ANDROID IOS MOBILE MAC OS WINDOWS
Google Chrome    
Internet Explorer    
Safari    
Microsoft Edge    
Firefox    
GOOGLE DRIVE
Browser ANDROID IOS MOBILE MAC OS WINDOWS
Google Chrome    
Internet Explorer    
Safari    
Microsoft Edge    
Firefox    

Summary of benefits

• Share Office and PDF documents with external users without needing to install anything. This has been one of the main complaints of users when using the application.

• View and edit Office and PDF documents for customers with Office 365, SharePoint, G-Suite or Box that do not want to have Office installed on all workstations.

• Increase compatibility with platforms. Now anyone can open the document even if it is on Linux or any other Operating System.

• The entire document life cycle can be maintained within the document manager (Office 365, SharePoint, G-Suite, Box), without leaving the browser.

Office Mobile Integration
Need and Solution
NEED OR PROBLEM
• When a user needs to open a protected file in iOS, Android or Mac OSX, it is necessary to download SealPath Mobile Viewer, which allows viewing documents but not editing. Users are used to working with Office Mobile to open documents on mobile platforms because it is the standard application for that. Mac OSX users also need to edit files, print, copy & paste, etc. apart from viewing them.

SOLUTION
• A new Server module has been created to allow native integration with Office Mobile, so that users can open protected Office files without needing to install additional components on the device. It allows working with protected documents in Office for Mac OSX.

• When the user opens a protected document on Office Mobile or Office for Mac OSX, an authentication process based on OAuth v2 is started against this module on the server to validate the user credentials.

How it works

1. A screen is shown telling that the document is trying to connect with an external site (Protection server).
2. On the first opening, the user credentials are requested. You can click on “remember”.
3. If it is the first time we work with Office Mobile, we will need to insert the credentials of a Microsoft account. This window can be cancelled in iOS or Mac but for Android it only allows the validation with a corporate account. We will need an Office corporate account to be able to edit documents.
4. Once it is opened, the document will be shown with the permissions available for the user.
Technical Details
FOR SEALPATH ENTERPRISE SAAS:
• When working with SealPath SaaS, it is not necessary to install any module on the server.

FOR SEALPATH ENTERPRISE ON-PREMISE:
• It is necessary to install a new server-side module:
  • It deploys different components, i.e. an authorization and federation server that works in a similar way to ADFS (Active Directory Federation Services).
  • This module also requires an update to the database tables.
• It is also necessary to register new entries in the internal and external DNS that tell the mobile where to log in.

In both cases, the opening of documents on mobile devices can be disabled by policy. This option is only available to the administrator. By default it is enabled.

Technical Details

COMMUNICATION WORKFLOW

• DNS Service Discovery: Discovery of which server you have to request authorization from.
• Authorization and validation workflow based on OAuth v2.
• SEALPATH SERVICE (CLOUD OR ON-PREMISE)

Technical Details
AUTHORIZATION WORKFLOW BETWEEN CUSTOMER AND SERVER

• SealPath Office Mobile works with an OAuth v2 authorization workflow.
• The first time a protected file is opened in Office Mobile, a redirection is made to the server to authenticate the user.
• If the authentication is correct, a single-sign-on cookie is obtained that contains an encrypted identity of the user.
• A new request is made to the server with this cookie and an authorization code is obtained.
• With this authorization code the client calls the token management endpoint and receives an access token and a refresh token.
• The client sends the access token to the endpoint of the document access license management server, which validates it and allows the document to be opened if the user has permissions.
• The lifetime of authorization codes, tokens, etc. can be configured on the server. The default values in minutes are:
<add key="AuthorizationCodeLifetime" value="5" />
<add key="AccessTokenLifetime" value="20" />
<add key="RefreshTokenLifetime" value="43200" />
<add key="SingleSignOnCookieLifetime" value="20" />
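
A way to review these lifetime settings before deployment, as an added example that is not SealPath code: it parses the four keys shown above, checks them against review ceilings and reports how long a client could keep renewing access without a new sign-in. The `<appSettings>` wrapper, the ceiling values and the reading of the refresh token lifetime as an absolute limit are assumptions.

```python
import xml.etree.ElementTree as ET

# Slide defaults (minutes). The <appSettings> wrapper is an assumption so the fragment parses.
SLIDE_DEFAULTS = """<appSettings>
  <add key="AuthorizationCodeLifetime" value="5" />
  <add key="AccessTokenLifetime" value="20" />
  <add key="RefreshTokenLifetime" value="43200" />
  <add key="SingleSignOnCookieLifetime" value="20" />
</appSettings>"""

# Hypothetical review ceilings in minutes; replace with your own policy.
CEILINGS = {
    "AuthorizationCodeLifetime": 10,
    "AccessTokenLifetime": 60,
    "RefreshTokenLifetime": 7 * 24 * 60,
    "SingleSignOnCookieLifetime": 60,
}

def load_lifetimes(xml_text):
    """Return {key: minutes} for every *Lifetime entry; raises on a missing or non-numeric value."""
    out = {}
    for node in ET.fromstring(xml_text).iter("add"):
        key = node.get("key", "")
        if key.endswith("Lifetime"):
            out[key] = int(node.get("value"))
    return out

def audit(lifetimes, ceilings=CEILINGS):
    """List findings: keys not set, invalid values, ceiling breaches, broken ordering."""
    findings = []
    for key, limit in ceilings.items():
        minutes = lifetimes.get(key)
        if minutes is None:
            findings.append(f"{key}: not set in this fragment")
        elif minutes <= 0:
            findings.append(f"{key}: {minutes} min is not a valid lifetime")
        elif minutes > limit:
            findings.append(f"{key}: {minutes} min exceeds ceiling of {limit} min")
    code, access, refresh = (lifetimes.get(k + "Lifetime")
                             for k in ("AuthorizationCode", "AccessToken", "RefreshToken"))
    if None not in (code, access, refresh) and not code <= access <= refresh:
        findings.append("ordering: expected code <= access token <= refresh token")
    return findings

def reauth_horizon_days(lifetimes):
    """Days a client can renew access without a new sign-in (refresh lifetime taken as absolute)."""
    return lifetimes["RefreshTokenLifetime"] / (24 * 60)

if __name__ == "__main__":
    cfg = load_lifetimes(SLIDE_DEFAULTS)
    print(reauth_horizon_days(cfg), audit(cfg))
```
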

Summary of benefits

• View and edit protected Office documents on any platform with Microsoft Office Mobile software.

• It is not necessary to download any additional applications to work with Office documents.

• It works with the option that is normally, and increasingly, used on mobile devices.

• Behavior on Mac OSX is similar to Windows. You do not need to install anything to open protected documents on Mac OSX.

• The administrator can enable or disable this option by policy.

DATA-CENTRIC SECURITY FOR THE ENTERPRISE
